OpenConnect: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 22:48, 16 December 2021 edit Conan (talk \| contribs) Extended confirmed users 2,323 edits m Aready in Category:Virtual private networks ← Previous edit		Latest revision as of 15:33, 16 October 2024 edit undo IPPON01 (talk \| contribs) Extended confirmed users 4,909 edits No edit summary Tag: Visual edit
(50 intermediate revisions by 21 users not shown)
Line 1: {{Short description\|Open-source multi-protocol VPN application}} {{distinguish\|text=[[~~Technical details of~~ Netflix#~~Open~~Content ~~Connect~~delivery\|Netflix's 'Open Connect' CDN]]}} {{Infobox software \| name = OpenConnect Line 7: \| caption = The open SSL VPN \| author = David Woodhouse \| developer = Daniel Lenski, [[GnuTLS\|Nikos Mavrogiannopoulos]] \| released = {{~~release~~start date\|2009\|03\|18}}<ref name="infradead:changelog" /> \| latest release version = 89.1012 \| latest release date = {{release date and age\|~~2020~~2023\|05\|1420}}<ref name="infradead:changelog">infradead.org - [~~http~~https://www.infradead.org/openconnect/changelog.html OpenConnect: Changelog].</ref> \| genre = [[virtual private network\|VPN]] \| license = [[GNU Lesser General Public License\| GNU LGPL v2.1]]<ref name="gitlab:copying">gitlab.com - [https://gitlab.com/openconnect/openconnect/-/blob/master/COPYING.LGPL OpenConnect: License].</ref> \| website = {{URL\|https://www.infradead.org/openconnect/}} }} {{Portal\|Free and open-source software}} '''OpenConnect''' is ana [[Free software\|free]] and [[open-source software\|open-source]] ~~application~~[[Cross-platform ~~for~~software\|cross-platform]] ~~connecting to~~multi-protocol [[virtual private network]]s (VPN), client software which implement secure [[Point-to-point (telecommunications)\|point-to-point]] connections. The OpenConnect client supports the following VPN protocols: It was originally written as an open-source replacement for [[Cisco]]'s [[proprietary software\|proprietary]] [[AnyConnect]] SSL VPN client,<ref>{{cite web\|url=http://www.infradead.org/openconnect/ \|title="Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies …" \|publisher=Infradead.org \|access-date=2018-08-13}}</ref> which is supported by several Cisco [[network router\|routers]].▼ ~~===~~* [[Cisco]] AnyConnect~~===~~▼ The OpenConnect client added support for [[Juniper Networks]]' SSL VPN in version 7.05.<ref name="infradead:changelog" /> A fork then developed support for [[Palo Alto Networks]]' GlobalProtect VPN,<ref>{{GitHub\|dlenski/openconnect\|dlenski/openconnect}}</ref> which was included in the version 8.00 release.<ref name="release-v8.00">{{cite web\|url=http://lists.infradead.org/pipermail/openconnect-devel/2019-January/005178.html \|title=OpenConnect 8.00 release \|publisher=Lists.infradead.org \|access-date=2019-01-05}}</ref> * [[Juniper Networks\|Juniper]] Secure Connect (since 7.05)<ref>{{Cite web \|date=2015-03-10 \|title=OpenConnect 7.05 release \|url=https://lists.infradead.org/pipermail/openconnect-devel/2015-March/002818.html \|access-date=2023-07-10 \|website=lists.infradead.org}}</ref> ==Server==▼ * [[Palo Alto Networks]] GlobalProtect (since 8.00)<ref>{{Cite web \|date=2019-01-04 \|title=OpenConnect 8.00 release \|url=https://lists.infradead.org/pipermail/openconnect-devel/2019-January/005178.html \|url-status=dead \|archive-url=https://web.archive.org/web/20200609161130/https://lists.infradead.org/pipermail/openconnect-devel/2019-January/005178.html \|archive-date=2020-06-09 \|website=lists.infradead.org}}</ref> * [[Ivanti]]/Pulse Connect Secure (since 8.04)<ref>{{Cite web \|date=2019-08-09 \|title=OpenConnect 8.04 release \|url=https://www.infradead.org/openconnect/changelog.html \|access-date=2023-07-10 \|website=lists.infradead.org}}</ref> {{As of \| 2013 }}, the OpenConnect project also offers an AnyConnect-compatible server, '''ocserv''',<ref>[http://www.infradead.org/ocserv/ ocserv home page].</ref> and thus offers a full [[client-server]] VPN solution.▼ * [[F5, Inc.\|F5]] BIG-IP and * [[Fortinet]] FortiGate and OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an [[Internet Standard]].<ref name="nmav_ietf_draft">{{cite IETF \| title = The OpenConnect VPN Protocol Version 1.1 \| draft=draft-mavrogiannopoulos-openconnect-02 \| author = N. Mavrogiannopoulos \| date = October 2018 \| publisher = [[Internet Engineering Task Force\|IETF]] }}</ref> Both OpenConnect and ocserv strive to maintain [[backwards-compatibility]] with Cisco AnyConnect servers and clients.▼ * [[Array Networks]] AG SSL VPN (since 8.20)<ref>{{Cite web \|date=2022-02-20 \|title=OpenConnect 8.20 release \|url=https://lists.infradead.org/pipermail/openconnect-devel/2022-February/005089.html \|access-date=2023-07-10 \|website=lists.infradead.org}}</ref> ~~==Protocols==~~ ▲===Cisco AnyConnect=== Cisco AnyConnect VPNs utilize [[Transport Layer Security\|TLS]] to authenticate and configure routing, then [[Datagram Transport Layer Security\|DTLS]] to efficiently encrypt and transport the tunneled VPN traffic,<ref> ~~{{cite book~~ ~~\| last1 = Tiso~~ ~~\| first1 = John~~ ~~\| last2 = Scholfield~~ ~~\| first2 = Mark D.~~ ~~\| last3 = Teare~~ ~~\| first3 = Diane~~ ~~\| title = Designing Cisco Network Service Architectures (ARCH): Foundation Learning Guide~~ ~~\| url = https://books.google.com/books?id=ISt9IXgcj0AC~~ ~~\| series = Foundation Learning Guides~~ ~~\| access-date = 2013-06-13~~ ~~\| edition = 3~~ ~~\| year = 2011~~ ~~\| publisher = Cisco Press~~ ~~\| isbn = 9781587142888~~ ~~\| page = 464~~ \| quote = Cisco AnyConnect is a Cisco implementation of the thick client. Because the SSL VPN network extension runs on top of the SSL protocol, it is simpler to manage and has greater robustness with different network topologies such as firewalls and Network Address Translation (NAT) than the higher security of IPsec. }} </ref><ref name="nmav-blog">{{cite web\|last=Mavrogiannopoulos \|first=Nikos \|url=http://nmav.gnutls.org/2013/11/inside-ssl-vpn-protocol.html \|title=nmav's Blog: Inside an SSL VPN protocol \|publisher=Nmav.gnutls.org \|date=2013-11-17 \|access-date=2018-08-13}}</ref> and can fall back to TLS-based transport where [[network firewall\|firewall]]s block [[Universal Datagram Protocol\|UDP]]-based traffic. The DTLS protocol used by Cisco AnyConnect servers was based on a non-standard, pre-release draft of DTLS 1.0, until support for the DTLS 1.2 standard was added in 2018.<ref name="nmav-blog"/><ref>{{cite web\|url=https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/release/notes/asarn910.html\|title=Release Notes for the Cisco ASA Series, 9.10(x)\|publisher=Cisco\|date=December 12, 2018}}</ref> OpenConnect's implementation of the AnyConnect protocol is sufficiently complete that some of Cisco's own [[IP phone]] devices embed a very old release of OpenConnect<ref>{{cite web\|url=https://gitlab.com/openconnect/ocserv/-/issues/51#note_322138534\|title=ocserv issues #51}}</ref> (rather than Cisco's own proprietary software) in order to be able to connect to Cisco SSL VPNs.<ref>{{cite web\|url=https://ocserv.gitlab.io/www/recipes-ocserv-ip-phone.html\|title=Recipe: VoIP network with ocserv\|author=Nikos Mavrogiannopoulos}}</ref><ref>{{cite web\|url=https://www.cisco.com/c/dam/en/us/td/docs/general/warranty/osln_525g.pdf\|title=Open Source License Notices for the SPA525G\|publisher=Cisco}}</ref>▼ ~~===DTLS===~~ Cisco's proprietary AnyConnect clients and servers were originally built against a patched, 2007 release of OpenSSL 0.9.8f,<ref>{{cite web\|url=http://openssl.6102.n7.nabble.com/DTLS-clue-requested-td20090.html\|title=DTLS clue requested.\|author=David Woodhouse\|date=September 23, 2008}}</ref> which implemented a pre-release version of [[Datagram Transport Layer Security\|DTLS]] that was not compatible with DTLS 1.0 as standardized in [//tools.ietf.org/html/rfc4347 RFC 4347]. Because of this, it was difficult to make OpenConnect implement a Cisco-compatible version of DTLS without linking against OpenSSL. Explicit support for Cisco's non-standard version of DTLS was included in OpenSSL 0.9.8m (where it is known as {{code\|DTLS1_BAD_VER}}) and then [[GnuTLS]] 3.2.1 (where it is known as {{code\|GNUTLS_DTLS0_9}}).<ref>{{cite web\|url=https://www.infradead.org/openconnect/technical.html\|title=How the VPN works § DTLS compatibility\|author=David Woodhouse}}</ref> Newer versions of Cisco's AnyConnect clients and servers support DTLS 1.2 in its standardized on-the-wire form ([//tools.ietf.org/html/rfc6347 RFC 6347]), though they continue to use a non-standard mechanism (based on session resumption) for DTLS key exchange.<ref name="nmav_ietf_draft"/> ▲It was originally written as an open-source replacement for [[Cisco]]'s [[proprietary software\|proprietary]] [[AnyConnect]] SSL VPN client,<ref>{{cite web\|url=~~http~~https://www.infradead.org/openconnect/ \|title="Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies …" \|publisher=Infradead.org \|access-date=2018-08-13}}</ref> which is supported by several Cisco [[network router\|routers]]. ~~Modern versions of OpenConnect can be built to use ''either'' the GnuTLS or OpenSSL for [[Transport Layer Security\|TLS]], DTLS, and cryptographic primitives.~~ {{As of\|July 2023}}, support for several other proprietary VPN protocols is desired or in development: ~~===Other protocols===~~ * [[SonicWall]] NetExtender VPN support<ref>{{Cite web\|url=https://gitlab.com/openconnect/openconnect/-/issues/143\|title = Issues - Draft: SonicWall NetExtender support}}</ref> The OpenConnect client also implements [[Juniper Networks\|Juniper]], [[Pulse Secure\|Junos Pulse]], and [[Palo Alto Networks\|GlobalProtect]] VPN protocols. These have a very similar structure to the AnyConnect protocol: they authenticate and configure routing over TLS, except that they use [[Encapsulating Security Payload\|ESP]] for efficient, encrypted transport of tunneled traffic (instead of DTLS), but they too can fall back to TLS-based transport. ~~{{As~~* ~~of\|May~~[[Check ~~2020}},~~Point]] ~~support~~SNX ~~for several PPP-based protocols~~VPN ~~is in development.~~support<ref>{{Cite web\|url=https://gitlab.com/openconnect/openconnect/-/~~issues?label_name%5B%5D=PPP~~merge_requests/207\|title =~~Issues~~ ·Merge ~~OpenConnect~~requests ~~VPN~~- ~~projects~~Draft: /CheckPoint SNX support\| date=5 June 2021 ~~OpenConnect~~}}</ref> * [[H3C]] VPN support<ref>{{Cite web\|url=https://gitlab.com/openconnect/openconnect/-/merge_requests/397\|title = Merge requests - Draft: Add H3C TLS VPN protocol\| date=23 July 2022 }}</ref> * [[Barracuda Networks\|Barracuda]] CloudGen Firewall VPN support<ref>{{Cite web\|url=https://gitlab.com/openconnect/openconnect/-/issues/574\|title = Issues - Add support for Barracuda CloudGen Firewall}}</ref> * [[Huawei]] VPN support<ref>{{Cite web\|url=https://gitlab.com/openconnect/openconnect/-/issues/603\|title = Issues - Huawei SSL VPN support}}</ref> ==Architecture== The OpenConnect client is written primarily in [[C (programming language)\|C]], and it contains much of the infrastructure necessary to add additional VPN protocols operating in a similar flow, and to connect to them via a common user interface:<ref name="damapdx">{{cite web\|url=https://damapdx.org/2020/08/28/september-2020-openconnect/\|author=Daniel Lenski\|date=September 17, 2020\|publisher=DAMA Portland\|title=How VPNs Work- The Ins and Outs}}</ref> * Initial connection to the VPN server via TLS * Authentication phase via HTTPS (using [[HTML forms]], [[client certificate]]s, [[XML]], etc.) * Server-provided routing configuration, in a protocol-agnostic format, which can be processed by a [~~http~~https://www.infradead.org/openconnect/vpnc-script.html vpnc-script] * Data transport phase via a UDP-based tunnel (DTLS or ESP), with fallback to a TLS-based tunnel ** Built-in event loop to handle [[Dead Peer Detection]], [[keepalive]], [[rekeying (cryptography)\|rekeying]], etc. Line 78 ⟶ 48: ==Platforms== OpenConnect is available on [[Solaris (operating system)\|Solaris]], [[Linux]], [[OpenBSD]], [[FreeBSD]], [[MacOS]], and has graphical user interface clients for [[Windows]],<ref>{{cite web\|url = https://~~github~~gitlab.com/openconnect/openconnect-gui~~/wiki~~ \|title = ~~Openconnect~~OpenConnect graphical client \|publisher = [[~~GitHub~~GitLab]] \|access-date=~~2014~~2023-1001-2823}}</ref> [[GNOME]],<ref>{{cite web\|url = https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/ \| title=NetworkManager-openconnect \|publisher= gnome.org \|access-date=2020-01-27}}</ref> and [[KDE]].<ref>{{cite web\|url = https://userbase.kde.org/NetworkManagement \|title = NetworkManagement \|publisher = kde.org \|access-date=2014-10-28}}</ref> A graphical client for OpenConnect is also available for [[Android (operating system)\|Android]] devices,<ref>{{cite web \|url = https://~~github~~gitlab.com/~~cernekee~~openconnect/ics-openconnect \|title = Android UI for OpenConnect VPN client ~~\|author = cernekee~~ \|publisher = [[~~GitHub~~GitLab]] \|access-date = ~~2014~~2023-1001-2823}}</ref> and it has been integrated into [[Router (computing)\|router]] firmware packages such as [[OpenWrt]].<ref>{{cite web\|url = https://openwrt.org/docs/guide-user/services/vpn/overview#openconnect-based_vpn_solutions \|title = VPN Overview \|publisher = openwrt.org \|access-date = 2018-03-15}}</ref> ==OpenConnect VPN graphical client== The OpenConnect project provide clients for [[Windows]]<ref>{{Cite web \|title=OpenConnect VPN graphical client \|url=https://gui.openconnect-vpn.net \|access-date=2024-10-16 \|website=OpenConnect VPN graphical client \|language=en}}</ref> and [[macOS]]{{Citation needed\|date=October 2024}}. ▲==Server== ▲~~{{As of \| 2013 }}, the~~The OpenConnect project also offers an Cisco AnyConnect-compatible server, ~~'''~~ocserv~~'''~~,<ref>[~~http~~https://~~www~~ocserv.~~infradead~~gitlab.~~org~~io/~~ocserv~~www/ ~~ocserv~~OpenConnect ~~home~~VPN ~~page~~Server].</ref> and thus offers a full [[client-server]] VPN solution. ▲OpenConnect and ocserv now implement an extended version of the Cisco AnyConnect VPN protocol, which has been proposed as an [[Internet Standard]].<ref name="nmav_ietf_draft">{{cite IETF \| title = The OpenConnect VPN Protocol Version 1.12 \| draft=draft-mavrogiannopoulos-openconnect-0203 \| author = N. Mavrogiannopoulos \| date = October ~~2018~~2020 \| publisher = [[Internet Engineering Task Force\|IETF]] }}</ref> Both OpenConnect and ocserv strive to maintain [[backwards-compatibility]] with Cisco AnyConnect servers and clients. ==Notable uses== ▲OpenConnect's implementation of the Cisco AnyConnect protocol is sufficiently complete, such that some of Cisco's own [[IP phone]] devices embed a very old release of OpenConnect<ref>{{cite web\|url=https://gitlab.com/openconnect/ocserv/-/issues/51#note_322138534\|title=ocserv issues #51}}</ref> ~~(rather than Cisco's own proprietary software)~~ in order ~~to be able~~ to connect to Cisco SSL VPNs.<ref>{{cite web\|url=https://ocserv.gitlab.io/www/recipes-ocserv-ip-phone.html\|title=Recipe: VoIP network with ocserv\|author=Nikos Mavrogiannopoulos}}</ref><ref>{{cite web\|url=https://www.cisco.com/c/dam/en/us/td/docs/general/warranty/osln_525g.pdf\|title=Open Source License Notices for the SPA525G\|publisher=Cisco}}</ref> ==References== Line 85 ⟶ 69: ==External links== * [~~http~~https://www.infradead.org/openconnect OpenConnect project homepage] * https://wiki.archlinux.org/~~index.php~~title/OpenConnect▼ ~~'''Some useful usage information.'''~~ ▲* https://wiki.archlinux.org/index.php/OpenConnect {{VPN}}

OpenConnect: Difference between revisions

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.