Home Explore Help
Sign In
vimacs
/
openconnect
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: h3c
Branches Tags
openconnect
/
www
/
connecting.xml

connecting.xml 4.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. <PAGE>
    2. 

  2. 	<INCLUDE file="inc/header.tmpl" />
    3. 

  3. 

  4. 	<VAR match="VAR_SEL_STARTED" replace="selected" />
    5. 

  5. 	<VAR match="VAR_SEL_CONNECTING" replace="selected" />
    6. 

  6. 	<PARSE file="menu1.xml" />
    7. 

  7. 	<PARSE file="menu2-started.xml" />
    8. 

  8. 

  9. 	<INCLUDE file="inc/content.tmpl" />
    10. 

  10. 

  11.     	<h1>Connecting to the VPN</h1>
    12. 

  12. 

  13. <p>Once you have <a href="building.html">installed</a> OpenConnect and checked that you have a
    14. 

  14. <a href="vpnc-script.html">vpnc-script</a> which will set up the routing and DNS for it, using OpenConnect
    15. 

  15.  is very simple. As root, run the following command for an AnyConnect/ocserv VPN:
    16. 

  16.  <ul>
    17. 

  17.    <li><tt>openconnect https://vpn.mycompany.com/</tt></li>
    18. 

  18.  </ul>
    19. 

  19.  For one of the other <a href="protocols.html">supported protocols</a>, you'll need to add <tt>--protocol</tt>.
    20. 

  20.  For example, for a PAN GlobalProtect VPN:
    21. 

  21.  <ul>
    22. 

  22.    <li><tt>openconnect --protocol=gp https://vpn.mycompany.com/</tt></li>
    23. 

  23.  </ul>
    24. 

  24. </p>
    25. 

  25. 

  26. <p>That should be it, if you have a password-based login. If your VPN uses
    27. 

  27. <a href="https://en.wikipedia.org/wiki/Client_certificate">TLS/SSL client certificates</a> for authentication,
    28. 

  28. you'll need to tell OpenConnect where to find the certificate with the <tt>-c</tt> option.</p>
    29. 

  29. 

  30. <p>You can provide the certificate either as the file name of a PKCS#12 or PEM file,
    31. 

  31. or if OpenConnect is built against a suitable version of GnuTLS you can provide the
    32. 

  32. certificate in the form of a PKCS#11 URI. If the private key is in a separate file
    33. 

  33. from the certificate, this must be specified with <tt>-k</tt>:
    34. 

  34. <ul>
    35. 

  35.   <li><tt>openconnect -c cert_and_private_key.pem https://vpn.mycompany.com/</tt></li>
    36. 

  36.   <li><tt>openconnect -c certificate.pem -k private_key.pem https://vpn.mycompany.com/</tt></li>
    37. 

  37.   <li><tt>openconnect -c pkcs11:id=X_%b04%c3%85%d4u%e7%0b%10v%08%c9%0dA%8f%3bl%df https://vpn.mycompany.com/</tt></li>
    38. 

  38.   <li><tt>openconnect -c system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe https://vpn.mycompany.com/</tt></li>
    39. 

  39. </ul>
    40. 

  40. </p>
    41. 

  41. 

  42. <p>
    43. 

  43. See the <a href="manual.html">manual</a> for additional options which can be used to tune
    44. 

  44. OpenConnect's connections, and automate various aspects of the authentication process (e.g.
    45. 

  45. populating multi-factor authentication codes using RSA- or OATH-based soft tokens).
    46. 

  46. </p>
    47. 

  47. 

  48. <h2>Windows certificate store</h2>
    49. 

  49. 

  50. <p>If your certificate is in the system certificate store, OpenConnect should be able
    51. 

  51. to use it when built against GnuTLS, as a "<a href="https://www.gnutls.org/manual/html_node/Application_002dspecific-keys.html">system key</a>".
    52. 

  52. </p>
    53. 

  53. 

  54. <p>
    55. 

  55.   To find the <tt>system:win:…</tt> URI to use for your key with the <tt>list-system-keys.exe</tt>
    56. 

  56.   tool included with OpenConnect. Its output might look something like the following:
    57. 

  57. <table border="1"><tr><td><pre>
    58. 

  58. Label: (null)
    59. 

  59. Cert URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=cert
    60. 

  60. Key URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=privkey
    61. 

  61. Cert info: subject `CN=d1ab215ccab521bc', issuer `CN=Token Signing Public Key', serial 0x2ce0193a3ecf4da9f0591cee9158e48ec53a8e54, RSA key 1024 bits, signed using DSA-SHA1 (broken!), activated `2020-05-07 06:48:59 UTC', expires `2020-05-14 06:48:59 UTC', pin-sha256="2XOidBPfppXj4REiuj9fIE3UYQK6TTQIODQajIOiLFi="
    62. 

  62. </pre></td></tr></table>
    63. 

  63. You can choose the certificate you need to use, and provide it to OpenConnect with the <tt>-c</tt> argument as shown in the last example above; omitting the <tt>;type=</tt> part.</p>
    64. 

  64. 

  65. <p>
    66. 

  66.   Note that as of the time of writing (2022-05-22; GnuTLS v3.7.5), GnuTLS is only able to use keys from the <tt>CERT_SYSTEM_STORE_CURRENT_USER</tt> store in Windows,
    67. 

  67.   not the <tt>CERT_SYSTEM_STORE_LOCAL_MACHINE</tt> or <a href="https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations">other locations</a>.
    68. 

  68.   This is reported as <a href="https://gitlab.com/gnutls/gnutls/-/issues/1365">GnuTLS issue #1365</a>.
    69. 

  69. </p>
    70. 

  70. <p>
    71. 

  71.   Even where the certificate is marked as "non-exportable", some have succeeded in stealing
    72. 

  72.   certificates from their Windows certificate store using tools like
    73. 

  73.   <a href="https://github.com/iSECPartners/jailbreak">Jailbreak</a> and
    74. 

  74.   <a href="https://krestfield.github.io/docs/pki/exporting_a_nonexportable_certificate.html">mimikatz</a>.
    75. 

  75. </p>
    76. 

  76. 	<INCLUDE file="inc/footer.tmpl" />
    77. 

  77. </PAGE>
    78. 

  78.