| Commit message (Collapse) | Author | Age |
| |
Retry when resolveip fails as it seems to be causing issues
on startup depending on various unpredictable parameters.
Resolves: #23185
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
| |
Add support for the OpenConnect option `--pfs`.
Designed to require perfect forward secrecy.
Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
| |
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
| |
Allow connection via a proxy server (required on some sites where
direct outbound HTTP(S) access is not permitted).
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
| |
According to David Woodhouse, OpenConnect has no issues reconnecting on any
interface. Make the host dependency optional, as it can cause issues in multiple
WAN scenarios.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
The --juniper switch has been deprecated in favour of --protocol=nc. Fix the
proto script thusly, while keeping compatibility with existing configurations.
Note that, as far as UCI is concerned, if both options juniper and vpn_protocol
are specified, the latter takes precedence.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
This is the preferred way, according to the wiki.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
Using resolveip is more robust and predictable than depending on nslookup and
awk.
This reverts commit 131ec7b3bd6895aa3f86f57169dd23c15f174fe2.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
If it exists (if it isn't built-in), it will be loaded automatically at boot.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
We have nslookup and awk, let's use them.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
| |
When specifying a secondary password script, the output should be appended to the temporary password file and shouldn't overwrite it. If you refer to the case where there is a static secondary password, you can see that the secondary password is appended. Without this fix, only the secondary password is passed to the `openconnect` session.
Signed-off-by: Frederick Morlock <FrederickGeek8@gmail.com>
| |
openconnect v8.10 supports 4 VPN protocols
--protocol=anyconnect Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
--protocol=nc Compatible with Juniper Network Connect
--protocol=gp Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
--protocol=pulse Compatible with Pulse Connect Secure SSL VPN
This patch allows the user to specify the protocol using the new "vpn_protocol"
option and deprecates the old option "juniper", which seems to be missing in
the current openconnect client.
Signed-off-by: Mengyang Li <mayli.he@gmail.com>
| |
openconnect may emit the following error logs every minute when negotiating
with deployments forbidding usage of DTLS
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: DTLS handshake failed: Error in the push function.
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: (Is a firewall preventing you from sending UDP packets?)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
For easier review
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
Just adding the extra option `-g|--usergroup <group>` (required by the VPN server I'm currently using)
Signed-off-by: Marco Gulino <marco@gulinux.net>
| |
Properly quote arguments when assembling the command line and eval the
proto_run_command() invocation in order to prevent the shell from
improperly splitting the command arguments on $IFS.
Fixes: #10137
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
| |
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
"token_mode" adds support for "script", which executes "token_script" to
get the password. Some tokens are not supported by OpenConnect natively,
e.g. "MobilePass" or "Softoken II" used in Cisco VPN
Signed-off-by: Gavin Ni <gisngy@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
In some cases, it's useful to specify which interface to establish the VPN connection
Signed-off-by: Gavin Ni <gisngy@gmail.com>
| |
Signed-off-by: Vladimir Berezhnoy <non7top@gmail.com>
| |
According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes #2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
It was introduced with 41f8d5465 ("openconnect: fix a couple of minor
things and add an interface option") and not needed since 4083de9d7
("openconnect: use proto_add_host_dependency")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
| |
This ensures that a direct route to the connected host is added
by netifd.
Resolves #2548
| |
That code was causing netifd to disable openconnect with no way
to restart it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Resolves #1419
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Some VPN servers might be configured in a way that a CSD wrapper script
is mandatory to complete the authentication process; allow that to be
specified for openconnect.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
| |
Some servers might be implementing ACLs based on the value specified by
openconnect for "os"; allow that to be configured.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
| |
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
This reverts commit b53e5bfe875d673fc8a57a4766d7af6fc1b3e074.
| |
This reverts commit fa8f5479458ee5163c9907ee3e92d8bd6b62389b.
| |
The location for the server CA file was moved in b53e5bfe875d673fc8a57a4766d7af6fc1b3e074, but the corresponding command line option for openconnect was not updated.
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
* Restore hooks support from vpnc-script
* Use consistent style for tests and blocks in openconnect.sh
* Cleanup code that writes banner to syslog
Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com>
| |
Add a new build configuration option for openconnect and let it link
against libstoken if instructed to. Two new uci configuration variables
are introduced: "token_mode" and "token_secret" to allow openconnect to
use those.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
This addresses https://dev.openwrt.org/ticket/16634
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
proto_add_host_dependency
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
and keys
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>