When specifying a secondary password script, the output should be appended to the temporary password file and shouldn't overwrite it. If you refer to the case where there is a static secondary password, you can see that the secondary password is appended. Without this fix, only the secondary password is passed to the `openconnect` session.
Signed-off-by: Frederick Morlock <FrederickGeek8@gmail.com>
openconnect v8.10 supports 4 VPN protocols
--protocol=anyconnect Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
--protocol=nc Compatible with Juniper Network Connect
--protocol=gp Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
--protocol=pulse Compatible with Pulse Connect Secure SSL VPN
This patch allows user to specify protocol use the new "vpn_protocol"
option and deprecate the old option "juniper" which seems to be missing in
the current openconnect client.
Signed-off-by: Mengyang Li <mayli.he@gmail.com>
openconnect may emit following error logs every minute when negotiating
with deployments forbidding usage of dtls
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: DTLS handshake failed: Error in the push function.
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: (Is a firewall preventing you from sending UDP packets?)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Properly quote arguments when assembling the command line and eval the
proto_run_command() invocation in order to prevent the shell from
improperly splitting the command arguments on $IFS.
Fixes: #10137
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"token_mode" add support for "script", which execute "token_script" to
get the password. Some token is not supported by OpenConnect natively,
e.g. "MobilePass" or "Softoken II" used in Cisco VPN
Signed-off-by: Gavin Ni <gisngy@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
- use exec directly to eliminate a level in the process tree
- use "$@" instead of "$*" to pass arguments to openconnect
According to openconnect(8), openconnect will call vpnc-script to
cleanup before quit when it received SIGINT(2) and will quit immediately
when it received SIGTERM (the default signal by kill command)
Before and after the change, openconnect process will be killed first
with SIGINT sent from netifd. This was decided by the
'proto_kill_command "$config" 2' notify call in the proto script.
SIGKILL is the only other signal that can be sent from netifd when the
process did not quit on SIGINT on time. There should be no need to trap
on signal 1 3 6 9 (HUP QUIT ABRT KILL)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes#2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
It was introduced with 41f8d5465 ("openconnect: fix a couple of minor
things and add an interface option") and not needed since 4083de9d7
("openconnect: use proto_add_host_dependency")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Some VPN servers might be configured in a way that a CSD wrapper script
is mandatory to complete the authentication process, allow that to be
specified for openconnect.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Some servers might be implementing ACLs based on the value specified by
openconnect for "os", allow that to be configured.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
* Restore hooks support from vpnc-script
* Use consistent style for tests and blocks in openconnect.sh
* Cleanup code that writes banner to syslog
Signed-off-by: Matthew Sykes <matthew.sykes@gmail.com>
Add a new build configuration option for openconnect and let it link
against libstoken if instructed to. Two new uci configuration variables
are introduced: "token_mode" and "token_secret" to allow openconnect to
use those.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Frederick Morlock
Mengyang Li
Yousong Zhou
Marco Gulino
Jo-Philipp Wich
Gavin Ni
Vladimir Berezhnoy
Nikos Mavrogiannopoulos
Florian Fainelli
Daniel Gimpelevich
Jasper
Matthew Sykes