Openconnect VPN in NetworkManager-GNOME with Privileged Access

Ask Fedora
, , ,
1

I am attempting to connect to a GlobalProtect VPN and am having issues accomplishing it through the VPN settings GUI in GNOME (running Silverblue 34).

Issue with GUI Attempt

I have setup the CSD Wrapper script for hipreport.sh successfully, and in the system menu (top right) it looks like it connected well. But attempted to actually access services restricted within the VPN, leads to timeouts.

Annoyingly, as the VPN connects, it closes the connection window which contains the logs. If these are stored in a file, let me know and I’ll upload them if they could be helpful (Could not find where they are stored).

Issue outlined and resolved using openconnect from CLI

I attempted this first in the terminal with:
openconnect --protocol=gp globalprotect.gateway.com --csd-wrapper=hipreport.sh
which seemed to work well until when it came to setting up ESP

Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed

Running the same command with sudo worked as specified with the following respective response:

ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.

Potentially Helpful Links

Solution for setting up privileged access

Probably need to set up something like this, but not sure if there is an appropriate way, given I want to make it as easy as possible with the GUI.

To be clear, I don’t mind the CLI, but would rather leave it just for setup, rather than the permanent option for connecting…

Similar-ish Post

This could be a possible solution, but not sure if applicable in this case – hopefully someone who knows a bit more could let me know :slight_smile:

The networkmanager-cli seems like a reasonable solution to setup the network interface…

2

GlobalProtect Implementation in OpenConnect

This mostly explains the implementation of GlobalProtect within OpenConnect – probably not necessary for this issue, as a connection was achieved

3

Official Documentation

https://fedoraproject.org/wiki/Tools/NetworkManager
https://wiki.archlinux.org/title/NetworkManager

4

Try switching SELinux to permissive mode to isolate the issue.

5

Attempted with SELinux at Permissive level but no luck…

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
1 Like
6

I’ve attempted to get a log from journalctl with the PID set for openconnect, NetworkManager, systemd[1], and the audit service, as seemed the most relevant, pasted here.

I have also looked into this solution from the Arch linux forums, but nothing came up in the debug log. Maybe in hindsight its being listed in journalctl

In any case, still open to ideas, appreciate any help anyone can provide :slight_smile:

1 Like