Bug 435561 - Cannot specify usergroup for OpenConnect VPNs
Summary: Cannot specify usergroup for OpenConnect VPNs
Status: RESOLVED FIXED
Alias: None
Product: plasma-nm
Classification: Plasma
Component: general (show other bugs)
Version: 5.21.4
Platform: Other Linux
: NOR normal (vote)
Target Milestone: ---
Assignee: Jan Grulich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-09 23:10 UTC by akb825
Modified: 2021-04-15 07:55 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In: 5.21.5


Attachments
usergroup.patch (845 bytes, patch)
2021-04-14 01:25 UTC, akb825
Details

Note You need to log in before you can comment on or make changes to this bug.
Description akb825 2021-04-09 23:10:11 UTC
SUMMARY
The usergroup cannot be specified for OpenConnect VPNs. For example, my company provides a "default" connection, which routes specific domains through the VPN, and a "tunnel-all" connection, which routes all traffic. 

Typically the usergroup would be specified by the URL. For example, https://vpn.mycompany.com/tunnel-all. When using the openconnect command-line, you can use the "--usergroup=tunnel-all" command-line option.

Attempting to pass the usergroup to the gateway address (e.g. vpn.mycompany.com/tunnel-all) fails, since it expects it to only be a hostname. Ideally, either the usergroup would be parsed from the gateway address or a separate field would be available to specify it.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Arch Linux
KDE Plasma Version: 5.21.4
KDE Frameworks Version: 5.80.0
Qt Version: 5.15.2
Comment 1 akb825 2021-04-10 00:09:12 UTC
After looking through the code, it looks like it *is* trying to parse the group from the gateway. However, attempting to do this fails to connect. No error is reported in the UI, it simply closes the dialog and isn't connected to the VPN. When viewing the log from journalctl, openconnect reported the error "Pulse authentication cookie not accepted". Using the exact same URL (copy/pasted to avoid typos) works with the openconnect command in a terminal.

I additionally found that you can set an "xmlconfig" element in vpn-secrets section with a base64 XML configuration. When attempting to set the <UserGroup> tag, I get the following error in the UI: "Pulse password request with unknown code 0x00. Please report."
Comment 2 akb825 2021-04-10 01:32:16 UTC
After some more experimentation, the behavior of whether the dialog disappears and openconnect writes the cookie error to the journal, or whether it has the "unknown code" error in the dialog, appears to be inconsistent. In other words, relying on parsing the group from the gateway and using the xmlconfig gives the same results.

This behavior was using the "Pulse Connect Secure" protocol. When using the "Juniper Network Connect" protocol any connection over the VPN times out when providing the usergroup. (even ones that give a forbidden error when not connected to the VPN at all)
Comment 3 akb825 2021-04-14 01:25:59 UTC
Created attachment 137574 [details]
usergroup.patch

I went through the code and I believe the main problem is that only the host + port is passed to the NetworkManager-openconnect plugin that establishes the "real" connection to the VPN. I have attached a patch (usergroup.patch) that appends the urlpath (which is parsed as the usergroup) to the NM_OPENCONNECT_KEY_GATEWAY secrets parameter when it's provided.

This allows the connection to be established with the pulse protocol (since it was using the incorrect URL for the cookie). However, similar to my previous results with the "Juniper Network Connect" protocol all network activity that's routed through the VPN times out. My guess is there's some additional issues in NetworkManager-openconnect that's preventing it from working properly.
Comment 4 akb825 2021-04-14 03:12:43 UTC
Further investigation confirms that the patch I posted should fix the issue on the plasma-nm side of not forwarding the usergroup, while separate issues in NetworkManager-openconnect (related to the split routing) are the cause of the timeout issue.
Comment 5 Jan Grulich 2021-04-14 06:42:12 UTC
Hi, can you submit your patch to review? 

Link: https://invent.kde.org/plasma/plasma-nm/-/merge_requests
Comment 6 Bug Janitor Service 2021-04-14 18:59:06 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/57
Comment 7 akb825 2021-04-14 19:00:47 UTC
I have submitted an MR here: https://invent.kde.org/plasma/plasma-nm/-/merge_requests/57
Comment 8 Jan Grulich 2021-04-15 07:55:17 UTC
Git commit aa872eca0575af615ca918acbb1c8e743d1074d5 by Jan Grulich, on behalf of Aaron Barany.
Committed on 15/04/2021 at 07:55.
Pushed by grulich into branch 'Plasma/5.21'.

Forward opeconnect usergroup

Forward the usergroup for openconnect (provided by the URL path) to the
NetworkManager service by incorporating it in NM_OPENCONNECT_KEY_GATEWAY.
This ensures that the VPN session in the NetworkManager service uses the
same usergroup as provided with the gateway when the initial connection
was made through the UI.

M  +7    -1    vpn/openconnect/openconnectauth.cpp

https://invent.kde.org/plasma/plasma-nm/commit/aa872eca0575af615ca918acbb1c8e743d1074d5