base on A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc. # GlobalProtect-openconnect A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authentication method. Inspired by [gp-saml-gui](https://github.com/dlenski/gp-saml-gui). <p align="center"> <img width="300" src="https://github.com/yuezk/GlobalProtect-openconnect/assets/3297602/9242df9c-217d-42ab-8c21-8f9f69cd4eb5"> </p> ## Features - [x] Better Linux support - [x] Support both CLI and GUI - [x] Support both SSO and non-SSO authentication - [x] Support the FIDO2 authentication (e.g., YubiKey) - [x] Support authentication using default browser - [x] Support client certificate authentication - [x] Support multiple portals - [x] Support gateway selection - [x] Support connect gateway directly - [x] Support auto-connect on startup - [x] Support system tray icon ## Usage ### CLI The CLI version is always free and open source in this repo. It has almost the same features as the GUI version. ``` Usage: gpclient [OPTIONS] <COMMAND> Commands: connect Connect to a portal server disconnect Disconnect from the server launch-gui Launch the GUI help Print this message or the help of the given subcommand(s) Options: --fix-openssl Get around the OpenSSL `unsafe legacy renegotiation` error --ignore-tls-errors Ignore the TLS errors -h, --help Print help -V, --version Print version See 'gpclient help <command>' for more information on a specific command. ``` To use the external browser for authentication with the CLI version, you need to use the following command: ```bash sudo -E gpclient connect --browser default <portal> ``` Or you can try the following command if the above command does not work: ```bash gpauth <portal> --browser default 2>/dev/null | sudo gpclient connect <portal> --cookie-on-stdin ``` You can specify the browser with the `--browser <browser>` option, e.g., `--browser firefox`, `--browser chrome`, etc. ### GUI The GUI version is also available after you installed it. You can launch it from the application menu or run `gpclient launch-gui` in the terminal. > [!Note] > > The GUI version is partially open source. Its background service is open sourced in this repo as [gpservice](./apps/gpservice/). The GUI part is a wrapper of the background service, which is not open sourced. ## Installation ### Debian/Ubuntu based distributions #### Install from PPA (Ubuntu 18.04 and later, except 24.04) ``` sudo apt-get install gir1.2-gtk-3.0 gir1.2-webkit2-4.0 sudo add-apt-repository ppa:yuezk/globalprotect-openconnect sudo apt-get update sudo apt-get install globalprotect-openconnect ``` > [!Note] > > For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`. #### **Ubuntu 24.04 and later** The `libwebkit2gtk-4.0-37` package was [removed](https://bugs.launchpad.net/ubuntu/+source/webkit2gtk/+bug/2061914) from its repo. You can use the [`deb-install.sh`](./scripts/deb-install.sh) script to install the package: ```bash curl -o- https://raw.githubusercontent.com/yuezk/GlobalProtect-openconnect/main/scripts/deb-install.sh \ | bash -s -- 2.3.9 ``` #### **Ubuntu 18.04** The latest package is not available in the PPA either, but you still needs to add the `ppa:yuezk/globalprotect-openconnect` repo beforehand to use the required `openconnect` package. Then you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package. #### Install from deb package Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `apt`: ```bash sudo apt install --fix-broken globalprotect-openconnect_*.deb ``` ### Arch Linux / Manjaro #### Install from AUR Install from AUR: [globalprotect-openconnect-git](https://aur.archlinux.org/packages/globalprotect-openconnect-git/) ```bash yay -S globalprotect-openconnect-git ``` #### Install from package Download the latest package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `pacman`: ```bash sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst ``` ### Fedora 38 and later / Fedora Rawhide #### Install from COPR The package is available on [COPR](https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/) for various RPM-based distributions. You can install it with the following commands: ```bash sudo dnf copr enable yuezk/globalprotect-openconnect sudo dnf install globalprotect-openconnect ``` ### openSUSE Leap 15.6 / openSUSE Tumbleweed #### Install from OBS (openSUSE Build Service) The package is also available on [OBS](https://build.opensuse.org/package/show/home:yuezk/globalprotect-openconnect) for various RPM-based distributions. You can follow the instructions [on this page](https://software.opensuse.org//download.html?project=home%3Ayuezk&package=globalprotect-openconnect) to install it. ### Other RPM-based distributions #### Install from RPM package Download the latest RPM package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. ```bash sudo rpm -i globalprotect-openconnect-*.rpm ``` ### Gentoo It is available via `guru` and `lamdness` overlays. ```bash sudo eselect repository enable guru sudo emerge -r guru sync sudo emerge -av net-vpn/globalprotect-openconnect ``` ### Other distributions - Install `openconnect >= 8.20`, `webkit2gtk`, `libsecret`, `libayatana-appindicator` or `libappindicator-gtk3`. - Download `globalprotect-openconnect_${version}_${arch}.bin.tar.xz` from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. - Extract the tarball with `tar -xJf globalprotect-openconnect_${version}_${arch}.bin.tar.xz`. - Run `sudo make install` to install the client. ## Build from source You can also build the client from source, steps are as follows: ### Prerequisites - [Install Rust 1.75 or later](https://www.rust-lang.org/tools/install) - Install Tauri dependencies: https://tauri.app/v1/guides/getting-started/prerequisites/#setting-up-linux - Install `perl` and `jq` - Install `openconnect >= 8.20` and `libopenconnect-dev` (or `openconnect-devel` on RPM-based distributions) - Install `pkexec`, `gnome-keyring` (or `pam_kwallet` on KDE) - Install `nodejs` and `pnpm` (optional only if you downloaded the source tarball from the release page and run with the `BUILD_FE=0` flag, see below) ### Build 1. Download the source code tarball from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Choose `globalprotect-openconnect-${version}.tar.gz`. 2. Extract the tarball with `tar -xzf globalprotect-openconnect-${version}.tar.gz`. 3. Enter the source directory and run `make build BUILD_FE=0` to build the client. 3. Run `sudo make install` to install the client. (Note, `DESTDIR` is not supported) ## FAQ 1. How to deal with error `Secure Storage not ready` Try upgrade the client to `2.2.0` or later, which will use a file-based storage as a fallback. You need to install the `gnome-keyring` package, and restart the system (See [#321](https://github.com/yuezk/GlobalProtect-openconnect/issues/321), [#316](https://github.com/yuezk/GlobalProtect-openconnect/issues/316)). 2. How to deal with error `(gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:` If you encounter this error when using the CLI version, try to run the command with `sudo -E` (See [#316](https://github.com/yuezk/GlobalProtect-openconnect/issues/316)). ## About Trial The CLI version is always free, while the GUI version is paid. There are two trial modes for the GUI version: 1. 10-day trial: You can use the GUI stable release for 10 days after the installation. 2. 14-day trial: Each beta release has a fresh trial period (at most 14 days) after released. ## License - crate [gpapi](./crates/gpapi): [MIT](./crates/gpapi/LICENSE) - crate [openconnect](./crates/openconnect): [GPL-3.0](./crates/openconnect/LICENSE) - crate [common](./crates/common): [GPL-3.0](./crates/common/LICENSE) - app [gpservice](./apps/gpservice): [GPL-3.0](./apps/gpservice/LICENSE) - app [gpclient](./apps/gpclient): [GPL-3.0](./apps/gpclient/LICENSE) - app [gpauth](./apps/gpauth): [GPL-3.0](./apps/gpauth/LICENSE) - app [gpgui-helper](./apps/gpgui-helper): [GPL-3.0](./apps/gpgui-helper/LICENSE) ", Assign "at most 3 tags" to the expected json: {"id":"7065","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"