Re: [Announce] OpenConnect (-GUI) VPN client
 

i ll test it tomorrow... thanks for the work!

edit: i didn't :o
but looking good, now i made an alert to remind me testing the new stuff :D

Re: [Announce] OpenConnect (-GUI) VPN client
 

some updates:
I patched and compiled the latest version of openconnect 2.26 and it works!

BUT (there's always a but ...)

I need some help here. I'm still on PR1.2 (lazy, I know) and the SDK is on PR1.3. When I'm building the DEB file, it receives a dependency of libssl >=0.9.8m.

So it doesn't install on mine,as I have a version 0.9.8e from PR1.2.
But when looking in details at my libssl package in FAP, I see there's now a 0.9.8n version available. I upgraded to that one (it also upgraded openssl alongside) and as expected, it now accepts and installs my new openconnect 2.26 DEB.

Can people check if libssl 0.9.8n is indeed the version supplied with PR1.3 ?

First hurdle taken.

Then, when connecting via the openconnect-gui, using the 2.26 version (no other changes), I'm getting a nice error log message about the server certificate not being verifiable due to missing local issuer certificate and asking if I want to accept the certificate anyway. Of course, the openconnect-gui doesn't handle this user input situation.

When running openconnect in xterm, I can enter 'yes' and it connects fine to my VPN server, all fine, as planned.

I think I can also override this check when calling the openconnect command, executed by the openconnect-gui, so there is no user issue with this. It might be a bit less safe. But not less safe than when using the current 2.12 solution, as that one doesn't care at all about the server certificate anyway :)
Do people like this proposed (eyes closed) behaviour ?

The very good thing about the new openssl 0.9.8n version is the fact it seems to allows DTLS :) No need for the default option (--no-dtls) anymore. Yes !!
This should allow performance gains in dropped packets environments, like 3G connections :D

Of course further testing should happen, as there were some other strange messages on screen, about a dead peer. The connection is made fine though, data routed through the VPN.
I'll look into that issue if proven troublesome for some.

So if people confirm the version in PR1.3 and the preferred wanted behaviour concerning the accepting of the server certificate, I can make then make the required changes and get a new GUI version out.

For people who want to follow along, here's the latest, working openconnect 2.26 DEB.

Again, all requests/info is welcome. if time permits, I'll work on them :)

ps. I really need to get my stuff in garage now, getting it properly registered and using autobuild !
Maybe when I have a version of both packages, where people are happy with...

ps2. Maybe I can create my own openconnect VPN status applet, such as the one from VPNC :D

Re: [Announce] OpenConnect (-GUI) VPN client
 

hi i am using pr1.3 and xterm gives me this
(btw your new version of openconnect installs flawlessly)

Re: [Announce] OpenConnect (-GUI) VPN client
 

thanks. That confirms already the version.

On the dtls side, it seems I've been cheering too quickly. It looks as if it's starting in dtls mode (via xterm) but when there's a network glitch, it gets a write error and it reconfigures the vpn link into SSL. So either the openssl in PR1.3 is still (partly) broken in terms of dtls support, or there is something else wrong. Anyhow, my latest gui has the --no-dtls still as a default option so no problem there.

also, in my latest gui, to avoid the servercheck, you can enter the --no-cert-check as the free option in the gui/profile, then everything connects fine, no errors/user input request anymore.
Of course it kills the possibility of specifying the usergroup in there, temporarily.

So if I don't hear objections, I'll create a new GUI, also containing this --no-cert-check option as a default.

Can people also test their connectivity, straight from xterm and via the gui ? Just wondering if the open issues people had improved by my porting of the latest version.

Re: [Announce] OpenConnect (-GUI) VPN client
 

ok, here is my xterm output:
another problem is that i cannot enter my password, i have to open a new xterm and copy the password from there.

via the gui it wasn't possible, because i need the group feature (authgroup), so it stopped at selfsigned cert or the wrong group.

nevertheless thanks for continuing the work on openconnect!

Re: [Announce] OpenConnect (-GUI) VPN client
 

Hi Sirpaul,
I think you're pretty close, at least on the commandline. For the gui version I need to make a change in the code. I'll try to do that asap.

You forgot to include the script, as the openconnect program wants to tell you:
This was probably your problem already with the previous version 2.12, if I recall well. At least now I know (a bit) where to look :D

This is a -technically- working commandline for me, you only need to add the proper Authgroup parameter and you'll be good to go, all on one line of course ... :

The "--background --syslog --no-deflate" part is optional for me. For you, just add the authgroup=abc and replace the proper variables and you're fine. You were just missing the reference to the script (borrowed from the vpnc package) which sets up all default routes etc ...

I'll start changing the gui code now, maybe by tomorrow I'l have a more flexible way of entering default (cross-profile) parameters. brrr, it's getting a bit more real now :)

What's the issue with the entering of the password in the 2.26 version ? My password (all kind of chars) is accepted fine, in gui and straight in xterm?

The maemo version of Openconnect (already as of 2.12) has a feature NOT found in the official openconnect version: the possiblity to add the password straight on the command prompt. That's how the gui works ...

Re: [Announce] OpenConnect (-GUI) VPN client
 

OMG it is working!!!!!
never thought it would ever be going to happen...
THANKS! you ve made my month!
(lol, did not even think, that i was that close...)

i just added the passwd option, it worked pretty well.
connectivity works fine, but i am just using it for some minutes.
(atm i am using my unis vpn!).

EDIT
i ve tested more and it still works good.
i had one problem when the connection was a bit strange, but a reboot did it; besides that, i haven't spotted any errors.

Re: [Announce] OpenConnect (-GUI) VPN client
 

Thanks. I have uploaded the openconnect and openconnect-gui into extras-devel. This is my first upload, the building went fine. I'm not an experienced Debian package maintainer so bare with me when things might not be 100% according to the book.

The gui package uploaded in the repository differs from the .DEB as I already posted in this thread only in the 2nd default parameter, the one to disable server cert verification. The openconnect package itself is the same as the .DEB included by me in this thread.

'Normal' people should get an upgrade notice in FAP, early adopters who installed already the thread versions, might have to do a --reinstall (or remove & install) to get the latest repository versions.

Please let me know how things are going.

The "real" flexible way of entering 'random' cross-profile params will take a bit longer. That's why I released this quick fix for the gui. It will be enough (I think) for at least 80% of all N900 openconnect users :)

Re: [Announce] OpenConnect (-GUI) VPN client
 

the gui is now working flawlessly for me, after entering the authgroup parameter.

BUT i had an issue that after several times connecting to wlan + connecting to the vpn via gui openconnect was not starting via gui neither via xterm; a reboot solved iit for the moment. but dont know how to re-do it. (but thats something i can live with) ;)

Re: [Announce] OpenConnect (-GUI) VPN client
 

mmmm, a bit lost on the possible reason for the non-starting openconnect. I haven't seen this odd behaviour yet.

When it happens, can you provide me here a full log from the xterm, using the --verbose parameter as well?
I can then have a look (positive thinking) if I can see something weird.

If not, I might have to take it upstream, to the openconnect devs, fur further investigation.

Thanks for testing and glad you like it so far. With all the storms around Nokia/Microsoft/Meego now, we can only try to make our N900 as good as possible and prolong it's life, as I don't think there's a real alternative yet :)