Simple and flexible NetworkManager support for OpenConnect in Python.
This is an alternative project that provides support for OpenConnect (an open-source implementation of Cisco's AnyConnect) within GNOME's NetworkManager (or just NM). The original OpenConnect support in NetworkManager has several drawbacks.
- Inability to activate a VPN connection without typing a password. In other words, you have to type something like the following.
  nmcli connection up YourVPNConn -a
  The issue is that you have to type not only the password but the username (sic!) as well. Moreover, some corporate networks offer a choice of role or network to connect to. The underlying openconnect client allows the desired form options to be specified manually or via command-line options. This implementation assumes that all auxiliary options are already listed in the nmconnection file, so there is no need for manual typing either.
- C/C++ gives excellent performance at the cost of laborious development effort. We believe there is no need to write code in C/C++ here. Python is enough to execute the openconnect binary and sleep until the connection is deactivated.
- The original implementation is distributed under toxic GPL.
- Enormous complexity of DBus and NetworkManager in general. In my perspective there are some bizarre things in the implementation and internals of DBus. The interaction protocol within NetworkManager is unclear and vague.
NOTE This implementation conflicts with the original implementation.
Since this plugin relies on the OpenConnect binary and on the architecture and configuration of the original plugin implementation, the first part of the installation process is pretty straightforward: just install the packages as follows.
apt update && apt install openconnect network-manager-openconnect # Ubuntu
And then install this package.
pip install git+https://github.com/daskol/networkmanager-openconnect.git
The second part is more tedious since we need to update the NetworkManager configuration a little bit. We need to edit the service file for the DBus service which exposes plugin services to NetworkManager. Once we are finished, the configuration file should look like the following.
# Config file: /usr/lib/NetworkManager/VPN/nm-openconnect-service.name
[VPN Connection]
name=openconnect
service=org.freedesktop.NetworkManager.openconnect
# Path to executable.
program=/usr/local/bin/nm-openconnect
supports-multiple-connections=true
Finally, we should reload NetworkManager and activate our VPN connection.
nmcli connection reload
nmcli connection up YourVPNConn
As mentioned above, the plugin relies on the original implementation. This is true for the configuration as well. The snippet of an nmconnection file below shows the differences from the original configuration file. The rest of the fields are pretty much the same as in the original configuration (if they are used at all).
[vpn]
service-type=org.freedesktop.NetworkManager.openconnect
# Do not ask agent for secrets.
password-flags=0
# Username.
username=your-username-here
# Comma-separated form data.
form=main:group_list=AccessVPN,main:field=value
[vpn-secrets]
# Password in plaintext.
password=your-password-here
NOTE Some configuration options are not used at all but it is simple enough to support them.
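Since the profile above stores the password in plaintext and its form data answers the login prompts unattended, the following added example (not code from this project) checks that a profile is accessible only to its owner and turns the username, form and password fields into an openconnect invocation that feeds the password on stdin rather than in argv. The function names, the gateway argument and the sample values are assumptions made for the illustration.

```python
import configparser
import os
import stat

# Constructed sample profile; all values are placeholders.
SAMPLE = """\
[vpn]
service-type=org.freedesktop.NetworkManager.openconnect
password-flags=0
username=alice
form=main:group_list=AccessVPN,main:field=value

[vpn-secrets]
password=example-password
"""


def permission_problems(path, expected_uid=0):
    """List reasons why a profile holding a plaintext password is exposed."""
    st = os.lstat(path)  # lstat: a symlink is reported, not followed
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & 0o077:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} is open to group/other")
    return problems


def build_command(path, gateway):
    """Return (argv, stdin_bytes); the password is kept out of argv."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case as written
    with open(path, encoding="utf-8") as fh:
        cfg.read_file(fh)
    vpn = cfg["vpn"]
    argv = ["openconnect", "--non-inter", "--passwd-on-stdin",
            f"--user={vpn['username']}"]
    for entry in vpn.get("form", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, _value = entry.partition("=")
        if not sep or ":" not in name:  # expected shape: FORM:OPTION=VALUE
            raise ValueError(f"malformed form entry: {entry!r}")
        argv.append(f"--form-entry={entry}")
    argv.append(gateway)  # gateway is passed in: an assumption of this example
    return argv, cfg["vpn-secrets"]["password"].encode() + b"\n"
```

The returned bytes are meant for the child's stdin, for instance subprocess.run(argv, input=stdin_bytes), so the password does not show up in the process list.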
We need to fix logging and read the full configuration (support every option of the original openconnect binary). Also, logging requires some effort to make it behave exactly as in the original implementation.
There are plenty of amazing tools for monitoring, discovery, introspection, and communication from scratch.
busctl --system capture > dbus-traffic.pcap
Then one should use wireshark to open and analyze the dump.
There are some issues with access to the secrets agent from a process run with root privileges. It requires some research to figure out a solution, if it is actually an issue. Also, we need to drop privileges properly in the plugin.