SSL VPN OpenConnect
2018-10-14 07:58:05 阿炯

OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN (which is now known as Pulse Connect Secure), and to the Palo Alto Networks GlobalProtect SSL VPN.


OpenConnect is in effect an unofficial counterpart of AnyConnect and is compatible with Cisco AnyConnect. It is open source, easy to obtain and reliable. The official Cisco AnyConnect, by contrast, is cumbersome to configure: to support several platforms, a client for each platform has to be deployed through the management interface. OpenConnect has the advantage here and can stand in for the official client when that client cannot be used across platforms.

OpenConnect is released under the GNU Lesser Public License, version 2.1.

An OpenConnect VPN session is built on two connections (channels) that the server and client establish and keep alive over TCP, HTTP and TLS: a control channel and a backup data channel. Once these are up, a UDP channel using DTLS is started and serves as the primary data channel. If the UDP channel cannot be established or becomes temporarily unavailable, the backup channel over TCP/TLS is used instead.

An OpenConnect VPN is dialed and authenticated with either the AnyConnect client or the OpenConnect client. After successful authentication the server hands the client an internal IPv4 address and an IPv6 address (if the end device supports IPv6) together with a list of reachable routes, giving it access to the internal network. ocserv, short for OpenConnect VPN Server, is a server for the OpenConnect SSL protocol; since version 0.3.0 it is compatible with endpoints that speak the AnyConnect SSL protocol, so Cisco's AnyConnect can be used as the client. AnyConnect is Cisco's secure remote-access solution and was previously supported only by Cisco devices. By setting up the routing table on the server side, domestic and foreign traffic can be separated automatically.

Like vpnc, OpenConnect is not officially supported by, or associated in any way with, Cisco Systems, Juniper Networks, Pulse Secure, or Palo Alto Networks. It just happens to interoperate with their equipment. As of 2013, the OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus offers a full client-server VPN solution.

Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies:

Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.

Lack of support for Linux platforms other than i386.

Lack of integration with NetworkManager on the Linux desktop.

Lack of proper (RPM/DEB) packaging for Linux distributions.

"Stealth" use of libraries with dlopen(), even using the development-only symlinks such as libz.so — making it hard to properly discover the dependencies which proper packaging would have expressed.

Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.

Unable to run as an unprivileged user, which would have reduced the severity of the above bug.

Inability to audit the source code for further such "Security 101" bugs.

The Juniper and GlobalProtect protocols have a very similar structure to the AnyConnect protocol: they authenticate and configure routing over TLS, except that they use ESP for efficient, encrypted transport of tunneled traffic (instead of DTLS), but they too can fall back to TLS-based transport.

OpenConnect is written primarily in C, and it contains much of the infrastructure necessary to add additional VPN protocols operating in a similar flow, and to connect to them via a common user interface:

Initial connection to the VPN server via TLS

Authentication phase via HTTPS (using HTML forms, client certificates, XML, etc.)

Server-provided routing configuration in a standard format that can be processed by a vpnc-script

Data transport phase via a UDP-based tunnel (DTLS or ESP), with fallback to a TLS-based tunnel

Built-in event loop to handle Dead Peer Detection, keepalive, rekeying, etc.


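As an added example (not OpenConnect's own vpnc-script), a minimal POSIX sh handler showing how the server-provided routing configuration from the steps above reaches the client: openconnect runs the configured script with reason=connect and exports the pushed split-include routes as CISCO_SPLIT_INC_* environment variables. The script prints the resulting ip route commands for review rather than executing them; the MAX_ROUTES limit and the sample values are constructed assumptions, not OpenConnect settings.

```shell
#!/bin/sh
# Added example, not OpenConnect's own vpnc-script. openconnect runs the
# configured script with reason=connect and exports the routes pushed by the
# server as CISCO_SPLIT_INC (count) and CISCO_SPLIT_INC_<i>_ADDR/_MASKLEN.
# This handler prints the resulting "ip route" commands for review instead of
# executing them, and refuses an implausibly long pushed route list.

MAX_ROUTES=${MAX_ROUTES:-64}   # assumed sanity limit, not an OpenConnect setting

# build_routes: one "ip route add" line per pushed split-include prefix.
# With no split-include routes at all, everything goes through the tunnel.
build_routes() {
    dev=${TUNDEV:?TUNDEV not set}
    n=${CISCO_SPLIT_INC:-0}
    if [ "$n" -gt "$MAX_ROUTES" ]; then
        echo "refusing $n pushed routes (limit $MAX_ROUTES)" >&2
        return 1
    fi
    if [ "$n" -eq 0 ]; then
        echo "ip route add default dev $dev"
        return 0
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        addr=$(eval echo "\$CISCO_SPLIT_INC_${i}_ADDR")
        len=$(eval echo "\$CISCO_SPLIT_INC_${i}_MASKLEN")
        if [ -z "$addr" ] || [ -z "$len" ]; then
            echo "malformed split route $i" >&2
            return 1
        fi
        echo "ip route add $addr/$len dev $dev"
        i=$((i + 1))
    done
}

# Constructed sample environment, shaped like what openconnect exports:
TUNDEV=tun0
INTERNAL_IP4_ADDRESS=10.8.0.5
CISCO_SPLIT_INC=2
CISCO_SPLIT_INC_0_ADDR=10.0.0.0
CISCO_SPLIT_INC_0_MASKLEN=8
CISCO_SPLIT_INC_1_ADDR=192.168.10.0
CISCO_SPLIT_INC_1_MASKLEN=24

case "${reason:-connect}" in
    connect) build_routes ;;
    disconnect) echo "ip link set $TUNDEV down" ;;
esac
```

Reviewing the emitted commands before applying them is the point: a misconfigured or hostile server can push a default route or overlapping prefixes, and this script is the place where the client decides what to accept.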

Features

Connection through HTTP proxy, including libproxy support for automatic proxy configuration.

Connection through SOCKS5 proxy.

Automatic detection of IPv4 and IPv6 address, routes.

Authentication via HTTP forms.

Authentication using SSL certificates — from local file, Trusted Platform Module and PKCS#11 smartcards.

Authentication using SecurID software tokens (when built with libstoken)

Authentication using OATH TOTP or HOTP software tokens.

Authentication using Yubikey OATH tokens (when built with libpcsclite).

UserGroup support for selecting between multiple configurations on a single VPN server.

Data transport over TCP (HTTPS) or UDP (DTLS or ESP).

Keepalive and Dead Peer Detection on both HTTPS and DTLS.

Automatic update of VPN server list / configuration.

Roaming support, allowing reconnection when the local IP address changes.

Run without root privileges.

Support for "Cisco Secure Desktop", Juniper TNCC, and "GlobalProtect HIP report".

Graphical connection tools for various environments.

OpenConnect is available on Solaris, Linux, OpenBSD, FreeBSD, Mac OS X, and has graphical user interface clients for Windows 2000/XP/Vista/7, GNOME, and KDE. A graphical client for OpenConnect is also available for Android devices, and it has been integrated into router firmware packages such as OpenWrt.

Latest version: 7.08

Project homepage:
OpenConnect

openconnect on github

Chinese-language references:
Sun Yat-sen University: how to use OpenConnect VPN

Routing table for mainland China