Score:1

Can I override which URL openconnect POSTs to?


A while ago, a connection to a VPN broke. The admin says it's because openconnect is sending a POST to the wrong URL. The dump looks something like this:

echo 'MyPassword' | openconnect -b --pid-file=/tmp/openconnect-pid --user="MyUser" --printcookie --dump-http-traffic entry.foo.corp/subGroup
POST https://entry.foo.corp/subGroup
Attempting to connect to server 195.222.249.123:443
Connected to 195.222.249.123:443
SSL negotiation with entry.foo.corp
Connected to HTTPS on entry.foo.corp
> POST /subGroup HTTP/1.1
> Host: entry.foo.corp
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 219
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><group-access>https://entry.foo.corp/subGroup</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 06 Apr 2023 08:56:31 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group>
<config-hash>1679989103949</config-hash>
</opaque>
<auth id="main">
<title>Login</title>
<message>Please enter your username and password.</message>
<banner></banner>
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
</form>
</auth>
</config-auth>
XML POST enabled
Please enter your username and password.
Password:
POST https://entry.foo.corp/
> POST / HTTP/1.1
> Host: entry.foo.corp
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 373
>
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><opaque is-for="sg">
<tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group>
<config-hash>1679989103949</config-hash>
</opaque><auth><username>MyUser</username><password>MyPassword</password></auth></config-auth>
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Thu, 06 Apr 2023 08:56:31 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body http 1.0 (-1)
SSL socket closed uncleanly
Unexpected 404 result from server
Failed to obtain WebVPN cookie

So, in the first request, the POST goes to https://entry.foo.corp/subGroup.

But in the second request, it instead goes to https://entry.foo.corp. That looks wrong, and the admin of that VPN agrees that it's the wrong URL.

So, is there a way I can tell openconnect that it should POST to the same URL both times?

(Better yet: is there a better explanation on why this is suddenly failing?)

David: What version of Ubuntu are you using?
Sören Kuklau: This is Ubuntu Server 22.04.2 LTS and OpenConnect version v8.20-1. (It previously occurred on an older release, so I tried upgrading, to no avail.)
David: Upgrading never fixes an ongoing issue; it just carries it over.
Score:1

The second POST request is not sent to the correct URL. One solution is to create a local reverse proxy that intercepts the request and forwards it to the correct URL.

First, install socat: `sudo apt-get install socat`. Then start the reverse proxy so that it listens on port 8080 and forwards all traffic to entry.foo.corp:443: `socat TCP-LISTEN:8080,fork,reuseaddr TCP:entry.foo.corp:443`.

Then modify your OpenConnect command to use this reverse proxy: `echo 'MyPassword' | openconnect -b --pid-file=/tmp/openconnect-pid --user="MyUser" --printcookie --dump-http-traffic http://localhost:8080/subGroup`

If it still doesn't work, try updating OpenConnect.

Sören Kuklau: Thanks! This got me a few steps closer, but it would have `openconnect` pass the wrong `Host:` header. So I did the same thing with Caddy instead, where I can use `header_up Host entry.foo.corp` to override that. That gives me `<auth id="success">` and `Got CONNECT response: HTTP/1.1 200 OK`, but then `No MTU received. Aborting`. Odd.
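Added example, not code from the thread, from openconnect, socat or Caddy: a small local reverse proxy in Python that does in one place what the socat and Caddy setups above were each doing part of. It accepts plain HTTP on loopback, opens a verified TLS connection to the gateway, rewrites a bare `/` request target to `/subGroup` (the second POST in the dump) and replaces the `Host:` header with the gateway name (the part a TCP-level socat relay cannot do). It assumes the names from the question (`entry.foo.corp:443`, `/subGroup`, `localhost:8080`); `rewrite_request`, `RequestParser` and `handle_client` are this example's own names.

```python
"""Local HTTP -> HTTPS reverse proxy that fixes the request target and Host
header before forwarding to the VPN gateway.

Example code for this thread, not part of openconnect, socat or Caddy.
Assumptions (taken from the question): gateway entry.foo.corp:443, the path
that should be used is /subGroup, openconnect is pointed at
http://localhost:8080/subGroup as in the answer above.
"""
import re
import select
import socket
import ssl
import threading

UPSTREAM_HOST = "entry.foo.corp"   # assumption: the gateway from the question
UPSTREAM_PORT = 443
FORCED_PATH = "/subGroup"          # assumption: the group path that should be used
LISTEN = ("127.0.0.1", 8080)       # loopback only: the auth-reply crosses this hop in clear

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/1\.[01])\r\n")


def rewrite_request(raw):
    """Rewrite the head of one HTTP/1.x request; the body is kept byte-for-byte.

    A bare "/" target (what openconnect falls back to for the second POST in
    the dump) becomes FORCED_PATH; any other target is left alone. The Host
    header is replaced because the client sends "Host: localhost:8080" and
    the gateway routes on it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    m = REQUEST_LINE.match(head + b"\r\n")
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    method, target, version = m.groups()
    if target == b"/":
        target = FORCED_PATH.encode()
    lines = [method + b" " + target + b" " + version]
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            line = b"Host: " + UPSTREAM_HOST.encode()
        lines.append(line)
    return b"\r\n".join(lines) + sep + body


class RequestParser:
    """Incremental splitter for HTTP/1.x requests on one client connection.

    openconnect keeps the connection alive between the init POST and the
    auth-reply POST, so the second request arrives on the same socket and
    must be found and rewritten too. Bodies are delimited by Content-Length
    (what openconnect sends); chunked request bodies are not handled.
    """
    def __init__(self):
        self.buf = b""

    def feed(self, data):
        """Append data and return every complete request now available."""
        self.buf += data
        out = []
        while True:
            head, sep, rest = self.buf.partition(b"\r\n\r\n")
            if not sep:
                break                      # headers not complete yet
            m = re.search(rb"\r\ncontent-length:[ \t]*(\d+)", head, re.IGNORECASE)
            need = int(m.group(1)) if m else 0
            if len(rest) < need:
                break                      # body not complete yet
            out.append(head + sep + rest[:need])
            self.buf = rest[need:]
        return out


def handle_client(client):
    """Relay one client connection to the gateway, rewriting each request."""
    ctx = ssl.create_default_context()     # verifies the gateway's chain and hostname
    upstream = ctx.wrap_socket(socket.create_connection((UPSTREAM_HOST, UPSTREAM_PORT)),
                               server_hostname=UPSTREAM_HOST)
    parser = RequestParser()
    with upstream:
        while True:
            readable, _, _ = select.select([client, upstream], [], [])
            if upstream in readable:
                data = upstream.recv(65536)
                if not data:
                    return                 # gateway closed (e.g. "Connection: Close")
                client.sendall(data)
                while upstream.pending():  # decrypted bytes select() cannot see
                    client.sendall(upstream.recv(65536))
            if client in readable:
                data = client.recv(65536)
                if not data:
                    return
                for req in parser.feed(data):
                    upstream.sendall(rewrite_request(req))


def _serve_one(client):
    with client:
        handle_client(client)


def serve():
    with socket.create_server(LISTEN) as srv:
        print(f"listening on {LISTEN[0]}:{LISTEN[1]} -> https://{UPSTREAM_HOST}:{UPSTREAM_PORT}")
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(client,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it, then start openconnect against `http://localhost:8080/subGroup` exactly as in the answer. Two points matter for anyone keeping this around: it binds to 127.0.0.1 only, because the auth-reply carrying the password travels unencrypted between openconnect and the proxy; and `ssl.create_default_context()` keeps full certificate and hostname verification towards the gateway, so the proxy does not weaken what openconnect would otherwise check. It is a workaround for the wrong second POST, not an answer to why the gateway's behaviour changed.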