[APP][4.0+][v1.11 - 20150221] OpenConnect - SSL VPN client for Cisco AnyConnect


petelking

Member
Apr 11, 2012
29
4
Code:
busybox ifconfig tun0 mtu 1200

Many thanks for getting back to me, Anyconnect MTU is 1405 while openconnect MTU is 1406
Changing the MTU to 1200 solved this, but changing it to 1405 also solved it, so I'd like to thank you for your efforts :good:
Any way to make this change permanent?

Code:
busybox ifconfig tun0 mtu 1405

Cheers!
 

cernekee

Senior Member
Jun 2, 2013
186
427
Many thanks for getting back to me, Anyconnect MTU is 1405 while openconnect MTU is 1406

Hmm, that's odd. I wonder how it is being calculated. Normally we just get a number from the server and use it as-is. When I connect to a local ASA with either client, I get 1406.

Can you send the MTU info for the other interfaces under both clients?
 

petelking

Member
Apr 11, 2012
29
4
Sent Via Email

After further testing, setting MTU to 1200 as you suggested works a lot better than 1405 with a lot less time-outs and retransmits.

Thanks.
 

GT3XX

New member
Jul 8, 2014
4
0
(Tasker) intent to start vpn connection

Hi all,

I just switched from Apple to Android and like it already! ;)
Though, I can't figure out what the intent is to add to Tasker to start the VPN connection. I read the GitHub page, which said something about the intent, but I can't translate it to Tasker format. Can someone put me in the right direction?

Code:
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

public class StartOpenVPNActivity extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        // Intent extra that ics-openvpn's LaunchVPN activity reads to pick the profile
        final String EXTRA_NAME = "de.blinkt.openvpn.shortcutProfileName";

        // Explicitly target the LaunchVPN activity of the ics-openvpn package
        Intent shortcutIntent = new Intent(Intent.ACTION_MAIN);
        shortcutIntent.setClassName("de.blinkt.openvpn", "de.blinkt.openvpn.LaunchVPN");
        shortcutIntent.putExtra(EXTRA_NAME, "upb ssl");
        startActivity(shortcutIntent);
    }
}

or from the shell:

am start -a android.intent.action.MAIN -n de.blinkt.openvpn/.LaunchVPN -e de.blinkt.openvpn.shortcutProfileName Home
 

cernekee

Senior Member
Jun 2, 2013
186
427
Though, I can't figure out what the intent is to add to Tasker to start the VPN connection. I read the GitHub page, which said something about the intent, but I can't translate it to Tasker format.

This feature was in the original ics-openvpn sources, but it isn't currently working in OpenConnect.

I can look into getting it fixed up if you're interested in using it. Are you starting/stopping the VPN connection based on e.g. location, hours, etc.?
 

GT3XX

New member
Jul 8, 2014
4
0
This feature was in the original ics-openvpn sources, but it isn't currently working in OpenConnect.

I can look into getting it fixed up if you're interested in using it. Are you starting/stopping the VPN connection based on e.g. location, hours, etc.?

Aff, sorry. It's getting kinda late here. It would be great if I can start the VPN connection when the phone is connected to specific WIFI APs.
 

GT3XX

New member
Jul 8, 2014
4
0
Don't want to hesitate you, but I'm still interested. Do you have any updates? Thanks!
 

cernekee

Senior Member
Jun 2, 2013
186
427
Don't want to hesitate you, but I'm still interested. Do you have any updates? Thanks!

I haven't coded anything up yet but I gave it some thought.

First - I think SmoothConnect does some sort of blacklist/whitelist based on wifi SSIDs, so that might be something to check out.

Disconnecting in response to another app's intent is easy. Connecting is often interactive, so I think it might work best if the following conditions are satisfied:

  • VpnService confirmation dialog is bypassed. Arne Schwab made an Xposed module for this. I was thinking I might integrate a cut-down version of this feature into OpenConnect directly, so that if you install OpenConnect you'll automatically get an option in the Xposed Installer to always allow VPN connections from OpenConnect. Hopefully this doesn't have any ill effects if Xposed is not installed.
  • You would probably want to use batch mode (or a passwordless cert) so that OpenConnect doesn't bug you for group/login/password on every connection. Does this currently work for you?
 

GT3XX

New member
Jul 8, 2014
4
0

I haven't coded anything up yet but I gave it some thought.

First - I think SmoothConnect does some sort of blacklist/whitelist based on wifi SSIDs, so that might be something to check out.

Disconnecting in response to another app's intent is easy. Connecting is often interactive, so I think it might work best if the following conditions are satisfied:

  • VpnService confirmation dialog is bypassed. Arne Schwab made an Xposed module for this. I was thinking I might integrate a cut-down version of this feature into OpenConnect directly, so that if you install OpenConnect you'll automatically get an option in the Xposed Installer to always allow VPN connections from OpenConnect. Hopefully this doesn't have any ill effects if Xposed is not installed.
  • You would probably want to use batch mode (or a passwordless cert) so that OpenConnect doesn't bug you for group/login/password on every connection. Does this currently work for you?

Thanks for your quick reply. I own an ASA for home use so I'm able to set it up as needed.
At this moment, I have two AnyConnect profiles:

  • Cert based - To use an encrypted tunnel when I'm connected to public APs so it would be hard to intercept traffic.
  • AAA + 2 factor authentication - To access my LAN.
I'd like to connect to my cert based profile when I'm not locally connected to my LAN nor 4G. I tried to set up SmoothConnect but it keeps bugging me with certificate warnings (your OpenConnect and the official AnyConnect apps work perfectly though).
If it ain't much work, the most ideal situation would be to manage the connection by Tasker and be able to see the status of the connection by Tasker variables.
 

Ray-Out

Member
Apr 20, 2012
8
2
I found a problem with the current version:

Since commit 4d4c10, certificate files in the cache folder that get used by the lib are no longer updated with the ones for the connection.

Seems path never gets changed as only srcPath is assigned.
 

cernekee

Senior Member
Jun 2, 2013
186
427
I found a problem with the current version:

Since commit 4d4c10, certificate files in the cache folder that get used by the lib are no longer updated with the ones for the connection.

Seems path never gets changed as only srcPath is assigned.

Oops, looks like I forgot to return srcPath for the !isExecutable case (no temp file). Thanks for catching that.

I'll make a v1.02 with the fix.
 

wilhexm

Member
Aug 23, 2012
26
21
Hello
I connected to a Cisco ASA server with a P12 file certificate. But I can't select the user group, while I can choose it in the AnyConnect app.
Need help, thank you.
 

hatoxda

Member
Oct 10, 2015
15
2
When the mtu is less than 1280, the ipv6 should be disabled

Hi, thanks for this great app. But I got a problem regarding MTU setting:
Because the lame HUAWEI phone has an MTU of 1400 for both the wireless and mobile data interfaces, the resulting MTU is 1269, and the app falls back to 1280; I think that's for IPv6? In this case, I think IPv6 should be disabled instead of falling back. I believe recent versions of ocserv do this. I also filed an issue on GitHub. Could you please have a look at this?

Thanks.
 

batvan

Senior Member
Jan 16, 2007
117
4
Toronto
Split Tunnelling

Hello

Can someone help me set up split tunnelling? I want to be able to access my local home printer while on my work VPN.

I tried using both options and inputted my home subnet:

192.168.0.0/24

Doesn't seem to be working.
 

lyrelai

Member
Jun 28, 2009
41
3
The split tunnel is specified to include the ip address range you want Openconnect to route to on your Work VPN side. Any other ip address that is not in this range will be routed through your normal local network route. So, put your work VPN internal ip address range in that split tunnel range, then everything else will not be routed through VPN.

Lyre
 
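The include-range semantics described in the reply above, as an added example that is not part of the thread or of the OpenConnect app: a small POSIX shell check that takes a destination address plus the split-include CIDR list and reports whether that destination would be sent into the tunnel or left on the local network. The CIDR matching, the office ranges (10.0.0.0/8, 172.16.0.0/12) and the sample addresses are constructed for illustration; the last call reproduces what happens when the home subnet 192.168.0.0/24 is put into the include list instead of the work ranges.

```shell
# Added example: decide whether a destination goes through the VPN or stays
# local under an "include" split-tunnel list. Not code from the OpenConnect
# app; the ranges and addresses below are constructed for illustration.

ip_to_int() {
    # Convert a dotted-quad IPv4 address to a 32-bit integer
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # Return 0 if address $1 lies inside network $2 (written as a.b.c.d/prefix)
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    # A /0 matches everything; handle it here so we never shift by 32 bits
    if [ "$prefix" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

route_for() {
    # $1 = destination, remaining args = split-include CIDRs.
    # Prints "vpn" when the destination matches an included range, else "local".
    # With no include list at all the session is a full tunnel: everything is "vpn".
    dst=$1
    shift
    if [ $# -eq 0 ]; then echo vpn; return 0; fi
    for cidr in "$@"; do
        if in_cidr "$dst" "$cidr"; then
            echo vpn
            return 0
        fi
    done
    echo local
}

# Work VPN: include only the office ranges (constructed), everything else stays local
WORK_INCLUDES="10.0.0.0/8 172.16.0.0/12"

# The home printer stays reachable on the LAN because 192.168.0.x is not included
echo "printer 192.168.0.50      -> $(route_for 192.168.0.50 $WORK_INCLUDES)"
echo "file server 10.20.30.40   -> $(route_for 10.20.30.40 $WORK_INCLUDES)"
# Listing the home subnet instead pushes the printer traffic into the tunnel
echo "printer, home subnet included -> $(route_for 192.168.0.50 192.168.0.0/24)"
```

The include list should therefore name the work-side networks, not the home subnet; a quick way to sanity-check a profile is to run the intended LAN addresses through a check like this before committing the routes.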

Quirken

Member
Feb 16, 2012
11
1
Seems like the TOTP token isn't working for me.

I set the software token to TOTP and entered my token string, and when I connect it still asks me for my 2-step passcode. It isn't prefilled with anything.

The log tab mentions

CALLBACK: onProcessAuthForm
AUTH: message 'somestringblahblah'
AUTH form result is 1

Running Android 6 if relevant, AOSP stock. Typing in the code manually succeeds with connection.
 

Top Liked Posts

    Highlights

    • 100% open source (GPLv2+)
    • No ads
    • One-click connection (batch mode)
    • Supports RSA SecurID and TOTP software tokens
    • Keepalive feature to prevent unnecessary disconnections
    • Compatible with ARMv7, x86, and MIPS devices
    • No root required
    • Based on the popular OpenConnect Linux package

    Requirements

    • Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
    • An account on a suitable VPN server

    Downloads

    (note that the F-Droid binaries are signed by a different key than the official releases)

    Changelog

    Code:
    v1.11 - 2015/02/21
    
     - Fix "Unknown compression type 0" errors when CSTP and DTLS use
       different compression settings

    Older changelogs:


    Code:
    v1.10 - 2015/02/08
    
     - Fix CSD script problem on Lollipop (bug #1)
    
     - Fix IPv6 address display on status window (bug #2)
    
     - Enable LZ4 compression support
    
     - Identify as a mobile client when Android or iOS is selected
    
     - Update to OpenConnect v7.04+, GnuTLS 3.2.21
    
    v1.02 - 2014/09/02
    
     - Fix regression on certificate handling
    
    v1.01 - 2014/08/29
    
     - Add Spanish translations (thanks to teosoft)
    
     - Fix regression on CSD scripts starting with "#!/bin/sh"
    
     - Improve error messages on broken ROMs that throw exceptions when
       starting a VpnService
    
     - Fix intermittent fragment-related crashes on ICS
    
    v1.00 - 2014/08/10
    
     - Fix problems storing >8kB certificates on some ROMs
    
     - Clean up seldom-used menu items and move some options into General Settings
       or About
    
     - Integrate Xposed module for bypassing the VPN confirmation dialog
    
     - Switch to ACRA for problem reporting
    
    v0.96 - 2014/07/06
    
     - Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
       https://code.google.com/p/android/issues/detail?id=70916
    
     - Fix navigation anomalies (weird Back button behavior) seen after
       re-entering OpenConnect from one of the Notifications
    
    v0.95 - 2014/06/14
    
     - Show the auth dialog <message> text in case it contains useful information
    
     - Add German translations (thanks to Ingo Zansinger <ingo@zansinger.de>)
    
     - Add Chinese translations
    
     - Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy
    
     - Clean up a bunch of lint warnings and unused strings/files
    
     - Try to generate a human-readable profile name when adding a new VPN
    
    v0.91 - 2014/06/01
    
     - Fix bugs involving saved authgroups
    
     - Fix batch mode error handling
    
     - Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466
    
    v0.9 - 2014/04/26
    
     - Add new "Send feedback" screen
    
     - Add new "SecurID info" screen for RSA soft token users
    
     - Allow changing settings and using other menu options (about, SecurID,
       send feedback, etc.) while connected
    
     - Update FAQ and provide some links to relevant XDA posts
    
    v0.81 - 2014/04/06
    
     - Fix potential issue recognizing certificates stored in VPN profiles
       created with <= v0.7
    
    v0.8 - 2014/04/02
    
     - Fix hangs after reconnect if DTLS is disabled
    
     - Fix incorrect storage of PKCS#12 certificates
    
     - Remove unnecessary passphrase prompts on unencrypted certificates
    
     - Add a workaround for ASA certificate request quirks
    
     - Fix FC when attempting to import an OpenVPN profile
    
    v0.7 - 2014/03/08
    
     - Update GnuTLS to address CVE-2014-0092
    
     - Fix FC and other misbehavior on IPv6 connections
    
     - Update to libopenconnect 5.99+
    
     - Fix/delete several broken translations
    
     - Minor improvements to the auth form UI
    
     - Switch curl from OpenSSL to GnuTLS and remove advertising clauses
    
    v0.6 - 2014/02/09
    
     - First release in Google Play Store
    
     - Change to new "big O" launcher icon
    
     - Avoid displaying error alerts if the user terminated the connection
    
     - Try to make the libopenconnect build process more robust, and strip *.so
       files to conserve space
    
    v0.5 - 2014/02/01
    
     - Fix "living dead" connections (can't pass data after reconnection due to
       DTLS parameter mismatches)
    
     - Add FAQ tab in response to user feedback
    
     - Move log window into a tab
    
     - Reorganize action bar so that the most important items (Status/Log/FAQ)
       are tabs, and less important items (Settings/About) are in the menu
    
     - Fix KeepAlive socket errors on KitKat devices
    
     - Other UI and documentation fixes
    
     - Add split tunnel configuration options
    
     - Improve icons
    
    v0.2 - 2014/01/18
    
     - Allow SecurID token import via URI or text file
    
     - Newly reworked "status" tab with uptime, error alerts, IP addresses,
       etc.
    
     - Fix a couple of bugs involving screen rotation / activity redraw on
       the log window
    
     - Prompt for hostname instead of profile name when adding a new VPN, to
       help avoid "empty hostname" mistakes
    
     - Numerous other UI improvements and fixes
    
     - Remove "reconnect on boot" until it works properly
    
     - Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"

    FAQ

    Q: What is this app used for?

    A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.

    If in doubt, check with your I.T. administrator to see if a suitable service is available.


    Q: How do I get started?

    A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.

    Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.


    Q: How do I authenticate using an SSL client certificate?

    A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:

    P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.

    Single PEM/CRT/CER file: same as above.

    Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.

    When finished, delete the certificate files from external storage so they cannot be stolen by other apps.

    If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.


    Q: Will OpenConnect work with non-AnyConnect VPNs?

    A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.


    Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?

    A: OpenConnect supports SSL VPN (CSTP + DTLS) only.


    Q: How do I import a SecurID software token?

A: If you have a URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string then write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.

    If you have an "sdtid" XML file, copy it to /sdcard and then import it.


    Q: Is it possible to skip all login prompts when connecting?

    A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.

    The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.

    Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.


    Q: How do I improve battery life while the VPN is up?

    A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.

    Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.


    Q: How do I use OpenConnect with AFWall+?

    A: There are a few caveats to keep in mind when using an Android firewall with VPN:

    * If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
    * Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.


    Q: Are any apps incompatible with VPN?

    A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.


    Q: Under what circumstances will OpenConnect request root?

    A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.

    Based on user feedback and testing, future releases may autodetect these conditions.


    Q: How do I send a problem report?

    A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.


    TODO

    • Translations - I will set up the necessary infrastructure if there are volunteers
    • Compatibility testing
    • Add x509 certificate parsing/validation in the profile editor
    • Enable Android keystore support
    • Proxy support
    • Split tunnel DNS?

    MISC

    Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link

    XDA:DevDB Information
    OpenConnect, App for the Android General

    Contributors
    cernekee
    Source Code: https://github.com/cernekee/ics-openconnect


    Version Information
    Status: Testing

    Created 2014-01-18
    Last Updated 2015-02-21
    Hi all,
    I've extended OpenConnect for Android to support the Juniper and PAN GlobalProtect protocols, which are both supported in openconnect 8.0+. (Full disclosure: I am the primary author of the upstream GlobalProtect support.)

    The changes needed to support multiple protocols are actually quite minor (https://github.com/cernekee/ics-openconnect/pull/34) now that openconnect has an API for figuring out the supported protocols.


Is there any update for Android 10?
    Well, someone made their own copy of Openconnect with Android 10 changes and published it in Play Store:
    https://play.google.com/store/apps/details?id=com.github.digitalsoftwaresolutions.openconnect
    here is the output after some bad sites access

    Hmm, on my KitKat device I have an st_mangle_POSTROUTING chain which does the TCPMSS clamping:

    Code:
    Chain st_mangle_POSTROUTING (1 references)
        pkts      bytes target     prot opt in     out     source               destination         
           0        0 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU

    I did not see this in your output. Maybe Samsung is using an outdated version of netd.

    Try running this command as root after bringing up the VPN and see if you are able to pass traffic with the bad sites:

    Code:
    iptables -t mangle -A POSTROUTING -p tcp -o tun0 --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    If not, post the new "iptables -t mangle -nxvL" output so we can look at the traffic counters.

    Also can you attach your /system/bin/netd binary?

    Thanks.
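The MSS clamp described in the post above, as an added example that is not part of the thread, of OpenConnect or of netd: a POSIX shell check that parses the text of "iptables -t mangle -nxvL" for a TCPMSS rule whose out interface is the tunnel and that clamps to PMTU, so the rule from the post is only appended when it is actually missing rather than duplicated on every reconnect. The two sample outputs are constructed (the first mirrors the st_mangle_POSTROUTING chain shown above, the second a chain with no clamp); the function names and the tun1 case are my own.

```shell
# Added example: detect whether the mangle table already clamps TCP MSS on the
# tunnel interface before adding the rule. Not code from OpenConnect or netd;
# SAMPLE_* are constructed outputs of "iptables -t mangle -nxvL".

SAMPLE_WITH_CLAMP='Chain st_mangle_POSTROUTING (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 TCPMSS     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU'

SAMPLE_WITHOUT_CLAMP='Chain POSTROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

has_mss_clamp() {
    # $1 = text of "iptables -t mangle -nxvL", $2 = tunnel interface (default tun0).
    # Succeeds when some rule line has target TCPMSS, out interface $2 and
    # the "clamp to PMTU" option. Field layout of a -nxvL rule line:
    #   pkts bytes target prot opt in out source destination [options...]
    printf '%s\n' "$1" | awk -v iface="${2:-tun0}" '
        $3 == "TCPMSS" && $7 == iface && /clamp to PMTU/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

ensure_mss_clamp() {
    # For real use on a rooted device: add the clamp rule only when it is missing.
    iface=${1:-tun0}
    current=$(iptables -t mangle -nxvL 2>/dev/null) || {
        echo "cannot read the mangle table (is this shell root?)" >&2
        return 2
    }
    if has_mss_clamp "$current" "$iface"; then
        echo "MSS clamp already present for $iface"
        return 0
    fi
    iptables -t mangle -A POSTROUTING -p tcp -o "$iface" \
        --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Offline demonstration on the constructed samples (no iptables call)
if has_mss_clamp "$SAMPLE_WITH_CLAMP"; then
    echo "sample 1: clamp present on tun0"
fi
if ! has_mss_clamp "$SAMPLE_WITHOUT_CLAMP"; then
    echo "sample 2: no clamp, the rule would be added"
fi
```

After bringing up the VPN, "ensure_mss_clamp tun0" from a root shell reproduces the manual step in the post; re-running it is safe because the detection runs first. Comparing the pkts/bytes counters on the TCPMSS line before and after loading one of the problem sites shows whether SYN packets are actually hitting the rule.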
    I got it. first I rooted my note3 then I followed the instruction in the video and here it is, I hope it's what you asked me for. waiting for your diagnosis, fingers crossed