[APP][4.0+][v1.11 - 20150221] OpenConnect - SSL VPN client for Cisco AnyConnect

By cernekee, Senior Member on 18th January 2014, 10:15 PM
Highlights

Quote:

  • 100% open source (GPLv2+)
  • No ads
  • One-click connection (batch mode)
  • Supports RSA SecurID and TOTP software tokens
  • Keepalive feature to prevent unnecessary disconnections
  • Compatible with ARMv7, x86, and MIPS devices
  • No root required
  • Based on the popular OpenConnect Linux package

Requirements

Quote:

  • Android 4.0 (ICS) or higher (with working VpnService + tun infrastructure)
  • An account on a suitable VPN server

Downloads

(note that the F-Droid binaries are signed by a different key than the official releases)

Changelog

Quote:

Code:
v1.11 - 2015/02/21

 - Fix "Unknown compression type 0" errors when CSTP and DTLS use
   different compression settings
Older changelogs:

Code:
v1.10 - 2015/02/08

 - Fix CSD script problem on Lollipop (bug #1)

 - Fix IPv6 address display on status window (bug #2)

 - Enable LZ4 compression support

 - Identify as a mobile client when Android or iOS is selected

 - Update to OpenConnect v7.04+, GnuTLS 3.2.21

v1.02 - 2014/09/02

 - Fix regression on certificate handling

v1.01 - 2014/08/29

 - Add Spanish translations (thanks to teosoft)

 - Fix regression on CSD scripts starting with "#!/bin/sh"

 - Improve error messages on broken ROMs that throw exceptions when
   starting a VpnService

 - Fix intermittent fragment-related crashes on ICS

v1.00 - 2014/08/10

 - Fix problems storing >8kB certificates on some ROMs

 - Clean up seldom-used menu items and move some options into General Settings
   or About

 - Integrate Xposed module for bypassing the VPN confirmation dialog

 - Switch to ACRA for problem reporting

v0.96 - 2014/07/06

 - Force a minimum MTU of 1280 on KK due to bugs in 4.4.3 and 4.4.4 ROMs:
   https://code.google.com/p/android/issues/detail?id=70916

 - Fix navigation anomalies (weird Back button behavior) seen after
   re-entering OpenConnect from one of the Notifications

v0.95 - 2014/06/14

 - Show the auth dialog <message> text in case it contains useful information

 - Add German translations (thanks to Ingo Zansinger <ingo@zansinger.de>)

 - Add Chinese translations

 - Add Advanced options for changing Dead Peer Detection timeout and enabling Perfect Forward Secrecy

 - Clean up a bunch of lint warnings and unused strings/files

 - Try to generate a human-readable profile name when adding a new VPN

v0.91 - 2014/06/01

 - Fix bugs involving saved authgroups

 - Fix batch mode error handling

 - Update to GnuTLS 3.2.15 to fix GNUTLS-SA-2014-3 / CVE-2014-3466

v0.9 - 2014/04/26

 - Add new "Send feedback" screen

 - Add new "SecurID info" screen for RSA soft token users

 - Allow changing settings and using other menu options (about, SecurID,
   send feedback, etc.) while connected

 - Update FAQ and provide some links to relevant XDA posts

v0.81 - 2014/04/06

 - Fix potential issue recognizing certificates stored in VPN profiles
   created with <= v0.7

v0.8 - 2014/04/02

 - Fix hangs after reconnect if DTLS is disabled

 - Fix incorrect storage of PKCS#12 certificates

 - Remove unnecessary passphrase prompts on unencrypted certificates

 - Add a workaround for ASA certificate request quirks

 - Fix FC when attempting to import an OpenVPN profile

v0.7 - 2014/03/08

 - Update GnuTLS to address CVE-2014-0092

 - Fix FC and other misbehavior on IPv6 connections

 - Update to libopenconnect 5.99+

 - Fix/delete several broken translations

 - Minor improvements to the auth form UI

 - Switch curl from OpenSSL to GnuTLS and remove advertising clauses

v0.6 - 2014/02/09

 - First release in Google Play Store

 - Change to new "big O" launcher icon

 - Avoid displaying error alerts if the user terminated the connection

 - Try to make the libopenconnect build process more robust, and strip *.so
   files to conserve space

v0.5 - 2014/02/01

 - Fix "living dead" connections (can't pass data after reconnection due to
   DTLS parameter mismatches)

 - Add FAQ tab in response to user feedback

 - Move log window into a tab

 - Reorganize action bar so that the most important items (Status/Log/FAQ)
   are tabs, and less important items (Settings/About) are in the menu

 - Fix KeepAlive socket errors on KitKat devices

 - Other UI and documentation fixes

 - Add split tunnel configuration options

 - Improve icons

v0.2 - 2014/01/18

 - Allow SecurID token import via URI or text file

 - Newly reworked "status" tab with uptime, error alerts, IP addresses,
   etc.

 - Fix a couple of bugs involving screen rotation / activity redraw on
   the log window

 - Prompt for hostname instead of profile name when adding a new VPN, to
   help avoid "empty hostname" mistakes

 - Numerous other UI improvements and fixes

 - Remove "reconnect on boot" until it works properly

 - Try to accommodate Linux CSD wrapper scripts starting with "#!/bin/bash"

FAQ

Quote:

Q: What is this app used for?

A: OpenConnect is used to access virtual private networks (VPNs) which utilize the Cisco AnyConnect SSL VPN protocol. A typical use case might involve logging into your workplace remotely to check email after hours.

If in doubt, check with your I.T. administrator to see if a suitable service is available.


Q: How do I get started?

A: In most cases, you'll just need to create a profile and enter the hostname of the VPN gateway. The other fields in the profile are all optional and should be left alone unless there is a specific need to change them.

Once you've set up the profile, select the VPN entry and OpenConnect will attempt to establish a new session. If this fails, the "Log" tab may provide helpful diagnostic information.


Q: How do I authenticate using an SSL client certificate?

A: Copy your certificate files to Android's external storage directory (nominally /sdcard or the Downloads folder), then edit the VPN profile and make the following changes:

P12 or PFX file: select "User certificate", pick the file from the list, then touch "select". Leave "Private key" blank.

Single PEM/CRT/CER file: same as above.

Separate PEM/CRT/CER and KEY files: populate "User certificate" with the certificate file, and "Private key" with the key file.

When finished, delete the certificate files from external storage so they cannot be stolen by other apps.

If you are generating your own keys (e.g. for use with your ocserv gateway), some basic CA setup instructions are posted here.


Q: Will OpenConnect work with non-AnyConnect VPNs?

A: Unfortunately the software design is tied very closely to the AnyConnect requirements and the libopenconnect interfaces. Therefore it only works with Cisco AnyConnect and ocserv gateways.


Q: Will OpenConnect work with Cisco IPsec VPNs running on an ASA?

A: OpenConnect supports SSL VPN (CSTP + DTLS) only.


Q: How do I import a SecurID software token?

A: If you have a URL that starts with "com.rsa.securid.iphone://" or "http://127.0.0.1/securid/" in your email, click on it and tell OpenConnect to add it to the desired VPN profile. If you just have a raw token string then write it to a text file, copy it under /sdcard, click "Token string" in the VPN profile editor, then select the filename.

If you have an "sdtid" XML file, copy it to /sdcard and then import it.


Q: Is it possible to skip all login prompts when connecting?

A: If you have saved your username, password, or other credentials, or if you are using SecurID or certificate authentication, you can try enabling "Batch Mode" in the VPN profile to skip the login dialogs. If you need to change your saved password later or have trouble connecting, just disable batch mode.

The VPN warning dialog is a security feature built into the Android OS. It cannot be bypassed by OpenConnect, but if your device is rooted, you can try installing the Xposed Framework and then activating the Auto VPN Dialog Confirm module. Some notes on this are posted here.

Due to the user interaction required by these dialogs, it is not always possible to reliably start up the VPN in the background. So a "start-on-boot" feature is not currently provided.


Q: How do I improve battery life while the VPN is up?

A: One option is to select "Pause when asleep" under Settings. The downside is that VPN access will be temporarily stopped when the screen is off. Also, ASA gateways sometimes get annoyed with constant reconnections and may prematurely terminate your session after a few days.

Another option is to contact your server administrator and request that they disable dead peer detection (DPD), increase the idle timeout to >1hr, and increase the keepalive interval to ~5min or so.


Q: How do I use OpenConnect with AFWall+?

A: There are a few caveats to keep in mind when using an Android firewall with VPN:

* If you run KitKat, use Android 4.4.2 or higher and AFWall 1.2.8 or higher. Android 4.4 and 4.4.1 have a serious TCP MSS bug which causes stalled connections and/or poor performance. AFWall <=1.2.7 does not have the extra logic needed to handle the routing changes in KitKat.
* Always allow traffic from the VPN app on all interfaces. In particular, you should whitelist VPN traffic from OpenConnect, as OpenConnect sends DNS requests over the VPN interface every few minutes to help keep the connection from timing out.


Q: Are any apps incompatible with VPN?

A: Apps which perform their own DNS resolution, such as Firefox, may have issues picking up the latest system DNS settings when connecting to the VPN. This can be a problem if your system DNS servers are not accessible over the VPN's routes, or if you are trying to look up hostnames that do not have public (internet) DNS entries.


Q: Under what circumstances will OpenConnect request root?

A: There are two root-only features shown under Settings; both are disabled by default. One setting works around a ROM bug in CM9 which sets incorrect permissions on /dev/tun, preventing VpnService from passing traffic to the tunnel interface; the other setting loads tun.ko on ROMs that neglect to load it by default.

Based on user feedback and testing, future releases may autodetect these conditions.


Q: How do I send a problem report?

A: Navigate to Log -> (menu) -> Send log file. Please be sure to furnish a complete, accurate description of the issue you are seeing, as the logs do not always show a smoking gun.


TODO

Quote:

  • Translations - I will set up the necessary infrastructure if there are volunteers
  • Compatibility testing
  • Add x509 certificate parsing/validation in the profile editor
  • Enable Android keystore support
  • Proxy support
  • Split tunnel DNS?

MISC

Using OpenConnect + ocserv (on a VPS) to bypass China's Great Firewall (GFW): link

XDA:DevDB Information
OpenConnect, App for the Android General

Contributors
cernekee
Source Code: https://github.com/cernekee/ics-openconnect


Version Information
Status: Testing

Created 2014-01-18
Last Updated 2015-02-21
Attached screenshots: screenshot-0.png, screenshot-1.png, screenshot-2.png, screenshot-3.png, screenshot-4.png
5th April 2014, 04:33 PM |#2  
msm88now, Junior Member
Hello cernekee,
I was using SmoothConnect on my Note 3 and it was working just fine, but now, after I updated my Note 3 to KitKat, it only surfs a couple of things like "Play Store", Google search, and WhatsApp, but all other websites and programs do not!!
Now I tried out this program "OpenConnect" with some hope, but nope, it does the same thing. It only opens Play Store and Google search but no other things.
I wonder what causes this problem, any suggestions please??
6th April 2014, 06:23 PM |#3  
cernekee (OP), Senior Member
Quote:
Originally Posted by msm88now

Hello cernekee,
I was using SmoothConnect on my Note 3 and it was working just fine, but now, after I updated my Note 3 to KitKat, it only surfs a couple of things like "Play Store", Google search, and WhatsApp, but all other websites and programs do not!!
Now I tried out this program "OpenConnect" with some hope, but nope, it does the same thing. It only opens Play Store and Google search but no other things.
I wonder what causes this problem, any suggestions please??

Sometimes an MTU or TCP MSS problem could cause this symptom. What kind of gateway are you connecting to? Are you the administrator?

Older versions of KitKat did have an MSS problem; I think 4.4.1+ is OK: https://code.google.com/p/android/is...etail?id=61948

There are a few other outstanding problems on <= 4.4.2: http://www.androidpolice.com/2014/03...-some-of-them/

Do you see the same problem connecting from other systems, like a Windows PC, or even the Cisco AnyConnect Android app?
7th April 2014, 12:13 AM |#4  
msm88now, Junior Member
Hi cernekee,
I have an openSSL Cisco VPN connection provided by my university; I hooked it up to a D-615 D-Link router through DHCP.
Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide. That's why I'm using SmoothConnect.
Anyways, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my Galaxy S2 (Android 4.1.2).
All work except my Note 3 after I updated it to 4.4.2. I don't know if it's an IPv6 or MTU problem.
I tried to decrease the MTU value in SmoothConnect but with no success, as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)

any suggestions please???
7th April 2014, 12:39 AM |#5  
cernekee (OP), Senior Member
Quote:
Originally Posted by msm88now

Hi cernekee,
I have an openSSL Cisco VPN connection provided by my university; I hooked it up to a D-615 D-Link router through DHCP.
Cisco AnyConnect for Android does not work on our university network because it asks for a certificate which my uni does not provide.

I don't see this university's VPN requesting a certificate (i.e. SSL client cert). It just asks for a group/username/password.

Are you getting an error that says that the gateway is not licensed for mobile, after you enter your password?

Quote:

That's why I'm using SmoothConnect.
Anyways, right now I have a flawless connection on all my devices on my room's wireless, like both my Win7 laptops and my Galaxy S2 (Android 4.1.2).
All work except my Note 3 after I updated it to 4.4.2. I don't know if it's an IPv6 or MTU problem.
I tried to decrease the MTU value in SmoothConnect but with no success, as Cisco stated in: AnyConnect Android 4.4 (KitKat) Compatibility Update (CSCul28340)

any suggestions please???

Can you grab a packet capture when you're seeing the connectivity failures, and email me the result? e.g.

Code:
# On the PC: push the static tcpdump binary (attached below) to the device
adb push tcpdump /data/local/tmp
adb shell
# On the device, as root:
cd /data/local/tmp
su
chmod 755 tcpdump
# Capture on the VPN's tun interface, i.e. the plaintext side of the tunnel;
# stop it with Control-C and pull out.pcap back with "adb pull"
./tcpdump -n -i tun0 -w out.pcap
Attached file: tcpdump.zip (863.8 KB)
7th April 2014, 02:13 AM |#6  
msm88now, Junior Member
Yes, that's right, Cisco AnyConnect asks only for username/password, but when I try to start a connection it ends up with a "no license" error!
That's why I'm using SmoothConnect and now OpenConnect on both my Android phones.

Now for my problem: I didn't get what you mean by connectivity failure, because I'm not getting any connectivity failure messages on my Note 3 after the update to 4.4.2, neither on SmoothConnect nor on OpenConnect. It connects as usual and I can see some traffic packets are being transferred, but I can only surf Google search, YouTube and some other stuff like Play Store and WhatsApp. Whenever I try to surf any other website, like for example BBC News, the browser (Chrome, Opera, Dolphin...) just waits and then ends up with nothing, like there is no internet connection!
Did I explain my problem clearly? Is it an IPv6 problem? I'm really confused and frustrated.
7th April 2014, 03:58 AM |#7  
cernekee (OP), Senior Member
Quote:
Originally Posted by msm88now

Yes, that's right, Cisco AnyConnect asks only for username/password, but when I try to start a connection it ends up with a "no license" error!

OK. This is because the Cisco mobile clients look for an "X-CSTP-License: accept" header from the gateway after authenticating, to see if the operator has paid extra to support the Cisco mobile client. libopenconnect-based clients (including SmoothConnect) do not require this header.

Quote:

Now for my problem: I didn't get what you mean by connectivity failure, because I'm not getting any connectivity failure messages on my Note 3 after the update to 4.4.2, neither on SmoothConnect nor on OpenConnect. It connects as usual and I can see some traffic packets are being transferred, but I can only surf Google search, YouTube and some other stuff like Play Store and WhatsApp. Whenever I try to surf any other website, like for example BBC News, the browser (Chrome, Opera, Dolphin...) just waits and then ends up with nothing, like there is no internet connection!

I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.
7th April 2014, 10:58 PM |#8  
msm88now, Junior Member
Quote:
Originally Posted by cernekee

I can take a look at this to see what is happening. Just start up tcpdump to capture the tun0 traffic (see above instructions), then try visiting the BBC news site and maybe a few other non-working sites. Then hit control-C to interrupt tcpdump, make sure there is some data in the pcap file, and email me the pcap file.

Hi,

I don't know how to run tcpdump on my Note 3, not to mention hitting Control-C on Android. What instructions did you mean?
9th April 2014, 05:57 PM |#9  
cernekee (OP), Senior Member
Quote:
Originally Posted by msm88now

I don't know how to run tcpdump on my Note 3, not to mention hitting Control-C on Android. What instructions did you mean?

Do you have a friend who is familiar with ADB, rooting phones, etc. who might be able to help out in person?

You could also try something like Shark for Root, or follow this video. Make sure you capture on the tun0 interface so that we can see what is happening on the VPN tunnel. If you capture from the wifi interface you'll still see traffic, but everything will be encrypted so it will not be possible to diagnose the failure.
10th April 2014, 12:34 AM |#10  
msm88now, Junior Member
I got it. First I rooted my Note 3, then I followed the instructions in the video, and here it is; I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed.
Attached file: out.rar (330.8 KB)
10th April 2014, 04:27 AM |#11  
cernekee (OP), Senior Member
Quote:
Originally Posted by msm88now

I got it. First I rooted my Note 3, then I followed the instructions in the video, and here it is; I hope it's what you asked me for. Waiting for your diagnosis, fingers crossed.

According to this trace (partial screenshot attached), the Note 3 is advertising an MSS of 1460 bytes on IPv4 TCP connections. This looks abnormally high for a VPN interface; the other direction is using an MSS of 1380, which looks more realistic. The MSS for IPv4 would normally be the tun0 MTU minus 40 bytes. I am assuming this means the MSS is being computed from the 1500-byte wlan0/eth0 MTU, not the smaller tun0 MTU.

When Google fixed the MSS bug in Android 4.4.1, they left the following comments in the changelog:

Code:
commit ca5b4e8d0d8219273ecf0961ed6e8c47ab5d798a
Author: JP Abgrall <jpa@google.com>
Date:   Wed Nov 20 17:27:01 2013 -0800

    SecondaryTableController: force the MSS to match pmtu on TCP SYN
    
    Without this change, the VPN sets up a tun/ppp that needs a small
    MTU, and during TCP SYN the MSS will end up matching the outgoing iface
    MTU which is potentially too big.
    This leads to connection flakiness. The wrong MSS is visible by
    tcpdump-ing on the tun/ppp device.
    
    With this change, the MSS now is correct.
    It requires the kernel to be configured with
     CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
    If kernel is not configured, it silently fails.
    
    Bug: 11579326
    Change-Id: I254d8c39435b92dff91931e461e1efb8b35f6b1e
Note the bolded sentences (emphasis mine). I suspect that your device is running the latest AOSP netd code that has the fix (if the ROM is indeed based on AOSP 4.4.1/4.4.2), but the kernel may be missing the TCPMSS target. If you see an error when running this command as root, it probably means that kernel support is missing:

Code:
# Test rule only: it fails to load if the kernel lacks the TCPMSS target.
# Delete it again afterwards with the same arguments and -D in place of -A.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN SYN -d 1.2.3.4 -j TCPMSS --clamp-mss-to-pmtu
Toward the bottom of the page on the original Android 4.4 MSS bug report I see a couple of reports from other Note 3 owners that the problem still isn't fixed for them, so it may be something particular to this device (such as the kernel configuration).

I do not see any evidence of IPv6 usage in your log, which rules out some of the known 4.4.2 VPN issues.

If this does turn out to be a kernel problem, you can try a custom kernel from XDA (assuming you can unlock your bootloader), or you could file a bug report with Samsung asking them to enable CONFIG_NETFILTER_XT_TARGET_TCPMSS=y in the next OTA update. From their end this is a simple, low-risk change.
Attached screenshot: wireshark.png
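The rule applied in the post above (on IPv4 the MSS advertised in a SYN should be the tun0 MTU minus 40 bytes, so a 1460 on a tunnel interface means the MSS was derived from the 1500-byte wlan0 MTU) can be checked mechanically over the whole tun0 capture rather than by eyeballing one Wireshark row. The script below is an added example written for this thread; it is not cernekee's code and not part of OpenConnect. It parses the classic pcap format by hand so it runs with the standard library only, and it assumes the capture was written by tcpdump on tun0 (raw IP link type 101; Ethernet frames are accepted too, pcapng is not). The tunnel MTU is supplied by the caller; 1420 in the constructed sample, which makes 1380 the largest acceptable MSS. The sample packets, addresses and function names (`find_oversized_mss`, `SAMPLE_PCAP`) are constructed here and not taken from the poster's trace.

```python
"""Find TCP SYN/SYN-ACK packets in a tun0 capture whose MSS exceeds tun MTU - 40."""
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101   # raw IP; assumed to be what tcpdump writes for a tun interface


def iter_ip_packets(data):
    """Yield the IPv4/IPv6 packet of every record in a classic (non-pcapng) pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":   # keep IPv4 frames only
                continue
            pkt = pkt[14:]
        elif linktype != LINKTYPE_RAW:
            continue
        yield pkt


def syn_mss(ip):
    """Return (src, dst, mss, is_syn_ack) for an IPv4 TCP SYN carrying an MSS option, else None."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not tcp[13] & 0x02:                  # need the SYN bit
        return None
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                          # end of option list
            break
        if kind == 1:                                          # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:              # truncated/malformed option
            break
        if kind == 2 and opts[i + 1] == 4:                     # MSS option
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            return src, dst, struct.unpack("!H", opts[i + 2:i + 4])[0], bool(tcp[13] & 0x10)
        i += opts[i + 1]
    return None


def find_oversized_mss(pcap_bytes, tun_mtu):
    """List every SYN/SYN-ACK whose advertised MSS is larger than tun_mtu - 40 (IPv4 headers)."""
    limit = tun_mtu - 40
    hits = []
    for pkt in iter_ip_packets(pcap_bytes):
        res = syn_mss(pkt)
        if res and res[2] > limit:
            src, dst, mss, syn_ack = res
            hits.append({"src": src, "dst": dst, "mss": mss, "limit": limit, "syn_ack": syn_ack})
    return hits


# --- constructed sample data, not a real capture -----------------------------

def make_tcp_syn(src, dst, sport, dport, mss, syn_ack=False):
    """Build a minimal IPv4 TCP SYN with an MSS option; checksums are left at zero."""
    opts = struct.pack("!BBH", 2, 4, mss)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x12 if syn_ack else 0x02,
                      65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def build_pcap(packets, linktype=LINKTYPE_RAW):
    """Serialise raw packets into a little-endian classic pcap file."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    records = b"".join(struct.pack("<IIII", n, 0, len(p), len(p)) + p for n, p in enumerate(packets))
    return header + records


SAMPLE_PCAP = build_pcap([
    make_tcp_syn("10.0.0.2", "192.0.2.10", 40000, 80, 1460),                 # phone SYN, MSS from wlan0 MTU
    make_tcp_syn("192.0.2.10", "10.0.0.2", 80, 40000, 1380, syn_ack=True),   # gateway side SYN-ACK, sane
    make_tcp_syn("10.0.0.2", "192.0.2.11", 40001, 443, 1380),                # phone SYN as it should look
])

if __name__ == "__main__":
    for hit in find_oversized_mss(SAMPLE_PCAP, tun_mtu=1420):
        print("%(src)s -> %(dst)s advertises MSS %(mss)d, limit is %(limit)d" % hit)
```

To run it against a real trace, read `out.pcap` into bytes and pass it with the MTU shown for tun0 in the OpenConnect log; every line reported for the phone's own address (direction `syn_ack` false) is a connection that will stall exactly the way the post describes, while hits in the SYN-ACK direction point at the gateway side instead.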