@darrenpmeyer
Last active June 10, 2020 16:24
Building OpenConnect 7 on Ubuntu 14 (trusty), 15 (vivid), and 16 (xenial)

READ FIRST

This is outdated information, though the concepts are valid. A script implementing these concepts for OpenConnect 8 on Ubuntu 18 (bionic) and 19 (eoan) is available

Building OpenConnect 7 on Ubuntu 14 (trusty) and 15 (vivid)

The steps in this guide are available as an autobuild shell script

Why?

Because the OpenConnect package from Ubuntu is a bit outdated, and if you have a recent AnyConnect server, you need a newer OpenConnect to play with it.

Why this guide uses OpenSSL instead of GnuTLS

We'll be building OpenConnect mostly with its defaults, but we're going to use OpenSSL rather than GnuTLS. This isn't a philosophical choice: GnuTLS is still maturing, and my testing showed that compilation with GnuTLS leads to a bit of a crapshoot when connecting to AnyConnect endpoints. I haven't debugged this; if you find a good path to compiling with GnuTLS that works reliably, I'm all ears.

Build

Preflight

sudo apt-get install curl vpnc-scripts build-essential libssl-dev libxml2-dev liblz4-dev
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz.asc
gpg --keyserver pgp.mit.edu --recv-key 67e2f359

Verify

gpg --verify openconnect-7.08.tar.gz.asc

You should see something very much like:

gpg: assuming signed data in `openconnect-7.08.tar.gz'
gpg: Signature made Tue 17 Mar 2015 08:33:15 AM CDT using RSA key ID 67E2F359
gpg: Good signature from "David Woodhouse <dwmw2@infradead.org>"
gpg:                 aka "David Woodhouse <dwmw2@exim.org>"
gpg:                 aka "David Woodhouse <david@woodhou.se>"
gpg:                 aka "David Woodhouse <dwmw2@kernel.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE07 D9FD 5480 9AB2 C4B0  FF5F 6376 2CDA 67E2 F359
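
The "not certified with a trusted signature" warning above means gpg cannot vouch for the key itself, so the fingerprint line is what you actually have to compare. The following is an added example, not part of the gist, that turns that eyeball check into a script: it accepts a gpg transcript only when a "Good signature" line is present and the primary key fingerprint equals the one shown above. The function names and the sample transcripts are my own constructions.

```shell
#!/bin/sh
# Added example (not from the gist): mechanically apply the check the Verify
# step asks a human to do by eye. gpg's "not certified with a trusted
# signature" warning means gpg cannot vouch for the key itself, so a pinned
# fingerprint comparison is what stands in for that trust.

# Fingerprint from the gist's sample output; spaces and case are ignored.
EXPECTED_FPR="BE07 D9FD 5480 9AB2 C4B0  FF5F 6376 2CDA 67E2 F359"

# Normalise a fingerprint: drop spaces, upper-case hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Usage: check_gpg_output "<gpg transcript>" "<expected fingerprint>"
# Returns 0 only if a "Good signature" line is present AND the primary key
# fingerprint in the transcript equals the expected one. A good signature
# from some other key, or a BAD signature, both return 1.
check_gpg_output() {
    out="$1"
    want=$(norm_fpr "$2")
    printf '%s\n' "$out" | grep -q '^gpg: Good signature from ' || return 1
    got=$(printf '%s\n' "$out" | sed -n 's/^Primary key fingerprint: //p')
    got=$(norm_fpr "$got")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        return 0
    fi
    return 1
}

# Run gpg on a real download and feed its transcript to the check above.
# Usage: verify_tarball openconnect-7.08.tar.gz openconnect-7.08.tar.gz.asc
verify_tarball() {
    transcript=$(gpg --verify "$2" "$1" 2>&1) || return 1
    check_gpg_output "$transcript" "$EXPECTED_FPR"
}

# Constructed sample transcripts for offline use: the first mirrors the gist's
# output, the others are the two ways a check should fail.
GOOD_SAMPLE='gpg: Good signature from "David Woodhouse <dwmw2@infradead.org>"
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: BE07 D9FD 5480 9AB2 C4B0  FF5F 6376 2CDA 67E2 F359'
WRONG_KEY_SAMPLE='gpg: Good signature from "Someone Else <nobody@example.invalid>"
Primary key fingerprint: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'
BAD_SIG_SAMPLE='gpg: BAD signature from "David Woodhouse <dwmw2@infradead.org>"
Primary key fingerprint: BE07 D9FD 5480 9AB2 C4B0  FF5F 6376 2CDA 67E2 F359'

# Stand-alone usage against the constructed sample.
check_gpg_output "$GOOD_SAMPLE" "$EXPECTED_FPR" && echo "signature and fingerprint OK"
```

Call verify_tarball with the downloaded tarball and its .asc file once the key has been fetched; it fails closed on a missing fingerprint line as well as on a mismatch.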

Build

tar xzf openconnect-7.08.tar.gz
cd openconnect-7.08
./configure --without-gnutls --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
make
sudo make install
sudo ldconfig /usr/local/lib

OpenConnect will be at /usr/local/sbin/openconnect

@StuMinch

We are running firmware version 8.2R5.1 (build 50797) on our MAG 2600 HA Pair and had to install openconnect-7.08 in order to connect via VPN from Ubuntu. The instructions above work almost flawlessly by simply substituting '7.06' with '7.08'. The one thing we needed to add to the ./configure command was --without-openssl-version-check.

@suxxor

suxxor commented Apr 25, 2017

How can I build with PKCS#11 support?
Autobuild script worked successfully, but I get a "This version of OpenConnect was built without PKCS#11 support" error when I run:
$ openconnect --juniper --no-cert-check -c 'pkcs11:MY_PARAMS' example.com

EDIT:
Got the answer: for PKCS#11 support you need to install the following libraries before building:
sudo apt-get install libp11-kit-dev libp11-dev

@calamarico

calamarico commented Feb 28, 2018

I have an error in 'make check':

...
PASS: lzstest
PASS: seqtest
FAIL: bad_dtls_test
============================================================================
Testsuite summary for openconnect 7.08
============================================================================
# TOTAL: 3
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

Any clue about what that failure (bad_dtls_test) means?

It doesn't matter, install is ok and working.

@jussi-ft

Working, thanks for advice.
