@miguelgmalpha
Last active December 2, 2024 12:20
AWS Client VPN with SAML for Fedora
The AWS Client VPN for Linux is only provided for Ubuntu as a .deb package. I need it for Fedora. This was tested on Fedora 33.
https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux.html
Get the vpn client deb package.
```
curl https://d20adtppz83p9s.cloudfront.net/GTK/latest/awsvpnclient_amd64.deb -o awsvpnclient_amd64.deb
```
Install `alien` to convert the deb package to rpm.
```
dnf install alien.noarch -y
```
Convert the deb package to rpm. Some warnings will appear, don't worry.
```
alien -r awsvpnclient_amd64.deb --scripts
```
At this point, if I tried to install the generated rpm package, it failed because of some conflicting folders.
```
Error: Transaction test error:
file /etc from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /opt from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /usr from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /usr/share from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /usr/share/applications from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /usr/share/doc from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /usr/share/pixmaps from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
file /etc/systemd from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package systemd-246.14-1.fc33.x86_64
file /etc/systemd/system from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package systemd-246.14-1.fc33.x86_64
```
We need to edit the rpm package and remove these already existing folders from the package using rpmrebuild. Install rpmrebuild.
```
dnf install rpmrebuild.noarch -y
```
Then edit the rpm package with rpmrebuild, removing the conflicting folders listed above. https://superuser.com/questions/133317/is-it-possible-to-modify-rebuild-an-rpm-without-the-srpm/133323#133323
```
rpmrebuild -e -p awsvpnclient-1.0.0-2.x86_64.rpm
# find the line(s) you wish to change
# make changes
# save and exit your editor (Esc:wq! in vi[m], Ctrl-x s in emacs)
# rpmrebuild will ask if you want to continue
# answer 'yes'
# check the last line of the rpmrebuild output to find your package
```
The rpm has been rebuilt and stored in the folder reported by rpmrebuild. Install it; it should work now.
```
sudo dnf install /home/user/rpmbuild/RPMS/x86_64/awsvpnclient-1.0.0-2.x86_64.rpm -y
Running transaction
Preparing : 1/1
Installing : lttng-ust-2.12.0-3.fc33.x86_64 1/2
Running scriptlet: awsvpnclient-1.0.0-2.x86_64 2/2
+ LOG_FOLDER=/var/log/aws-vpn-client
+ mkdir -p /var/log/aws-vpn-client
+ LOG_FILE=/var/log/aws-vpn-client/preinst.log
+ sudo systemctl stop awsvpnclient
+ sudo systemctl disable awsvpnclient
+ sudo systemctl daemon-reload
+ sudo systemctl reset-failed
Installing : awsvpnclient-1.0.0-2.x86_64 2/2
Running scriptlet: awsvpnclient-1.0.0-2.x86_64 2/2
+ set -e
+ LOG_FOLDER=/var/log/aws-vpn-client
+ mkdir -p /var/log/aws-vpn-client
+ LOG_FILE=/var/log/aws-vpn-client/postinst.log
+ sudo systemctl enable awsvpnclient
+ sudo systemctl start awsvpnclient
Verifying : lttng-ust-2.12.0-3.fc33.x86_64 1/2
Verifying : awsvpnclient-1.0.0-2.x86_64 2/2
Installed:
awsvpnclient-1.0.0-2.x86_64 lttng-ust-2.12.0-3.fc33.x86_64
Complete!
```
Follow the steps from the official documentation from here :)
https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-linux.html#client-vpn-connect-linux-connecting
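
One way to script the rpmrebuild edit step, as an added example that is not part of the original gist: it reads the paths from the dnf conflict errors and drops only the matching `%dir` entries from the `%files` section. The function names, the `%files` line layout and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the gist. The %files line layout below is an
# assumption about what rpmrebuild shows in the editor.

# Read dnf transaction-test output on stdin; print each conflicting path.
conflicting_paths() {
    sed -n 's|^[[:space:]]*file \(/[^[:space:]]*\) from install of .* conflicts with file from package .*$|\1|p'
}

# drop_conflicting_dirs PATHS_FILE   (spec %files section on stdin)
# Drops only "%dir" entries whose quoted path is listed in PATHS_FILE, so the
# package stops claiming directories that filesystem/systemd already own.
# File entries and directories unique to the package pass through untouched.
drop_conflicting_dirs() {
    awk -v list="$1" '
        BEGIN { while ((getline p < list) > 0) if (p != "") skip[p] = 1 }
        /^%dir / && match($0, /"[^"]*"[ \t]*$/) {
            path = substr($0, RSTART + 1)      # text after the opening quote
            sub(/"[ \t]*$/, "", path)          # strip the closing quote
            if (path in skip) next
        }
        { print }
    '
}

# Constructed sample: three of the conflict lines quoted above.
SAMPLE_ERROR='Error: Transaction test error:
  file /etc from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
  file /opt from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package filesystem-3.14-3.fc33.x86_64
  file /etc/systemd/system from install of awsvpnclient-1.0.0-2.x86_64 conflicts with file from package systemd-246.14-1.fc33.x86_64'

# Constructed sample of a %files section (layout assumed, paths illustrative).
SAMPLE_FILES='%dir %attr(0755, root, root) "/etc"
%dir %attr(0755, root, root) "/etc/systemd/system"
%attr(0644, root, root) "/etc/systemd/system/awsvpnclient.service"
%dir %attr(0755, root, root) "/opt"
%dir %attr(0755, root, root) "/opt/awsvpnclient"
%attr(0755, root, root) "/opt/awsvpnclient/AWS VPN Client"'

# Run both steps on the constructed samples and print the filtered section.
run_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_ERROR" | conflicting_paths > "$tmp"
    printf '%s\n' "$SAMPLE_FILES" | drop_conflicting_dirs "$tmp"
    rm -f "$tmp"
}

run_demo
```

Only the three shared directories are dropped; the unit file, the package's own `/opt/awsvpnclient` directory and the binary stay in the package.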
@slagiewka

> I'm using Fedora 36. I followed the instructions and got an error:
>
> ```
> Error:
> Problem: conflicting requests
>   - nothing provides liblttng-ust.so.0()(64bit) needed by awsvpnclient-3.1.0-2.x86_64
>     (try to add '--skip-broken' to skip uninstallable packages)
> ```

I've removed that dependency. It works without it.

@wyzemoro

> I've removed that dependency. It works without it.

How to remove it?

@wyzemoro

I've removed it, but when installing:

image

@slagiewka

> I've removed it, but when installing:

You have to do the same for each of the listed directories while running rpmrebuild.

@wyzemoro

I've now removed it but it's not running. I got a segmentation fault.

When I run `$ ./AWS\ VPN\ Client`, this is the error:

```
(AWS VPN Client:4772): Gtk-CRITICAL **: 17:01:58.420: gtk_tree_model_iter_nth_child: assertion 'n >= 0' failed

(AWS VPN Client:4772): Gtk-CRITICAL **: 17:01:58.420: gtk_list_store_get_path: assertion 'iter->stamp == priv->stamp' failed
Segmentation fault (core dumped)
```

When I run with sudo, `$ sudo ./AWS\ VPN\ Client`:

```
** (AWS VPN Client:4827): WARNING **: 17:04:08.829: AT-SPI: Could not obtain desktop path or name

** (AWS VPN Client:4827): WARNING **: 17:04:08.831: atk-bridge: GetRegisteredEvents returned message with unknown signature

** (AWS VPN Client:4827): WARNING **: 17:04:08.831: atk-bridge: get_device_events_reply: unknown signature

** (AWS VPN Client:4827): WARNING **: 17:04:08.831: atk-bridge: get_device_events_reply: unknown signature

(AWS VPN Client:4827): Gtk-CRITICAL **: 17:04:15.102: gtk_tree_model_iter_nth_child: assertion 'n >= 0' failed

(AWS VPN Client:4827): Gtk-CRITICAL **: 17:04:15.102: gtk_list_store_get_path: assertion 'iter->stamp == priv->stamp' failed
Segmentation fault
```

@slagiewka

slagiewka commented Jul 25, 2022

> this is the error:
>
> ```
> (AWS VPN Client:4772): Gtk-CRITICAL **: 17:01:58.420: gtk_tree_model_iter_nth_child: assertion 'n >= 0' failed
> (AWS VPN Client:4772): Gtk-CRITICAL **: 17:01:58.420: gtk_list_store_get_path: assertion 'iter->stamp == priv->stamp' failed
> Segmentation fault (core dumped)
> ```

Did you read through my comment? Most likely you're still missing the chmod on that SQLite file.

Please review all my other comments as they are likely to already solve your future issues.


I'm now using the client on a proper Fedora install. I didn't need to patch anything related to those telemetry invariants (runtimeconfig.json). So there's one step less.

@BOPOHA

BOPOHA commented Aug 1, 2022

You can try my builds: https://copr.fedorainfracloud.org/coprs/vorona/aws-rpm-packages/

Or build your own rpm with the spec: https://github.com/BOPOHA/aws-rpm-packages/blob/main/awsvpnclient/awsvpnclient.spec

I cut out a lot of dependencies for telemetry, debugging and tracing. And, for example, the Workspace client starts working much faster.
Tested on F36

@Abhisheikh-G

I can confirm using the directions in this thread the AWS VPN Client is running on Fedora 36.

@jdollar

jdollar commented Oct 18, 2022

Confirming following the efforts in the thread gives me a vpn client that works as well for Fedora 36.

Looking at the logs in `/var/log/aws-vpn-client/configure-dns-up.log` I did additionally see this error after resolving the error 127 from `ip` not being in the script's PATH:

```
busctl command exit code: 1, output: Call failed: Could not activate remote peer: activation request failed: unknown unit.
```

To resolve that I had to enable systemd-resolved: `sudo systemctl enable --now systemd-resolved`

After making sure that service was running I stopped getting the "Connection Failed" error.

@snorfalorpagus

snorfalorpagus commented Oct 18, 2022

I've followed the instructions above and can get the GUI to display, but when I try to connect I get the following error:

```
No usable version of libssl was found
[1]    32288 IOT instruction (core dumped)  ./AWS\ VPN\ Client
```

Running a very recent install of Fedora 36. I have openssl and openssl-devel installed.

Edit: This seems related to the update to OpenSSL 3.x (from 1.x) that happened in Fedora 36. I'm not sure how others aren't seeing the same problem.

Edit 2: Installing OpenSSL-1 from source fixes the above problem. Now I get "Unknown error occurred. Try again".

image

@jdollar

jdollar commented Oct 18, 2022

@snorfalorpagus It sounds like you figured out the OpenSSL-1, but on my side I was able to use the openssl1.1 package in the fedora repos vs building from source. At least I believe that is why I have it installed.

image

Unsure about the unknown error though. Do you see any additional logs in the /var/log/aws-vpn-client log files?

@snorfalorpagus

I didn't realise the older version of OpenSSL would be available as a separate package rather than another version of the same package. Thanks @jdollar.

The "unknown error occurred" above turned out to be the same issue, but in another place. When I installed OpenSSL 1.x it installed to /usr/local/lib64 which I was passing to the executable with LD_LIBRARY_PATH. The problem was caused by the awsvpnclient service crashing because it didn't know about this path. Fixing the environment for that fixed the problem, although I'll probably try it with the official package now instead.

@maxdebayser

> You can try my builds: https://copr.fedorainfracloud.org/coprs/vorona/aws-rpm-packages/
>
> Or build your own rpm with the spec: https://github.com/BOPOHA/aws-rpm-packages/blob/main/awsvpnclient/awsvpnclient.spec
>
> I cut out a lot of dependencies for telemetry, debugging and tracing. And, for example, the Workspace client starts working much faster. Tested on F36

@BOPOHA, I've used your package on Fedora 36 and it's working now, but strangely I had to replace `ip` with `/usr/sbin/ip` in `/opt/awsvpnclient/Service/Resources/openvpn/configure-dns` to get it to work.

Before that it was failing to connect and showing this in the log:

```
2022-11-25 13:06:17.424 -03:00 [DBG] >LOG:1669392377,I,/opt/awsvpnclient/Service/Resources/openvpn/configure-dns tun0 1500 1552 10.3.240.2 255.255.255.224 init
2022-11-25 13:06:17.446 -03:00 [DBG] >LOG:1669392377,F,WARNING: Failed running command (--up/--down): could not execute external program
```

@CL-BB

CL-BB commented Nov 30, 2022

I just updated to fedora 37 from 36 and my client stopped working. It outputs this error when starting it:

```
Process terminated. Couldn't find a valid ICU package installed on the system. Set the configuration flag System.Globalization.Invariant to true if you want to run with no globalization support.
   at System.Environment.FailFast(System.String)
   at System.Globalization.GlobalizationMode.GetGlobalizationInvariantMode()
   at System.Globalization.GlobalizationMode..cctor()
   at System.TimeZoneInfo.GetDisplayName(TimeZoneDisplayNameType, System.String ByRef)
   at System.TimeZoneInfo..ctor(Byte[], System.String, Boolean)
   at System.TimeZoneInfo.GetTimeZoneFromTzData(Byte[], System.String)
   at System.TimeZoneInfo.GetLocalTimeZoneFromTzFile()
   at System.TimeZoneInfo+CachedData.CreateLocal()
   at System.CurrentSystemTimeZone..ctor()
   at System.TimeZone.get_CurrentTimeZone()
   at GLib.Marshaller..cctor()
   at GLib.Marshaller.StringToPtrGStrdup(System.String)
   at GLib.Global.set_ProgramName(System.String)
   at Gtk.Application.SetPrgname()
   at Gtk.Application.Init()
   at ACVC.GTK.Program.Initialize()
   at ACVC.GTK.Program.Main(System.String[])
Aborted (core dumped)
```

I have the package icu installed. I found that adding `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1` would resolve it but attempting to connect would be met with "unknown error occurred". I tried replacing the rpm package I repackaged myself using this thread with the copr version linked above but it encounters the same problem. I can't seem to find any logs that point me in a direction.

Has anyone else run into this?

@snorfalorpagus

snorfalorpagus commented Nov 30, 2022

@CL-BB I had the same issue when upgrading to Fedora 37.

> I have the package icu installed. I found that adding DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 would resolve it but attempting to connect would be met with "unknown error occurred". I tried removing the rpm package I repackaged myself using this thread with the copr version linked above but it encounters the same problem. I can't seem to find any logs that point me in a direction.
>
> Has anyone else run into this?

In addition to adding the environment variable to my .zshrc:

```
export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
```

I also had to update /etc/systemd/system/awsvpnclient.service so the service which runs as root has it too.

```
[Service]
Type=simple
ExecStart=/opt/awsvpnclient/Service/ACVC.GTK.Service
Restart=always
RestartSec=1s
User=root
Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1

[Install]
WantedBy=multi-user.target
```

I figured this out looking at the logs for the service:

```
journalctl _SYSTEMD_UNIT=awsvpnclient.service
```

@CL-BB

CL-BB commented Dec 1, 2022

@snorfalorpagus Yup that solved it! Thank you!

@KrzysiekWyka

Someone released an unofficial client written in Rust; no external libraries are needed: https://crates.io/crates/openaws-vpn-client

@covelloz

covelloz commented Dec 29, 2022

OS: Fedora 37

Thanks guys for all the info on this post! Extremely, extremely helpful. 💯 🙏

I ended up taking the easy/lazy route and used @BOPOHA's build.

However, it did still require adding `Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1` to the awsvpnclient.service file as well as my .bashrc file. So @snorfalorpagus thanks man!

Great thread all around.
Hope AWS releases a native RPM soon... 😬

edit: regarding BOPOHA's install instructions:
If you don't care or want workspacesclient; you can just install openssl1.1 instead.
That dependency along with the env variable were the real juicers that got things to work.

@martinrw

Thanks @BOPOHA, your builds are working for me with Fedora 37.

my exact steps to get everything running were:

  • run these commands:
    ```
    dnf copr enable vorona/aws-rpm-packages -y
    dnf install awsvpnclient -y && systemctl start awsvpnclient
    dnf install workspacesclient -y
    dnf install icu
    dnf install openssl
    ```

  • update ~/.bashrc to add the line:
    ```
    export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
    ```

  • in /usr/lib/systemd/system/awsvpnclient.service add this line to the [service] section:
    ```
    Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
    ```

  • run these commands:
    ```
    systemctl daemon-reload
    systemctl restart awsvpnclient
    ```

Then from my Start Menu I can run the AWS VPN Client application.

@BOPOHA

BOPOHA commented Jan 10, 2023

@martinrw

  1. package icu is not installed on my system [*]
  2. openssl is not required from my point of view, but openssl1.1 is a workspacesclient dependency and is installed automatically
  3. I don't understand what DOTNET_SYSTEM_GLOBALIZATION_INVARIANT is for [*]:
  • the environment setting (~/.bashrc) has no effect on launching the application via the Start Menu application icon.
  • passing the DOTNET_SYSTEM_GLOBALIZATION_INVARIANT env variable to the backend service is also strange

* - I only have an integrated GPU, maybe that's the difference.

Or maybe you still have some garbage left from previous installations via alien/rpmrebuild.
Try the following:

```
dnf remove workspacesclient icu openssl1.1
rm -rf  /opt/workspacesclient/  /usr/lib/x86_64-linux-gnu/pcoip-client/ /usr/share/applications/workspacesclient.desktop /opt/awsvpnclient /usr/share/applications/awsvpnclient.desktop
dnf install workspacesclient awsvpnclient
```

you can report an issue here

@gSanchezCiarrocchi

gSanchezCiarrocchi commented Jan 11, 2023

Confirming that the solution from @BOPOHA works on Fedora 37 Workstation. Thanks!

I was about to install a different OS.

@bshaw

bshaw commented Jan 19, 2023

I've got @BOPOHA's build working on Fedora 37 Workstation as well; however, I've had to do similar to @martinrw.

I don't use workspaces, so am not installing that - here's what I ultimately needed to get it working - all based on reading the logs and resolving any errors:

  • `sudo dnf copr enable vorona/aws-rpm-packages -y`
  • `sudo dnf install awsvpnclient icu openssl1.1 -y`
  • Add `Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1` to the `[Service]` section of `/usr/lib/systemd/system/awsvpnclient.service`
  • `sudo systemctl start awsvpnclient`
  • Modify the desktop application launcher Exec line to `Exec=env DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 /opt/awsvpnclient/AWSVPNClient` in `/usr/share/applications/awsvpnclient.desktop`

There are definitely some things BOPOHA says shouldn't be required, but they are on my setup.

Thanks for everyone's past comments here and for BOPOHA for providing a usable build.
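
The service-environment fix described in the comments from @snorfalorpagus, @martinrw and @bshaw, as an added example that is not code from the thread: a check that the variable is really assigned inside `[Service]` (systemd section names are case-sensitive), plus a drop-in file so the packaged unit is left unedited. The function names, the drop-in file name and the sample units are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Directories are passed in so the
# functions can be tried on copies before touching /etc.

# service_env_set UNIT_FILE VAR
# Succeeds only if an Environment= line inside the [Service] section assigns
# VAR. Section names are case-sensitive, so "[service]" does not count.
service_env_set() {
    awk -v var="$2" '
        /^\[.*\][ \t]*$/ { in_service = ($0 ~ /^\[Service\][ \t]*$/); next }
        in_service && /^Environment=/ {
            line = substr($0, length("Environment=") + 1)
            if (line ~ /^[ \t]*$/) { found = 0; next }  # empty value resets the list
            n = split(line, kv, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                gsub(/^"|"$/, "", kv[i])                # allow "VAR=value"
                if (index(kv[i], var "=") == 1) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_dropin SYSTEMD_DIR   (for real use: /etc/systemd/system)
# Puts the variable in a drop-in next to the unit instead of editing the
# packaged awsvpnclient.service, so a package update does not remove it.
write_dropin() {
    d="$1/awsvpnclient.service.d"
    mkdir -p "$d" &&
    printf '[Service]\nEnvironment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1\n' \
        > "$d/10-dotnet-invariant.conf"
}

# Constructed sample units: the [Service] block quoted in the thread, and the
# same line under a lower-case section header.
UNIT_OK='[Service]
Type=simple
ExecStart=/opt/awsvpnclient/Service/ACVC.GTK.Service
User=root
Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1

[Install]
WantedBy=multi-user.target'
UNIT_WRONG_CASE='[service]
Environment=DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1'

# Check both samples and a freshly written drop-in inside a temp directory.
run_demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' "$UNIT_OK" > "$t/ok.service"
    printf '%s\n' "$UNIT_WRONG_CASE" > "$t/wrong-case.service"
    write_dropin "$t"
    for f in "$t/ok.service" "$t/wrong-case.service" \
             "$t/awsvpnclient.service.d/10-dotnet-invariant.conf"; do
        if service_env_set "$f" DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
        then echo "set: ${f#"$t"/}"; else echo "NOT set: ${f#"$t"/}"; fi
    done
    rm -rf "$t"
}

run_demo
```

After writing a real drop-in, the `systemctl daemon-reload` and `systemctl restart awsvpnclient` steps from the thread still apply.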

@Genesys05

Has someone checked the compatibility of @BOPOHA's build with the latest version of AWS VPN Client, version 3.2.0?

I ask because it's the last piece of software that blocks me from going to Fedora instead of Ubuntu, because I don't like Ubuntu.

I will check that on my side, but this question is just in case someone has already tested it.

@project0

Just stumbled across this gist. I can confirm that AWS did not make any significant changes in 3.2.0 (I am maintaining the AUR version 😉), so a simple upgrade of the package should work.

I am certain most problems will be solved once AWS supports Ubuntu 22.04, as they would then need to upgrade all the dependencies. Of course, it would be much easier if they would just open source their client...

@rochaalexandre

rochaalexandre commented Feb 7, 2023

> You can try my builds: https://copr.fedorainfracloud.org/coprs/vorona/aws-rpm-packages/
>
> Or build your own rpm with the spec: https://github.com/BOPOHA/aws-rpm-packages/blob/main/awsvpnclient/awsvpnclient.spec
>
> I cut out a lot of dependencies for telemetry, debugging and tracing. And, for example, the Workspace client starts working much faster. Tested on F36

Getting one of @BOPOHA's builds worked for me; I just need to install this package https://fedora.pkgs.org/36/fedora-x86_64/openssl1.1-1.1.1n-1.fc36.x86_64.rpm.html and configure the ICU as defined in this MS doc https://github.com/dotnet/core/blob/main/Documentation/build-and-install-rhel6-prerequisites.md#install-the-libraries-into-the-netcoredeps-subdirectory-of-your-net-core-application

@glkosh

glkosh commented Feb 22, 2023

First of all wanna appreciate @BOPOHA for this build, it literally saved me 2 days of work. Second, it's worth mentioning that I recently updated fedora 36 -> 37 which resulted in a non-working AWS VPN, but after I reproduced @martinrw and @bshaw steps everything came back to normal. Thanks, guys!

@gSanchezCiarrocchi

Suddenly @BOPOHA's solution stopped working for me.

Following @martinrw's instructions solved it and it is working again.

@wrossmann

Just want to add that up until today I was running Fedora 35 and this worked just fine. I started testing upgrades to 36 and 37, and while 36 worked out of the box, 37 broke with:

```
Process terminated. Couldn't find a valid ICU package installed on the system. Set the configuration flag System.Globalization.Invariant to true if you want to run with no globalization support.
   at System.Environment.FailFast(System.String)
   at System.Globalization.GlobalizationMode.GetGlobalizationInvariantMode()
   at System.Globalization.GlobalizationMode..cctor()
   at System.TimeZoneInfo.GetDisplayName(TimeZoneDisplayNameType, System.String ByRef)
   at System.TimeZoneInfo..ctor(Byte[], System.String, Boolean)
   at System.TimeZoneInfo.GetTimeZoneFromTzData(Byte[], System.String)
   at System.TimeZoneInfo.GetLocalTimeZoneFromTzFile()
   at System.TimeZoneInfo+CachedData.CreateLocal()
   at System.CurrentSystemTimeZone..ctor()
   at System.TimeZone.get_CurrentTimeZone()
   at GLib.Marshaller..cctor()
   at GLib.Marshaller.StringToPtrGStrdup(System.String)
   at GLib.Global.set_ProgramName(System.String)
   at Gtk.Application.SetPrgname()
   at Gtk.Application.Init()
   at ACVC.GTK.Program.Initialize()
   at ACVC.GTK.Program.Main(System.String[])
Aborted (core dumped)
```

from the client. Adding the suggested DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 made the client work, but the service would then fail during the login process. Adding the same env var to the service file got it to work as well.

For the record, my package versions are:

```
openssl-3.0.8-1.fc37.x86_64
workspacesclient-4.5.0.2006-1.x86_64
icu-71.1-2.fc37.x86_64
awsvpnclient-3.2.0-1.x86_64
```

and, judging by the dnf logs it looks like ICU69 worked and 70 or 71 must be where it gets unhappy.

```
2023-03-02T14:46:35-0800 SUBDEBUG Upgrade: icu-71.1-2.fc37.x86_64
2023-03-02T14:47:22-0800 SUBDEBUG Upgraded: icu-69.1-6.fc36.x86_64
2023-03-02T14:49:29-0800 SUBDEBUG Upgraded: libicu-69.1-6.fc36.x86_64
2022-10-10T14:57:05-0700 SUBDEBUG Upgrade: libicu-69.1-6.fc35.x86_64
2022-10-10T15:11:01-0700 SUBDEBUG Upgraded: libicu-69.1-2.fc35.x86_64
```

@BOPOHA

BOPOHA commented Mar 7, 2023

@wrossmann thanks for the detailed description. The issue with libicu > 69 is fixed in awsvpnclient-3.4.0-1.x86_64
(no need to use the DOTNET_SYSTEM_GLOBALIZATION_INVARIANT environment variable)

@efueyo

efueyo commented Mar 7, 2023

I can confirm that just the following commands worked for me:

```
sudo dnf copr enable vorona/aws-rpm-packages -y
sudo dnf install awsvpnclient icu openssl1.1 -y
sudo systemctl start awsvpnclient
```

On Fedora 37

Thanks everyone for the work and the tips ❤️

(edit typos)
