one profile seems to be losing password after saving it with batch mode selected it works for a couple of times then it asks for password again as it was not saved

Hi!. Please, update the script vpnc-script-win.js. The latest version can be downloaded from this page which contains the latest script. With the bundled script in OpenConnect-GUI 0.6, the TAP interface is not configured. If I manually change the IP address of the TAP interface and configure the static routes with route add, everything works ok (with the bundled script). If I copy the new script to the OpenConnect folder, everything works ok without any manual configuration. Tested in Windows XP SP 2 32 bits. Thanks.

Hi,

is there a plan to make openconnect-gui available for Linux (X)? I am asking because for any Linux user who does not use the "nm-applet" this would be extremely nice. The Mac OsX version lets me hope ;-)

Cheers!
Kalle

says all

While traveling (and using congested hotel Wi-Fi networks) I often fail to setup a DTLS connection to servers overseas. The DTLS handshake will timeout. Meanwhile OpenVPN or other UDP protocols manage to establish successfully. (And once OpenConnect itself does get through properly, it works without issue.)

Is the low handshake timeout a performance consideration? (E.g. if the handshake is slow, UDP is probably not worth using?) I would prefer if the default were a bit higher and the value made configurable.

as my company's internal network uses Cisco Secure Desktop (which is stupid however it's not my position to change it :( ), it would be nice if openconnect-gui can support CSD wrapper functionality, which is supported by the commandline version of openconnect.

After waking up my laptop the log shows that the OpenConnect connection died:

2014-09-09 09:17 DTLS Dead Peer Detection detected dead peer!
2014-09-09 09:17 CSTP Dead Peer Detection detected dead peer!

But it doesn't take any action. (Does not revert to disconnect state, does not re-connect, does not show an error.)

Currently I have to close the log window each time I want to connect/disconnect. This can be a bit tedious when debugging.

To reproduce:

• Create a new server by typing the hostname.
• Click the edit button.
• Enable batch mode and load a CA certificate in the CA field.
• Save and close the Edit window.
• Re-open the edit window.
• You'll now see that the CA certificate is loaded for both CA and User.

This causes OpenConnect to start in certificate mode rather than username/password mode.

In order to build the gui on OSX I'd need the static libs for it. In the package included seem only Windows static libs. Can you please add those for OSX too? Thank you.

To reproduce:

• Have multiple servers in your list
• Select any server, just not the first one
• Click the Edit icon to open the Edit dialog
• Close the Edit dialog with either Save or Cancel
• The main dialog will now suddenly show the first server in the list, not the server you selected

Hello!

Openconnect seems to be able to be installed without any attention using the /S switch for the installer, but an annoying TAP installation window still pops up.

There should be a switch to ommit the TAP installation, or at least also make it silent.

In my setup, I also get TAP from OpenVPN so there is no need to install it again, but an option to install it without any attention would also be great.

Under Mac OS X, run from launchpad, warns about root privilege.

Improvement: request privilege elevation, prompt an authentication dialog, etc.

Possible solution:

1. set SUID on executable, add QApplication::setSetuidAllowed(true); to main.cpp before QApplication a(argc, argv)
2. prompt for user authentication

My preference is the first one.

https://forum.qt.io/topic/50628/how-to-use-qcoreapplication-to-set-root-permission-to-my-app/4

Cisco IOS client have a new app rules. Unfortunately I do not seem to see the relevant configuration in ocserv.I was wondering if I missed what information?

To reproduce:

• Enter a hostname to connect to, e.g. gw1.vpn.com
• Click the Edit icon
• Change the name of the server to Gateway 1
• Leave the gateway of the server to gw1.vpn.com
• Close the Edit window
• Click Connect

The GUI will now try to connect to https://Gateway 1, not to https://gw1.vpn.com

I get this on occasion in the log Window.
Failed to spawn script "vpnc-script-win.js, no more files" after that same script has completed.
I suspect an ERRORLEVEL=1 is being received in the Script and passed back to openconnect-gui .
Can you test if the file exists first?

On Win7 when connecting to VPN all network requests are still being routed thru the local connection instead of the VPN connection.

Checking the routes everything looks ok with the vpn network metric at 2 etc

Anything I can try? Below is a comparison of the Openconnect and Cisco client route setup, the cisco one does work.

Open connect route

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.29 25
0.0.0.0 0.0.0.0 172.27.2.103 172.27.2.102 2
125.236.73.16 255.255.255.255 192.168.1.1 192.168.1.29 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.27.2.102 255.255.255.255 On-link 172.27.2.102 257
192.168.1.0 255.255.255.0 On-link 192.168.1.29 281
192.168.1.29 255.255.255.255 On-link 192.168.1.29 281
192.168.1.255 255.255.255.255 On-link 192.168.1.29 281
192.168.134.0 255.255.255.0 On-link 192.168.134.1 276
192.168.134.1 255.255.255.255 On-link 192.168.134.1 276
192.168.134.255 255.255.255.255 On-link 192.168.134.1 276
192.168.150.0 255.255.255.0 On-link 192.168.150.1 276
192.168.150.1 255.255.255.255 On-link 192.168.150.1 276
192.168.150.255 255.255.255.255 On-link 192.168.150.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 172.27.2.102 257
224.0.0.0 240.0.0.0 On-link 192.168.1.29 281
224.0.0.0 240.0.0.0 On-link 192.168.150.1 276
224.0.0.0 240.0.0.0 On-link 192.168.134.1 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 172.27.2.102 257
255.255.255.255 255.255.255.255 On-link 192.168.1.29 281
255.255.255.255 255.255.255.255 On-link 192.168.150.1 276

255.255.255.255 255.255.255.255 On-link 192.168.134.1 276

Persistent Routes:
Network Address Netmask Gateway Address Metric
#0.0.0.0 0.0.0.0 172.27.2.103 1

When using Cisco client (works)

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.29 25
0.0.0.0 0.0.0.0 172.27.2.101 172.27.2.100 2
125.236.73.16 255.255.255.255 192.168.1.1 192.168.1.29 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.27.2.100 255.255.255.255 On-link 172.27.2.100 257
192.168.1.1 255.255.255.255 On-link 192.168.1.29 26
192.168.1.29 255.255.255.255 On-link 192.168.1.29 281
192.168.134.1 255.255.255.255 On-link 192.168.134.1 276
192.168.150.1 255.255.255.255 On-link 192.168.150.1 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.29 281
224.0.0.0 240.0.0.0 On-link 192.168.150.1 276
224.0.0.0 240.0.0.0 On-link 192.168.134.1 276
224.0.0.0 240.0.0.0 On-link 172.27.2.100 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.29 281
255.255.255.255 255.255.255.255 On-link 192.168.150.1 276
255.255.255.255 255.255.255.255 On-link 192.168.134.1 276

255.255.255.255 255.255.255.255 On-link 172.27.2.100 257

Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.27.2.110 1
#0.0.0.0 0.0.0.0 172.27.2.101 1

Add support for SPLIT_DNS in vpnc-script in systems that allow that.

I think it would be nice if openvpn.exe could be linked statically against libraries so that can build low size binary rather than copying prexompiled dlls from mingw tree

If I run a ocserv server on vmware bridged network, openconnect will add a wrong route table that makes connect fail.
My local ip is 192.168.1.2 and 192.168.1.4(server ip) is bridged to 192.168.1.2.
When openconnect finished auth, It add a wrong route table 192.168.1.4 via gateway 192.168.1.1 and interfaces is 192.168.1.2 and it makes 192.168.1.4 unaccessable!
I think there is no need to add that table.

I ran into this one by first setting the CISCO_SPLIT_INC* environment variables .
When you invoke OpenConnect-gui.exe and connect, it crashes.
David has the fix for this one; it was incorporated into OpenConnect.exe .

In several use-cases it is desirable to disable UDP and simply use a TLS channel.

It is desirable to support the windows CNG store for user certificates, in order to not require the user to export his key. That may require changes to gnutls, and openconnect.

To reproduce:

• Select a server
• Enable batch mode
• Connect to server
• Disconnect from server
• Change user password
• Connect to server again - this will fail with an authentication error

There's also no way to enter the new password in the Edit window. This means the user has to disable batch mode, connect to the server to enter the new password, then re-enable batch mode again.

When connecting vpn it seems the TAPS network adapter is not being setup correctly. The IPV4 settings fail to be applied. Is this an error/bug in the vpnc-script.js?

The vpnc.log snippet below
Interface: "Local Area Connection 3"
executing: route add 125.236.73.16 mask 255.255.255.255 192.168.1.1
OK!
MTU: 1406
executing: netsh interface ipv4 set subinterface "Local Area Connection 3" mtu=1406 store=active
Element not found.
Configuring "Local Area Connection 3" interface for Legacy IP...
executing: netsh interface ip set interface "Local Area Connection 3" metric=1
Element not found.
executing: netsh interface ip set address "Local Area Connection 3" static 172.27.2.123 255.255.255.255 172.27.2.124 1
Element not found.
executing: netsh interface ip add dns "Local Area Connection 3" 172.27.4.240 index=1
The object is already in the list.
executing: netsh interface ip add dns "Local Area Connection 3" 172.27.7.240 index=2
The object is already in the list.

what about a some enhancements in tray icon right click menu like Connect/Disconnect with a list of profiles also it would be great if there is an option to start up minimized to tray / starting up with windows minimized to tray

In editdialog configuration allow the option to replace a default route. This requires some intercommunication with the spawned vpnc script.

Is it possible to make output of the script visible in the log? This would make it easier to help debug issue #5 and future issues like it.

I see this error in the log after connecting:

Could not open C:/Users/Niels/AppData/Local/Temp\vpnc.log

The vpnc.out file is created correctly, but vpnc.log is indeed missing.

After entering a group name, the GUI appears to continue the login, but then suddenly stall. It never fully establishes the connection. (It works fine if I disable the groups feature on the server.)

Letting it sit for a while (10 mins or so), this will pop-up:

0.9 DTLS works:
2015-03-19 09:30 DTLS option X-DTLS-CipherSuite : AES128-SHA
2015-03-19 09:30 DTLS initialised. DPD 30, Keepalive 20
2015-03-19 09:30 Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).

1.0 DTLS breaks, and falls back to standard https:
2015-03-19 09:33 DTLS option X-DTLS-CipherSuite : AES128-SHA
2015-03-19 09:33 DTLS handshake failed: No supported cipher suites have been found.
2015-03-19 09:33 Error setting up DTLS

** By the way - thanks for rolling this awesome windows OC client! **

I'm unsure if split-tunnel support is possible in Windows. I suspect it involves editing the vpnc-script-win.js. It would be nice if there is a gui for each connection so one can specify the ips/subnets to include/exclude from going over the vpn (perhaps this involves having a separate vpnc-script for each connection?). Ideally, if there are only 'include' statements, then only the mentioned subnets will go over the vpn and if there are only 'exclude' statements, then only the mentioned subnets will NOT go over the vpn. The former setup would be ideal for keeping internet/local traffic off the vpn.

These are actually two separate issues:

On Windows 8 the TAP interface is setup correctly. A new default route is also created correctly. A direct route to the VPN gateway however is not. Traffic loops/stops flowing and causes the second error below.

The GUI correctly detects DTLS setup failed and shows a red traffic sign/disconnected state. It forgets however to remove the default route to the VPN and bring down the TAP interface. This leaves the computer unable to access the Internet.

I get following message in my ocserv logs when I disconnect. this type of disconnection forces ocserv to do some cleanup after a while.
worker-vpn.c:986: GnuTLS error (at worker-vpn.c:986): The TLS connection was non-properly terminated.

My normal DNS server is being queried instead of the ones setup by the VPN. Is there any way to tell it to query the ones added by the VPN first? I am using Windows 10 if that matters.

Would be nice if the log window could tail the log so we don't have to scroll down manually.

The meaning of the servers' hostnames are not always clear to the end-user. It would be nice if there was a separate title field. (Which could default to copying the hostname for those who don't need it.)

Hi!. The Up and Down traffic are inverted in the VPN Info tab. I have downloaded a large file but appears in the Up traffic:

This patch (may be) correct this, but I can't test this change. Thanks.

diff --git a/mainwindow.cpp b/mainwindow.cpp
index 9b30b66..b9af4fc 100755
--- a/mainwindow.cpp
+++ b/mainwindow.cpp
@@ -130,8 +130,8 @@ value_to_string(uint64_t bytes)

 void MainWindow::statsChanged(QString tx, QString rx)
 {
-    ui->lcdDown->setText(tx);
-    ui->lcdUp->setText(rx);
+    ui->lcdDown->setText(rx);
+    ui->lcdUp->setText(tx);
 }

 void MainWindow::updateStats(const struct oc_stats *stats)

Please add an option for the app to minimize to task tray IF the vpn is currently connected. So if the vpn is not established and you minimize the app, it will still show up in the taskbar. But if the vpn is connected and it is minimized either manually or automatically (via the 'Minimize on Connect' option), then it does not show up in the task bar but only show as a task tray icon.

On a fresh Windows 7 install, the message "msvcr100.dll is missing from your computer." pops up when starting openconnect-gui.exe.

Fixed it by installing http://www.microsoft.com/en-us/download/details.aspx?id=26999 but maybe the missing dll should be included with openconnect-gui.

It would be nice if the log function could append the cscript output of vpnc-script-win.js to the log Window so we can catch any errors. If would also be nice if the button was labeled.
Thanks

The log is saved in a temporary file within the home directory. If it cannot be opened you'll see a log entry with the reason, please copy paste that here (feel free to re-open the bug if it is still there).

I checked and no such file appears in C:\Program Files (x86)\OpenConnect.
However a file openconnect-gui.XXXXXX in %TEMP% does appear with 0 bytes.

A message is displayed saying vpnc.log not found.
If I pre-allocate the file in %TEMP%, the message goes away, but still no Cscript output.

As windows doesn't offer a keychain it is desirable to use a framework like qtkeychain (https://github.com/frankosterfeld/qtkeychain) to store all configuration data provided by the user.

Per the DEFAULT_VPNC_SCRIPT set by common.h:49 and used in VpnInfo::Connect() vpninfo.cpp:464, the script to be executed is named "vpnc-script-win.js".

However, the script actually installed is named "vpnc-script.js". As a result, the script cannot be found and is not run, making the tunnel useless.

Possible solutions:

1. Modify DEFAULT_VPNC_SCRIPT to point to "vpnc-script.js".
2. Modify the installer to create a file named "vpnc-script-win.js" instead of "vpnc-script.js".
3. Add a required GUI option for the user to pick a script. (This should probably be used with caution, as if the user launches the GUI with UAC bypassed, they could then execute any code of their choosing with administrative privileges.)

As a work-around, renaming the installed script to "vpnc-script-win.js" works.

Even though batch mode is enabled, the last version doesn't seem to remember the password.

I've been unable to reproduce this yet, but the first time I ran 0.8 I noticed this error in the log:

Failed to spawn script 'vpnc-script-win.js' for connect: The specified resource type cannot be found in the image file.

Not a bug, but as the GUI's libraries are almost 30M I thought this might be useful to reduce its size: https://github.com/WPN-XM/qt-mini-deploy

It would be nice if the log function could append the cscript output of vpnc-script-win.js to the log Window so we can catch any errors. If would also be nice if the button was labeled.
Thanks

When a trusted certificate is not specified, and the peer's key ID is trusted, disable the trust of system certificates. That would prevent an explicitly trusted key to be overriden by the system certificates.

When blocked by a firewall like Kaspersky openconnect-gui reports:
DTLS handshake failed: Error in the push function.

That should be enhanced with a user-friendly message to check their firewall settings.

I am using Windows 8.1 and also Win7 and am getting a Error setting DTLS. I have no idea why this would be failing. I can see from fragments of the log below that at the start there was a TLS connection error not sure if this is pertinent to the DTLS error further down the log.

Is anybody able to lead me in the right direction to resolve this issue please? Is there some debug logging I can turn on to get more diagnostic info?

Thanks

2015-06-05 21:34 Failed to read from SSL socket: The TLS connection was non-properly terminated.
2015-06-05 21:34 Error fetching HTTPS response
.....
2015-06-05 21:34 Configuring Legacy IP networks:
2015-06-05 21:34 Route configuration done.
2015-06-05 21:34 Error setting up DTLS