OpenConnect

Last updated
OpenConnect
Original author(s) David Woodhouse
Developer(s) Daniel Lenski, Nikos Mavrogiannopoulos
Initial releaseMarch 18, 2009 (2009-03-18) [1]
Stable release
9.12 / May 20, 2023;16 months ago (2023-05-20) [1]
Repository
Type VPN
License GNU LGPL v2.1 [2]
Website www.infradead.org/openconnect/

OpenConnect is a free and open-source cross-platform multi-protocol virtual private network (VPN) client software which implement secure point-to-point connections.

Contents

The OpenConnect client supports the following VPN protocols:

It was originally written as an open-source replacement for Cisco's proprietary AnyConnect SSL VPN client, [7] which is supported by several Cisco routers.

As of July 2023, support for several other proprietary VPN protocols is desired or in development:

Architecture

The OpenConnect client is written primarily in C, and it contains much of the infrastructure necessary to add additional VPN protocols operating in a similar flow, and to connect to them via a common user interface: [13]

OpenConnect can be built to use either the GnuTLS or OpenSSL libraries for TLS, DTLS and cryptographic primitives.

Platforms

OpenConnect is available on Solaris, Linux, OpenBSD, FreeBSD, MacOS, and has graphical user interface clients for Windows, [14] GNOME, [15] and KDE. [16] A graphical client for OpenConnect is also available for Android devices, [17] and it has been integrated into router firmware packages such as OpenWrt. [18]

OpenConnect VPN graphical client

The OpenConnect project provide clients for Windows [19] and macOS [ citation needed ].

Server

The OpenConnect project also offers an Cisco AnyConnect-compatible server, ocserv, [20] and thus offers a full client-server VPN solution.

OpenConnect and ocserv now implement an extended version of the Cisco AnyConnect VPN protocol, which has been proposed as an Internet Standard. [21] Both OpenConnect and ocserv strive to maintain backwards-compatibility with Cisco AnyConnect servers and clients.

Notable uses

OpenConnect's implementation of the Cisco AnyConnect protocol is sufficiently complete, such that some of Cisco's own IP phone devices embed a very old release of OpenConnect [22] in order to connect to Cisco SSL VPNs. [23] [24]

Related Research Articles

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

<span class="mw-page-title-main">GnuTLS</span> Free software library implementing TLS

GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

FTPS is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer cryptographic protocols.

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.

strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates on smartcards through a PKCS#11 interface and on TPM 2.0.

A VoIP VPN combines voice over IP and virtual private network technologies to offer a method for delivering secure voice. Because VoIP transmits digitized voice as a stream of data, the VoIP VPN solution accomplishes voice encryption quite simply, applying standard data-encryption mechanisms inherently available in the collection of protocols used to implement a VPN.

In computer networking, Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel.

HTTP tunneling is used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs and ACLs, among other restrictions. The tunnel is created by an intermediary called a proxy server which is usually located in a DMZ.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

The Transport Layer Security (TLS) protocol provides the ability to secure communications across or inside networks. This comparison of TLS implementations compares several of the most notable libraries. There are several TLS implementations which are free software and open source.

University of Tsukuba Virtual Private Network, UT-VPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by Daiyuu Nobori and SoftEther Corporation, and is published under the GNU General Public License (GPL) by University of Tsukuba.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

IPOP (IP-Over-P2P) is an open-source user-centric software virtual network allowing end users to define and create their own virtual private networks (VPNs). IPOP virtual networks provide end-to-end tunneling of IP or Ethernet over “TinCan” links setup and managed through a control API to create various software-defined VPN overlays.

References

  1. 1 2 infradead.org - OpenConnect: Changelog.
  2. gitlab.com - OpenConnect: License.
  3. "OpenConnect 7.05 release". lists.infradead.org. 2015-03-10. Retrieved 2023-07-10.
  4. "OpenConnect 8.00 release". lists.infradead.org. 2019-01-04. Archived from the original on 2020-06-09.
  5. "OpenConnect 8.04 release". lists.infradead.org. 2019-08-09. Retrieved 2023-07-10.
  6. "OpenConnect 8.20 release". lists.infradead.org. 2022-02-20. Retrieved 2023-07-10.
  7. ""Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies …"". Infradead.org. Retrieved 2018-08-13.
  8. "Issues - Draft: SonicWall NetExtender support".
  9. "Merge requests - Draft: CheckPoint SNX support". 5 June 2021.
  10. "Merge requests - Draft: Add H3C TLS VPN protocol". 23 July 2022.
  11. "Issues - Add support for Barracuda CloudGen Firewall".
  12. "Issues - Huawei SSL VPN support".
  13. Daniel Lenski (September 17, 2020). "How VPNs Work- The Ins and Outs". DAMA Portland.
  14. "OpenConnect graphical client". GitLab . Retrieved 2023-01-23.
  15. "NetworkManager-openconnect". gnome.org. Retrieved 2020-01-27.
  16. "NetworkManagement". kde.org. Retrieved 2014-10-28.
  17. "Android UI for OpenConnect VPN client". GitLab . Retrieved 2023-01-23.
  18. "VPN Overview". openwrt.org. Retrieved 2018-03-15.
  19. "OpenConnect VPN graphical client". OpenConnect VPN graphical client. Retrieved 2024-10-16.
  20. OpenConnect VPN Server.
  21. N. Mavrogiannopoulos (October 2020). The OpenConnect VPN Protocol Version 1.2. IETF. I-D draft-mavrogiannopoulos-openconnect-03.
  22. "ocserv issues #51".
  23. Nikos Mavrogiannopoulos. "Recipe: VoIP network with ocserv".
  24. "Open Source License Notices for the SPA525G" (PDF). Cisco.