A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authentication method. Inspired by gp-saml-gui.
- Better Linux support
- Support both CLI and GUI
- Support both SSO and non-SSO authentication
- Support the FIDO2 authentication (e.g., YubiKey)
- Support authentication using default browser
- Support client certificate authentication
- Support multiple portals
- Support gateway selection
- Support connect gateway directly
- Support auto-connect on startup
- Support system tray icon
The CLI version is always free and open source in this repo. It has almost the same features as the GUI version.
Usage: gpclient [OPTIONS] <COMMAND>
Commands:
connect Connect to a portal server
disconnect Disconnect from the server
launch-gui Launch the GUI
help Print this message or the help of the given subcommand(s)
Options:
--fix-openssl Get around the OpenSSL `unsafe legacy renegotiation` error
--ignore-tls-errors Ignore the TLS errors
-h, --help Print help
-V, --version Print version
See 'gpclient help <command>' for more information on a specific command.
To use the external browser for authentication with the CLI version, you need to use the following command:
sudo -E gpclient connect --browser default <portal>
Or you can try the following command if the above command does not work:
gpauth <portal> --browser default 2>/dev/null | sudo gpclient connect <portal> --cookie-on-stdin
You can specify the browser with the --browser <browser>
option, e.g., --browser firefox
, --browser chrome
, etc.
The GUI version is also available after you installed it. You can launch it from the application menu or run gpclient launch-gui
in the terminal.
Note
The GUI version is partially open source. Its background service is open sourced in this repo as gpservice. The GUI part is a wrapper of the background service, which is not open sourced.
sudo apt-get install gir1.2-gtk-3.0 gir1.2-webkit2-4.0
sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
sudo apt-get update
sudo apt-get install globalprotect-openconnect
Note
For Linux Mint, you might need to import the GPG key with: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761
if you encountered an error gpg: keyserver receive failed: General error
.
The libwebkit2gtk-4.0-37
package was removed from its repo. You can use the deb-install.sh
script to install the package:
curl -o- https://raw.githubusercontent.com/yuezk/GlobalProtect-openconnect/main/scripts/deb-install.sh \
| bash -s -- 2.3.9
The latest package is not available in the PPA either, but you still needs to add the ppa:yuezk/globalprotect-openconnect
repo beforehand to use the required openconnect
package. Then you can follow the Install from deb package section to install the latest package.
Download the latest deb package from releases page. Then install it with apt
:
sudo apt install --fix-broken globalprotect-openconnect_*.deb
Install from AUR: globalprotect-openconnect-git
yay -S globalprotect-openconnect-git
Download the latest package from releases page. Then install it with pacman
:
sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst
The package is available on COPR for various RPM-based distributions. You can install it with the following commands:
sudo dnf copr enable yuezk/globalprotect-openconnect
sudo dnf install globalprotect-openconnect
The package is also available on OBS for various RPM-based distributions. You can follow the instructions on this page to install it.
Download the latest RPM package from releases page.
sudo rpm -i globalprotect-openconnect-*.rpm
Install from the rios
or slonko
overlays. Example using rios:
sudo eselect repository enable rios
- If you have eix installed, use it:
sudo eix-sync
- Otherwise, use:
sudo emerge --sync
sudo emerge globalprotect-openconnect
- Install
openconnect >= 8.20
,webkit2gtk
,libsecret
,libayatana-appindicator
orlibappindicator-gtk3
. - Download
globalprotect-openconnect_${version}_${arch}.bin.tar.xz
from releases page. - Extract the tarball with
tar -xJf globalprotect-openconnect_${version}_${arch}.bin.tar.xz
. - Run
sudo make install
to install the client.
You can also build the client from source, steps are as follows:
- Install Rust 1.75 or later
- Install Tauri dependencies: https://tauri.app/v1/guides/getting-started/prerequisites/#setting-up-linux
- Install
perl
andjq
- Install
openconnect >= 8.20
andlibopenconnect-dev
(oropenconnect-devel
on RPM-based distributions) - Install
pkexec
,gnome-keyring
(orpam_kwallet
on KDE) - Install
nodejs
andpnpm
(optional only if you downloaded the source tarball from the release page and run with theBUILD_FE=0
flag, see below)
- Download the source code tarball from releases page. Choose
globalprotect-openconnect-${version}.tar.gz
. - Extract the tarball with
tar -xzf globalprotect-openconnect-${version}.tar.gz
. - Enter the source directory and run
make build BUILD_FE=0
to build the client. - Run
sudo make install
to install the client. (Note,DESTDIR
is not supported)
-
How to deal with error
Secure Storage not ready
Try upgrade the client to
2.2.0
or later, which will use a file-based storage as a fallback.You need to install the
gnome-keyring
package, and restart the system (See #321, #316). -
How to deal with error
(gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:
If you encounter this error when using the CLI version, try to run the command with
sudo -E
(See #316).
The CLI version is always free, while the GUI version is paid. There are two trial modes for the GUI version:
- 10-day trial: You can use the GUI stable release for 10 days after the installation.
- 14-day trial: Each beta release has a fresh trial period (at most 14 days) after released.