Corporate GlobalProtect on GNU/Linux

Hello everyone!

One more post regarding the possibility of using GlobalProtect on GNU/Linux. I have a working VPN configuration on a Microsoft Windows 11 system. Is there a chance to export the configuration somehow to be able to use it on a Linux machine as well?

I’m using EndeavourOS (Arch-based) and I tried the following packages:

eval $( gp-saml-gui --allow-insecure-crypto --no-verify --clientos=Windows -c test1.cer -p  )
Looking for SAML auth tags in response to https://someportal.com/global-protect/prelogin.esp...
usage: gp_saml_gui.py [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT]
                      [--key KEY] [-v | -q] [-x | -P | -S | -E] [-u]
                      [--clientos {Linux,Windows,Mac}] [-f EXTRA]
                      [--allow-insecure-crypto] [--user-agent USER_AGENT]
                      [--no-proxy]
                      server [openconnect_extra ...]
gp_saml_gui.py: error: SSL error (try --allow-insecure-crypto to ignore): [SSL] PEM lib (_ssl.c:3916)someportal.com

Prelogin error: GlobalProtect gateway does not exist

Gateway authentication failed
Unknown response for gateway prelogin interface.

Not sure if this is achievable, but I really need to do my best to try, otherwise I can’t work.

Thanks everyone.

I’m using GlobalProtect on Arch. I use the GlobalProtect-openconnect one, but made sure to use the 1.x branch. The new rewrite of that didn’t work for me because they locked the SAML GUI auth behind a paywall.

https://github.com/yuezk/GlobalProtect-openconnect/tree/1.x

Using this does not require importing any configuration; it will connect to the portal directly and get everything it needs to connect. Our VPN does not use a pre-login, it’s only on demand, so I don’t know if that will make a difference or not.

Easier to just have a Windows Guest VM and run GP on that. You can then tunnel connections through the Windows guest to a Linux jump box at the office.

A lot of configs require a device or user cert on the device. If OP needs that, it’s not as simple as just connecting, as they will be missing the relevant certs (and probably the root CA cert too).
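Added example (not part of the thread, and not code from gp-saml-gui or GlobalProtect-openconnect): a standard-library check of what a client-certificate file, such as the test1.cer passed to -c in the first post, actually contains. Python's ssl module loads a client certificate only as PEM together with its private key, and a failure at that step can surface as the "[SSL] PEM lib" error; the function names and sample byte strings are constructed for illustration, and the DER/PKCS#12 detection is a framing heuristic, not a full parser.

```python
import re

# Matches PEM armor such as "-----BEGIN CERTIFICATE-----".
PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_content(data: bytes) -> bytes:
    """Return the bytes inside the outer DER SEQUENCE, or b'' if not DER."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    if data[1] < 0x80:                      # short-form length
        return data[2:]
    return data[2 + (data[1] & 0x7F):]      # long-form: skip the length bytes


def inspect_client_cert(data: bytes) -> dict:
    """Classify a file meant for a TLS client-certificate option."""
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:
        result = {"encoding": "PEM",
                  "has_cert": "CERTIFICATE" in labels,
                  "has_key": any(l.endswith("PRIVATE KEY") for l in labels)}
    else:
        inner = der_content(data)
        if inner[:3] == b"\x02\x01\x03":    # INTEGER 3 = PKCS#12 (PFX) version
            # Contents are not visible without parsing/decrypting the bundle.
            result = {"encoding": "PKCS#12", "has_cert": None, "has_key": None}
        elif inner[:1] == b"\x30":          # nested SEQUENCE = tbsCertificate
            result = {"encoding": "DER", "has_cert": True, "has_key": False}
        else:
            result = {"encoding": "unknown", "has_cert": False, "has_key": False}
    # ssl.SSLContext.load_cert_chain() accepts only PEM and needs the private
    # key, either in the same file or in a separate key file.
    result["usable_alone"] = bool(result["encoding"] == "PEM"
                                  and result["has_cert"] and result["has_key"])
    return result


# Constructed samples (not real certificates): only the framing matters here.
DER_CER = bytes.fromhex("3082010a308201") + b"\x00" * 8
PFX = bytes.fromhex("3082010a020103") + b"\x00" * 8
PEM_CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
PEM_WITH_KEY = (PEM_CERT_ONLY +
                b"-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in [("der.cer", DER_CER), ("bundle.pfx", PFX),
                       ("cert.pem", PEM_CERT_ONLY), ("cert+key.pem", PEM_WITH_KEY)]:
        print(name, inspect_client_cert(blob))
```

A file reported as DER or as PEM without a key carries only the public certificate; the private key has to come from a separate file (the --key option in the usage text above) or from a PKCS#12 export converted to PEM.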

Silly question. Where should I download this client? Is it true that I need to have some kind of GlobalProtect account or license to use it?