What is OpenConnect?

OpenConnect is an open source software application for connecting to virtual private networks (VPNs) that implement secure point-to-point connections.

It was originally written as an open source replacement for Cisco's proprietary AnyConnect SSL VPN client, which is supported by several Cisco routers. As of 2013, the OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus offers a complete VPN client-server solution.

The OpenConnect client added support for Juniper Networks' SSL VPN in version 7.05. Support for Palo Alto Networks' GlobalProtect VPN was then developed in a fork and included in the 8.00 release.

Protocols

Cisco AnyConnect VPNs use TLS for authentication and routing configuration, then DTLS for efficient encryption and transmission of the tunneled VPN traffic; they can fall back to TLS-based transport where firewalls block UDP traffic. The DTLS protocol used by Cisco AnyConnect servers was based on a non-standard preliminary draft of DTLS 1.0 until support for the DTLS 1.2 standard was added in 2018.

OpenConnect and ocserv implement an extended version of the AnyConnect VPN protocol (which was proposed as an Internet standard) as an open source project not affiliated with Cisco. Both OpenConnect and ocserv strive to maintain full backwards compatibility with Cisco AnyConnect servers and clients.

The OpenConnect client also implements the Juniper and GlobalProtect VPN protocols. They have a very similar structure to the AnyConnect protocol: they authenticate and configure routing over TLS, but use ESP (instead of DTLS) for efficient, encrypted transport of tunnel traffic, and they too can fall back to TLS-based transport.

Architecture

The OpenConnect client is written primarily in C and contains much of the infrastructure needed to add further VPN protocols that follow a similar flow, and to connect to them through a common user interface:

  • Initial connection to the VPN server via TLS
  • Authentication phase via HTTPS (using HTML forms, client certificates, XML, etc.)
  • Server-provided routing configuration in a standard format that can be processed by vpnc-script
  • Data transfer phase over a UDP-based tunnel (DTLS or ESP) with fallback to a TLS-based tunnel
    • Built-in event loop to handle Dead Peer Detection, keepalive, key changes, etc.
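
The routing configuration step above is where a compromised or misconfigured VPN server can redirect client traffic it should not see. As an added example (not code from the OpenConnect project), this Python check reads the split-include routes that OpenConnect exports to vpnc-script as CISCO_SPLIT_INC_<i>_ADDR / CISCO_SPLIT_INC_<i>_MASKLEN environment variables and flags pushed routes that claim the default route or overlap protected or local networks; the protected-network policy, the function names and the sample environment are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Sequence

# Networks a VPN server should never be allowed to claim a route for on the
# client. This policy is an assumption of the example, not OpenConnect's own.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]

def split_include_routes(env: Dict[str, str]) -> list:
    """Parse the CISCO_SPLIT_INC_<i>_ADDR/MASKLEN variables OpenConnect exports."""
    count = int(env.get("CISCO_SPLIT_INC", "0"))
    routes = []
    for i in range(count):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        masklen = env[f"CISCO_SPLIT_INC_{i}_MASKLEN"]
        routes.append(ipaddress.ip_network(f"{addr}/{masklen}", strict=False))
    return routes

def check_pushed_routes(env: Dict[str, str], local_nets: Sequence[str] = ()) -> List[str]:
    """Return findings for pushed routes that would divert traffic the VPN should not carry."""
    # vpnc-script is also invoked with reason=pre-init, reconnect and disconnect;
    # only the connect phase carries the server-provided routing data.
    if env.get("reason") != "connect":
        return []
    findings = []
    routes = split_include_routes(env)
    if not routes:
        # Without a split-include list vpnc-script installs a default route,
        # so the server receives all of the client's traffic (full tunnel).
        findings.append("no split-include list: server claims the default route")
    protected = PROTECTED_NETS + [ipaddress.ip_network(n) for n in local_nets]
    for route in routes:
        if route.prefixlen == 0:
            findings.append(f"{route}: default route hidden inside split-include list")
        for net in protected:
            if route.overlaps(net):
                findings.append(f"{route}: overlaps protected or local network {net}")
    return findings

if __name__ == "__main__":
    # Constructed sample of the environment OpenConnect would pass to vpnc-script.
    sample_env = {
        "reason": "connect", "TUNDEV": "tun0", "INTERNAL_IP4_ADDRESS": "10.10.0.5",
        "CISCO_SPLIT_INC": "2",
        "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0", "CISCO_SPLIT_INC_0_MASKLEN": "8",
        "CISCO_SPLIT_INC_1_ADDR": "192.168.1.0", "CISCO_SPLIT_INC_1_MASKLEN": "24",
    }
    for line in check_pushed_routes(sample_env, local_nets=["192.168.1.0/24"]):
        print(line)
```

Running the script as a replacement vpnc-script (or calling it from one) lets the client refuse or log route pushes that would capture local-subnet traffic, which is the detection point a defender cares about here.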

Platforms

OpenConnect is available on Solaris, Linux, OpenBSD, FreeBSD and macOS, and has GUI clients for Windows, GNOME and KDE. A graphical client for OpenConnect is also available for Android devices, and it is integrated into router firmware packages such as OpenWrt.
