A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authentication method. Inspired by gp-saml-gui.

• Better Linux support
• Support both CLI and GUI
• Support both SSO and non-SSO authentication
• Support the FIDO2 authentication (e.g., YubiKey)
• Support authentication using default browser
• Support client certificate authentication
• Support multiple portals
• Support gateway selection
• Support connect gateway directly
• Support auto-connect on startup
• Support system tray icon

The CLI version is always free and open source in this repo. It has almost the same features as the GUI version.

Usage: gpclient [OPTIONS] <COMMAND>

Commands:
  connect     Connect to a portal server
  disconnect  Disconnect from the server
  launch-gui  Launch the GUI
  help        Print this message or the help of the given subcommand(s)

Options:
      --fix-openssl        Get around the OpenSSL `unsafe legacy renegotiation` error
      --ignore-tls-errors  Ignore the TLS errors
  -h, --help               Print help
  -V, --version            Print version

See 'gpclient help <command>' for more information on a specific command.

To use the external browser for authentication with the CLI version, you need to use the following command:

sudo -E gpclient connect --browser default <portal>

Or you can try the following command if the above command does not work:

gpauth <portal> --browser default 2>/dev/null | sudo gpclient connect <portal> --cookie-on-stdin

You can specify the browser with the --browser <browser> option, e.g., --browser firefox, --browser chrome, etc. Use --browser remote to use a remote browser for authentication, this will give you a URL you can access on a separate computer with a browser to complete authentication. Useful for headless servers.

The GUI version is also available after you installed it. You can launch it from the application menu or run gpclient launch-gui in the terminal.

sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
sudo apt-get install globalprotect-openconnect

Download the latest deb package from releases page. Then install it with apt:

sudo apt install --fix-broken globalprotect-openconnect_*.deb

Install from AUR: globalprotect-openconnect-git

yay -S globalprotect-openconnect-git

Download the latest package from releases page. Then install it with pacman:

sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst

The package is available on COPR for various RPM-based distributions. You can install it with the following commands:

sudo dnf copr enable yuezk/globalprotect-openconnect
sudo dnf install globalprotect-openconnect

The package is also available on OBS for various RPM-based distributions. You can follow the instructions on this page to install it.

Download the latest RPM package from releases page.

sudo rpm -i globalprotect-openconnect-*.rpm

It is available via guru and lamdness overlays.

sudo eselect repository enable guru
sudo emerge -r guru sync
sudo emerge -av net-vpn/GlobalProtect-openconnect

This repo includes a flake for NixOS. You can add the following to your flake.nix:

{
  inputs = {
    # ... other inputs
    globalprotect-openconnect.url = "github:yuezk/GlobalProtect-openconnect";
  };

  outputs = { nixpkgs, ... }@inputs: {
    nixosConfigurations.<your-host> = nixpkgs.lib.nixosSystem {
      specialArgs = { inherit inputs; };
      modules = [
        ./configuration.nix
      ];
    };
  };
}

Then add globalprotect-openconnect to your environment.systemPackages in configuration.nix:

{ config, pkgs, inputs, ... }:

{
  # ... other configurations
  environment.systemPackages = with pkgs; [
    # ... other packages
  ] ++ [
    inputs.globalprotect-openconnect.packages.${pkgs.system}.default
  ];
}

Finally, run sudo nixos-rebuild switch to apply the changes.

• Install openconnect >= 8.20, webkit2gtk, libsecret, libayatana-appindicator or libappindicator-gtk3.
• Download globalprotect-openconnect_${version}_${arch}.bin.tar.xz from releases page.
• Extract the tarball with tar -xJf globalprotect-openconnect_${version}_${arch}.bin.tar.xz.
• Run sudo make install to install the client.

You can build the client from source using either a devcontainer (recommended) or a local setup.

This project includes a devcontainer configuration that provides a consistent build environment with all dependencies pre-installed.

• Docker
• VS Code with Dev Containers extension (optional, for IDE support)

1. Clone the repository:

   git clone https://github.com/yuezk/GlobalProtect-openconnect.git
   cd GlobalProtect-openconnect

2. Build the devcontainer image:

   docker build -t gpoc-devcontainer .devcontainer/

3. Install jq in the container and build the project:

   docker run --privileged --cap-add=NET_ADMIN --device=/dev/net/tun \
     -v "$(pwd)":/workspace -w /workspace --user root gpoc-devcontainer \
     bash -c "apt-get update && apt-get install -y jq"
   
   docker run --privileged --cap-add=NET_ADMIN --device=/dev/net/tun \
     -v "$(pwd)":/workspace -w /workspace gpoc-devcontainer \
     bash -c "export PATH=/usr/local/cargo/bin:\$PATH && make build"

4. The built binaries will be available in target/release/:

   • gpclient - CLI client
   • gpservice - Background service
   • gpauth - Authentication helper
   • gpgui-helper - GUI helper

1. Open the project in VS Code
2. When prompted, click "Reopen in Container" or run the command "Dev Containers: Reopen in Container"
3. Once the container is built and running, open a terminal in VS Code and run:

   make build

• Install Rust 1.85 or later
• Install Tauri dependencies: https://tauri.app/start/prerequisites/
• Install perl and jq
• Install openconnect >= 8.20 and libopenconnect-dev (or openconnect-devel on RPM-based distributions)
• Install pkexec, gnome-keyring (or pam_kwallet on KDE)
• Install nodejs and pnpm (optional only if you downloaded the source tarball from the release page and run with the BUILD_FE=0 flag, see below)

1. Download the source code tarball from releases page. Choose globalprotect-openconnect-${version}.tar.gz.
2. Extract the tarball with tar -xzf globalprotect-openconnect-${version}.tar.gz.
3. Enter the source directory and run make build BUILD_FE=0 to build the client.
4. Run sudo make install to install the client. (Note, DESTDIR is not supported)

After building, you can test the CLI client:

./target/release/gpclient --help

• BUILD_GUI=0 - Disable GUI components (CLI only)
• BUILD_FE=0 - Skip frontend build (use pre-built assets)
• OFFLINE=1 - Build in offline mode using vendored dependencies

1. How to deal with error Secure Storage not ready

   Try upgrade the client to 2.2.0 or later, which will use a file-based storage as a fallback.

   You need to install the gnome-keyring package, and restart the system (See #321, #316).

2. How to deal with error (gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:

   If you encounter this error when using the CLI version, try to run the command with sudo -E (See #316).

The CLI version is always free, while the GUI version is paid. There are two trial modes for the GUI version:

1. 10-day trial: You can use the GUI stable release for 10 days after the installation.
2. 14-day trial: Each beta release has a fresh trial period (at most 14 days) after released.

• crate gpapi: MIT
• crate openconnect: GPL-3.0
• crate common: GPL-3.0
• crate auth: GPL-3.0
• app gpservice: GPL-3.0
• app gpclient: GPL-3.0
• app gpauth: GPL-3.0
• app gpgui-helper: GPL-3.0