
2FA RSA code support #14

Open
AntouanK opened this issue Jul 9, 2018 · 36 comments
Comments

@AntouanK

AntouanK commented Jul 9, 2018

Btw, I made an Ubuntu VM, and tried the script from there.
I get no errors, but my login is denied.
Could it be that it doesn't ask for the RSA code (the 2FA part)?

From the same vm, using the f5vpn "app", I can get connected.

@MatthiasLohr
Owner

I didn't even know that there's 2FA support in F5. What does it look like? Can you post some screen logs asking for a 2FA code?

@AntouanK
Author

AntouanK commented Jul 10, 2018

[screenshot: screenshot_2018-07-10_07-59-48]

There's a small app it makes you download. There's a .deb for Ubuntu, and an .rpm for Fedora. Nothing for Arch :(

@MatthiasLohr
Owner

What about testing it in a virtual machine? And then please try to connect via the command line. Since this tool only uses the command line, we have to find a way of passing the RSA code via the command line if we want to support that here.

MatthiasLohr changed the title from "Login denied" to "2FA RSA code support" on Jul 10, 2018
@AntouanK
Author

I did make an Ubuntu VM, and used that "app" it makes you download (an app made with Qt).
It connects fine, but it's all through a simple GUI.
Not sure if I'll see anything by running it via a terminal.
I'll try it though.

@AntouanK
Author

Also, it had to be 17.10, because with the latest Ubuntu it wouldn't work. Seems like it needed an old OpenSSL library version or something.

@AntouanK
Author

AntouanK commented Jul 13, 2018

@MatthiasLohr what happens is, once you login with that form on that website, a "vpn" link appears.
When you click it, it asks you what application to open it with, and the default is the f5vpn one.
Now I think that link sends some token to the application, so it runs it with that as an argument.
I'll try to post a screenshot later today.

@MatthiasLohr
Owner

You installed the F5 VPN on your system, right? Try to find a binary called f5fpc on your computer. If you find it, please execute f5fpc -s -x -t <your vpn server> and post a screendump here. Since this tool uses the CLI for connecting to the server, I can't work with any magic links.

@AntouanK
Author

The only way I made it work is in an Ubuntu vm.
Yes, it makes you download a .deb file, and I can find the binary in /opt/f5/vpn/f5vpn.
But I never run this directly. I click the link in the page, and it launches that binary.
That's what I mean, I have to find a way to see what arguments it passes when it launches it.

@MatthiasLohr
Owner

It does not matter what you do for a "normal" connection. If you want to have support for 2FA tokens here in this project, we have to work out the CLI thing. Maybe this link can help, but the more important thing is that you look at how the CLI tool reacts to the server's 2FA request.

@AntouanK
Author

I'm just trying to explain how I use it in the company I work for.
Since they accept the 2fa token in the website, that's all I can say.

On what you asked earlier, if I run /opt/f5/vpn/f5vpn -s -x -t connect.moneycorp.com it does nothing.

@AntouanK
Author

Oh, I saw you wrote f5fpc. I'll try to find that one.

@MatthiasLohr
Owner

Did you try with sudo? What's the return value (echo $? after the command ended; would be interesting anyway)?

@AntouanK
Author

Cannot find that file anywhere.
Here's what I see in that /opt/f5/vpn directory:

$ tree /opt/f5/vpn/
/opt/f5/vpn/
├── com.f5.f5vpn.desktop
├── com.f5.f5vpn.service
├── f5vpn
├── lib
│   ├── libcrypto.so.1.0.0
│   └── libssl.so.1.0.0
├── logos
│   ├── 1024x1024.png
│   ├── 128x128.png
│   ├── 16x16.png
│   ├── 24x24.png
│   ├── 256x256.png
│   ├── 32x32.png
│   ├── 48x48.png
│   ├── 512x512.png
│   ├── 64x64.png
│   └── 96x96.png
├── platforms
├── svpn
├── tunnelserver
└── xdg-scripts
    ├── xdg-desktop-menu
    ├── xdg-icon-resource
    └── xdg-mime

4 directories, 20 files

@AntouanK
Author

AntouanK commented Jul 13, 2018

With sudo:

$ sudo /opt/f5/vpn/f5vpn -s -x -t connect.moneycorp.com
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
$ echo $?
1

@MatthiasLohr
Owner

Please try to use the docker container:

docker run -it matthiaslohr/f5fpc /usr/local/bin/f5fpc -s -x -t <your vpn host>

@AntouanK
Author

The container prints this log, and exits.

antouank at blade15-vm in ~ 
$ dpsf                                                                                 
IMAGE                STATUS                       NAMES               PORTS
matthiaslohr/f5fpc   Exited (95) 13 seconds ago   trusting_poincare   

antouank at blade15-vm in ~ 
$ docker logs trusting_poincare 
Enter username: AntonisK
Enter password: 
Operation in progress


Please check back the status with /usr/local/bin/f5fpc --info

@JensTimmerman

JensTimmerman commented Sep 6, 2018

I'm also trying to get 2FA to work, but I'm afraid it's just not supported in the CLI.
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-12-0-0/5.html states:
On the CLI for Linux, APM supports logon with user name and password only and does not support any endpoint security features.

But for completeness' sake:

sudo ./f5fpc_x86_64 --start --host vpn.example.com  --user "user" --password "password" --nocheck 
Operation in progress


Please check back the status with ./f5fpc_x86_64 --info

 sudo ./f5fpc_x86_64 --info  
Connection Status: logon in progress
Favorites Information:
______________________
fav-Id   fav-Type  fav-Status       fav-Name


  sudo ./f5fpc_x86_64 --info 
Connection Status: logon failed

The above command does send me an sms with a code that I can use in the web interface to log in, but the login fails before I can do anything with it.
Trying the connection again with only the code, or with passwordcode or password+code also doesn't work.

@hablijack

Same here ... I'm on an Ubuntu laptop and want to connect to our company F5 VPN. We are using a 2FA VASCO token which I can enter via the web form, but via the CLI (f5fpc) it does not ask for a token; only username and password are requested. Is it possible to add a switch in the CLI tool to ask for a 2FA?

@MatthiasLohr
Owner

@hablijack, as @JensTimmerman posted previously: it seems not to be supported by the f5fpc client (they say "only username and password". But why do they have at least an option for client certificates?).

Since my company also does not use it (yet), I can't develop/test anything in this direction. Maybe someone is willing to contribute to this project.

@flomsk

flomsk commented Apr 23, 2019

+1 if there will be any solution for 2fa

@zrhoffman

The session ID is all you should need for authentication, which you can get from visiting a VPN server in your web browser and logging in. Since that would be trivial to support and f5fpc marks its --sessionid option as "not implemented", I would assume that F5 is not interested in letting you do that, and you would need to look elsewhere for 2FA support. AFAIK, there are 2 separate options for 2FA users on Linux.

The first option is, as @AntouanK mentions, the f5vpn GUI client, and it is in the Arch User Repository. In order for it to work with up-to-date systems, the AUR package does 2 crucial things:

  1. Since the original RPM or DEB relies on the system using an old QT version but also supplies its own QT plugins that f5vpn expects to load at that exact absolute path, the PKGBUILD replaces those old plugins with symlinks to the up-to-date QT plugins installed on the system.

  2. The f5vpn GUI program runs as an unprivileged user, but the actual connection and traffic is handled by svpn, which must be run as root. So, the PKGBUILD adds a set-user-ID bit for svpn so that it runs as root. The original RPM and DEB packages do this, but when those packages are extracted rather than being installed directly, that set-user-ID bit is lost.

The second option, a CLI-only one, is the f5vpn-login Python script, originally written by James Y Knight and extended by others. It makes use of the /myvpn endpoint to connect to BIG-IP APM using the FOSS ppp package. My fork has a few updates that were necessary to support directly passing it the session ID instead of trying to log in and acquire the session ID.

@jocado

jocado commented Mar 20, 2020

Some extra info. It is possible to run the non-cli version of the client that supports 2fa in a docker container. I have done that as an experiment. All that's remaining is to automate the auth to generate the token to pass into the docker container. I will do that when I get some time to play.

So it is possible to use the same kind of set-up, with the other non-cli client.

@MatthiasLohr
Owner

Oh, nice! Can you tell me how to put it in a Docker container? Then I can help with automatization.

@zrhoffman

zrhoffman commented May 4, 2020

An update on CLI-only 2FA support: I adapted the aforementioned 2FA-supporting f5vpn-login fork to use F5's svpn instead of pppd. Now, data transfer takes place over F5's FastPPP protocol instead of PPP's standard HDLC framing, which is a >20x speed improvement.

Project is zrhoffman/svpn-login. It runs on Linux and Mac but should be able to run in Docker too.

Update: Python 3 compatibility improved from >= 3.7 to >=3.6.

@ahmadnbl

ahmadnbl commented Dec 2, 2020

I think for the 2FA one, we can see the implementation example of this https://github.com/zrhoffman/svpn-login or this https://github.com/zrhoffman/f5vpn-login, although this is not using official f5 client. Tested on my machine and it works.

@MatthiasLohr
Owner

Wow, this is actually quite neat.

This raises the question if we still would need to add the support in this project. This project was intended to get around the forced default route using the VPN connection, and since both scripts of @zrhoffman provide the capability to disable (auto) route creation, it looks like he overtook the pole position for this kind of problem ;) So, what to do with this ticket / this project in general? Any opinions? Do you still require Docker support?

@zrhoffman

zrhoffman commented Dec 3, 2020

If you're interested in a FOSS-only project that does not use auto route creation from the VPN server's LAN0 and LAN6_0 parameters, supports 2FA, and is fast (unlike f5vpn-login), check out kayrus/gof5; it works great. Maybe @kayrus can provide some insight on any use cases that gof5 does/does not cover.

Update: gof5 supports automatic route creation as of kayrus/gof5@ec83441bf2

@jocado

jocado commented Dec 3, 2020

Both of those projects look interesting.

I haven't dug into it, but I assume that the gof5 project does not implement FastPPP, and that could be a sticking point for some people.

@kayrus

kayrus commented Dec 3, 2020

@jocado FastPPP in gof5 was implemented from the beginning. If you're using a pppd (or ppp from FreeBSD) binary as the driver, then HDLC is used.
gof5 doesn't cover DTLS or automatic route handling; the end user must specify the routes in a config file.

@jocado

jocado commented Dec 3, 2020

Ah, ok. Thanks for the info 👍

But, in that case I guess DTLS will be a sticking point. I know from personal experience that it can be quite beneficial, especially with poor internet connections.

Automatic routes is unlikely to be an issue for most people, some people will even prefer that :)

@kayrus

kayrus commented Dec 3, 2020

@jocado in my case the F5 server pushes a list of ExcludeSubnets0. So I need to calculate an inverse list of subnets to set as routes. I started to develop a Go module; currently it supports an inverse subnet calculation for one CIDR, which is not enough: https://github.com/kayrus/go-inverse

As for the DTLS, F5 servers I work with don't support it, so I cannot test.
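The inverse-subnet calculation described in the comment above, as an added example that is not code from go-inverse or gof5: given the prefix the tunnel should cover and a pushed exclusion list, split the prefix recursively until every piece is either fully excluded or untouched, and keep the untouched pieces. It generalizes from one CIDR to any number of excluded prefixes (IPv4 or IPv6). The 0.0.0.0/0 universe and the ExcludeSubnets0 values in main are constructed for the example, not taken from a real server.

```go
package main

import (
	"fmt"
	"net"
)

// halves splits an aligned CIDR block into its two child prefixes.
func halves(n *net.IPNet) (*net.IPNet, *net.IPNet) {
	ones, bits := n.Mask.Size()
	childMask := net.CIDRMask(ones+1, bits)
	lo := make(net.IP, len(n.IP))
	copy(lo, n.IP)
	hi := make(net.IP, len(n.IP))
	copy(hi, n.IP)
	hi[ones/8] |= 1 << (7 - uint(ones%8)) // set the first host bit of the parent
	return &net.IPNet{IP: lo, Mask: childMask}, &net.IPNet{IP: hi, Mask: childMask}
}

// Exclude returns the minimal set of aligned prefixes covering block minus
// every prefix in excludes. Excluded prefixes that do not touch block are
// ignored, as are prefixes of the other address family.
func Exclude(block *net.IPNet, excludes []*net.IPNet) []*net.IPNet {
	blockOnes, blockBits := block.Mask.Size()
	split := false
	for _, ex := range excludes {
		exOnes, _ := ex.Mask.Size()
		// An excluded prefix at least as wide as block that contains block's
		// network address contains all of block: nothing survives.
		if ex.Contains(block.IP) && exOnes <= blockOnes {
			return nil
		}
		// A narrower excluded prefix inside block forces a split.
		if block.Contains(ex.IP) {
			split = true
		}
	}
	if !split || blockOnes == blockBits {
		return []*net.IPNet{block}
	}
	lo, hi := halves(block)
	return append(Exclude(lo, excludes), Exclude(hi, excludes)...)
}

// Routes parses the universe and the pushed exclusion list and returns the
// complement as CIDR strings in ascending order.
func Routes(universe string, excludes []string) ([]string, error) {
	_, block, err := net.ParseCIDR(universe)
	if err != nil {
		return nil, err
	}
	if v4 := block.IP.To4(); v4 != nil {
		block.IP = v4 // keep IPv4 in 4-byte form so halves() indexes correctly
	}
	var exs []*net.IPNet
	for _, s := range excludes {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("bad exclude %q: %w", s, err)
		}
		exs = append(exs, n)
	}
	var out []string
	for _, n := range Exclude(block, exs) {
		out = append(out, n.String())
	}
	return out, nil
}

func main() {
	// Constructed stand-in for an ExcludeSubnets0 list; not from a real server.
	excluded := []string{"10.0.0.0/8", "192.168.0.0/16"}
	routes, err := Routes("0.0.0.0/0", excluded)
	if err != nil {
		panic(err)
	}
	for _, r := range routes {
		fmt.Println("route", r)
	}
}
```

Because the output is the minimal aligned cover of the complement, a single excluded /8 inside 0.0.0.0/0 turns into eight routes, and each further excluded block adds at most a few more. Whatever installs these routes should still compare them against the ranges the client is expected to reach, since the pushed exclusion list decides which traffic leaves the tunnel unprotected.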

@kayrus

kayrus commented Jan 15, 2021

@jocado recent gof5 supports automatic routes, pushed from F5. Can you give me access to an F5 VPN server which supports DTLS? I can implement it in the next version.

@jocado

jocado commented Jan 16, 2021

@kayrus Unfortunately I'm not able to. I may be able to collaborate on it with you, and do the testing on my side, although my golang experience is pretty limited. Would you like to try that approach?

@jocado

jocado commented Jan 19, 2021

Hey.

Sorry to hijack the thread, but if anyone has a gateway that supports DTLS1.2 and is willing to help test DTLS support in the above-mentioned gof5 agent, please add a comment here: kayrus/gof5#24

Thanks !

@zrhoffman

As of v8.20 (2022-02-20), OpenConnect supports F5. After getting the session ID from the MRHSession cookie, you can connect to a 2FA-enforced server:

echo MRHSession=0123456789abcdef0123456789abcdef | sudo openconnect --protocol=f5 --cookie-on-stdin SERVERNAME
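The two zrhoffman comments above (the session ID being all that is needed, and the openconnect --cookie-on-stdin invocation) describe the same handoff. As an added example in Go (not openconnect's code and not this project's), here is the client side of it: pull MRHSession out of the Set-Cookie headers of the response that completed the browser logon, sanity-check it, and hand it to openconnect on stdin so the value never appears in the process list or shell history. The hex-format check, the server name vpn.example.com and the Set-Cookie headers in main are assumptions/constructed, not from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// sessionIDRe is a loose sanity check (assumption): the IDs seen in this
// thread are hex strings, 32 characters long in the openconnect example.
var sessionIDRe = regexp.MustCompile(`^[0-9a-fA-F]{8,64}$`)

// ExtractMRHSession pulls the MRHSession value out of the Set-Cookie headers
// of the response that completed the browser-based (2FA) logon.
func ExtractMRHSession(setCookie []string) (string, error) {
	resp := &http.Response{Header: http.Header{"Set-Cookie": setCookie}}
	for _, c := range resp.Cookies() {
		if c.Name != "MRHSession" {
			continue
		}
		if !sessionIDRe.MatchString(c.Value) {
			return "", fmt.Errorf("MRHSession has unexpected format: %s", Redact(c.Value))
		}
		return c.Value, nil
	}
	return "", errors.New("no MRHSession cookie in response")
}

// Redact shortens a session ID for log messages; the full value is a bearer
// credential equivalent to the completed 2FA logon for as long as it lives.
func Redact(id string) string {
	if len(id) <= 4 {
		return "****"
	}
	return id[:4] + strings.Repeat("*", len(id)-4)
}

// OpenConnectCommand builds the invocation quoted in the thread. The cookie is
// written to stdin (--cookie-on-stdin) rather than placed in argv, so other
// users on the host cannot read it from `ps` and it stays out of history.
func OpenConnectCommand(server, sessionID string) *exec.Cmd {
	cmd := exec.Command("sudo", "openconnect", "--protocol=f5", "--cookie-on-stdin", server)
	cmd.Stdin = strings.NewReader("MRHSession=" + sessionID + "\n")
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	return cmd
}

func main() {
	// Constructed Set-Cookie headers standing in for the real logon response.
	headers := []string{
		"Other=abc; Path=/; Secure",
		"MRHSession=0123456789abcdef0123456789abcdef; Path=/; Secure; HttpOnly",
	}
	id, err := ExtractMRHSession(headers)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cmd := OpenConnectCommand("vpn.example.com", id)
	fmt.Printf("session %s -> %s\n", Redact(id), strings.Join(cmd.Args, " "))
	// cmd.Run() would start the tunnel; it is deliberately not called here.
}
```

Treat the extracted value like a password: log it only through Redact, and do not fall back to passing it as a --cookie=... argument, which would expose it to every local user for the lifetime of the process.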

@frizzorossi

Hi!
I'm trying to set up a VPN connection to an F5 which uses 2FA auth, and this thread was really helpful (and the only one I found so far).
I tried all the mentioned clients but all seem to rely on a GET /vdesk/vpn/index.php3?outform=xml that should contain a list of VPN profiles (?). In my case the response is:

<favorites type="VPN" limited="YES"> </favorites>

so all the clients fail to get VPN params.
Is there a way to manually pass VPN params and any idea where to find them?

I was able to grab the logs from the F5 macOS client (which connects successfully to the same VPN) and it seems it makes these requests:

2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  Location: /Applications/F5 VPN.app/Contents/MacOS/F5 VPN
2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  Version: 7220.2022.0308.1
2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  Locale: C
2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  Qt version: 5.5.1
2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  =====================================
2022-09-02,11:44:28:445, 1301,2420704,, 0,,,,  
2022-09-02,11:44:28:445, 1301,2420704,, 48,,,, current log level = 63
2022-09-02,11:44:28:451, 1301,2420704,, 48, /Helpers.h, 117, void f5::qt::setupLogs(const std::string &, const std::string &), QT - OpenSSL supported: true. Lib in use: OpenSSL 1.0.2za  24 Aug 2021. Build: OpenSSL 1.0.2za  24 Aug 2021
2022-09-02,11:44:28:451, 1301,2420704,, 48, /Helpers.h, 118, void f5::qt::setupLogs(const std::string &, const std::string &), F5 - OpenSSL build version: OpenSSL 1.0.2za  24 Aug 2021
2022-09-02,11:44:28:730, 1301,2420704,, 48, /SessionManager.cpp, 198, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl &), otc is non empty, 19a1d55b
2022-09-02,11:44:28:951, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/vdesk/get_sessid_for_token.php3
2022-09-02,11:44:29:529, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:29:530, 1301,2420704,, 48, /SessionManager.cpp, 78, bool f5::qt::retrieveSidFromOtc(const QUrl &, const CString &, CString &), session id(a3d04b0b) for otc(19a1d55b)
2022-09-02,11:44:29:530, 1301,2420704,, 48, /SessionManager.cpp, 200, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl &), exchanged session id is, a3d04b0b
2022-09-02,11:44:29:531, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/my.report.na
2022-09-02,11:44:30:243, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:30:245, 1301,2420704,, 48, /Session.cpp, 118, void f5::qt::Session::ProfileDownload(), Profile download starting, https://<hostname>/pre/config.php?version=2.0
2022-09-02,11:44:30:247, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/pre/config.php?version=2.0
2022-09-02,11:44:30:247, 1301,2420704,, 48, /SessionManager.cpp, 268, bool f5::qt::SessionManager::CreateAndLaunchSessionInternal(const QUrl &), ----Session a3d04b0b starts----
2022-09-02,11:44:30:954, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:30:956, 1301,2420704,, 48, /UnixAutoUpdater.cpp, 185, bool f5::qt::UnixAutoUpdater<f5::qt::MacPackage>::ShouldUpdateSelf() [T = f5::qt::MacPackage], Version: our,their,min, 7220.2022.308.1, 7220.2022.308.1,
2022-09-02,11:44:30:956, 1301,2420704,, 48, /UnixAutoUpdater.cpp, 188, bool f5::qt::UnixAutoUpdater<f5::qt::MacPackage>::ShouldUpdateSelf() [T = f5::qt::MacPackage], Application is up-to-date
2022-09-02,11:44:30:956, 1301,2420704,, 48, /Session.cpp, 73, void f5::qt::Session::AutoUpdateSuccess(), Application is up-to-date
2022-09-02,11:44:31:476, 1301,2420704,, 48, /MainWindow.cpp, 57, f5::qt::MainWindow::MainWindow(QWidget *, Qt::WindowFlags), Notification-area instantiated
2022-09-02,11:44:33:020, 1301,2420704,, 48, /BrowserController.cpp, 432, void f5::qt::BrowserController::onPageLoaded(bool), Successfilly loaded page https://<hostname>/vdesk/resource_template
2022-09-02,11:44:33:021, 1301,2420704,, 48, /BrowserController.cpp, 423, void f5::qt::BrowserController::downloadNAConfig(), Downloading NA config: https://<hostname>/vdesk/vpn/connect.php3?resourcename=/Common/VPNC2S-RAT_AM_TEP&outform=xml&client_version=1.1
2022-09-02,11:44:33:021, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/vdesk/vpn/connect.php3?resourcename=/Common/VPNC2S-RAT_AM_TEP&outform=xml&client_version=1.1
2022-09-02,11:44:33:073, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:35:341, 1301,2420704,, 48, /BrowserController.cpp, 579, void f5::qt::BrowserController::onTunnelConnecting(QString, int), Tunnel /Common/VPNC2S-RAT_AM_TEP (2) connecting...
2022-09-02,11:44:37:348, 1301,2420704,, 48, /BrowserController.cpp, 552, void f5::qt::BrowserController::onTunnelConnected(QString, int), Tunnel /Common/VPNC2S-RAT_AM_TEP (2) connected
2022-09-02,11:44:38:349, 1301,2420919,, 48, /VpnController.h, 39, virtual void f5::qt::VpnController::tunnelDetails(CString &),
, TunnelHost=<hostname>
TunnelPort=443
TunnelTransportProto=TCP
TunnelTransportSecurityProto=TLSv1.3
TunnelTransportSecurityCipherStrengthInt=128
TunnelTransportSecurityExchAlgo=any
TunnelTransportSecurityCipherAlgo=AESGCM(128)
TunnelTransportSecurityHashAlgo=AEAD
Params=Z=/Common/VPNC2S-RAT_AM_TEP
TunnelTypeInt=2
X-VPN-client-IP=172.17.40.89
X-VPN-server-IP=1.1.1.1
X-VPN-client-IPv6=
X-VPN-server-IPv6=
SessionID=
TunnelKeepAliveRequests=0
NegotiateGZIPCompression=Enabled
X-PPP-client-IPv4=172.17.40.89
X-PPP-server-IPv4=1.1.1.1
X-PPP-client-IPv6-LL=
X-PPP-server-IPv6-LL=
LCP_PEERMRU=1351
LCP_LOCAL_MRU=1351
NegotiateIPCPv6=0
2022-09-02,13:44:45:962, 1301,2420704,, 48, /BrowserController.cpp, 246, void f5::qt::BrowserController::onWindowCloseRequestedByJS(), close window requested by JS
2022-09-02,13:44:46:067, 1301,2420704,, 48, /ResourceManager.cpp, 133, int f5::qt::ResourceManager::close(const QString &, int), Closing resource /Common/VPNC2S-RAT_AM_TEP...
2022-09-02,13:44:46:068, 1301,2420704,, 48, /SvpnHandler.cpp, 390, SvpnHandler::StopSvpn, SVPN pid file opened to read PID
2022-09-02,13:44:46:069, 1301,2420704,, 48, /SvpnHandler.cpp, 392, SvpnHandler::StopSvpn, SVPN pid =
, 1307
2022-09-02,13:44:46:069, 1301,2420704,, 48, /SvpnHandler.cpp, 396, SvpnHandler::StopSvpn, SVPN pid has running process
2022-09-02,13:44:46:072, 1301,2420704,, 48, /SvpnHandler.cpp, 398, SvpnHandler::StopSvpn, The received pid owned by the SVPN
2022-09-02,13:44:46:072, 1301,2420704,, 48, /SvpnHandler.cpp, 402, SvpnHandler::StopSvpn, TunnelService, closed
2022-09-02,13:44:46:615, 1301,2420704,, 48, /BrowserController.cpp, 589, void f5::qt::BrowserController::onTunnelClosed(QString, int, int), Tunnel /Common/VPNC2S-RAT_AM_TEP (2) has been closed
2022-09-02,13:44:46:615, 1301,2420704,, 48, /BrowserController.cpp, 519, bool f5::qt::BrowserController::exitIfNoTunnels(), All tunnels are down. closing window...
2022-09-02,13:44:46:617, 1301,2420704,, 48, /SessionManager.cpp, 317, void f5::qt::SessionManager::SessionFinished(), ----Session a3d04b0b ends----
2022-09-02,13:44:46:656, 1301,2420704,, 48, /SessionManager.cpp, 302, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application....
2022-09-02,14:21:30:170, 3486,2513928,, 0,,,,  
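An added parser for the client log format shown above, written in Go for this thread (it is not code from the F5 client or from any of the projects mentioned): it recovers the GET sequence with status codes, the otc-to-session-id exchange, the VPN profile name from the connect.php3 query string, and the key=value tunnel parameters. That is the information needed to compare what the official client does with what the open clients request. The embedded sample is excerpted from the log in the comment above with its <hostname> placeholder kept; the marker strings are assumptions derived from these lines only and may not hold for other client versions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Patterns derived from the log lines above (assumption: stable across versions).
var (
	logLineRe   = regexp.MustCompile(`^\d{4}-\d{2}-\d{2},\d{2}:\d{2}:\d{2}:\d{3},`)
	sidForOtcRe = regexp.MustCompile(`session id\(([0-9a-f]+)\) for otc\(([0-9a-f]+)\)`)
)

const (
	getMarker    = "starting GET request to, "
	doneMarker   = "Request finished (err code, HTTP code), "
	tunnelMarker = "tunnelDetails(CString &)"
)

// Request is one GET the client issued and the HTTP status it got back.
type Request struct {
	URL      string
	HTTPCode string
}

// Trace is what can be reconstructed from one client run.
type Trace struct {
	OTC, SessionID string            // one-time code exchanged for the session ID
	Requests       []Request
	Tunnel         map[string]string // key=value block that follows tunnelDetails
}

// ParseF5Log keys on fixed message markers instead of splitting on commas,
// because the function-signature field of every line contains commas itself.
func ParseF5Log(text string) Trace {
	tr := Trace{Tunnel: map[string]string{}}
	inTunnel := false
	pending := 0 // index of the first request still waiting for its status
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if inTunnel && !logLineRe.MatchString(line) {
			// continuation lines look like ", TunnelHost=..." then "TunnelPort=443"
			if k, v, ok := strings.Cut(strings.TrimPrefix(strings.TrimSpace(line), ", "), "="); ok {
				tr.Tunnel[k] = v
			}
			continue
		}
		inTunnel = false
		switch {
		case strings.Contains(line, getMarker):
			i := strings.Index(line, getMarker) + len(getMarker)
			tr.Requests = append(tr.Requests, Request{URL: strings.TrimSpace(line[i:])})
		case strings.Contains(line, doneMarker):
			i := strings.Index(line, doneMarker) + len(doneMarker)
			if parts := strings.Split(line[i:], ","); len(parts) == 2 && pending < len(tr.Requests) {
				tr.Requests[pending].HTTPCode = strings.TrimSpace(parts[1])
				pending++
			}
		case strings.Contains(line, tunnelMarker):
			inTunnel = true
		default:
			if m := sidForOtcRe.FindStringSubmatch(line); m != nil {
				tr.SessionID, tr.OTC = m[1], m[2]
			}
		}
	}
	return tr
}

// ResourceName returns the resourcename query parameter of the connect.php3
// request, i.e. the VPN profile the official client asked for.
func ResourceName(tr Trace) string {
	for _, r := range tr.Requests {
		if _, q, ok := strings.Cut(r.URL, "?"); ok && strings.Contains(r.URL, "/vdesk/vpn/connect.php3") {
			if v, err := url.ParseQuery(q); err == nil {
				return v.Get("resourcename")
			}
		}
	}
	return ""
}

// sampleLog is excerpted from the log posted in the comment above.
const sampleLog = `2022-09-02,11:44:29:530, 1301,2420704,, 48, /SessionManager.cpp, 78, bool f5::qt::retrieveSidFromOtc(const QUrl &, const CString &, CString &), session id(a3d04b0b) for otc(19a1d55b)
2022-09-02,11:44:28:951, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/vdesk/get_sessid_for_token.php3
2022-09-02,11:44:29:529, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:33:021, 1301,2420704,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl &, uint32_t), starting GET request to, https://<hostname>/vdesk/vpn/connect.php3?resourcename=/Common/VPNC2S-RAT_AM_TEP&outform=xml&client_version=1.1
2022-09-02,11:44:33:073, 1301,2420704,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
2022-09-02,11:44:38:349, 1301,2420919,, 48, /VpnController.h, 39, virtual void f5::qt::VpnController::tunnelDetails(CString &),
, TunnelHost=<hostname>
TunnelPort=443
TunnelTransportSecurityProto=TLSv1.3
TunnelTransportSecurityCipherAlgo=AESGCM(128)
Params=Z=/Common/VPNC2S-RAT_AM_TEP
2022-09-02,13:44:45:962, 1301,2420704,, 48, /BrowserController.cpp, 246, void f5::qt::BrowserController::onWindowCloseRequestedByJS(), close window requested by JS
`

func main() {
	tr := ParseF5Log(sampleLog)
	fmt.Printf("otc %s -> session id %s\n", tr.OTC, tr.SessionID)
	for _, r := range tr.Requests {
		fmt.Printf("GET %s -> %s\n", r.URL, r.HTTPCode)
	}
	fmt.Printf("profile %s, tunnel %s %s\n", ResourceName(tr),
		tr.Tunnel["TunnelTransportSecurityProto"], tr.Tunnel["TunnelTransportSecurityCipherAlgo"])
}
```

Note that the otc and session id values the client writes to this log are logon credentials for their lifetime, so the log file deserves the same handling as the cookie itself when it is shared for debugging.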
