OpenConnect is an open-source software application for connecting to virtual private networks (VPN), which implement secure point-to-point connections.

It was originally written as an open-source replacement for Cisco's proprietary AnyConnect SSL VPN client, which is supported by several Cisco routers. The OpenConnect client added support for Juniper Networks' SSL VPN in version 7.05, then for Palo Alto Networks' GlobalProtect VPN in version 8.00, for Pulse/Junos VPN in version 8.04, and for Fortinet FortiGate, F5 BiGIP, and Array Networks in version 8.20.
Protocols

Cisco AnyConnect

Cisco AnyConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic. The DTLS protocol used by Cisco AnyConnect servers was based on a non-standard, pre-release draft of DTLS 1.0, until support for the DTLS 1.2 standard was added in 2018.
DTLS

Cisco's proprietary AnyConnect clients and servers were originally built against a patched, 2007 release of OpenSSL 0.9.8f, which implemented a pre-release version of DTLS that was not compatible with DTLS 1.0 as standardized in RFC 4347. Because of this, it was difficult to make OpenConnect implement a Cisco-compatible version of DTLS without linking against OpenSSL. Explicit support for Cisco's non-standard version of DTLS was included in OpenSSL 0.9.8m and then in GnuTLS 3.2.1. Newer versions of Cisco's AnyConnect clients and servers support DTLS 1.2 in its standardized on-the-wire form (RFC 6347), though they continue to use a non-standard mechanism (based on session resumption) for DTLS key exchange.

Modern versions of OpenConnect can be built to use either GnuTLS or OpenSSL for TLS, DTLS, and cryptographic primitives.
Other protocols

The OpenConnect client also implements the Juniper, Junos Pulse, and GlobalProtect VPN protocols. These have a very similar structure to the AnyConnect protocol: they authenticate and configure routing over TLS, but use ESP (instead of DTLS) for efficient, encrypted transport of tunneled traffic; they too can fall back to TLS-based transport.

As of version 8.20, it also implements Fortinet FortiGate and F5 BiGIP, which use TLS and DTLS, and are additionally based on the Point-to-Point Protocol (PPP).

Support for several other proprietary VPN protocols is in development:
* Array Networks
* SonicWall NX (PPP-based)
* Check Point
Architecture

The OpenConnect client is written primarily in C, and it contains much of the infrastructure necessary to add additional VPN protocols operating in a similar flow, and to connect to them via a common user interface:
* Initial connection to the VPN server via TLS
* Authentication phase via HTTPS (using HTML forms, client certificates, XML, etc.)
* Server-provided routing configuration, in a protocol-agnostic format, which can be processed by vpnc-script
* Data transport phase via a UDP-based tunnel (DTLS or ESP), with fallback to a TLS-based tunnel
** Built-in event loop to handle Dead Peer Detection, keepalive, rekeying, etc.
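The routing step above hands the server-pushed configuration to vpnc-script as environment variables rather than in any vendor's wire format. The following is an added example, not the project's own vpnc-script: a hook function that turns those variables (the names follow the vpnc-script environment interface; the sample values are constructed) into the route commands it would run, printing them instead of applying them so a pushed split-tunnel list can be reviewed before it touches the routing table.

```shell
#!/bin/sh
# Added example (not OpenConnect's vpnc-script): render vpnc-script style
# environment variables as `ip route` commands. Nothing is executed; the
# commands are only printed, so an unexpected route pushed by a VPN server
# can be spotted before it is installed.

# Constructed sample of what the client exports for reason=connect.
export reason=connect
export TUNDEV=tun0
export VPNGATEWAY=203.0.113.10
export INTERNAL_IP4_ADDRESS=10.8.0.5
export CISCO_SPLIT_INC=2                 # number of split-include networks
export CISCO_SPLIT_INC_0_ADDR=10.0.0.0
export CISCO_SPLIT_INC_0_MASKLEN=8
export CISCO_SPLIT_INC_1_ADDR=192.168.50.0
export CISCO_SPLIT_INC_1_MASKLEN=24

# vpn_route_commands (hypothetical name): one route per split-include
# network, or a default route when the server pushed no split list
# (full tunnel). Only acts on reason=connect; other hook reasons
# (pre-init, disconnect, reconnect) produce no route changes here.
vpn_route_commands() {
    [ "$reason" = "connect" ] || return 0
    if [ "${CISCO_SPLIT_INC:-0}" -eq 0 ]; then
        echo "ip route add default dev $TUNDEV src $INTERNAL_IP4_ADDRESS"
        return 0
    fi
    i=0
    while [ "$i" -lt "$CISCO_SPLIT_INC" ]; do
        # Indirect expansion of CISCO_SPLIT_INC_<i>_ADDR / _MASKLEN.
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        echo "ip route add $addr/$len dev $TUNDEV src $INTERNAL_IP4_ADDRESS"
        i=$((i + 1))
    done
}

vpn_route_commands
```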
OpenConnect can be built to use either the GnuTLS or OpenSSL libraries for TLS, DTLS and cryptographic primitives.
Platforms

OpenConnect is available on Solaris, Linux, OpenBSD, FreeBSD, and macOS, and has graphical user interface clients for Windows, GNOME, and KDE. A graphical client for OpenConnect is also available for Android devices, and it has been integrated into router firmware packages such as OpenWrt.
Server

The OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus offers a full client-server VPN solution. OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an Internet Standard. Both OpenConnect and ocserv strive to maintain backwards compatibility with Cisco AnyConnect servers and clients.
Notable uses

OpenConnect's implementation of the AnyConnect protocol is sufficiently complete that some of Cisco's own IP phone devices embed a very old release of OpenConnect in order to connect to Cisco SSL VPNs.
External links
* OpenConnect project homepage
* https://wiki.archlinux.org/title/OpenConnect