A NetworkManager VPN plugin that provides native GNOME integration for OpenConnect-based VPNs with Single Sign-On (SSO) authentication. Seamlessly connect to corporate VPNs using GlobalProtect (Palo Alto) and AnyConnect (Cisco) protocols with browser-based SAML/OAuth authentication.
- Native GNOME Integration - Appears directly in GNOME Settings alongside OpenVPN, WireGuard, and other VPN types
- Single Sign-On Support - Browser-based SAML/OAuth authentication flows via Playwright
- Multi-Protocol Support - Works with both GlobalProtect and AnyConnect VPNs
- Heuristic Login Automation - Robust detection of username/password/OTP prompts
- Visual Feedback - Connection status visible in GNOME's network indicator
- Profile Management - Create and manage multiple VPN profiles
- Enterprise Ready - Built for corporate VPN environments with SSO requirements
- One-Click Build - Simple installation from source or .deb package
- SAML-based authentication
- Portal and gateway discovery
- Prelogin cookie handling
- OAuth/SAML authentication
- Multi-factor authentication
Both protocols use OpenConnect for the actual VPN tunnel establishment.
```bash
sudo apt update
sudo apt install networkmanager openconnect python3-playwright python3-pyotp
PLAYWRIGHT_BROWSERS_PATH=/var/cache/ms-playwright python3 -m playwright install chromium
```

Download the latest release and install:

```bash
sudo dpkg -i gnome-vpn-sso_*.deb
sudo apt-get install -f  # Install any missing dependencies
```

After installation, restart NetworkManager:

```bash
sudo systemctl restart NetworkManager
```

Ubuntu/Debian:

```bash
sudo apt install meson ninja-build gcc \
    libnm-dev libgtk-4-dev libadwaita-1-dev \
    libwebkitgtk-6.0-dev libsecret-1-dev \
    python3-dev python3-pip python3-gi python3-playwright python3-pyotp \
    gir1.2-gtk-4.0 openconnect git
```

Fedora:

```bash
sudo dnf install meson ninja-build gcc \
    NetworkManager-libnm-devel gtk4-devel libadwaita-devel \
    webkitgtk6.0-devel libsecret-devel \
    python3-devel python3-pip python3-gobject python3-playwright python3-pyotp \
    openconnect git
```

```bash
git clone https://github.com/FHNW-Security-Lab/Gnome-VPN.git
cd Gnome-VPN
./build.sh
sudo meson install -C builddir
```

```bash
# Download SSO backend dependencies
./build.sh --deps-only
# Configure build
meson setup builddir
# Compile
meson compile -C builddir
# Install
sudo meson install -C builddir
# Restart NetworkManager
sudo systemctl restart NetworkManager
```

```bash
./package-deb.sh
# Output: gnome-vpn-sso_<version>_amd64.deb
```
### Advanced options
- Force headless auth (no UI):
  ```bash
  nmcli connection modify "My VPN" +vpn.data headless=true
  ```

```bash
nix-shell
```

```bash
nix build .#gnome-vpn-sso
```

```nix
{
  imports = [ ./nix/nixos-module.nix ];
  services.gnome-vpn-sso.enable = true;
}
```

This module also sets a tmpfiles rule for Playwright browsers at `/var/cache/ms-playwright`.
## Quick Start
### Adding a VPN Connection
1. Open **GNOME Settings** → **Network**
2. Click the **+** button next to **VPN**
3. Select **"SSO VPN (GlobalProtect/AnyConnect)"** from the list
4. Fill in the connection details:
   - **Name**: A friendly name for your VPN (e.g., "Work VPN")
   - **Gateway**: Your VPN server address (e.g., `vpn.company.com`)
   - **Protocol**: Choose `GlobalProtect` or `AnyConnect`
   - **Username**: (Optional) Your username for display purposes
5. Click **Add** to save the profile
### Connecting to VPN
1. Click the **network icon** in the top-right corner of your screen
2. Under VPN connections, click your **VPN profile name**
3. A browser window will open automatically for SSO authentication
4. **Sign in** using your corporate credentials
5. Complete any multi-factor authentication if required
6. The browser will close automatically once authenticated
7. Your VPN connection will establish
8. A **VPN lock icon** appears in the network indicator when connected
### Disconnecting
1. Click the **network icon** in the top panel
2. Click your active **VPN connection**
3. Select **Disconnect**
## Configuration
### Basic Settings
- **Gateway**: The VPN server hostname or IP address
  - Examples: `vpn.company.com`, `gp.example.org`
- **Protocol**: Select the appropriate protocol for your VPN
  - `GlobalProtect` for Palo Alto Networks
  - `AnyConnect` for Cisco VPNs
- **Username**: Optional display username
### Advanced Settings
Click **Advanced** in the VPN configuration dialog to access:
- **User Group**: Specify portal and prelogin-cookie settings
  - Format: `portal:prelogin-cookie`
- **Custom OpenConnect Arguments**: Additional command-line options
  - Example: `--os=linux-64 --servercert pin-sha256:ABC123...`
  - See `man openconnect` for available options
### Configuration File Location
VPN profiles are stored by NetworkManager in `/etc/NetworkManager/system-connections/`.
## Troubleshooting
### VPN Plugin Not Showing in Settings
- Verify installation:
  ```bash
  ls /usr/lib/NetworkManager/VPN/
  # Should show: nm-gnome-vpn-sso-service.name
  ```
- Restart NetworkManager:
  ```bash
  sudo systemctl restart NetworkManager
  ```
- Check GNOME Settings plugins:
  ```bash
  ls /usr/lib/*/gnome-control-center/
  # Should show: libnm-vpn-plugin-gnome-vpn-sso.so
  ```
- Check NetworkManager logs:
  ```bash
  journalctl -u NetworkManager -f
  ```
- Verify OpenConnect is installed:
  ```bash
  which openconnect
  openconnect --version
  ```
- Test connectivity to VPN gateway:
  ```bash
  ping vpn.company.com
  ```
- Verify Playwright is installed and Chromium is present:
  ```bash
  python3 -m playwright --version
  PLAYWRIGHT_BROWSERS_PATH=/var/cache/ms-playwright python3 -m playwright install chromium
  ```
- Ensure the browser cache path is writable by the service:
  ```bash
  sudo mkdir -p /var/cache/ms-playwright /var/cache/gnome-vpn-sso
  sudo chmod 755 /var/cache/ms-playwright /var/cache/gnome-vpn-sso
  ```
- If you saved Password/TOTP, the SSO flow runs headless.
  - To force a visible browser window:
    ```bash
    nmcli connection modify <NAME> +vpn.data headless=false
    ```
  - Or clear secrets in the VPN editor.
- Check OpenConnect can establish tunnel:
  ```bash
  sudo openconnect --protocol=gp vpn.company.com
  # Or for AnyConnect:
  sudo openconnect vpn.company.com
  ```
- Check for firewall/routing issues:
  ```bash
  sudo iptables -L -n
  ip route show
  ```

If you encounter SSL/TLS certificate errors:

- Accept server certificate (if trusted):
  - Add to Advanced settings:
    ```
    --servercert sha256:<fingerprint>
    ```
- Get certificate fingerprint:
  ```bash
  openconnect --authenticate vpn.company.com
  ```
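
Before a fingerprint is pinned with `--servercert`, it should be compared with one derived from a certificate obtained out of band. The following is an added example, not code from this project: it computes the `pin-sha256:` form shown under Advanced Settings (the RFC 7469 hash of the certificate's public key) and shows that the pin survives a renewal that keeps the key but rejects a different key under the same name. The helper names, the CN `vpn.example.test` and the throwaway certificates are constructed for the demo; it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example: compute and compare the value used with --servercert pin-sha256:...
# Helper names and the demo certificates are constructed; assumes openssl is installed.

# spki_pin CERT.pem: print base64(SHA-256(DER SubjectPublicKeyInfo)), the RFC 7469 pin.
spki_pin() {
    # Refuse unreadable input; otherwise the pipeline would hash empty data.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A
}

# pin_matches CERT.pem PIN: succeed only if the certificate's key has that pin.
pin_matches() {
    local actual
    actual=$(spki_pin "$1") || return 1
    [ "$actual" = "${2#pin-sha256:}" ]
}

# servercert_arg CERT.pem: print the option for "Custom OpenConnect Arguments".
servercert_arg() {
    local pin
    pin=$(spki_pin "$1") || return 1
    printf '%s\n' "--servercert pin-sha256:$pin"
}

# Constructed test material: throwaway EC keys and self-signed certificates.
make_key()  { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }
make_cert() { openssl req -x509 -new -key "$1" -subj "/CN=vpn.example.test" -days "$2" -out "$3" 2>/dev/null; }

demo() {
    local d; d=$(mktemp -d) || return 1
    make_key "$d/gw.key"; make_key "$d/other.key"
    make_cert "$d/gw.key" 30 "$d/gw.pem"          # certificate verified out of band
    make_cert "$d/gw.key" 90 "$d/renewed.pem"     # renewal that keeps the same key
    make_cert "$d/other.key" 30 "$d/other.pem"    # different key, same subject name
    local pin; pin=$(spki_pin "$d/gw.pem") || return 1
    servercert_arg "$d/gw.pem"
    pin_matches "$d/renewed.pem" "$pin" && echo "renewed cert, same key: pin still matches"
    pin_matches "$d/other.pem" "$pin"   || echo "same name, different key: pin rejected"
    rm -rf "$d"
}
demo
```
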

Enable debug logging:

```bash
# Stop NetworkManager
sudo systemctl stop NetworkManager
# Run with debug output
sudo NetworkManager --debug 2>&1 | tee /tmp/nm-debug.log
# In another terminal, attempt VPN connection
# Then check /tmp/nm-debug.log
```

| Issue | Solution |
|---|---|
| "VPN service failed to start" | Check `journalctl -xe` for errors, verify dependencies installed |
| Authentication loops infinitely | Clear saved credentials, try manual authentication |
| DNS doesn't work over VPN | Check `/etc/resolv.conf`, may need to configure DNS servers |
| Connection drops frequently | Check network stability, try different gateway if available |

Contributions are welcome! Please follow these guidelines:
- Check existing issues first
- Include the following information:
  - Linux distribution and version
  - GNOME version (`gnome-shell --version`)
  - NetworkManager version (`nmcli --version`)
  - VPN protocol (GlobalProtect or AnyConnect)
  - Relevant logs from `journalctl -u NetworkManager`

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Follow GNOME coding style for C code
- Test your changes thoroughly
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

For development, clone the repository and install build dependencies as shown above. Use `meson setup builddir` to configure, then `meson compile -C builddir` to build.
- C code: Follow GNOME coding style
- Python: PEP 8
- Meson: Standard meson formatting
- Use GLib/GObject for C object model
- GTK4 + libadwaita for user interfaces
This project is part of the FHNW Security Lab. Check out our other projects:
- ExploitSimulator - A web based x86 exploit simulator
- ExploitSimulator-Standalone - Standalone x86 Emulator and Exploit Simulator
- ExploitationChallenge - Exploitation Challenges for Teaching Software Security
- WebSecLab - WebSecLab of FHNW
- Proxmoxinator - Management Tool for Cloudinit and Proxmox
- mcs-analyser - Binary analysis tool to simulate and visualise communication paths of multi-component systems
- TraceGuard - Optimizing path exploration in symbolic execution using taint analysis
- DefectDojoUploader - Easy Upload to Defect Dojo
- Sanitizing-Checker - Checking for security and sanitizing features in a binary
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Copyright (C) 2024 GNOME VPN SSO Contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
This project builds upon the excellent work of:
- Playwright by Microsoft
  - Cross-browser automation used for SAML flows
  - Licensed under Apache-2.0
- OpenConnect by David Woodhouse and contributors
  - Open-source VPN client supporting multiple protocols
  - Licensed under LGPL-2.1
- NetworkManager by the GNOME Project
  - Network connection manager for Linux
  - Licensed under GPL-2.0+

Special thanks to the GNOME and NetworkManager communities for their comprehensive documentation and VPN plugin examples.
- NetworkManager VPN Plugins: GNOME GitLab
- OpenConnect Documentation: https://www.infradead.org/openconnect/
- GNOME Human Interface Guidelines: https://developer.gnome.org/hig/
- Issues: GitHub Issues
- Discussions: GitHub Discussions