Android support for openconnect

David Woodhouse dwmw2 at infradead.org
Fri Sep 3 05:23:17 EDT 2010


No, don't get excited; it's not working yet. But it doesn't look hard.

As far as I can tell, openconnect itself ought to build and run just
fine on Android if someone who cares would just build an 'Android.mk'
file for it. The openvpn makefile should serve as a useful example.

If there are modifications needed to vpnc-script to make it run on
Android (with busybox, etc.), then the people who did vpnc support will
have handled those already.

For Android I think we want to use it in the same way we do from
NetworkManager -- the connection is in two parts. First we connect to
the HTTPS server and present our certificate and let the user fill in
the forms until we are successfully authenticated and rewarded with the
'webvpn' HTTP cookie. 

Then we just pass that cookie to openconnect to actually make the
connection. We give it the server IP address and the SHA1 of the
server's SSL certificate, so the native openconnect executable doesn't
even need access to the full CA cert chain for server cert validation.

So we just need someone to do that authentication part, and tie it in to
the Android network configuration tools, etc. (Or does it just run as a
standalone app?) Either way, you ought to be able to lift a lot of it
from the existing vpnc and openvpn front ends.

You could perhaps use the native Dalvik HTTPS client support, but I
suspect it's best to use the authentication code in openconnect -- that
has workarounds for bugs in the Cisco HTTPS server implementation, etc.

The openconnect auth code is already available as a (static) library,
for use by external tools like the NetworkManager auth-dialog. It
shouldn't be hard to make it a shared library in the Android.mk file and
then it can be used through native method invocation from the GUI code.

Any volunteers to implement the GUI part? I'll try to help out, but I
don't have an Android device... certainly not one that I could connect
to my company VPN without getting shot.

-- 
dwmw2
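The two-phase handoff described in the message above, as an added example that is not part of the original post and not openconnect's own code. Phase one authenticates to the gateway over a CA-validated HTTPS session and records the SHA1 fingerprint of the certificate that passed validation; phase two hands the webvpn cookie and that fingerprint to the native openconnect binary, which pins the server by fingerprint and therefore needs no CA bundle. Assumptions: the openconnect command-line flags `--cookie-on-stdin`, `--servercert` and `--script` (the fingerprint format `--servercert` accepts has changed across openconnect releases; this uses the plain hex SHA1 form the message refers to), and placeholder host names, paths and cookie values.

```python
# Added example (not openconnect's own code): the two-phase handoff from the
# side that drives the native openconnect binary. Flags --cookie-on-stdin,
# --servercert and --script are assumed from the openconnect CLI; the gateway
# name, script path and cookie value below are placeholders.
import hashlib
import hmac
import re
import socket
import ssl
import subprocess
from typing import List

_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' forms; return 40 upper-case hex chars.
    Rejecting anything else stops a garbled value from being pinned."""
    cleaned = re.sub(r"[:\s]", "", fp).upper()
    if not _HEX40.match(cleaned):
        raise ValueError("not a SHA1 certificate fingerprint: %r" % fp)
    return cleaned


def cert_sha1_fingerprint(der_cert: bytes) -> str:
    """SHA1 over the DER-encoded certificate: the value --servercert pins on."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison so a mismatch does not leak how much matched."""
    return hmac.compare_digest(cert_sha1_fingerprint(der_cert),
                               normalize_fingerprint(expected))


def record_validated_fingerprint(host: str, port: int = 443,
                                 timeout: float = 10.0) -> str:
    """Phase one (needs network): open a CA-validated TLS session to the
    gateway and return the fingerprint of the leaf certificate that passed
    validation. The auth dialog would run the form/cookie exchange here."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_sha1_fingerprint(tls.getpeercert(binary_form=True))


def build_openconnect_argv(server: str, fingerprint: str,
                           script: str = "/system/bin/vpnc-script") -> List[str]:
    """Phase two command line. The cookie is deliberately NOT on argv: it is
    a bearer credential and argv is visible to every process via ps, so it
    is fed on stdin instead (--cookie-on-stdin)."""
    return ["openconnect", "--cookie-on-stdin",
            "--servercert", normalize_fingerprint(fingerprint),
            "--script", script, server]


def launch_openconnect(server: str, webvpn_cookie: str, fingerprint: str) -> int:
    """Start the native binary with the cookie on stdin; return its exit status."""
    proc = subprocess.run(build_openconnect_argv(server, fingerprint),
                          input=webvpn_cookie + "\n", text=True)
    return proc.returncode


if __name__ == "__main__":
    gateway = "vpn.example.com"          # placeholder gateway
    fp = record_validated_fingerprint(gateway)  # phase one, CA-validated
    cookie = "<webvpn cookie from the auth dialog>"  # placeholder
    print(" ".join(build_openconnect_argv(gateway, fp)))
    # launch_openconnect(gateway, cookie, fp)   # phase two, pinned by SHA1
```

The split matters for where trust lives: only the GUI side ever needs the CA store, and the native process is told exactly one acceptable certificate, so a gateway presenting any other certificate (even one signed by a trusted CA) is refused by the pin.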
