|Original author(s)||David Woodhouse|
|Developer(s)||Daniel Lenski, Nikos Mavrogiannopoulos|
|Initial release||March 18, 2009|
9.01 / April 29, 2022
|License||GNU LGPL v2.1|
The OpenConnect client added support for Juniper Networks' SSL VPN in version 7.05, then for Palo Alto Networks' GlobalProtect VPN in version 8.00, for Pulse/Junos VPN in version 8.04, and for Fortinet FortiGate, F5 BiGIP, and Array Networks in version 8.20.
Cisco AnyConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic. The DTLS protocol used by Cisco AnyConnect servers was based on a non-standard, pre-release draft of DTLS 1.0, until support for the DTLS 1.2 standard was added in 2018.
Cisco's proprietary AnyConnect clients and servers were originally built against a patched, 2007 release of OpenSSL 0.9.8f, which implemented a pre-release version of DTLS that was not compatible with DTLS 1.0 as standardized in RFC 4347. Because of this, it was difficult to make OpenConnect implement a Cisco-compatible version of DTLS without linking against OpenSSL.
Explicit support for Cisco's non-standard version of DTLS was included in OpenSSL 0.9.8m (where it is known as
DTLS1_BAD_VER) and then GnuTLS 3.2.1 (where it is known as
GNUTLS_DTLS0_9). Newer versions of Cisco's AnyConnect clients and servers support DTLS 1.2 in its standardized on-the-wire form (RFC 6347), though they continue to use a non-standard mechanism (based on session resumption) for DTLS key exchange.
Modern versions of OpenConnect can be built to use either the GnuTLS or OpenSSL for TLS, DTLS, and cryptographic primitives.
The OpenConnect client also implements Juniper, Junos Pulse, and GlobalProtect VPN protocols. These have a very similar structure to the AnyConnect protocol: they authenticate and configure routing over TLS, except that they use ESP for efficient, encrypted transport of tunneled traffic (instead of DTLS), but they too can fall back to TLS-based transport.
As of March 2022[update], support for several other proprietary VPN protocols is in development:
The OpenConnect client is written primarily in C, and it contains much of the infrastructure necessary to add additional VPN protocols operating in a similar flow, and to connect to them via a common user interface:
- Initial connection to the VPN server via TLS
- Authentication phase via HTTPS (using HTML forms, client certificates, XML, etc.)
- Server-provided routing configuration, in a protocol-agnostic format, which can be processed by a vpnc-script
- Data transport phase via a UDP-based tunnel (DTLS or ESP), with fallback to a TLS-based tunnel
OpenConnect is available on Solaris, Linux, OpenBSD, FreeBSD, MacOS, and has graphical user interface clients for Windows, GNOME, and KDE. A graphical client for OpenConnect is also available for Android devices, and it has been integrated into router firmware packages such as OpenWrt.
OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an Internet Standard. Both OpenConnect and ocserv strive to maintain backwards-compatibility with Cisco AnyConnect servers and clients.
OpenConnect's implementation of the AnyConnect protocol is sufficiently complete, such that some of Cisco's own IP phone devices embed a very old release of OpenConnect in order to connect to Cisco SSL VPNs.
- infradead.org - OpenConnect: Changelog.
- gitlab.com - OpenConnect: License.
- ""Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies …"". Infradead.org. Retrieved 2018-08-13.
- "OpenConnect 8.00 release". Lists.infradead.org. Retrieved 2019-01-05.
- "OpenConnect 8.20 release". Lists.infradead.org. Retrieved 2022-03-07.
Tiso, John; Scholfield, Mark D.; Teare, Diane (2011). Designing Cisco Network Service Architectures (ARCH): Foundation Learning Guide. Foundation Learning Guides (3 ed.). Cisco Press. p. 464. ISBN 9781587142888. Retrieved 2013-06-13.
Cisco AnyConnect is a Cisco implementation of the thick client. Because the SSL VPN network extension runs on top of the SSL protocol, it is simpler to manage and has greater robustness with different network topologies such as firewalls and Network Address Translation (NAT) than the higher security of IPsec.
- Mavrogiannopoulos, Nikos (2013-11-17). "nmav's Blog: Inside an SSL VPN protocol". Nmav.gnutls.org. Retrieved 2018-08-13.
- "Release Notes for the Cisco ASA Series, 9.10(x)". Cisco. December 12, 2018.
- David Woodhouse (September 23, 2008). "DTLS clue requested".
- David Woodhouse. "How the VPN works § DTLS compatibility".
- N. Mavrogiannopoulos (October 2018). The OpenConnect VPN Protocol Version 1.1. IETF. I-D draft-mavrogiannopoulos-openconnect-02.
- "Merge Requests • add F5 and Fortinet".
- "Issue • Array Networks SSL VPN support".
- "Issues • SonicWall NetExtender support".
- "Merge Requests • CheckPoint SNX support".
- Daniel Lenski (September 17, 2020). "How VPNs Work- The Ins and Outs". DAMA Portland.
- "Openconnect graphical client". GitHub. Retrieved 2014-10-28.
- "NetworkManager-openconnect". gnome.org. Retrieved 2020-01-27.
- "NetworkManagement". kde.org. Retrieved 2014-10-28.
- cernekee. "Android UI for OpenConnect VPN client". GitHub. Retrieved 2014-10-28.
- "VPN Overview". openwrt.org. Retrieved 2018-03-15.
- ocserv home page.
- "ocserv issues #51".
- Nikos Mavrogiannopoulos. "Recipe: VoIP network with ocserv".
- "Open Source License Notices for the SPA525G" (PDF). Cisco.