Cannot open browser for MFA

[gonneman]

I am running gpclient 2.0.0 (2024-02-05) on an openSUSE 15.5 system. I am trying to connect to a VPN server that uses MFA.

The command I am using is
gpclient connect [path to gateway]

If I run this command as an ordinary user a browser window opens for MFA. After I've authenticated myself successfully gpclient cannot finish setting up the VPN because it lacks root privileges.
[2024-02-07T10:38:44Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted [2024-02-07T10:38:44Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root See https://www.infradead.org/openconnect/nonroot.html for more information
I didn't understand the instructions linked to in the error well enough to implement because they seem to refer to openconnect directly. Is there a way to pass some of the workarounds listed there to gpclient?

If I run gpclient with sudo then I get the error
(gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:

If I switch to root via su and run gpclient then I get the error
Error: Command { std: "/usr/bin/gpauth" "[server]" "--saml-request" "[long url]" "--user-agent" "PAN GlobalProtect" "--os" "Linux" "--os-version" "Linux openSUSE Leap 15.5", kill_on_drop: false } cannot be run as root

What is the way around this? How can I run the authentication part as a normal user with the VPN tunnel creation part run with root privileges?

[yuezk]

Running sudo gpclient connect xxx is the correct way. Are you using the remote SSH?

[gonneman]

Thank you for the extremely fast reply!

No, I'm running the client locally on my laptop.

[yuezk]

What's the output of echo $DISPLAY?

[gonneman]

The output is
:0

[yuezk]

Does the GUI client work for you?

[gonneman]

It doesn't. The command
gpclient launch-gui
results in
[2024-02-07T11:08:12Z INFO gpclient::cli] gpclient started: 2.0.0 (2024-02-05)
[2024-02-07T11:08:12Z INFO gpclient::launch_gui] Log file: /[home path]/.local/share/gpclient/gpclient.log

Error: No such file or directory (os error 2)

However, gpclient.log exists. It is just empty.

[yuezk]

Weird, I'm trying to set up a 15.5 VM to test it. Does your OS have any special setup you think could be related?

[gonneman]

I can't think of anything, sorry. It is a stock openSUSE 15.5 running KDE in X11 (rather than Wayland).

Are there any other log files I could supply that would be helpful?

[yuezk]

No, let me try to reproduce it first.

[yuezk]

@gonneman Where did you install the client?

[gonneman]

I installed it from the openSUSE package whose repository is
https://download.opensuse.org/repositories/home:/yuezk/15.5/
I'm guessing you maintain this repository. Installing this way places files in
/usr/share and /usr/bin.
The binaries gpauth, gpclient, gpgui and gpservice are all in /usr/bin.

[yuezk]

Ok, I'll verify it soon.

[yuezk]

Ok, I'll verify it soon.

I'm able to reproduce it, trying to fix.

[gonneman]

Great. Thank you for keeping me informed.

[yuezk]

@gonneman Sorry for the late response. I found that the sudo command in SUSE 15.5 doesn't preserve the DISPLAY environment variable.

Running sudo -E gpclient connect ... will preserve the environment variable and can connect to the VPN server after authentication.

gpclient launch-gui still has a problem, I'm working on it.