There is no way to have arguments containing spaces in the vpnopts variable in /etc/conf.d/openconnect. The variable is used unquoted in the init script, thus it is subject to word splitting. Arguments with spaces may be necessary to connect to some networks, such as --authgroup with a group name containing spaces.
Can't you instead embed escaped spaces in conf.d so they will only get interpreted/unescaped in init.d?
I tried, to no avail. Escaping the space with a backslash won't work. If you have it working, could you provide an example? Here is a minimal example:

$ t='test\ space'; printf '%s\n' $t
test\
space

Because the variable is not quoted, the two parts are split despite the backslash.
Created attachment 662110
Patch that adds an authgroup option

Would a patch like this have a chance to get merged? It adds the authgroup argument if the authgroup_$VPN variable is set in conf.d/openconnect. This way it can have spaces and it'll be parsed as one argument thanks to the quotes.
I'm having the same problems, and the patch works for my use case. I did not test to see if VPNs without a group continue to work.
I do not use or really maintain the init script, and would prefer to drop it entirely. Maybe William can take a look at this issue.
It seems to me that a cleaner approach is going to be to have openconnect configuration files in /etc/openconnect/<vpn>.conf which control tunnel specific options. The service script will then use the --config command line switch to openconnect. This is cleaner because your tunnel configurations are no longer in /etc/conf.d and can be used regardless of your init system. Currently the service script and ebuild warn you to perform the migration, but the plan is to ignore the old conf.d settings in the future.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41acdc92e655eb64a0d667b3b612fd5312921656

commit 41acdc92e655eb64a0d667b3b612fd5312921656
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-11-22 23:41:54 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-11-23 00:03:27 +0000

    net-vpn/openconnect: 8.10-r1 revbump to fix openrc service

    This changes the openrc service to support the use of separate
    openconnect config files for each tunnel instead of setting the tunnel
    options in the conf.d files.

    The config files will be stored in /etc/openconnect/<tunnel>.conf. The
    contents of these config files is defined in the openconnect man page.

    Closes: https://bugs.gentoo.org/733614
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 net-vpn/openconnect/files/README.OpenRC          |  30 +++++
 net-vpn/openconnect/files/openconnect.initd.8.10 | 105 ++++++++++++++++
 net-vpn/openconnect/openconnect-8.10-r1.ebuild   | 153 +++++++++++++++++++++++
 3 files changed, 288 insertions(+)
Would it be possible to keep the support for the password_VPN variable? It can still be useful for several reasons:

1) In case one wants to call a command to retrieve the password
I call pass in my conf.d/openconnect, that way the passwords are not stored in plaintext.

2) In case 2FA is required with unsupported --token-mode
One of the VPNs I connect to requires 2FA with only the Android or iOS Duo app (that sucks). I've read the --token-mode help but I don't think I can use it to provide the code I get from the Duo app. The only solution seems to use --password-on-stdin and provide the code on the 2nd line, after the password.

In addition, it's not clear to me how to migrate the password from password_VPN to the config file. The README.OpenRC file only points to the man page, which says any command-line option can be put there. Except the only option I see for passwords is --password-on-stdin. Is there a --password option? (I guess probably not since that would leave the password readable by anyone). So how are we supposed to specify the password in the config file? Maybe this could be explained in the README.OpenRC file.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7ea3fbeadbd0524ea7d7498a8eb563b0b780495

commit e7ea3fbeadbd0524ea7d7498a8eb563b0b780495
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-10-02 05:54:38 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-10-02 06:00:09 +0000

    net-vpn/openconnect: revise init script

    Remove warnings about removal of variables.
    Restore sample conf.d file.
    Allow for missing config file.
    Use eval to allow quoted whitespace in vpnopts.

    Bug: https://bugs.gentoo.org/733614
    Closes: https://bugs.gentoo.org/763579
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/files/openconnect.conf.in      |   2 +-
 net-vpn/openconnect/files/openconnect.initd        | 109 +++++++++++++++++++++
 ...t-8.10-r2.ebuild => openconnect-8.10-r3.ebuild} |   5 +-
 net-vpn/openconnect/openconnect-9999.ebuild        |   5 +-
 4 files changed, 118 insertions(+), 3 deletions(-)
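Added example, not part of the bug thread or of the Gentoo init script: the word splitting shown in the minimal example earlier in the thread, next to the eval re-parsing that the commit message above names. The vpnopts value, group name and user option value are constructed; the last case shows that eval treats the stored value as shell source, so a command substitution in it is executed, which is why the file holding it has to be writable by root only.

```shell
#!/bin/sh
# Added example; the vpnopts value and group name below are constructed.
vpnopts='--authgroup "Staff VPN" --no-dtls'

# Unquoted expansion: field splitting only. Quotes and backslashes stored
# in the value are kept as literal characters, not re-parsed.
count_unquoted()  { set -- $1; echo "$#"; }
second_unquoted() { set -- $1; printf '%s\n' "$2"; }

# eval: the value is parsed again as shell source, so embedded quotes and
# backslashes group words. Command substitutions in the value run too.
count_eval()  { eval "set -- $1"; echo "$#"; }
second_eval() { eval "set -- $1"; printf '%s\n' "$2"; }

# Print both parsings of one value side by side.
show() {
    printf 'value:    %s\n' "$1"
    printf 'unquoted: %s args, 2nd=[%s]\n' \
        "$(count_unquoted "$1")" "$(second_unquoted "$1")"
    printf 'eval:     %s args, 2nd=[%s]\n\n' \
        "$(count_eval "$1")" "$(second_eval "$1")"
}

show "$vpnopts"
show 'test\ space'          # the minimal example from the thread
# Constructed value: a harmless substitution to show that eval executes it.
show '--user $(printf expanded)'
```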
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d08fe11b2b09f874ea8a2fbd296f69a4ce073702

commit d08fe11b2b09f874ea8a2fbd296f69a4ce073702
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-10-02 17:07:50 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-10-02 17:19:57 +0000

    net-vpn/openconnect: rewrite initscript

    Support for the server_${VPN}, password_${VPN}, and vpnopts_${VPN}
    variables is dropped. Per-VPN variables are now defined in
    /etc/conf.d/openconnect.${vpn}.

    Instead of defining server and vpnopts, the user should set command_args
    which will be passed to openconnect via the default_start function.

    Support for 'password' and 'password_file' variables is added. If
    neither is specified, the password will be prompted for interactively.

    Support for up/down hooks is dropped. The functionality can be replaced
    with vpnc-script hooks.

    Bug: https://bugs.gentoo.org/733614
    Bug: https://bugs.gentoo.org/763579
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-vpn/openconnect/files/README.OpenRC            |  25 +----
 net-vpn/openconnect/files/openconnect.confd        |   6 ++
 net-vpn/openconnect/files/openconnect.initd        | 107 +++------------------
 ...t-8.10-r3.ebuild => openconnect-8.10-r4.ebuild} |   2 +-
 net-vpn/openconnect/openconnect-9999.ebuild        |   2 +-
 5 files changed, 25 insertions(+), 117 deletions(-)