F5 SSL VPN

Experimental support for F5 SSL VPN was added to OpenConnect in March 2021. It is also known as BIG-IP in some documentation. It is a PPP-based protocol using the native PPP support which was merged into the 9.00 release.

F5 mode is requested by adding --protocol=f5 to the command line:

  openconnect --protocol=f5 big-ip.example.com

Since TCP over TCP is very suboptimal, OpenConnect always tries to use PPP-over-DTLS first, and only falls back to the PPP-over-TLS tunnel if that fails, or if DTLS is disabled via the --no-dtls argument.

Quirks and Issues

Currently, OpenConnect should fully support basic username/password authentication for F5, along with an optional TLS client certificate and the "domain" dropdown used by some F5 VPNs. The domain form field can be automatically populated with the --authgroup command-line option.

Like Juniper, the F5 VPN expects a full web browser environment for authentication, and uses HTML forms which rely heavily on JavaScript. In some cases, JavaScript is used to inject modified values into hidden form fields, without which authentication will not complete successfully. If, as in #493, your F5 VPN uses a hidden form field with a value that must be overridden, you may be able to work around this by running openconnect --protocol=f5 --form-entry="hidden_form:choice=1" or similar (see the issue for details on how this value was determined).

If you have access to an F5 VPN which uses other types of authentication (e.g. RSA or OATH tokens), please send information to the mailing list so that we can add support to OpenConnect.

DTLS

Connectivity over DTLS is supported. On BIG-IP server v16, it is possible to use either DTLSv1.0 or DTLSv1.2, if configured correctly. On BIG-IP server v15, it is limited to DTLSv1.0 because experiments show that BIG-IP server v15 cannot negotiate correctly down to DTLSv1.0 when a newer version of DTLS is attempted.

Interpreting f5-vpn:// URIs

Some proprietary F5 VPN clients use a web-based front-end for authentication. This authentication flow terminates in a URI that starts with f5-vpn://, for which the proprietary F5 client is registered as a handler.

We do not yet understand how to interpret these URIs in a way that is sufficient to allow OpenConnect to use them to establish a connection. See GitLab issue #639 and this August 2021 discussion on the mailing list. Please contribute if you have information that can help us understand how to use these URIs.