Command-line client for PaloAlto Networks' GlobalProtect VPN, integrated with OKTA. This utility will do the authentication dance with OKTA to retrieve portal-userauthcookie, which will be passed to OpenConnect with PAN GlobalProtect support for creating actual VPN connection. Compatible with Python 2 and 3. Tested on FreeBSD, Linux and MacOS X.

It also supports Google and OKTA two factor authentication and can work without user interaction, if initial TOTP secret is provided. Otherwise, it will ask for generated code.

To gather TOTP secret, there are two possibilities - either scan the provided QR code with normal QR code scanner and write down the secret. Or create backup from current OTP application in phone. Some applications have this feature, but some don't. For example, andOTP on Android do support this feature.

This utility depends on requests and lxml Python libraries. If TOTP secret is being used, then pyotp is also required.

   ./gp-okta.py gp-okta.conf

Build Docker image before running container:

docker build -t gp-okta .

Edit gp-okta.conf and launch Docker container:

sh run-docker.sh

Configuration file should be self-explanatory. Options can be overridden with GP_ prefixed respective environment variables, e.g., GP_PASSWORD will override password option in configuration file.

If openconnect returns with ioctl error, then this version has a bug, which requires to prefix stdin input with a newline. Set bug.nl=1 in configuration file to work-around this issue.

If openconnect returns with fgets (stdin): Resource temporarily unavailable error, then this version has a bug, which requires to prefix stdin input with a username. Set bug.username=1 in configuration file to work-around this issue.