
Root privs required for connection #396

Open
Captain-Barge opened this issue Jul 19, 2024 · 3 comments

Comments

@Captain-Barge

Captain-Barge commented Jul 19, 2024

Describe the bug
I can't connect without running gpclient as root. (This means that the GUI launched via desktop integration doesn't work).

Expected behavior
The GUI launched via normal desktop integration seems to connect but then mysteriously 'crashes' immediately and without explanation. Connecting from the terminal with gpclient --ignore-tls-errors --fix-openssl connect vpn.domain.com:123 -u username@domain.com accepts password & 2FA and seems to connect fine but then immediately closes and the console messages conclude with:

[2024-07-19T17:35:02Z INFO gpclient::connect] Connecting to the selected gateway: XYZ-gw-1 (vpn.domain.com)
[2024-07-19T17:35:02Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-07-19T17:35:03Z INFO openconnect::ffi] openconnect version: v9.01-3
[2024-07-19T17:35:03Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-07-19T17:35:03Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-07-19T17:35:03Z INFO openconnect::ffi] OS: linux
[2024-07-19T17:35:03Z INFO openconnect::ffi] CSD_USER: 1000
[2024-07-19T17:35:03Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-07-19T17:35:03Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-07-19T17:35:03Z INFO openconnect::ffi] MTU: 0
[2024-07-19T17:35:03Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/getconfig.esp
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to 12.345.678.910:123
[2024-07-19T17:35:03Z INFO openconnect::ffi] SSL negotiation with vpn.domain.com
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to HTTPS on vpn.domain.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-07-19T17:35:03Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-07-19T17:35:03Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-07-19T17:35:03Z WARN openconnect::ffi] Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
[2024-07-19T17:35:03Z WARN openconnect::ffi] No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/hipreportcheck.esp
[2024-07-19T17:35:03Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 4e4975db96f1065098284b1afe9417ce.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-07-19T17:35:03Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-07-19T17:35:03Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-07-19T17:35:03Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-07-19T17:35:03Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-07-19T17:35:03Z WARN openconnect::ffi] Set up tun device failed
[2024-07-19T17:35:03Z INFO openconnect::ffi] POST https://vpn.domain.com/ssl-vpn/logout.esp
[2024-07-19T17:35:03Z INFO openconnect::ffi] SSL negotiation with vpn.domain.com
[2024-07-19T17:35:03Z INFO openconnect::ffi] Connected to HTTPS on vpn.domain.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-07-19T17:35:04Z INFO openconnect::ffi] Logout successful.
[2024-07-19T17:35:04Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting

The "openconnect must be running as root" messages motivated me to try again with sudo: sudo gpclient --ignore-tls-errors --fix-openssl connect vpn.domain.com:123 -u username@domain.com. This worked. The VPN connection established without issues and appears to be stable.

Environment:

  • OS: Debian GNU/Linux 12 (bookworm) x86_64
  • Desktop Environment: GNOME
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep:
    username 1431 0.0 0.0 239908 11880 ? SLsl 10:12 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
  • Is remote SSH? I don't know what this means
  • gpclient --version gives gpclient 2.3.4 (2024-07-08)

Additional context
As already stated, running with sudo is a good workaround. But it would be convenient if it wasn't required.
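The two "Failed to bind local tun device (TUNSETIFF): Operation not permitted" lines in the console output above are the actual cause of the exit; the ioctl needs CAP_NET_ADMIN, which root holds implicitly and which is what the sudo workaround supplies. As an added example (not code from gpclient or from anyone in this thread), a POSIX shell triage script that classifies such a log and checks the calling process's effective capability mask; the only assumption is a Linux /proc for the live check.

```shell
#!/bin/sh
# Added example, not part of gpclient or this issue: classify the openconnect
# failure from log lines of the form quoted above and check whether this
# process holds CAP_NET_ADMIN, the capability the TUNSETIFF ioctl requires.

# Constructed sample: the decisive lines from the console output above.
SAMPLE_LOG='[2024-07-19T17:35:03Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-07-19T17:35:03Z WARN openconnect::ffi] Set up tun device failed
[2024-07-19T17:35:03Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting'

# Read a log on stdin and print one word:
#   tun-permission : TUNSETIFF refused, the process lacks root/CAP_NET_ADMIN
#   tun-other      : tun setup failed for a reason other than permissions
#   ok             : no tun failure in the log
diagnose_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'TUNSETIFF.*Operation not permitted'; then
        echo tun-permission
    elif printf '%s\n' "$log" | grep -q 'Set up tun device failed'; then
        echo tun-other
    else
        echo ok
    fi
}

# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN=12

# $1 is a CapEff mask as printed in /proc/<pid>/status (hex, no 0x prefix).
cap_net_admin_in_mask() {
    [ -n "$1" ] || return 2
    [ $(( (0x$1 >> CAP_NET_ADMIN) & 1 )) -eq 1 ]
}

# Effective capability mask of this shell (Linux only; empty elsewhere).
current_cap_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

verdict=$(printf '%s\n' "$SAMPLE_LOG" | diagnose_log)
echo "diagnosis: $verdict"
if [ "$verdict" = tun-permission ]; then
    if cap_net_admin_in_mask "$(current_cap_mask)"; then
        echo "this process has CAP_NET_ADMIN, so the refusal came from elsewhere"
    else
        echo "no CAP_NET_ADMIN: the connecting process must run as root or be granted the capability"
    fi
fi
```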

@yuezk
Owner

yuezk commented Aug 1, 2024

@Captain-Barge The logs for the GUI are at ~/.local/share/gpclient/gpclient.log; can you provide them so I can investigate why it 'crashes'?

The root privilege is required, even though the GUI relies on a service running as root in the background by leveraging https://polkit.pages.freedesktop.org/polkit/.

@bagnaram

bagnaram commented Aug 3, 2024

I cannot get the CLI to run as root because I see the error: Error: Command { std: "/usr/bin/gpauth ........ cannot be run as root

@yuezk
Owner

yuezk commented Aug 6, 2024

@bagnaram Can you run it with the -E option, e.g., sudo -E gpclient connect <portal> ... and see what happens?
