gof5

Requirements

• an application must be executed under a privileged user

Linux

If your Linux distribution uses systemd-resolved or NetworkManager you can run gof5 without sudo privileges. You need to adjust the binary capabilities:

$ sudo setcap cap_net_admin,cap_net_bind_service+ep /path/to/binary/gof5

For systemd-resolved you need to adjust PolicyKit Local Authority config, e.g. in Ubuntu:

$ cd gof5 # changedir to gof5 github repo
$ sudo cp org.freedesktop.resolve1.pkla /var/lib/polkit-1/localauthority/50-local.d/org.freedesktop.resolve1.pkla
$ sudo systemctl restart polkit.service

Per user capabilities

If you want to have more granular restrictions to run gof5, you can allow only particular users to run it.

First of all add an entry before the none * in a /etc/security/capability.conf file:

cap_net_admin,cap_net_bind_service %username%

where a %username% is a name of the user, which should get inherited CAP_NET_ADMIN and CAP_NET_BIND_SERVICE capabilities.

Adjust the binary flags to have inherited capabilities only:

$ sudo setcap cap_net_admin,cap_net_bind_service+i /path/to/binary/gof5

Check user's capabilities:

$ sudo -u %username% capsh --print | awk '/Current/{print $NF}'
cap_net_bind_service,cap_net_admin+i

gof5 should be executed using sudo even if you already logged in as this user:

$ sudo -u %username% /path/to/binary/gof5

MacOS

On MacOS run the command below to avoid a cannot be opened because the developer cannot be verified warning:

xattr -d com.apple.quarantine ./path/to/gof5_darwin

Windows

Windows version doesn't support pppd driver.

ChromeOS

Developer mode should be enabled, since gof5 requires root privileges. The binary should be placed inside the /usr/share/oem directory. Home directory in ChromeOS doesn't allow to have executables. You need to restart shill with an option in order to allow tun interface creation: sudo restart shill BLOCKED_DEVICES=tun0. Use the the driver: pppd config option if you don't want to restart shill.

HOWTO

Build from source

$ make # gmake in freebsd or mingw make for windows
# or build inside docker (linux version only)
$ make docker

Run

# download the latest release
$ sudo gof5 --server server --username username --password token

Alternatively you can use a session ID, obtained during the web browser authentication (in case, when you have MFA). You can find the session ID by going to the VPN host in a web browser, logging in, and running this JavaScript in Developer Tools:

document.cookie.match(/MRHSession=(.*?); /)[1]

Then specify it as an argument:

$ sudo gof5 --server server --session sessionID

When username and password are not provided, they will be asked if ~/.gof5/cookies.yaml file doesn't contain previously saved HTTPS session cookies or when the saved session is expired or explicitly terminated (--close-session).

Use --close-session flag to terminate an HTTPS VPN session on exit. Next startup will require a valid username/password.

Use --select to choose a VPN server from the list, known to a current server.

Use --profile-index to define a custom F5 VPN profile index.

CA certificate and TLS keypair

Use options below to specify custom TLS parameters:

• --ca-cert - path to a custom CA certificate
• --cert - path to a user TLS certificate
• --key - path to a user TLS key

Configuration

You can define an extra ~/.gof5/config.yaml file with contents:

# DNS proxy listen address, defaults to 127.0.0.245
# In BSD defaults to 127.0.0.1
# listenDNS: 127.0.0.1
# rewrite /etc/resolv.conf instead of renaming
# Linux only, required in cases when /etc/resolv.conf cannot be renamed
rewriteResolv: false
# experimental DTLSv1.2 support
# F5 BIG-IP server should have enabled DTLSv1.2 support
dtls: false
# TLS certificate check
insecureTLS: false
# Enable IPv6
ipv6: false
# driver specifies which tunnel driver to use.
# supported values are: wireguard or pppd.
# wireguard is default.
# pppd requires a pppd or ppp (in FreeBSD) binary
driver: wireguard
# When pppd driver is used, you can specify a list of extra pppd arguments
PPPdArgs: []
# disableDNS allows to completely disable DNS handling,
# i.e. don't alter system DNS (e.g. /etc/resolv.conf) at all
disableDNS: false
# TLS renegotiation support as defined in tls.RenegotiationSupport, disabled by default
renegotiation: RenegotiateNever
# A list of DNS zones to be resolved by VPN DNS servers
# When empty, every DNS query will be resolved by VPN DNS servers
dns:
- .corp.int.
- .corp.
# for reverse DNS lookup
- .in-addr.arpa.
# A list of subnets to be routed via VPN
# When not set, the routes pushed from F5 will be used
# Use "routes: []", if you don't want gof5 to manage routes at all
routes:
- 1.2.3.4
- 1.2.3.5/32