A modern GlobalProtect VPN client for Linux, built on OpenConnect with full support for SSO authentication. This project provides both command-line and graphical interfaces for seamless VPN connectivity.
Inspired by gp-saml-gui
- Cross-Platform Linux Support – Optimized for various Linux distributions
- Dual Interface – Available as both CLI and GUI applications
- Flexible Authentication – Supports SSO, non-SSO, FIDO2 (e.g., YubiKey), and client certificate authentication
- Browser Integration – Authenticate using your default browser or any specified browser
- Multi-Portal Support – Connect to multiple portals and gateways
- Direct Gateway Connection – Bypass portal selection when needed
- Auto-Connect – Automatically connect on system startup
- System Tray Integration – Convenient system tray icon (requires gnome-shell-extension-appindicator on GNOME)
The CLI version is fully open source and feature-rich, providing nearly identical functionality to the GUI version.
Usage: gpclient [OPTIONS] <COMMAND>
Commands:
connect Connect to a portal server
disconnect Disconnect from the server
launch-gui Launch the GUI
help Print this message or the help of the given subcommand(s)
Options:
--fix-openssl Get around the OpenSSL 'unsafe legacy renegotiation' error
--ignore-tls-errors Ignore TLS errors
-h, --help Print help
-V, --version Print versionTip: Use
gpclient help <command>for detailed information on a specific command.
For browser-based authentication with the CLI:
Method 1: Using sudo with environment preservation:
sudo -E gpclient connect --browser <portal>Method 2: Using authentication piping:
gpauth <portal> --browser 2>/dev/null | sudo gpclient connect <portal> --cookie-on-stdinBrowser Options:
- Use
--browser <browser>to specify a browser (e.g.,firefox,chrome) - Use
--browser remotefor headless servers – this provides a URL you can access from another machine to complete authentication
The GUI application provides an intuitive interface for managing VPN connections. Launch it from your application menu or via the terminal:
gpclient launch-guiNote
The GUI version is partially open source. The background service (gpservice) is open source, while the GUI wrapper is proprietary.
sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
sudo apt-get update
sudo apt-get install globalprotect-openconnectNote
For Linux Mint users: If you encounter a GPG key error, import the key manually:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761Download the latest .deb package from the releases page, then install:
sudo apt install --fix-broken globalprotect-openconnect_*.debPackage: globalprotect-openconnect-git
You can install it using an AUR helper like yay:
yay -S globalprotect-openconnect-gitThe package is also available in the official Arch Linux Extra repository.
Package: globalprotect-openconnect
Note
Since the official package does not include the system tray support dependency, you need to install libappindicator manually:
sudo pacman -S libappindicator globalprotect-openconnectDownload the latest package from the releases page, then install:
sudo pacman -U globalprotect-openconnect-*.pkg.tar.zstThe package is available on COPR for RPM-based distributions:
sudo dnf copr enable yuezk/globalprotect-openconnect
sudo dnf install globalprotect-openconnectPackages are available on the openSUSE Build Service. Follow the installation instructions for your distribution.
Download the latest RPM package from the releases page:
sudo rpm -i globalprotect-openconnect-*.rpmAvailable via the guru and lamdness overlays:
sudo eselect repository enable guru
sudo emerge --sync guru
sudo emerge --ask --verbose net-vpn/GlobalProtect-openconnectThis repository includes a flake for NixOS integration.
-
Add the flake to your
flake.nix:{ inputs = { # ... other inputs globalprotect-openconnect.url = "github:yuezk/GlobalProtect-openconnect"; }; outputs = { nixpkgs, ... }@inputs: { nixosConfigurations.<your-host> = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; modules = [ ./configuration.nix ]; }; }; }
-
Add the package to your
configuration.nix:{ config, pkgs, inputs, ... }: { # ... other configurations environment.systemPackages = with pkgs; [ # ... other packages ] ++ [ inputs.globalprotect-openconnect.packages.${pkgs.system}.default ]; }
-
Apply the changes:
sudo nixos-rebuild switch
-
Install dependencies:
webkit2gtklibsecretlibayatana-appindicatororlibappindicator-gtk3
-
Download and extract: Download
globalprotect-openconnect_${version}_${arch}.bin.tar.xzfrom the releases page:tar -xJf globalprotect-openconnect_${version}_${arch}.bin.tar.xz
-
Install:
sudo make install
You can build the application from source using either a DevContainer (recommended) or a local development environment.
This project includes a DevContainer configuration that provides a consistent, reproducible build environment with all dependencies pre-installed.
- Docker
- Visual Studio Code (optional, for IDE support)
- Dev Containers extension (if using VS Code)
-
Clone the repository:
git clone https://github.com/yuezk/GlobalProtect-openconnect.git cd GlobalProtect-openconnect git submodule update --init --recursive -
Build the DevContainer image:
docker build -t gpoc-devcontainer .devcontainer/
-
Build the project:
docker run --privileged --cap-add=NET_ADMIN --device=/dev/net/tun \ -v "$(pwd)":/workspace -w /workspace gpoc-devcontainer \ bash -c "export PATH=/usr/local/cargo/bin:\$PATH && make build"
-
Locate build artifacts:
The compiled binaries will be available in
target/release/:gpclient– CLI clientgpservice– Background servicegpauth– Authentication helpergpgui-helper– GUI helper
- Open the project in VS Code
- When prompted, click "Reopen in Container" (or run Dev Containers: Reopen in Container)
- Once the container is ready, open a terminal and run:
make build
- Rust 1.85 or later
- Tauri dependencies
libopenconnect-dev(oropenconnect-develon RPM-based systems)pkexecandgnome-keyring(orpam_kwalleton KDE)nodejsandpnpm(optional if using pre-built release tarballs withBUILD_FE=0)
-
Download source code:
Download
globalprotect-openconnect-${version}.tar.gzfrom the releases page. -
Extract and build:
tar -xzf globalprotect-openconnect-${version}.tar.gz cd globalprotect-openconnect-${version} make build BUILD_FE=0
-
Install:
sudo make install
Note:
DESTDIRis not currently supported.
Verify the CLI client is working correctly:
./target/release/gpclient --helpBUILD_GUI=0– Build CLI components only (excludes GUI)BUILD_FE=0– Skip frontend build (uses pre-built assets)OFFLINE=1– Build in offline mode using vendored dependencies
Solution 1: Update to version 2.2.0 or later, which includes a file-based storage fallback.
Solution 2: Install the gnome-keyring package and restart your system.
See related issues: #321, #316
If you encounter (gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:, try running the command with sudo -E:
sudo -E gpclient connect <portal>See related issue: #316
The CLI version is completely free and open source. The GUI version is a paid application with a 10-day trial period after installation.
This project consists of multiple components, each with its own license:
| Component | Type | License |
|---|---|---|
| gpapi | Crate | MIT |
| openconnect | Crate | GPL-3.0 |
| common | Crate | GPL-3.0 |
| auth | Crate | GPL-3.0 |
| gpservice | Application | GPL-3.0 |
| gpclient | Application | GPL-3.0 |
| gpauth | Application | GPL-3.0 |
| gpgui-helper | Application | GPL-3.0 |
