{"id":19102690,"url":"https://github.com/kayrus/gof5","last_synced_at":"2025-04-04T22:07:20.920Z","repository":{"id":39996930,"uuid":"259254083","full_name":"kayrus/gof5","owner":"kayrus","description":"Open Source F5 BIG-IP VPN client for Linux, MacOS, FreeBSD and Windows","archived":false,"fork":false,"pushed_at":"2025-03-13T07:10:00.000Z","size":6354,"stargazers_count":141,"open_issues_count":12,"forks_count":24,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-28T21:09:04.795Z","etag":null,"topics":["big-ip","dns-proxy","f5","f5-apm","f5-bigip","f5networks","linux","macos","ppp","vpn","vpn-client"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kayrus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-27T08:35:38.000Z","updated_at":"2025-03-20T16:53:47.000Z","dependencies_parsed_at":"2023-12-05T10:51:40.891Z","dependency_job_id":"288b2ef2-388a-4bbf-abd9-261a6793ad17","html_url":"https://github.com/kayrus/gof5","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fgof5","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fgof5/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fgof5/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fgof5/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/owners/kayrus","download_url":"https://codeload.github.com/kayrus/gof5/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247256112,"owners_count":20909240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["big-ip","dns-proxy","f5","f5-apm","f5-bigip","f5networks","linux","macos","ppp","vpn","vpn-client"],"created_at":"2024-11-09T03:56:47.758Z","updated_at":"2025-04-04T22:07:20.900Z","avatar_url":"https://github.com/kayrus.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gof5\n\n## Requirements\n\n* an application must be executed under a privileged user\n\n## Linux\n\nIf your Linux distribution uses [systemd-resolved](https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html) or [NetworkManager](https://wiki.gnome.org/Projects/NetworkManager) you can run gof5 without sudo privileges.\nYou need to adjust the binary capabilities:\n\n```sh\n$ sudo setcap cap_net_admin,cap_net_bind_service+ep /path/to/binary/gof5\n```\n\nFor systemd-resolved you need to adjust PolicyKit Local Authority config, e.g. 
in Ubuntu:\n\n```sh\n$ cd gof5 # changedir to gof5 github repo\n$ sudo cp org.freedesktop.resolve1.pkla /var/lib/polkit-1/localauthority/50-local.d/org.freedesktop.resolve1.pkla\n$ sudo systemctl restart polkit.service\n```\n\n### Per user capabilities\n\nIf you want to have more granular restrictions to run gof5, you can allow only particular users to run it.\n\nFirst of all add an entry before the `none  *` in a `/etc/security/capability.conf` file:\n\n```\ncap_net_admin,cap_net_bind_service %username%\n```\n\nwhere a `%username%` is a name of the user, which should get inherited `CAP_NET_ADMIN` and `CAP_NET_BIND_SERVICE` capabilities.\n\nAdjust the binary flags to have inherited capabilities only:\n\n```\n$ sudo setcap cap_net_admin,cap_net_bind_service+i /path/to/binary/gof5\n```\n\nCheck user's capabilities:\n\n```\n$ sudo -u %username% capsh --print | awk '/Current/{print $NF}'\ncap_net_bind_service,cap_net_admin+i\n```\n\ngof5 should be executed using sudo even if you already logged in as this user:\n\n```\n$ sudo -u %username% /path/to/binary/gof5\n```\n\n## MacOS\n\nOn MacOS run the command below to avoid a `cannot be opened because the developer cannot be verified` warning:\n\n```sh\nxattr -d com.apple.quarantine ./path/to/gof5_darwin\n```\n\n## Windows\n\nWindows version doesn't support `pppd` driver.\n\n## ChromeOS\n\nDeveloper mode should be enabled, since gof5 requires root privileges.\nThe binary should be placed inside the `/usr/share/oem` directory. 
The home directory in ChromeOS doesn't allow executables.\nYou need to restart shill with an option in order to allow tun interface creation: `sudo restart shill BLOCKED_DEVICES=tun0`.\nUse the `driver: pppd` config option if you don't want to restart shill.\n\n## HOWTO\n\n### Build from source\n\n```sh\n$ make # gmake in freebsd or mingw make for windows\n# or build inside docker (linux version only)\n$ make docker\n```\n\n### Run\n\n```sh\n# download the latest release\n$ sudo gof5 --server server --username username --password token\n```\n\nAlternatively, you can use a session ID obtained during web browser authentication (in case you have MFA). You can find the session ID by going to the VPN host in a web browser, logging in, and running this JavaScript in Developer Tools:\n\n```js\n// match up to the next ';' or the end of the cookie string\ndocument.cookie.match(/MRHSession=([^;]+)/)[1]\n```\n\nThen specify it as an argument:\n\n```sh\n$ sudo gof5 --server server --session sessionID\n```\n\nWhen a username and password are not provided, gof5 asks for them if the `~/.gof5/cookies.yaml` file doesn't contain previously saved HTTPS session cookies, or when the saved session has expired or was explicitly terminated (`--close-session`).\n\nUse the `--close-session` flag to terminate an HTTPS VPN session on exit. 
The next startup will require a valid username/password.\n\nUse `--select` to choose a VPN server from the list known to the current server.\n\nUse `--profile-index` to define a custom F5 VPN profile index.\n\n### CA certificate and TLS keypair\n\nUse the options below to specify custom TLS parameters:\n\n* `--ca-cert` - path to a custom CA certificate\n* `--cert` - path to a user TLS certificate\n* `--key` - path to a user TLS key\n\n## Configuration\n\nYou can define an extra `~/.gof5/config.yaml` file with contents:\n\n```yaml\n# DNS proxy listen address, defaults to 127.0.0.245\n# In BSD defaults to 127.0.0.1\n# listenDNS: 127.0.0.1\n# rewrite /etc/resolv.conf instead of renaming\n# Linux only, required in cases when /etc/resolv.conf cannot be renamed\nrewriteResolv: false\n# experimental DTLSv1.2 support\n# F5 BIG-IP server should have enabled DTLSv1.2 support\ndtls: false\n# TLS certificate check\ninsecureTLS: false\n# Enable IPv6\nipv6: false\n# driver specifies which tunnel driver to use.\n# supported values are: wireguard or pppd.\n# wireguard is default.\n# pppd requires a pppd or ppp (in FreeBSD) binary\ndriver: wireguard\n# When pppd driver is used, you can specify a list of extra pppd arguments\nPPPdArgs: []\n# disableDNS completely disables DNS handling,\n# i.e. don't alter system DNS (e.g. 
/etc/resolv.conf) at all\ndisableDNS: false\n# TLS renegotiation support as defined in tls.RenegotiationSupport, disabled by default\nrenegotiation: RenegotiateNever\n# A list of DNS zones to be resolved by VPN DNS servers\n# When empty, every DNS query will be resolved by VPN DNS servers\ndns:\n- .corp.int.\n- .corp.\n# for reverse DNS lookup\n- .in-addr.arpa.\n# override DNS servers, provided by a VPN server profile\noverrideDNS:\n- 8.8.8.8\n# override DNS search suffix, provided by a VPN server profile\noverrideDNSSuffix:\n- my.corp\n# A list of subnets to be routed via VPN\n# When not set, the routes pushed from F5 will be used\n# Use \"routes: []\", if you don't want gof5 to manage routes at all\nroutes:\n- 1.2.3.4\n- 1.2.3.5/32\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkayrus%2Fgof5","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkayrus%2Fgof5","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkayrus%2Fgof5/lists"}