The HIP (Host Integrity Protection) mechanism is a security scanner for Palo Alto Networks GlobalProtect VPNs, in the same vein as Cisco's CSD and Juniper's Host Checker (source).
gohip accepts the following flags. Most are passed automatically by gpclient as part of the CSD wrapper protocol — you typically don't need to set them manually.
| Flag | Description |
|---|---|
| `-version` | Print the current version and exit |
| `-cookie` | URL-encoded cookie string provided by gpclient; contains the user, domain, and computer fields |
| `-client-ip` | Client IP address as reported by the VPN gateway |
| `-md5` | MD5 value passed by gpclient and included verbatim in the HIP report |
| `-client-os` | OS identifier passed by gpclient (accepted but unused) |
| `-client-version` | Client version string passed by gpclient (accepted but unused) |
| `-os-version` | OS version string passed by gpclient (accepted but unused) |
| `-host-id` | Host identifier passed by gpclient (accepted but unused; the hostname is used instead) |
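As an added example, not part of gohip's own source, the following Go program shows how a CSD wrapper receives the flags listed above and how the values that end up in the HIP report can be checked before use. It assumes (the page does not say) that the `-cookie` value is a URL query string of `key=value` pairs joined by `&`; the sample cookie, client IP and MD5 in the comments are constructed.

```go
package main

import (
	"encoding/hex"
	"errors"
	"flag"
	"fmt"
	"net"
	"net/url"
	"os"
)

// WrapperArgs holds the values gpclient passes to a CSD wrapper, using the
// flag names listed in the README table.
type WrapperArgs struct {
	Cookie        string
	ClientIP      string
	MD5           string
	ClientOS      string
	ClientVersion string
	OSVersion     string
	HostID        string
}

// CookieFields are the user, domain and computer values carried in -cookie.
type CookieFields struct {
	User, Domain, Computer string
}

// ParseWrapperArgs parses argv (without the program name). Go's flag package
// accepts both "-cookie" and "--cookie", so either spelling from gpclient works.
func ParseWrapperArgs(args []string) (WrapperArgs, error) {
	var a WrapperArgs
	fs := flag.NewFlagSet("gohip", flag.ContinueOnError)
	fs.StringVar(&a.Cookie, "cookie", "", "URL-encoded cookie string from gpclient")
	fs.StringVar(&a.ClientIP, "client-ip", "", "client IP as reported by the gateway")
	fs.StringVar(&a.MD5, "md5", "", "MD5 value echoed into the HIP report")
	fs.StringVar(&a.ClientOS, "client-os", "", "OS identifier (unused)")
	fs.StringVar(&a.ClientVersion, "client-version", "", "client version (unused)")
	fs.StringVar(&a.OSVersion, "os-version", "", "OS version (unused)")
	fs.StringVar(&a.HostID, "host-id", "", "host identifier (unused)")
	if err := fs.Parse(args); err != nil {
		return a, err
	}
	return a, nil
}

// ParseCookie decodes the -cookie value. Assumption (not stated on the page):
// the cookie is a URL query string such as
// "user=alice&domain=corp&computer=laptop-01" (constructed sample).
// user and computer must be present.
func ParseCookie(raw string) (CookieFields, error) {
	vals, err := url.ParseQuery(raw)
	if err != nil {
		return CookieFields{}, err
	}
	c := CookieFields{
		User:     vals.Get("user"),
		Domain:   vals.Get("domain"),
		Computer: vals.Get("computer"),
	}
	if c.User == "" || c.Computer == "" {
		return c, errors.New("cookie is missing the user or computer field")
	}
	return c, nil
}

// ValidateClientIP rejects a -client-ip value that is not a literal IP address,
// so a malformed value is never copied into the report.
func ValidateClientIP(s string) error {
	if net.ParseIP(s) == nil {
		return fmt.Errorf("client-ip %q is not an IP address", s)
	}
	return nil
}

// ValidateMD5 checks that -md5 is 32 hex characters, since the README says
// it is included verbatim in the HIP report.
func ValidateMD5(s string) error {
	if len(s) != 32 {
		return fmt.Errorf("md5 %q: expected 32 hex characters", s)
	}
	if _, err := hex.DecodeString(s); err != nil {
		return fmt.Errorf("md5 %q: %w", s, err)
	}
	return nil
}

func main() {
	a, err := ParseWrapperArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	c, err := ParseCookie(a.Cookie)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, err := range []error{ValidateClientIP(a.ClientIP), ValidateMD5(a.MD5)} {
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	fmt.Printf("user=%s domain=%s computer=%s client-ip=%s md5=%s\n",
		c.User, c.Domain, c.Computer, a.ClientIP, a.MD5)
}
```

Run it the way gpclient would invoke a wrapper, for example `go run . -cookie 'user=alice&domain=corp&computer=laptop-01' -client-ip 10.0.0.5 -md5 d41d8cd98f00b204e9800998ecf8427e`; the validation functions exist so that values copied into the report are well-formed rather than trusted as received.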
```bash
gohip -version
```
Download and install gohip from the releases page, e.g.:

```bash
cp gohip-linux-amd64 /usr/bin/gohip
```
- If your VPN concentrator already provides a split tunneling configuration, you can skip this step.
- If not, the packaged version will drop a file in `/etc/vpnc/post-connect.d/split.sh`. If you opted to install the binary manually, you need to copy this file from this repository.
- Create the file `/etc/vpnc/splitvpn` with the following content:

  ```bash
  MAIN_DEV="enp0s31f6" # Your main network interface
  GW="192.168.1.254"   # Your gateway
  ```

  You can determine those values with

  ```bash
  ip -json r get 1.1.1.1 | jq '.[]| "MAIN_DEV=\"\(.dev)\" \nGW=\"\(.gateway)\""' -r
  ```
- Start the VPN client with

  ```bash
  sudo -E gpclient connect --hip --csd-wrapper /usr/bin/gohip vpn.endpoint.com
  ```

You can pass `--default-browser` to gpclient if you are on version 2.3.2 or later; it will then open the browser that xdg-settings reports as the default:

```bash
sudo -E gpclient connect --hip --csd-wrapper /path/to/gohip vpn.endpoint.com --default-browser
```

To set your default browser you can run

```bash
xdg-settings set default-web-browser firefox.desktop
```

Using Firefox or Chrome from snaps will not work: gpclient drops a file in `/tmp` that needs to be accessible from the browser, and the snap confinement prevents that.
Every push (or merged PR) to `main` automatically cuts a new patch release via GitHub Actions:

- Tests run on the `main` branch
- On success, the patch version is bumped and a new `v*.*.*` tag is pushed
- The release workflow builds binaries and packages (`.deb`, `.rpm`, Arch `.pkg.tar.zst`) and uploads them to the releases page

To bump major or minor versions manually:

```bash
git tag v2.0.0 && git push origin v2.0.0
```