By Rudolf Ammann, on 18 September 2015
Some of this university’s computational infrastructure is tucked away behind a VPN login: If you’re trying to reach it from the outside, you need to establish a Virtual Private Network connection to get through. This may be more onerous for users of a Linux operating system than it is for those who rely on Microsoft or Apple products, especially since UCL insists that VPN connections may only be established using one particular VPN client, Cisco’s AnyConnect. This client has its problems, but it also comes with a superior FOSS alternative: OpenConnect.
I will discuss the use of the two clients in turn.
UCL’s How to set up a VPN connection for Linux tutorial offers instructions on how to install the AnyConnect client. The tutorial does not mention that AnyConnect will fail to work when it is run with restricted privileges. Neither does it mention that AnyConnect, when it attempts to establish a VPN connection while running with restricted privileges, is likely to hang indefinitely, consuming all available CPU, flooding all available RAM, and eventually bringing the system to its knees — unless the runaway process is killed in good time.
To work as advertised, AnyConnect needs to run as root or under sudo. So, once the application is installed, open a terminal and launch it by issuing the following command:
$ sudo /opt/cisco/anyconnect/bin/vpnui
Once you’ve entered your sudo password, this command should pop up a dialog with a single ‘Connect to:’ field. Type ‘vpn.ucl.ac.uk’ into this field, but be prepared to deal with further complications, as you may need to lift a block and ignore a warning before AnyConnect will establish a connection with UCL’s VPN.
UCL’s VPN uses what seems like a legitimate SSL certificate issued by Terena:
$ openssl s_client -connect vpn.ucl.ac.uk:443 </dev/null 2>&1 | sed -n '/^issuer=/s/.*CN=//p'
TERENA SSL CA
AnyConnect may not recognise this certificate and respond with an error message that reads: ‘Untrusted VPN Server Blocked!’ To work past this barrier, hit the ‘Change Setting…’ button, which will take you to AnyConnect’s Preferences dialog. In that dialog, untick the ‘Block connections to untrusted servers’ option and hit the ‘Close’ button.
Close and restart the application, then type ‘vpn.ucl.ac.uk’ into the ‘Connect to’ field and hit the ‘Connect’ button. This will trigger a warning: ‘Security Warning: Untrusted VPN Server Certificate!’ Ignore this warning and hit the ‘Connect Anyway’ button! Be clear about what that click means, though: AnyConnect is no longer checking that the server at the other end is who it claims to be, so anyone able to intercept your traffic could impersonate vpn.ucl.ac.uk and collect your username and password. At the very least, compare the certificate the gateway actually presents (as captured with openssl above, from a network you trust) with the one you expect before you type in your credentials.
The next dialog will have RemoteAccess pre-entered into the ‘Group’ field. Supply your Username and Password, hit the ‘Connect’ button, and you’re in!
In theory, it should be possible either to export the Terena CA certificate as a .pem file from the Firefox Certificate Manager or to download it from Terena’s repository and copy it to /opt/.cisco/certificates/ca/, the directory from which AnyConnect loads the CA certificates it trusts. This should cause the software to recognise the certificate and to stop returning error messages. I have not been able to make this work, however, and not for lack of trying.
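The checks worth running before you untick ‘Block connections to untrusted servers’ or press ‘Connect Anyway’ are: read the issuer off the certificate, note its fingerprint, and confirm it actually chains to the CA you intend to trust (which is also the quickest way to find out whether the .pem you dropped into /opt/.cisco/certificates/ca/ is the right file). The script below is an added example, not code from the original post or from Cisco; it generates a throwaway CA and gateway certificate locally so it runs offline, and the names ‘Constructed Test CA’, ‘vpn.example.test’ and the $WORK paths are made up stand-ins for the TERENA CA and vpn.ucl.ac.uk. The fetch_gateway_cert function is the only part that touches the network and is not called.

```sh
#!/bin/sh
# Added example, not code from the original post: the checks to run on a
# gateway certificate before trusting an "Untrusted VPN Server Certificate"
# warning. Certificates are generated locally so the script runs offline;
# "Constructed Test CA", "vpn.example.test" and the $WORK paths are made up
# and stand in for the TERENA CA and vpn.ucl.ac.uk.
set -e

WORK=$(mktemp -d)

# Constructed test material: a throwaway CA, a gateway leaf signed by it, and
# an unrelated CA so the failing case can be shown too. No real TERENA data.
make_test_certs() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Constructed Test Org
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = vpn.example.test\n' \
        > "$WORK/leaf.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

    # Same shape of CA, different name and key: must NOT validate the leaf.
    sed 's/Constructed Test/Unrelated/' "$WORK/ca.cnf" > "$WORK/other.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/other.cnf" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Issuer CN of a PEM certificate: the field the s_client | sed one-liner in the
# post prints, read from a saved file instead of a live connection.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# SHA-256 fingerprint of a PEM certificate in "AB:CD:..." form, for comparing
# by eye with a value recorded earlier from a network you trust.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'
}

# Exit status 0 if the leaf ($2) chains to the CA file ($1), non-zero otherwise:
# the same kind of check AnyConnect makes against /opt/.cisco/certificates/ca/.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the certificate a live gateway presents (needs network; not called here).
# </dev/null closes stdin so s_client returns instead of waiting for input.
fetch_gateway_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}

make_test_certs
echo "issuer CN:   $(issuer_cn "$WORK/leaf.pem")"
echo "fingerprint: $(cert_fingerprint "$WORK/leaf.pem")"
chains_to_ca "$WORK/ca.pem" "$WORK/leaf.pem" && echo "leaf chains to the expected CA"
chains_to_ca "$WORK/other.pem" "$WORK/leaf.pem" || echo "leaf does NOT chain to an unrelated CA"
```

Against the real gateway you would call fetch_gateway_cert vpn.ucl.ac.uk gateway.pem and then run issuer_cn, cert_fingerprint and chains_to_ca with the Terena .pem as the CA file; if chains_to_ca fails there, the problem is the CA file you have (wrong certificate, or an intermediate missing), not AnyConnect’s trust store.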
The command-line utility OpenConnect offers an alternative to the above procedure.
You will need to install both OpenConnect and cURL. Binaries of both should be available for your distro of choice via the usual package management.
OpenConnect will need to run a shell script known as a ‘CSD wrapper’ in place of Cisco’s Secure Desktop (‘hostscan’) binary; the one below uses cURL to post a minimal scan result to the gateway so that it lets the connection proceed.
Copy the following script (which is adapted from here) into a plain text file, save the file as csd-wrapper.sh, and render it executable:
#!/bin/sh
#set -x

# Values sent to the gateway in the AnyConnect identification headers.
platform_version="x86x64"
device_type="Linux-x86"
device_uniqueid="AAAAAAA"

# OpenConnect runs this script with the path of a csdXXXXXX temp file as $1
# and exports CSD_HOSTNAME and CSD_TOKEN for the session.
# Delete the temp file so these don't start piling up.
rm -f "$1"

# Post a minimal "scan result" to the gateway in place of Cisco's Secure
# Desktop binary. --insecure applies only to this one cURL request;
# OpenConnect's own checking of the gateway certificate is unaffected.
exec curl \
    --globoff \
    --insecure \
    --user-agent "AnyConnect Linux" \
    --header "X-Transcend-Version: 1" \
    --header "X-Aggregate-Auth: 1" \
    --header "X-AnyConnect-Identifier-Platform: linux" \
    --header "X-AnyConnect-Identifier-PlatformVersion: $platform_version" \
    --header "X-AnyConnect-Identifier-DeviceType: $device_type" \
    --header "X-AnyConnect-Identifier-Device-UniqueID: $device_uniqueid" \
    --cookie "sdesktop=$CSD_TOKEN" \
    --data-ascii @- "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml" <<END
endpoint.feature="failure";
endpoint.os.version="Linux";
END
Then issue the following command to establish the VPN connection:
$ sudo openconnect vpn.ucl.ac.uk --csd-wrapper /path/to/csd-wrapper.sh
The network should now prompt you for your username and password. Supply those, and you’re in!
Of course, you might object that running OpenConnect under sudo is less than desirable from a security perspective, and you’d be entirely right about that. There’s a workaround available.