UCLDH Blog

Tutorial: How to Access UCL’s Virtual Private Network Using Linux

By Rudolf Ammann, on 18 September 2015

Tux, interpreted by the author, ca. 2002

Some of this university’s computational infrastructure is tucked away behind a VPN login: if you’re trying to reach it from the outside, you need to establish a Virtual Private Network connection to get through. This may be more onerous for users of a Linux operating system than it is for those who rely on Microsoft or Apple products, especially since UCL insists that VPN connections may only be established using one particular VPN client, Cisco’s AnyConnect. This client has its problems, but a superior FOSS alternative exists: OpenConnect.

I will discuss the use of the two clients in turn.

AnyConnect

UCL’s How to set up a VPN connection for Linux tutorial offers instructions on how to install the AnyConnect client. The tutorial does not mention that AnyConnect will fail to work when it is run with restricted privileges. Neither does it mention that AnyConnect, when it attempts to establish a VPN connection while running with restricted privileges, is likely to hang indefinitely, consuming all available CPU, flooding all available RAM, and eventually bringing the system to its knees — unless the runaway process is killed in good time.

To work as advertised, AnyConnect needs to run as root or under sudo. So, once the application is installed, open a terminal and launch it by issuing the following command:

$ sudo /opt/cisco/anyconnect/bin/vpnui

Once you’ve entered your sudo password, this command should pop up a dialog with a single ‘Connect to:’ field. Type ‘vpn.ucl.ac.uk’ into this field, but be prepared to deal with further complications, as you may need to lift a block and ignore a warning before AnyConnect will establish a connection with UCL’s VPN.

UCL’s VPN uses what seems like a legitimate SSL certificate issued by Terena:

$ openssl s_client -connect vpn.ucl.ac.uk:443 </dev/null |& sed -n '/^issuer=/s/.*CN=//p'
TERENA SSL CA

AnyConnect may not recognise this certificate and respond with an error message that reads: ‘Untrusted VPN Server Blocked!’ To work past this barrier, hit the ‘Change Setting…’ button, which will take you to AnyConnect’s Preferences dialog. In that dialog, untick the ‘Block connections to untrusted servers’ option and hit the ‘Close’ button.

Close and restart the application, then type ‘vpn.ucl.ac.uk’ into the ‘Connect to’ field and hit the ‘Connect’ button. This will trigger a warning: ‘Security Warning: Untrusted VPN Server Certificate!’ Ignore this warning and hit the ‘Connect Anyway’ button!

The next dialog will have RemoteAccess pre-entered into the ‘Group’ field. Supply your Username and Password, hit the ‘Connect’ button, and you’re in!

In theory, it should be possible either to export the Terena certificate as a .pem file from the Firefox Certificate Manager or to download it from Terena’s repository and copy it to /opt/.cisco/certificates/ca/, the directory in which AnyConnect stores its certificates. This should cause the software to recognise the certificate and to stop returning error messages. I have not been able to make this work, however, and not for lack of trying.

OpenConnect

The command-line utility OpenConnect offers an alternative to the above procedure.

You will need to install both OpenConnect and cURL. Binaries of both should be available for your distro of choice via the usual package management.

OpenConnect will need to invoke a shell script known as a ‘CSD-wrapper’, which uses cURL to post the endpoint-scan reply (the request to scan.xml in the script below) that the gateway expects before it will authenticate you.

Copy the following script (which is adapted from here) into a plain text file, save the file as csd-wrapper.sh, and render it executable:

#!/bin/sh
# Uncomment the next line to trace every command while debugging
#set -x

platform_version="x86x64"
device_type="Linux-x86"
device_uniqueid="AAAAAAA"

# OpenConnect passes the path of its csdXXXXXX temp file as $1;
# delete it so these files don't start piling up
rm -f "$1"

# Post a minimal host-scan result to the gateway. CSD_TOKEN and
# CSD_HOSTNAME are set by OpenConnect. --insecure skips certificate
# verification for this one request, in line with the untrusted-server
# workaround described above.
exec curl \
--globoff \
--insecure \
--user-agent "AnyConnect Linux" \
--header "X-Transcend-Version: 1" \
--header "X-Aggregate-Auth: 1" \
--header "X-AnyConnect-Identifier-Platform: linux" \
--header "X-AnyConnect-Identifier-PlatformVersion: $platform_version" \
--header "X-AnyConnect-Identifier-DeviceType: $device_type" \
--header "X-AnyConnect-Identifier-Device-UniqueID: $device_uniqueid" \
--cookie "sdesktop=$CSD_TOKEN" \
--data-ascii @- "https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml" <<END
endpoint.feature="failure";
endpoint.os.version="Linux";
END

Then issue the following command to establish the VPN connection:

$ sudo openconnect vpn.ucl.ac.uk --csd-wrapper /path/to/csd-wrapper.sh

The network should now prompt you for your username and password. Supply those, and you’re in!

Of course, you might object that running OpenConnect under sudo is less than desirable from a security perspective, and you’d be entirely right about that. There’s a workaround available.

______

Thanks to Emma Cardinal-Richards at UCL’s Information Services Division and to security analyst Dr Name Withheld from W., both of whom provided valuable assistance towards solving this issue!

Dr Rudolf Ammann is the UCLDH Designer at Large and a research associate at the UCL Department of Information Studies. He runs the Arkstack consultancy.

4 Responses to “Tutorial: How to Access UCL’s Virtual Private Network Using Linux”

  • 1
    Luke wrote on 5 November 2020:

    Thank you Rudolf Ammann for sharing the csd-wrapper; I have found it very useful.

    To save a line you can use
    openconnect vpn.ucl.ac.uk --csd-wrapper .csd-wrapper.sh --user=YOUR_USERNAME

    and have your username pre-typed.
    You could also have your password pre-typed too (although this is obviously bad practice and shouldn’t be done):

    echo "YOUR_PASSWORD" | openconnect vpn.ucl.ac.uk --csd-wrapper .csd-wrapper.sh --user=YOUR_USERNAME

    Occasionally openconnect will fail and it will be a real pain to fix. It took me a long time to figure out, but this is the fix on macOS:
    Whenever openconnect breaks your internet, run this script.sh (remember to chmod 775).

    #!/bin/bash

    # Stale DNS records left behind by a dead openconnect look like
    # State:/Network/Service/utun3/DNS in the macOS SystemConfiguration store
    PATTERN="State:/Network/Service/utun[0-9]+/DNS"
    REMOVE_RECORD_CMD=""
    REMOVE_RECORD_MSG="RECORDS TO REMOVE:\n"

    sudo pkill openconnect

    # List every record matching the pattern
    RECORDS=$(scutil <<EOF
    list $PATTERN
    quit
    EOF
    )

    # Keep only the record names (scutil prints "subKey [n] = State:/...")
    for RECORD in $RECORDS; do
    if [[ "$RECORD" =~ "State" ]]; then
    REMOVE_RECORD_CMD="${REMOVE_RECORD_CMD}remove $RECORD \n"
    REMOVE_RECORD_MSG="${REMOVE_RECORD_MSG}$RECORD \n"
    fi
    done

    # Remove all matching records in a single scutil session
    if [ -n "$REMOVE_RECORD_CMD" ]; then
    printf '%b' "$REMOVE_RECORD_MSG"
    sudo scutil <<EOF
    $(printf '%b' "$REMOVE_RECORD_CMD")
    quit
    EOF
    fi

  • 2
    Adrian Vazquez wrote on 23 January 2021:

    For OpenConnect, after running the command it also asks for the group first. In my case it is RemoteAccess.

    You can see the groups at https://vpn4.ucl.ac.uk/. Click download and then log in.

  • 3
    Mateusz Bieniek wrote on 15 February 2021:

    Is passing password via a restricted password file a good practice?
    openconnect -vv vpn.ucl.ac.uk --csd-wrapper path/csdwrapper.sh --user ucluser --authgroup RemoteAccess --passwd-on-stdin < /path/chmod500/vpnpassword
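Before a password file is fed to --passwd-on-stdin as in the command above, its ownership and mode can be checked by the same script that launches the client, so a file that has become group- or world-readable is refused rather than used. The following is an added example in POSIX sh, not quoted from any commenter: the path and username are placeholders, the vpn.ucl.ac.uk command line is the one from the comment, and the OPENCONNECT and CSD_WRAPPER variables are hypothetical hooks so the launch command and wrapper path can be substituted (for instance with a no-op when testing the check).

```shell
#!/bin/sh
# Added example: refuse a password file unless it is a regular file owned by
# the invoking user with no group/other permission bits at all (0400 or 0600).

# secret_file_ok PATH: exit 0 only if PATH passes all three checks.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || { echo "not owned by $(id -un): $f" >&2; return 1; }
    # Columns 5-10 of `ls -ld` output are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "too permissive (group/other = $perms): $f" >&2; return 1; }
    return 0
}

# connect_with_password_file PATH USER: run the command from the comment only
# after the check passes. OPENCONNECT and CSD_WRAPPER are hypothetical hooks,
# defaulting to "sudo openconnect" and ./csd-wrapper.sh.
connect_with_password_file() {
    secret_file_ok "$1" || return 1
    ${OPENCONNECT:-sudo openconnect} vpn.ucl.ac.uk \
        --csd-wrapper "${CSD_WRAPPER:-./csd-wrapper.sh}" \
        --user "$2" --authgroup RemoteAccess --passwd-on-stdin < "$1"
}

# Usage (placeholders):
#   chmod 400 /path/to/vpnpassword
#   connect_with_password_file /path/to/vpnpassword YOUR_USERNAME
```

The check runs as the unprivileged user before sudo is involved, so a file that another local account could read is rejected before its contents ever reach the client; a mode of 500 on the file, as in the comment, passes because only the owner's bits are set.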

  • 4
    Andreas Korn wrote on 1 April 2021:

    Thanks for this useful script.
    To automate the group you can use --authgroup in a similar manner as --user above:
    sudo openconnect vpn.ucl.ac.uk --authgroup RemoteAccess --csd-wrapper ./csd-wrapper.sh
