Accessing the Off-Campus VPN

From RHLUG Wiki

Accessing the Junos PulseSecure VPN in Linux

Writing this because these instructions are hard to find on the knowledgebase website (probably because of the way it is set up in general - can't really browse the articles), and because this is intended to be easy to follow.

Here's the link (searching for "sslvpn" [all one word] or "openconnect" gave the right results): https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01093/en-us

You can try this on eduroam if you want to see how it works.

1. Installing the openconnect and network-manager-openconnect/networkmanager-openconnect packages.

On Ubuntu, Debian, or similar, run:

sudo apt-get install openconnect network-manager-openconnect

On Arch Linux or Manjaro, run:

sudo pacman -S openconnect networkmanager-openconnect

You might want both packages just in case something goes wrong with the command line or you prefer using the NetworkManager method sometime.

NOTE that (as of 3/8/19) network-manager-openconnect is the package name on Ubuntu and similar distros, and networkmanager-openconnect is the package name on Arch Linux and similar distros. The Arch Linux name does not have the extra - between network and manager.

2. Connecting to the VPN either through the NetworkManager GUI (part (a)) or through the command line (part (b)).

a) NetworkManager GUI method:

In KDE 5.15 (or similar desktop environment), click on the WiFi icon in the taskbar, then click the settings icon in the top-right corner. You should see a window appear, where at the top it says "Edit Your Network Connections".

Click the + button in the left panel with the list of networks. It should be located in the bottom-right of that panel.


Now, click on "Juniper SSL VPN / Pulse Connect Secure (openconnect)".

For "Gateway", type in sslvpn.rose-hulman.edu.

WARNING: If you select "Allow Cisco Secure Desktop trojan" for any Junos PulseSecure VPN connection in NetworkManager and connect to that network, the connection has weak security (see http://www.infradead.org/openconnect/csd.html). This is insecure and compromises the security of your personal data. Do not select this unless you absolutely cannot connect in any other way.

(Optional) In "Connection name:" you can say something like "Rose-Hulman Off Campus VPN" or "Rose-Hulman SSLVPN" or something like that so you remember. The default name is "New vpn connection".

Now, click "Save". Click on the wifi icon again in the taskbar. In the list of wifi networks/connections, click on whatever you named your VPN connection (it should have a "shield" icon next to it). Then click "Connect".

A dialog should appear saying "For accessing the vpn connection [Your VPN connection name you typed in above] you need to provide secrets below:".

Click on the globe icon. It should say "contacting host, please wait". Then, a new item called "frmLogin" should appear in a box. ("frmLogin" is the name of the login form in the SSLVPN connection configuration itself, which was done on the backend servers that run this VPN. Neat fact: frm___ for a form or dbl___ for a double, where ___ is the name of the variable, is the variable naming convention of some .NET coders.)

Now, for which "realm" you are in, you will be under "Users". You will always select "Users" because you are a user on the Rose internal network.

Enter your username (this time is one of the ONLY times where you CANNOT include the @rose-hulman.edu. I tried it and it did not work.) and your Rose password.

You can click "Store passwords" if you want for convenience above this box.


Then click "Login" at the bottom of this box. The box will close up slightly. This is normal -- wait a few seconds. It is connecting to the network.

When the box closes, you are now connected. You can disconnect by going to the wifi icon->your VPN name->disconnect.
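The warning above about "Allow Cisco Secure Desktop trojan" can be checked after the fact in the saved profile. The script below is an added example, not part of the original wiki page: it audits a NetworkManager keyfile, assuming the openconnect plugin stores its settings under the [vpn] keys gateway, enable_csd_trojan and csd_wrapper; the sample profile is constructed.

```shell
# Added example (not from the wiki page): audit a NetworkManager keyfile for the
# openconnect settings the page warns about. Key names are assumed, see lead-in.
EXPECTED_GATEWAY="sslvpn.rose-hulman.edu"   # gateway given on the page

# vpn_key FILE KEY: print KEY's value from the [vpn] section (empty if absent).
vpn_key() {
    awk -v want="$2" '
        /^\[/ { in_vpn = ($0 == "[vpn]"); next }
        in_vpn && index($0, want "=") == 1 { print substr($0, length(want) + 2); exit }
    ' "$1"
}

# audit_profile FILE: print one finding per line; return 1 if any WARN.
audit_profile() {
    rc=0
    case $(vpn_key "$1" service-type) in
        *.openconnect) ;;
        *) echo "SKIP: not an openconnect profile"; return 0 ;;
    esac
    if [ "$(vpn_key "$1" enable_csd_trojan)" = "yes" ]; then
        echo "WARN: CSD trojan enabled"; rc=1
    fi
    if [ -n "$(vpn_key "$1" csd_wrapper)" ]; then
        echo "WARN: csd_wrapper script configured"; rc=1
    fi
    gw=$(vpn_key "$1" gateway)
    if [ "$gw" != "$EXPECTED_GATEWAY" ]; then
        echo "WARN: unexpected gateway '$gw'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no findings"
    return "$rc"
}

# Constructed sample profile with the risky checkbox ticked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[connection]
id=Rose-Hulman SSLVPN
type=vpn

[vpn]
enable_csd_trojan=yes
gateway=sslvpn.rose-hulman.edu
service-type=org.freedesktop.NetworkManager.openconnect
EOF
audit_profile "$sample" || echo "profile needs attention"
rm -f "$sample"
```

Saved profiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root, so run audit_profile on those files with sudo.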

b) Command line method

In a command line, type in

sudo openconnect --juniper sslvpn.rose-hulman.edu

Type your root password in the prompt. (NOTE: password characters or * do not show for security reasons. This is the standard in Linux/Unix command line utilities and in openconnect.)

Now the "login form" (technically a command line input prompt with your credentials to login), frmLogin, will appear. ("frmLogin" is the name of the login form in the SSLVPN connection configuration itself, which was done on the backend servers that run this VPN. Neat fact: frm___ for a form or dbl___ for a double, where ___ is the name of the variable, is the variable naming convention of some .NET coders.)

Now a prompt will appear saying which "realm" you are in.

realm [Users|DeltaV|Vendors]:

Type in Users (or users, it worked for me) and then press ENTER.

Now, this prompt will appear:

username:

Enter your Rose network username (this time is one of the ONLY times where you CANNOT include the @rose-hulman.edu. I tried it and it did not work.) and then press ENTER.

Now, this prompt will appear:

password:

Enter your Rose network password and then press ENTER. (NOTE: password characters or * do not show for security reasons. This is the standard in Linux/Unix command line utilities and in openconnect.)

Now the following (or similar) appears:

POST https://sslvpn.rose-hulman.edu/dana-na/auth/url_default/login.cgi
Got HTTP response: HTTP/1.1 302 Moved
GET https://sslvpn.rose-hulman.edu/dana/home/starter0.cgi?check=yes
Connected as [SOME ROSE-HULMAN INTERNAL PUBLIC IP ADDRESS], using SSL, with ESP + LZO in progress
ESP session established with server

When ESP session established with server appears, you are connected.

(For command-line only users without a Desktop Environment: If you are doing this in a tty (Ctrl+Alt+F_, where _ is a number between 1 and 9), you must have another shell open if you want to do something else while running the VPN, or use tmux, a terminal multiplexer, or similar, to have multiple terminal windows open at once.)

Press Ctrl+C at any time to disable the connection.

When you do this, the following (or similar) will appear:

GET https://sslvpn.rose-hulman.edu/dana-na/auth/logout.cgi
SSL negotiation with sslvpn.rose-hulman.edu
Connected to HTTPS on sslvpn.rose-hulman.edu
Got HTTP response: HTTP/1.1 302 Moved
Logout successful.
User cancelled (SIGINT/SIGTERM); exiting.

When User cancelled (SIGINT/SIGTERM); exiting. appears, you are now disconnected.

Accessing the OpenVPN Connection

As an alternative to Junos PulseSecure, RHLUG (at least used to) provide an OpenVPN connection for convenience.

Unfortunately, it got taken down.

For instructions on using OpenVPN in general if you're curious, see VPN.