CommunityData:Northwestern VPN

From CommunityData

NUIT instructions (works for most)[edit]

Northwestern IT has instructions for how to set up VPN on multiple operating systems using the GlobalConnect client. For most people, their instructions should work fine.

Alternative Linux option[edit]

Mako has built an alternative configuration (suitable for anybody running Debian or Ubuntu is) that doesn't require the GlobalConnect client. This has two main benefits: (1) it doesn't require installing the normal client which includes a proprietary sort of spyware tool that sends details on what packages are installed to NU every time you use it, and (2) it allows you to proxy only a single ssh connection and not your entire Internet connection. Folks who are not at NU may want to use this.

To install it you can download the software from the CDSC Git repository like:

git clone git@code.communitydata.science:nu-vpn-proxy

Details on how to set use that code are up are in the README-CDSC file in that repostiroy.

There are two modes supported by the scripts:

  1. A mode that proxies only for SSH connections to kibo.
  2. A mode that proxies your entire connection.

Please commit any changes to the code and/or or the documentation in the git repository.


Troubleshooting[edit]

New versions of openconnect and openssl can cause a few issues.

OpenSSL error[edit]

If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because our setup relies on Python library that is using an older deprecated ("unsafe") protocol. Until we get it fixed on the server, you need to disable checking on your local machine.

The simplest thing (described in this stackoverflow suggestion). Basically, it should be possible to add this line to the following files (after the fourth line): openconnect_command-general.sh, openconnect_command-http.sh, openconnect_command-ssh.sh:

export OPENSSL_CONF=./openssl.conf

The downside to this is that will require that the command be run from the local directory. Alternatively, you can put the full path to the openssl.conf file that is shipped with the repository into the line above (e.g., /home/mako/bin/nu-vpn-proxy/openssl.conf).

Another option is to change your systemwide OpenSSL configuration as described in comment 7 on this bug report. This is probably more dangerous.

Openconnect error[edit]

The other error that you may get is: Failed to parse server response

If you get this error, it's likely because there was a bug in openconnect. The bug seems to have begun in openconnect 8.2 and been fixed at some point before openconnect 9.0. Basically,that breaks when upgrading to openconnect version 8.20+ but less than 9.0.

If you can upgrade to 9.0, that is best. If you cannot easily do this, it is likely best to downgrade to 8.1.

Instructions for Ubuntu:

1. Uninstall openconnect and libopenconnect5

   sudo apt remove openconnect libopenconnect5

2. Download version 8.10

   cd ~/Some/dir
   wget https://www.infradead.org/openconnect/download/openconnect-8.10.tar.gz
   tar -xvf ./openconnect-8.10.tar.gz
   cd ./openconnect-8.10

3. Install openconnect following these instructions

   ./configure
   make
   make install

4. Cross your fingers and try to connect to the VPN again (e.g., with ssh kibo).