Editing CommunityData:Northwestern VPN

From CommunityData


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision (from line 3):

Northwestern IT has instructions for how to set up VPN on multiple operating systems using the GlobalConnect client. For most people, [https://kb.northwestern.edu/94726 their instructions] should work fine.

== Alternative Linux option ==

[[Mako]] has built an alternative configuration (suitable for anybody running Debian or Ubuntu) that doesn't require the GlobalConnect client. This has two main benefits: (1) it doesn't require installing the normal client, which includes a proprietary sort of spyware tool that sends details on what packages are installed to NU every time you use it, and (2) it allows you to proxy only a single ssh connection and ''not'' your entire Internet connection. Folks who are not at NU may want to use this.

To install it, clone the software from the [[CommunityData:Git|CDSC Git repository]]:

 git clone git@code.communitydata.science:nu-vpn-proxy

Details on how to set up and use that code are in the <code>README-CDSC</code> file in that repository.

There are two modes supported by the scripts:

# A mode that proxies '''only''' SSH connections to kibo.
# A mode that proxies your entire connection.

Please commit any changes to the code and/or the documentation in the git repository.

=== Troubleshooting ===

New versions of openconnect and openssl can cause a few issues.

==== OpenSSL error ====

If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because our setup relies on a Python library that uses an older, deprecated ("unsafe") protocol. Until we get it fixed on the server, you need to disable the check on your local machine.

The simplest fix is described in [https://stackoverflow.com/a/72245418 this stackoverflow suggestion]. Basically, add this line (after the fourth line) to each of the following files: <code>openconnect_command-general.sh</code>, <code>openconnect_command-http.sh</code>, <code>openconnect_command-ssh.sh</code>:

:<code>export OPENSSL_CONF=./openssl.conf</code>

The downside is that this requires the command to be run ''from the local directory''. Alternatively, you can put the full path to the <code>openssl.conf</code> file that is shipped with the repository into the line above (e.g., <code>/home/mako/bin/nu-vpn-proxy/openssl.conf</code>).

Another option is to change your systemwide OpenSSL configuration as described in comment 7 on [https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834 this bug report]. This is probably more dangerous.

==== Openconnect error ====

The other error that you may get is: <code>Failed to parse server response</code>

If you get this error, it's likely because of a bug in openconnect. The bug seems to have begun in openconnect 8.2 and been fixed at some point before openconnect 9.0. Basically, the proxy breaks on openconnect versions 8.20 or later but less than 9.0.

If you can upgrade to 9.0, that is best. If you cannot easily do this, it is likely best to downgrade to 8.1.

Instructions for Ubuntu:

1. Uninstall <code>openconnect</code> and <code>libopenconnect5</code>

    sudo apt remove openconnect libopenconnect5

2. Download version 8.10

    cd ~/Some/dir
    wget https://www.infradead.org/openconnect/download/openconnect-8.10.tar.gz
    tar -xvf ./openconnect-8.10.tar.gz
    cd ./openconnect-8.10

3. Install openconnect following [https://www.infradead.org/openconnect/building.html these instructions]

    ./configure
    make
    make install

4. Cross your fingers and try to connect to the VPN again (e.g., with <code>ssh kibo</code>).

Your text (from line 3):

Northwestern IT has instructions for how to set up VPN on multiple operating systems using the GlobalConnect client. For most people, [https://kb.northwestern.edu/94726 their instructions] should work fine.

== Alternative Linux configuration options (may be deprecated after April 1, 2020) ==

'''The following used to work before NU migrated all VPN connections to GlobalConnect. It may or may not work anymore with GlobalConnect and should be tested/revised accordingly.'''

Depending on your setup, the Linux instructions may be a bit lacking. Here are step-by-step instructions for Ubuntu 18.04. They should be similar for other Debian-based systems and very similar if you are using Gnome 3. Alternatively, you can connect to Kibo using the [[ CommunityData:Northwestern VPN#SSH Config | configuration]] that mako developed.

<code>
sudo apt install network-manager-openconnect-gnome
</code>

Open Settings > Networks > Add VPN

[[File:Add-vpn.png|500px]]

Choose the openconnect option

[[File:Anyconnect-vpn.png|500px]]

Edit the settings:

Gateway: `vpn-nu.vpn.northwestern.edu`
Token mode: `TOTP -- manually entered`

[[File:Vpn-settings.png|500px]]

Click connect and log in using your NU netid and password

[[File:Vpn-connect.png|500px]]

=== SSH Config ===

To connect to kibo using ssh:

1. Install netcat-openbsd and ocproxy

  sudo apt install ocproxy netcat-openbsd

2. Add the following to your ~/.ssh/config. Replace <YOUR NU USERNAME>.

  Host kibo kibo.soc.northwestern.edu
    Hostname kibo.soc.northwestern.edu
    User <YOUR NU USERNAME>
    ProxyCommand ~/bin/nu-vpn-proxy %h %p

3. Create the file ~/bin/nu-vpn-proxy with the following. Replace <YOUR NU NETID> and <YOUR NU PASSWORD>.

    #!/bin/bash
   
    # connects to SSH through openconnect and VPN
    # for use with ProxyCommand in SSH
   
    # first run openconnect in the background; start-stop-daemon's -b already
    # detaches it, so no trailing & is needed. Note that the password is expanded
    # into the bash -c string and is therefore visible in the process list while
    # openconnect is running.
    /sbin/start-stop-daemon --pidfile /tmp/nu-vpn-openconnect.pid --make-pidfile -b -S --startas /bin/bash -- -c '/usr/sbin/openconnect --reconnect-timeout 60 --script-tun --script "ocproxy -D 9052" --user <YOUR NU NETID> vpn-nu.vpn.northwestern.edu < <(echo <YOUR NU PASSWORD>)'
   
    # give openconnect time to bring up the ocproxy SOCKS listener on port 9052
    sleep 3
   
    # kill connection on exit
    function cleanup {
      /sbin/start-stop-daemon --stop --pidfile /tmp/nu-vpn-openconnect.pid
    }
    trap cleanup EXIT
   
    # redirect traffic (standard input and output) through the VPN's SOCKS5 proxy;
    # ssh passes the target host and port as %h %p
    /bin/nc.openbsd -X 5 -x 127.0.0.1:9052 "$1" "$2"

Make the file executable using <code>chmod +x ~/bin/nu-vpn-proxy</code>

Now you should be able to log in to kibo with <code>ssh kibo</code>.
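A hardened variant of the nu-vpn-proxy ProxyCommand above, added here as an example and not part of the wiki's own script: it keeps the NU password out of the process list by reading it from a mode-0600 file (assumed path ~/.config/nu-vpn/passwd, overridable via the assumed NU_VPN_PASS_FILE and NU_VPN_NETID variables) with openconnect's --passwd-on-stdin, refuses to start on an openconnect version in the range the Troubleshooting section reports as broken, and waits for the ocproxy SOCKS listener instead of a fixed sleep.

```shell
#!/bin/sh
# Hardened variant of the nu-vpn-proxy ProxyCommand (added example, not the
# wiki's script). Password comes from a 0600 file via --passwd-on-stdin so it
# never appears in argv; the openconnect version is checked against the range
# the wiki reports as broken before any connection is attempted.
set -eu

PASS_FILE="${NU_VPN_PASS_FILE:-$HOME/.config/nu-vpn/passwd}"  # assumed path
NETID="${NU_VPN_NETID:-<YOUR NU NETID>}"
GATEWAY="vpn-nu.vpn.northwestern.edu"
SOCKS_PORT=9052
PIDFILE="/tmp/nu-vpn-openconnect.pid"

# Returns 0 unless the version falls in the known-bad range 8.20 <= v < 9.00
# ("Failed to parse server response"); unparseable input fails closed.
openconnect_version_ok() {
  v="${1#v}"; major="${v%%.*}"; minor="${v#*.}"; minor="${minor%%[!0-9]*}"
  case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#minor}" -eq 1 ] && minor="${minor}0"    # 8.2 -> 8.20
  if [ "$major" -eq 8 ] && [ "${minor#0}" -ge 20 ]; then return 1; fi
  return 0
}

# The password file must exist and be readable by its owner only.
check_pass_file() {
  [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}
main() {
  ver="$(openconnect --version | sed -n 's/^OpenConnect version //p' | head -n 1)"
  openconnect_version_ok "$ver" ||
    { echo "openconnect '$ver' is in the broken range; upgrade to 9.0" >&2; exit 1; }
  check_pass_file "$PASS_FILE" ||
    { echo "$PASS_FILE must exist with mode 0600" >&2; exit 1; }
  # The redirect lives inside the bash -c string: the daemonised shell applies
  # it after start-stop-daemon has pointed stdin at /dev/null. Only the file
  # path, never the password, is visible in the process list.
  cmd="/usr/sbin/openconnect --reconnect-timeout 60 --script-tun \
    --script 'ocproxy -D $SOCKS_PORT' --user '$NETID' --passwd-on-stdin \
    '$GATEWAY' < '$PASS_FILE'"
  /sbin/start-stop-daemon --pidfile "$PIDFILE" --make-pidfile -b -S \
    --startas /bin/bash -- -c "$cmd"
  trap '/sbin/start-stop-daemon --stop --pidfile "$PIDFILE"' EXIT
  for _ in 1 2 3 4 5 6 7 8 9 10; do      # wait for the SOCKS listener
    /bin/nc.openbsd -z 127.0.0.1 "$SOCKS_PORT" 2>/dev/null && break; sleep 1
  done
  /bin/nc.openbsd -X 5 -x "127.0.0.1:$SOCKS_PORT" "$1" "$2"
}

if [ "$#" -eq 2 ]; then main "$@"; fi   # ssh hands over %h %p as the two args
```

Install it as ~/bin/nu-vpn-proxy in place of the script above; the ~/.ssh/config stanza stays unchanged.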