Editing CommunityData:Northwestern VPN

== NUIT instructions (works for most) ==

Northwestern IT has instructions for how to set up VPN on multiple operating systems using the GlobalConnect client. For most people, [https://kb.northwestern.edu/94726 their instructions] should work fine.

== Alternative Linux option ==

[[Mako]] has built an alternative configuration (suitable for anybody running Debian or Ubuntu is) that doesn't require the GlobalConnect client. This has two main benefits: (1) it doesn't require installing the normal client which includes a proprietary sort of spyware tool that sends details on what packages are installed to NU every time you use it, and (2) it allows you to proxy only a single ssh connection and ''not'' your entire Internet connection. Folks who are not at NU may want to use this.

To install it you can download the software from the [[CommunityData:Git|CDSC Git repository]] like:

 git clone git@code.communitydata.science:nu-vpn-proxy

Details on how to set use that code are up are in the <code>README-CDSC</code> file in that repostiroy.

There are two modes supported by the scripts:

# A mode that proxies '''only''' for SSH connections to kibo.
# A mode that proxies your  entire connection.

Please commit any changes to the code and/or or the documentation in the git repository.


=== Troubleshooting ===

New versions of openconnect and openssl can cause a few issues.

==== OpenSSL error ====
If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because Northwestern's GlobalProtect setup is using a deprecated ("unsafe") protocol. Until we get it fixed on the server, you need to disable checking on your local machine.

The simplest thing (described in [https://stackoverflow.com/a/72245418 this stackoverflow suggestion]). Basically, it should be possible to add this line to the following files (after the fourth line): <code>openconnect_command-general.sh</code>, <code>openconnect_command-http.sh</code>, <code>openconnect_command-ssh.sh</code>:

:<code>export OPENSSL_CONF=./openssl.conf</code>

The downside to this is that will require that the command be run ''from the local directory''. Alternatively, you can put the full path to the <code>openssl.conf</code> file that is shipped with the repository into the line above (e.g., <code>/home/mako/bin/nu-vpn-proxy/openssl.conf</code>).

Another option is to change your systemwide OpenSSL configuration as described in comment 7 on [https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834 this bug report]. This is probably more dangerous.

==== Openconnect error ====

The other error that you may get is: <code>Failed to parse server response</code>

If you get this error, it's likely because there was a bug in openconnect. The bug seems to have begun in openconnect 8.2 and been fixed at some point before openconnect 9.0. Basically,that breaks when upgrading to openconnect version 8.20+ but less than 9.0.

If you can upgrade to 9.0, that is best. If you cannot easily do this, it is likely best to downgrade to 8.1.

Instructions for Ubuntu:

1. Uninstall <code>openconnect</code> and <code>libopenconnect5</code>

    sudo apt remove openconnect libopenconnect5

2. Download version 8.10

    cd ~/Some/dir
    wget https://www.infradead.org/openconnect/download/openconnect-8.10.tar.gz
    tar -xvf ./openconnect-8.10.tar.gz
    cd ./openconnect-8.10

3. Install openconnect following [https://www.infradead.org/openconnect/building.html these instructions]

    ./configure
    make
    make install

4. Cross your fingers and try to connect to the VPN again (e.g., with <code>ssh kibo</code>).