CommunityData:Northwestern VPN: Difference between revisions
| (3 intermediate revisions by 2 users not shown) | |||
| Line 26: | Line 26: | ||
==== OpenSSL error ==== | ==== OpenSSL error ==== | ||
If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because | If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because our setup relies on Python library that is using an older deprecated ("unsafe") protocol. Until we get it fixed on the server, you need to disable checking on your local machine. | ||
The simplest thing (described in [https://stackoverflow.com/a/72245418 this stackoverflow suggestion]). Basically, it should be possible to add this line to the following files (after the fourth line): <code>openconnect_command-general.sh</code>, <code>openconnect_command-http.sh</code>, <code>openconnect_command-ssh.sh</code>: | |||
:<code>export OPENSSL_CONF=./openssl.conf</code> | |||
<code> | The downside to this is that will require that the command be run ''from the local directory''. Alternatively, you can put the full path to the <code>openssl.conf</code> file that is shipped with the repository into the line above (e.g., <code>/home/mako/bin/nu-vpn-proxy/openssl.conf</code>). | ||
Another option is to change your systemwide OpenSSL configuration as described in comment 7 on [https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834 this bug report]. This is probably more dangerous. | |||
==== Openconnect error ==== | ==== Openconnect error ==== | ||
| Line 38: | Line 40: | ||
The other error that you may get is: <code>Failed to parse server response</code> | The other error that you may get is: <code>Failed to parse server response</code> | ||
If you get this error, it's likely because there | If you get this error, it's likely because there was a bug in openconnect. The bug seems to have begun in openconnect 8.2 and been fixed at some point before openconnect 9.0. Basically,that breaks when upgrading to openconnect version 8.20+ but less than 9.0. | ||
If you can upgrade to 9.0, that is best. If you cannot easily do this, it is likely best to downgrade to 8.1. | |||
Instructions for Ubuntu: | Instructions for Ubuntu: | ||
Latest revision as of 21:55, 28 June 2023
NUIT instructions (works for most)[edit]
Northwestern IT has instructions for how to set up VPN on multiple operating systems using the GlobalConnect client. For most people, their instructions should work fine.
Alternative Linux option[edit]
Mako has built an alternative configuration (suitable for anybody running Debian or Ubuntu is) that doesn't require the GlobalConnect client. This has two main benefits: (1) it doesn't require installing the normal client which includes a proprietary sort of spyware tool that sends details on what packages are installed to NU every time you use it, and (2) it allows you to proxy only a single ssh connection and not your entire Internet connection. Folks who are not at NU may want to use this.
To install it you can download the software from the CDSC Git repository like:
git clone git@code.communitydata.science:nu-vpn-proxy
Details on how to set use that code are up are in the README-CDSC file in that repostiroy.
There are two modes supported by the scripts:
- A mode that proxies only for SSH connections to kibo.
- A mode that proxies your entire connection.
Please commit any changes to the code and/or or the documentation in the git repository.
Troubleshooting[edit]
New versions of openconnect and openssl can cause a few issues.
OpenSSL error[edit]
If you get an error saying "UNSAFE_RENEGOTIATION DISABLED", this is because our setup relies on Python library that is using an older deprecated ("unsafe") protocol. Until we get it fixed on the server, you need to disable checking on your local machine.
The simplest thing (described in this stackoverflow suggestion). Basically, it should be possible to add this line to the following files (after the fourth line): openconnect_command-general.sh, openconnect_command-http.sh, openconnect_command-ssh.sh:
export OPENSSL_CONF=./openssl.conf
The downside to this is that will require that the command be run from the local directory. Alternatively, you can put the full path to the openssl.conf file that is shipped with the repository into the line above (e.g., /home/mako/bin/nu-vpn-proxy/openssl.conf).
Another option is to change your systemwide OpenSSL configuration as described in comment 7 on this bug report. This is probably more dangerous.
Openconnect error[edit]
The other error that you may get is: Failed to parse server response
If you get this error, it's likely because there was a bug in openconnect. The bug seems to have begun in openconnect 8.2 and been fixed at some point before openconnect 9.0. Basically,that breaks when upgrading to openconnect version 8.20+ but less than 9.0.
If you can upgrade to 9.0, that is best. If you cannot easily do this, it is likely best to downgrade to 8.1.
Instructions for Ubuntu:
1. Uninstall openconnect and libopenconnect5
sudo apt remove openconnect libopenconnect5
2. Download version 8.10
cd ~/Some/dir wget https://www.infradead.org/openconnect/download/openconnect-8.10.tar.gz tar -xvf ./openconnect-8.10.tar.gz cd ./openconnect-8.10
3. Install openconnect following these instructions
./configure make make install
4. Cross your fingers and try to connect to the VPN again (e.g., with ssh kibo).
