Linux and OpenConnect VPN client
Below is a set of quick-and-dirty instructions from helping a user get to licenses from Linux over the VPN...will clean these up later:
1. Add users or groups to /etc/sudoers (see the notes below on when this is actually needed).
2. Download a PKCS12 personal certificate.
   (http://its.virginia.edu/identity/certificate/, manual method).
3. Extract the PKCS12 into its constituent parts.
   I used openssl on my aab3w.p12 file (each command prompts for the import password set when the certificate was downloaded):
   * CA cert: openssl pkcs12 -in aab3w.p12 -nodes -cacerts -nokeys -out uva_cacert.pem
   * Cert: openssl pkcs12 -in aab3w.p12 -nodes -clcerts -nokeys -out aab3w_cert.pem
   * Key: openssl pkcs12 -in aab3w.p12 -nodes -nocerts -out aab3w_key.pem
   (-nokeys keeps the private key out of the two certificate files; without it, openssl writes the key into them as well. -nodes writes the key unencrypted, so openconnect does not have to prompt for a passphrase.)
4. Run openconnect:
   sudo openconnect -c aab3w_cert.pem -k aab3w_key.pem --cafile=uva_cacert.pem https://uva-anywhere-1.itc.virginia.edu
- The need to explicitly add users/groups to sudoers seems to vary by distro. (The issue seems to be the ability of a normal user to read and write to a dynamically generated TUN device. If a normal user can do that, openconnect will work fine as a normal user.)
- The sudoers step does not appear necessary when using the openconnect plugin for NetworkManager.
- Some versions of openconnect seem to handle PKCS12 certificates out of the box. Fedora 18's version did not. PEM always seems to work fine.
- Keep the permissions openssl applies to the PEM files. The key file in particular should be readable only by you, since -nodes leaves it unencrypted on disk (chmod 600 aab3w_key.pem if it is not already).
- Openconnect takes the -v option for verbose debugging, and -b to background the process.
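Added example, not from the original page or from the ITS instructions: a POSIX shell script that performs step 3 (the openssl extraction) and checks the result before step 4. It takes the bundle name, an output prefix and the import password on the command line (the -passin usage and the file names are this script's assumptions, not the page's), writes every PEM file with owner-only permissions, and confirms that the public key in the extracted certificate matches the one derived from the extracted private key, so a bad bundle or a wrong file is caught before openconnect is run.

```shell
#!/bin/sh
# Added example (not from the original page): split a PKCS12 bundle into the
# PEM files openconnect wants, keep the private key owner-only, and check that
# the certificate and key belong together before handing them to openconnect.
# The PREFIX_*.pem naming and the password-on-the-command-line are assumptions.
set -eu

# extract_p12 BUNDLE.p12 PREFIX PASSWORD
# Writes PREFIX_cacert.pem, PREFIX_cert.pem and PREFIX_key.pem in the current directory.
extract_p12() {
    p12="$1"; prefix="$2"; pass="$3"
    umask 077   # every file created below is readable only by its owner
    # CA chain only: -nokeys keeps the private key out of this file
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pass" \
        -out "${prefix}_cacert.pem"
    # client certificate only, again without the key
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
        -out "${prefix}_cert.pem"
    # private key only; -nodes writes it unencrypted so openconnect does not prompt
    openssl pkcs12 -in "$p12" -nodes -nocerts -passin "pass:$pass" \
        -out "${prefix}_key.pem"
    chmod 600 "${prefix}_key.pem"
}

# key_matches_cert CERT.pem KEY.pem
# Exit 0 only if the public key embedded in the certificate equals the public
# key derived from the private key (both in "BEGIN PUBLIC KEY" PEM form).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: ./extract.sh aab3w.p12 aab3w 'import-password'
if [ "$#" -eq 3 ]; then
    extract_p12 "$1" "$2" "$3"
    if key_matches_cert "${2}_cert.pem" "${2}_key.pem"; then
        echo "certificate and key match; now run:"
        echo "sudo openconnect -c ${2}_cert.pem -k ${2}_key.pem --cafile=${2}_cacert.pem https://uva-anywhere-1.itc.virginia.edu"
    else
        echo "certificate and key do NOT match; check the bundle" >&2
        exit 1
    fi
fi
```

The openssl tools skip the "Bag Attributes" header lines that pkcs12 puts in front of each PEM object, which is why the extracted files can be fed straight back into openssl x509 and openssl pkey (and into openconnect) without cleanup.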