Linux and OpenConnect VPN client

From CS Support Wiki
Revision as of 15:33, 18 June 2013 by Jpr9c (Talk | contribs)


Below is a set of quick-and-dirty instructions from helping a user get to licenses from Linux over the VPN; I will clean these up later:

1. Add users or groups to /etc/sudoers (edit it with visudo, which checks the syntax before saving, so a typo cannot lock you out of sudo):

%users ALL=NOPASSWD: /usr/sbin/openconnect

2. Download a PKCS12 personal certificate (http://its.virginia.edu/identity/certificate/, manual method).

3. Extract the PKCS12 into its constituent parts. I used openssl on my aab3w.p12 file (-nokeys on the two certificate commands keeps the private key out of the certificate files; without it openssl writes the key into those files as well):

     * CA cert: openssl pkcs12 -in aab3w.p12 -nodes -nokeys -cacerts -out uva_cacert.pem
     * Cert: openssl pkcs12 -in aab3w.p12 -nodes -nokeys -clcerts -out aab3w_cert.pem
     * Key: openssl pkcs12 -in aab3w.p12 -nodes -nocerts -out aab3w_key.pem

4. Run openconnect:

sudo openconnect -c aab3w_cert.pem -k aab3w_key.pem --cafile=uva_cacert.pem https://uva-anywhere-1.itc.virginia.edu
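The extraction step above, as an added example that is not part of the wiki page or of openconnect: a small POSIX sh script that splits a PKCS12 bundle into the three PEM files openconnect takes with -c, -k and --cafile, and then checks that the pieces actually belong together (client cert chains to the extracted CA cert, private key matches the client cert) before they are handed to openconnect. It assumes only the openssl command-line tool. The function and file names (extract_p12, check_split, make_test_bundle, the aab3w prefix) are mine; make_test_bundle constructs a throwaway CA and client certificate so the script can be exercised offline in place of the certificate downloaded from ITS.

```shell
#!/bin/sh
# Added example, not from the wiki page: split a PKCS12 bundle into the PEM
# files openconnect wants, then verify them. Assumes the openssl CLI is installed.

# extract_p12 BUNDLE.p12 PREFIX PASSPHRASE
#   Writes PREFIX_cacert.pem, PREFIX_cert.pem and PREFIX_key.pem.
#   The passphrase reaches openssl through the environment (env:P12_PASS),
#   not as a command-line argument, so it is not visible in `ps`.
extract_p12() {
    bundle=$1
    prefix=$2
    P12_PASS=$3
    export P12_PASS
    # -nokeys keeps the private key out of the two certificate files; without it
    # the "CA cert" and "cert" files would silently contain the key as well.
    openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nokeys -cacerts \
        -out "${prefix}_cacert.pem"
    openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nokeys -clcerts \
        -out "${prefix}_cert.pem"
    # -nodes writes the key unencrypted; openssl creates the file mode 0600 and
    # the chmod makes that explicit in case a wrapper script changed the umask.
    openssl pkcs12 -in "$bundle" -passin env:P12_PASS -nodes -nocerts \
        -out "${prefix}_key.pem"
    chmod 600 "${prefix}_key.pem"
    unset P12_PASS
}

# check_split PREFIX
#   Returns 0 when PREFIX_cert.pem chains to PREFIX_cacert.pem and
#   PREFIX_key.pem is the private key for PREFIX_cert.pem, 1 otherwise.
check_split() {
    prefix=$1
    openssl verify -CAfile "${prefix}_cacert.pem" "${prefix}_cert.pem" \
        >/dev/null 2>&1 || return 1
    # Compare the SubjectPublicKeyInfo from the cert with the one derived
    # from the private key; both are printed as PEM "PUBLIC KEY" blocks.
    cert_pub=$(openssl x509 -in "${prefix}_cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "${prefix}_key.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_test_bundle DIR PASSPHRASE
#   Constructed test data: a throwaway CA, a client cert signed by it, and a
#   PKCS12 bundle DIR/test.p12 holding key, client cert and CA cert. This
#   stands in for the certificate downloaded from ITS; nothing here is a
#   real credential.
make_test_bundle() {
    dir=$1
    P12_PASS=$2
    export P12_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed test CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
        -keyout "$dir/leaf_key.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca_key.pem" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/leaf_key.pem" -in "$dir/leaf.pem" \
        -certfile "$dir/ca.pem" -passout env:P12_PASS -out "$dir/test.p12"
    unset P12_PASS
}

# Usage with a real bundle, following the page's file names:
#   extract_p12 aab3w.p12 aab3w 'your passphrase' && check_split aab3w
# and then pass aab3w_cert.pem, aab3w_key.pem and aab3w_cacert.pem to
# openconnect with -c, -k and --cafile.
```

The check_split step is the one worth keeping even if you type the openssl commands by hand: a bundle that was re-issued, or a PEM file copied from an older extraction, gives a key that does not match the certificate, and openconnect's TLS handshake failure is much less informative than the mismatch reported here.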

Notes:

  • The need to explicitly add users/groups to sudoers seems to vary by distro. (The issue seems to be the ability of a normal user to read and write to a dynamically generated TUN device. If a normal user can do that, openconnect will work fine as a normal user.)
  • The sudoers step does not appear necessary when using the openconnect plugin for NetworkManager.
  • Some versions of openconnect seem to handle PKCS12 certificates out of the box. Fedora 18's version did not. PEM always seems to work fine.
  • Keep the permissions on the PEM file that are applied by openssl.
  • Openconnect takes the -v option for verbose debugging, and -b to background the process.