How to use open source openconnect for UiB VPN
Cisco AnyConnect is unethical software. First, it is proprietary, closed-source code, although the nature of its functioning makes it capable of controlling all of the user's network traffic. Even worse, Cisco AnyConnect implements controversial functionality that technically makes it a kind of malware: the so-called "posture" (HostScan) service scans the user's device and sends (steals?) various information out (Cisco says this is done "to improve security," e.g. to keep out non-certified and unauthorized devices), and the Cisco VPN client can officially download and install a spyware trojan on the user's device (Cisco also advertises the trojan as a tool to "improve security"). Also, the VPN client can reroute the network settings in an arbitrary way without the user's consent or knowledge. All this is a serious security and privacy threat. (And Cisco products have a bad history of serious security flaws that look like backdoors.)
It can be justified to run Cisco AnyConnect on a corporate-owned machine (understanding the consequences for the user's privacy and security). But installing it on the user's own private devices should be avoided.
Openconnect
Openconnect is an open source SSL VPN client that supports several protocols, including Cisco AnyConnect. It can be used as an alternative to the proprietary Cisco software, which may, in some installations, include controversial and undesirable functions such as uncontrollable network re-routing, a proprietary scanning module, an installable spyware trojan, etc.
For more information go to the Openconnect web site: https://www.infradead.org/openconnect/.
Install openconnect from the standard Linux repository, e.g. on Ubuntu/Debian use:
apt install openconnect network-manager-openconnect \
network-manager-openconnect-gnome
Server settings
To connect to the VPN, open the network configuration, add a new VPN connection, and choose "Cisco AnyConnect Compatible VPN (openconnect)" in the list.
To connect to the UiB VPN one needs this:
- Server gateway: vpn3.uib.no
- UiB username (short name; in the following examples zzz000)
Basic connect using command line
The simplest command to connect to UiB network is:
sudo openconnect --user zzz000 vpn3.uib.no
Note that sudo is required to set up the tun device. (It is, however, possible to configure openconnect to run as an unprivileged user, see http://www.infradead.org/openconnect/nonroot.html.)
There are also a few useful options:
- --background: run openconnect in the background
- --syslog: send messages to the system log
- --pid-file /var/run/openconnect.pid: use a specific pid file; then it is easy to switch off the background VPN with this command: kill $(cat /var/run/openconnect.pid) (assuming the process pid is saved to /var/run/openconnect.pid)
These options result in this command:
sudo openconnect --background --syslog --pid-file /var/run/openconnect.pid \
--user zzz000 vpn3.uib.no
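A small start/stop/status wrapper around the background command above, added here as an example and not part of the original howto. It assumes the page's server (vpn3.uib.no), username (zzz000) and pid file path, and that it is run under sudo, which openconnect needs to create the tun device; the stale pid file case (file left over from a crashed session) is handled explicitly.

```shell
#!/bin/sh
# Added example wrapper (not from the original howto). Assumptions: the
# server, username and pid file path are the ones used on the page, and the
# script runs as root via sudo so openconnect can set up the tun device.
VPN_SERVER="vpn3.uib.no"
VPN_USER="zzz000"
VPN_PIDFILE="${VPN_PIDFILE:-/var/run/openconnect.pid}"

# Return 0 only if the pid file holds a numeric pid of a live process.
# A leftover file from a crashed or killed session counts as "not running",
# so a stale pid is never signalled by vpn_stop.
vpn_running() {
    [ -r "$VPN_PIDFILE" ] || return 1
    pid=$(cat "$VPN_PIDFILE")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

vpn_start() {
    if vpn_running; then
        echo "openconnect already running (pid $(cat "$VPN_PIDFILE"))" >&2
        return 1
    fi
    rm -f "$VPN_PIDFILE"   # discard a stale pid file before starting
    openconnect --background --syslog --pid-file "$VPN_PIDFILE" \
        --user "$VPN_USER" "$VPN_SERVER"
}

# Same effect as the page's kill $(cat /var/run/openconnect.pid), but refuses
# to signal a pid that is no longer alive and removes the pid file afterwards.
vpn_stop() {
    if ! vpn_running; then
        echo "openconnect is not running" >&2
        rm -f "$VPN_PIDFILE"
        return 1
    fi
    kill "$(cat "$VPN_PIDFILE")" && rm -f "$VPN_PIDFILE"
}

# Usage: sudo ./vpn.sh start | stop | status (no argument does nothing).
case "${1:-}" in
    start)  vpn_start ;;
    stop)   vpn_stop ;;
    status) if vpn_running; then echo "running"; else echo "not running"; fi ;;
esac
```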
Connect using graphical user interface
Most Linux desktop environments (e.g. GNOME, Xfce, etc.) have a graphical utility that is accessible from the system tray. To configure it use:
- VPN protocol: Cisco AnyConnect
- Software token authentication: TOTP
Other options should be left intact.
At login, the GUI program will ask for the University user name and password. Enter them and press Login.
Then a Microsoft authentication code will be sent via SMS to the mobile phone.
There may be a caveat: DNS might not work with the default configuration (web sites are inaccessible by their host names). If this is the case, go to IPv4 settings and manually configure DNS servers, such as Google DNS 8.8.8.8 and 8.8.4.4, and then go to IPv6 settings and enter DNS servers manually, e.g. Google DNS 2001:4860:4860::8888 and 2001:4860:4860::8844.
Now the UiB VPN should work in a privacy-respecting way. Openconnect turns out to be a useful tool for connecting to the UiB network in a simple and straightforward manner.
Microsoft Windows
Openconnect also works on Microsoft Windows. If you are using Chocolatey, there is a port that can be installed with this command:
choco install openconnect-gui
Disclaimer: I did not try it.
References
- Openconnect web site with source code, documentation etc.: https://www.infradead.org/openconnect/
- Microsoft Windows port: https://openconnect.github.io/openconnect-gui/
- Tim Hårek Andreassen had a similar howto in his blog: https://timharek.no/blog/uib-vpn-without-cisco/ Note: My openconnect experience was even more straightforward, e.g. in my case no certificate configuration was necessary.