How to use open source openconnect for UiB VPN
Cisco AnyConect is an unethical software. First, it is proprietary and closed source code, although the nature of its functioning makes it capable to control all the user's network traffic. Even worse, Cisco AnyConnect implements controversial functionality making it technically a kind of malware: the so called "posture" (HostScan) service is scanning the user's device and (steals?) sends various information out (Cisco said this is done "to improve security," e.g. to avoid non-certified and unauthorized devices), Cisco VPN client can officially download and install spyware trojan on the user's device (Cisco also advertises the trojan as a tool to "improve security"). Also, the VPN client can reroute the network settings in arbitrary way without the user's consent and knowledge. All this is a serious security and privacy threat. (And Cisco products have a bad history of serious security flaws that look like backdoors.)
It can be justified to run Cisco AnyConnect on a corporate-owned machine (understanding the consequences for the user's privacy and security). But installing it on the user's owned private devices should be avoided.
Openconnect is an open source SSL VPN client that supports several protocols including Cisco AnyConnect. It can be used as an alternative to proprietary Cisco software that may in some installation include controversial and undesirable functions such as uncontrollable network re-routing, proprietary scanning module, installable spyware trojan etc.
For more information go to the Opeconnect web site: https://www.infradead.org/openconnect/.
Install openconnect from the standard Linux repository, e.g. in case of Ubuntu/Debian use:
apt install openconnect network-manager-openconnect \ network-manager-openconnect-gnome
To connect to the vpn, go to the network configuration entry, then add a new VPN connection, choosing Cisco AnyConnect Compatible VPN (openconnect) in the list.
To connect to the UiB VPN one needs this:
- Server gateway:
- UiB username (short name, in the following examples
Basic connect using command line
The simplest command to connect to UiB network is:
sudo openconnect --user zzz000 vpn3.uib.no
sudo is required to set up the
tun device (It is, however,
possible to configure openconnect to run as unprivileged user, see
There are also a few useful options:
--backgroundrun openconnect at the background
--syslogsend messages to the system log
--pid-file /var/run/openconnect.piduse specific pid file, then it is easy to switch off the background vpn using this command:
kill $(cat /var/run/openconnect.pid)assuming process pid is saved to
These options result in this command:
sudo openconnect --background --syslog --pid-file /var/run/openconnect.pid \ --user zzz000 vpn3.uib.no
Connect using graphical user interface
Most Linux desktop environments (e.g. Gnome, xfce etc ) have graphical utility that is accessible in the system tray. To configure it use:
- VPN protocol: Cisco AnyConnect
- Software token authentication: TOTP
Other options should be left intact.
At login, the GUI program will ask the University user name and password. Enter and press Login
Then, Microsoft authentication code will be sent via SMS on the mobile phone.
There may be a caveat: DNS might not work with the default configuration
(web sites are inaccessible by their http names). If this is the case,
go to IPv4 settings and manually configure DNS servers, such as Google DNS
and then to IPv6 settings and enter DNS servers manually, e.g. Google DNS
Now UiB VPN should work in a private way. Openconnect turns out to be a useful tool to connect to the UiB network in a simple and straightforward way.
Openconnect also works on Microsoft Windows. If you are using Chocolatey then there is a port that can installed be using this command:
choco install openconnect-gui
Disclaimer: I did not try it.
Opeconnect web site with source code, documentation etc: https://www.infradead.org/openconnect/.
Microsoft Windows port: https://openconnect.github.io/openconnect-gui/
Tim Hårek Andreassen had a similar howto in his blog: https://timharek.no/blog/uib-vpn-without-cisco/ Note: My openconnect was experience even more straightforward, e.g. in my case no certificate configuration was necessary.