Using OpenConnect for UNC-CH VPN on Linux

I don’t have good luck with UNC-Chapel Hill’s VPN installation guide for Linux systems (KB0010220, login required). After several tests with Cisco AnyConnect provided in the KB post, they all end up with the following message:

$ sudo /opt/cisco/anyconnect/bin/vpn connect vpn.unc.edu
>> error: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

Fortunately, we can use OpenConnect to replace AnyConnect on this. First, since the VPN is self-signed, we will need to trust it anyway, by obtaining the server certificate with the highlight line (--servercert ....):

$ openconnect vpn.unc.edu
POST https://vpn.unc.edu/
Connected to 152.2.255.244:443
SSL negotiation with vpn.unc.edu
Server certificate verify failed: signer not found

Certificate from VPN server "vpn.unc.edu" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
Failed to complete authentication

$ openconnect vpn.unc.edu

POST https://vpn.unc.edu/

Connected to 152.2.255.244:443

SSL negotiation with vpn.unc.edu

Server certificate verify failed: signer not found

Certificate from VPN server "vpn.unc.edu" failed verification.

Reason: signer not found

To trust this server in future, perhaps add this to your command line:

--servercert pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=

Enter 'yes' to accept, 'no' to abort; anything else to view: yes

Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)

XML POST enabled

Error: Server asked us to run CSD hostscan.

You need to provide a suitable --csd-wrapper argument.

Failed to complete authentication

Then, we can connect to the VPN with the following command:

# servercert could change, please replace with latest cert by above result.

$ openconnect \
     --csd-wrapper /usr/lib/openconnect/csd-post.sh \
     --servercert "pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=" \
     vpn.unc.edu

# servercert could change, please replace with latest cert by above result.

$ openconnect \

--csd-wrapper /usr/lib/openconnect/csd-post.sh \

--servercert "pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=" \

vpn.unc.edu

With group UNCCampus and your Onyen account name, password, and 2FA option (prefer push). You may need sudo for openconnect command if you received permission denied after all.

如果你覺得這篇文章不錯，歡迎打賞

BTH: 35QooNA82isrmQLmpEnqXpJoxeZmaPubPf

ETH：0x4cf61fea5EA842D202B85158d8b5e239C872De46

或是點選下方圖片贊助我一杯咖啡：