I don't have good luck with UNC-Chapel Hill's VPN installation guide for Linux systems (KB0010220, login required). After several tests with Cisco AnyConnect provided in the KB post, they all end up with the following message:
$ sudo /opt/cisco/anyconnect/bin/vpn connect vpn.unc.edu
>> error: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Fortunately, we can use OpenConnect to replace AnyConnect on this. First, since the VPN is self-signed, we will need to trust it anyway, by obtaining the server certificate with the highlight line (--servercert ....):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ openconnect vpn.unc.edu POST https://vpn.unc.edu/ Connected to 152.2.255.244:443 SSL negotiation with vpn.unc.edu Server certificate verify failed: signer not found Certificate from VPN server "vpn.unc.edu" failed verification. Reason: signer not found To trust this server in future, perhaps add this to your command line: --servercert pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk= Enter 'yes' to accept, 'no' to abort; anything else to view: yes Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) XML POST enabled Error: Server asked us to run CSD hostscan. You need to provide a suitable --csd-wrapper argument. Failed to complete authentication |
Then, we can connect to the VPN with the following command:
|
1 2 3 4 5 6 |
# servercert could change, please replace with latest cert by above result. $ openconnect \ --csd-wrapper /usr/lib/openconnect/csd-post.sh \ --servercert "pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=" \ vpn.unc.edu |
With group UNCCampus and your Onyen account name, password, and 2FA option (prefer push). You may need sudo for openconnect command if you received permission denied after all.
Update @ 06/09/2023
Months after this post, the original method shows the following error message:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
☁ vpn [main] ⚡ openconnect vpn.unc.edu --csd-wrapper /usr/lib/openconnect/csd-post.sh --servercert pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk= POST https://vpn.unc.edu/ Connected to 152.2.255.244:443 SSL negotiation with vpn.unc.edu Server certificate verify failed: signer not found Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) XML POST enabled Trying to run CSD Trojan script '/usr/lib/openconnect/csd-post.sh'. -:1.1: Document is empty ^ -:1.1: Document is empty ^ CSD script '/usr/lib/openconnect/csd-post.sh' completed successfully. GET https://vpn.unc.edu/+CSCOE+/sdesktop/wait.html Refreshing +CSCOE+/sdesktop/wait.html after 1 second... GET https://vpn.unc.edu/+CSCOE+/sdesktop/wait.html SSL negotiation with vpn.unc.edu Server certificate verify failed: signer not found Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) Refreshing +CSCOE+/sdesktop/wait.html after 1 second... ^CGET https://vpn.unc.edu/+CSCOE+/sdesktop/wait.html Socket connect canceled Failed to reconnect to host vpn.unc.edu: Interrupted system call Failed to open HTTPS connection to vpn.unc.edu Failed to complete authentication |
At the first glance I thought it is caused by signer not found, and after searching online there were no solution for this from client side. Months later I realized the root cause is the CSD script where it shows -:1.1: Document is empty, this lead to this issue and this workaround.
By the workaround, using the following temporary OpenSSL config should fix this problem:
|
1 2 3 4 5 6 7 |
openssl_conf = openssl_init [openssl_init] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] Options = UnsafeLegacyRenegotiation |
Then, invoke openconnect as the following to connect to the VPN:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
☁ vpn [main] ⚡ OPENSSL_CONF=/tmp/openssl.conf openconnect vpn.unc.edu --csd-wrapper /usr/lib/openconnect/csd-post.sh --servercert pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk= POST https://vpn.unc.edu/ Connected to 152.2.255.244:443 SSL negotiation with vpn.unc.edu Server certificate verify failed: signer not found Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) XML POST enabled Trying to run CSD Trojan script '/usr/lib/openconnect/csd-post.sh'. <?xml version="1.0" encoding="UTF-8"?> <hostscan><status>TOKEN_SUCCESS</status></hostscan> CSD script '/usr/lib/openconnect/csd-post.sh' completed successfully. GET https://vpn.unc.edu/+CSCOE+/sdesktop/wait.html Got HTTP response: HTTP/1.1 302 Moved Temporarily POST https://vpn.unc.edu/ SSL negotiation with vpn.unc.edu Server certificate verify failed: signer not found Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) Enter 'push', 'sms', 'phone', or a Duo app passcode above. For help, call 919-962-HELP or visit https://help.unc.edu University of North Carolina at Chapel Hill VPN Service. Your use is subject to https://policies.unc.edu Unauthorized access is prohibited. Please enter your username and password. GROUP: [AcklandArt|CH-IMS|CPC|CTCAdmin|CampusServices|CampusServicesIT|CampusServicesV|CompSci|Cybermation|Dentistry|ERDS-Dev|ERP-Dev|EnergyServicesADM|EnergyServicesCGS|EnergyServicesCWS|EnergyServicesEDS|FALCS|FO-VideoInsight|FPG|FnA|Full-Tunnel|HInform|HostedDB|IAAdmin|ITS-EA-US|ITS-RC-Duo|ITS-Sys-VPN|ITSAdmin|ITSEdTech|ITSSecurity|Library-LIT|LibraryAtlas|NCTraCS|Nursing|RC-Cust|RENCI|RENCI-ACIS|SAIT-Dev|SILS-ITS-Admins|SOM-IT|SPHFT|SPHFTAdmin|Sheps-Ctr|Telemed|UNCCSLD|UNCCampus|UNCDev|UNCERP|UNCFSA|UNCSNAP|UNCVend|VCRED|VPN-Test-Group|VPNSecurity|WUNC|WXYC]:^Cfgets (stdin): Interrupted system call |
Leave a Reply