I don’t have good luck with UNC-Chapel Hill’s VPN installation guide for Linux systems (KB0010220, login required). Several tests with the Cisco AnyConnect client provided in the KB post all ended with the following message:
$ sudo /opt/cisco/anyconnect/bin/vpn connect vpn.unc.edu
>> error: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Fortunately, we can use OpenConnect in place of AnyConnect here. First, since the VPN server's certificate is self-signed, we need to trust it explicitly, by obtaining the server certificate pin from the highlighted line (
$ openconnect vpn.unc.edu
Connected to 18.104.22.168:443
SSL negotiation with vpn.unc.edu
Server certificate verify failed: signer not found
Certificate from VPN server "vpn.unc.edu" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.unc.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.
Failed to complete authentication
Then, we can connect to the VPN with the following command:
# The servercert pin can change; replace it with the latest value from the output above.
$ openconnect \
--csd-wrapper /usr/lib/openconnect/csd-post.sh \
--servercert "pin-sha256:JqX8OOWTTFXN+l7HMShXFqmqwnkvy5g1sSpLhiExKdk=" \
UNCCampus and your Onyen account name, password, and 2FA option (prefer push). You may need sudo for the openconnect command if you still get a permission denied error.
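Answering 'yes' at the prompt trusts whichever server answered that connection, so it is worth recomputing the pin independently (for example from another network) before putting it in --servercert. The following is an added example, not part of the original post: it assumes the pin-sha256 value is the RFC 7469 key pin (base64 of SHA-256 over the certificate's DER SubjectPublicKeyInfo), and the function names are hypothetical.

```python
import base64
import hashlib
import ssl
import sys


def _read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def spki_pin(cert):
    """Key pin (assumed RFC 7469 format) for a PEM (str) or DER (bytes) cert."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else bytes(cert)
    _, pos, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version (absent in v1)
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der, pos)
    tag, _, end = _read_tlv(der, pos)        # subjectPublicKeyInfo
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    digest = hashlib.sha256(der[pos:end]).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode()


def pin_matches(cert, pinned):
    """True when the certificate's key pin equals a --servercert value."""
    return spki_pin(cert) == pinned.strip()


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py HOST PINNED  (fetches the certificate without verifying it)
    pem = ssl.get_server_certificate((sys.argv[1], 443))
    print(spki_pin(pem), "MATCH" if pin_matches(pem, sys.argv[2]) else "MISMATCH")
```

A MISMATCH against the value openconnect printed means either the server's key has changed or one of the two connections reached a different endpoint, so the pin should not be updated until that is resolved.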