EBC Exercise 07 Connecting to Rose VPN

From eLinux.org
Jump to: navigation, search

thumb‎ Embedded Linux Class by Mark A. Yoder

Here are instructions for connecting to Rose-Hulman's VPN. Two methods are presented, one uses the open-source openconnect, the other uses Global Connect. (Rose Global Connect Instructions)


To install openconnect, simply:

bone$ sudo apt update
bone$ sudo apt install openconnect

Once installed make sure you have version 8 or newer.

bone$ openconnect --version
OpenConnect version v8.02-1+deb10u1
Using GnuTLS. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

Run it in the background with the following, using your name instead of mine.

bone$ sudo openconnect --pid-file=/tmp/oc.pid --background --user=yoder@rose-hulman.edu --protocol gp gp.rose-hulman.edu
POST https://gp.rose-hulman.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Enter login credentials
POST https://gp.rose-hulman.edu/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RADIUS - GlobalProtect
POST https://gp.rose-hulman.edu/ssl-vpn/getconfig.esp
Tunnel timeout (rekey interval) is 720 minutes.
Idle timeout is 600 minutes.
No MTU received. Calculated 1431 for SSL tunnel. No ESP keys received
POST https://gp.rose-hulman.edu/ssl-vpn/hipreportcheck.esp
WARNING: Server asked us to submit HIP report with md5sum 648914735cb358e4739bb5f749ca1c8d.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Set up UDP failed; using SSL instead
Connected as, using SSL, with ESP disabled
Continuing in background; pid 24042

This starts the VPN, runs it in the background, and saves the process id (pid) in /tmp/oc.pid. The Rose IP address in this case is We can then later stop the VPN using the number in the file.

You can verify the IP address with

bone$ pi a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
5: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether c8:a0:30:a6:26:ea brd ff:ff:ff:ff:ff:ff
    inet brd scope global usb0
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1431 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::3eba:b33c:a268:299d/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

When you are done with the VPN:

bone$ sudo kill `cat /tmp/oc.pid`
POST https://gp.rose-hulman.edu/ssl-vpn/logout.esp
SSL negotiation with gp.rose-hulman.edu
Connected to HTTPS on gp.rose-hulman.edu
Invalid user name
Logout failed.
RTNETLINK answers: No such process
RTNETLINK answers: No such process
User cancelled (SIGINT/SIGTERM); exiting

Global Connect

The is the method used by Rose's VPN provider.

On the bone, get the installation file and untar it.

bone$ cd /tmp
bone$ VERS=PanGPLinux-5.1.1-c17.tgz
bone$ wget -O $VERS https://roseshare.rose-hulman.edu/storage/u.svc/download.dn/fid/5504766564276453800_3845984564090334472
bone$ tar -xvf $VERS


bone$ sudo apt install ./GlobalProtect_deb_arm-

Run the VPN. Substitute your Rose username for username.

bone$ globalprotect
>> connect -p gp.rose-hulman.edu -u username@rose-hulman.edu
Retrieving configuration...                                            
gp.rose-hulman.edu - Enter login credentials                           

(e.g. username@rose-hulman.edu)
Discovering network...                                                 
>> quit

You are now connected. Find you Rose ip address.

bone$ ip a show gpd0
3: gpd0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet scope global gpd0
       valid_lft forever preferred_lft forever

Disconnect when done.

bone$ globalprotect
>> disconnect
>> quit

thumb‎ Embedded Linux Class by Mark A. Yoder