Linux/BSD - OpenConnect


Use of the VPN is required to access department resources from off-campus. This provides greater security than if department-operated systems were exposed directly to the Internet.

With the current deployment, we suggest using a script called openconnect-sso, which wraps the open-source compatible client OpenConnect. This document covers using openconnect-sso directly from the command line.


Installing OpenConnect

The OpenConnect client is not usually pre-installed on Linux distributions or other Unix-like operating systems. Package names vary by distribution; here are some common ones, along with copy/paste install lines:

Debian / Ubuntu and derivatives

sudo apt install openconnect

Fedora

sudo dnf install openconnect

Arch and derivatives

sudo pacman -S openconnect

pkgsrc (NetBSD / Multiple operating systems)

cd /usr/pkgsrc/net/openconnect && sudo make install clean clean-depends

pkgin (NetBSD / Multiple operating systems)

sudo pkgin install openconnect

OpenBSD

doas pkg_add openconnect

FreeBSD

sudo pkg install openconnect

Using your distribution’s package manager, install the package and proceed to Connect to the VPN.


Setting up openconnect-sso

Directions shown in this section are for Debian / Ubuntu and derivatives.

First update your packages and install the pre-requisites.

sudo apt-get update
sudo apt-get install pipx python3-pip python3-venv -y

Now ensure that pipx is in your PATH.

which pipx

If the command prints nothing, continue to the next step. If it prints a path, skip ahead to appending the correct entry to your PATH.

Find pipx under your home directory.

user@host:~$ find ./ -iname \*pipx\*
find: ‘./.dbus’: Permission denied
find: ‘./.cache/dconf’: Permission denied
find: ‘./.cache/doc’: Permission denied
./.local/lib/python3.6/site-packages/pipx-0.16.4.dist-info
./.local/lib/python3.6/site-packages/pipx
./.local/lib/python3.6/site-packages/pipx/pipx_metadata_file.py
./.local/lib/python3.6/site-packages/pipx/__pycache__/pipx_metadata_file.cpython-36.pyc
./.local/bin/pipx

Notice the last entry, which is a file named pipx. If the find output includes that entry, you can proceed to append the correct entry to your PATH. If no entry existed, you would need to append the following line to your .bashrc file (or the equivalent startup file for your shell).

user@host:~$ echo 'export PATH=${PATH}:~/.local/bin' >> ~/.bashrc

Next, append the correct entry to your PATH. For this example the entry we want is ./.local/bin/pipx, so the directory to add is ~/.local/bin.

user@host:~$ export PATH=${PATH}:~/.local/bin
user@host:~$ which pipx
.local/bin/pipx

Now install openconnect-sso.

pipx install "openconnect-sso[full]"
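The steps above check whether ~/.local/bin is already on the PATH and, if not, append an export line to ~/.bashrc. Run more than once, the plain `>>` append leaves duplicate lines behind, so the following added example (not part of the original page, and not part of openconnect-sso or pipx) does the same check and append idempotently: path_contains matches a whole PATH entry rather than a substring, and ensure_path_line only writes the export line if an identical line is not already present. The directory "$HOME/.local/bin" is taken from the find output above; the demonstration at the bottom writes to a temporary file rather than your real ~/.bashrc.

```shell
#!/bin/sh
# Added example: idempotent PATH setup for a pipx install in ~/.local/bin.
# This is illustrative code written for this page, not part of openconnect-sso or pipx.

# path_contains DIR [PATHVALUE]
# Return 0 if DIR is one of the colon-separated entries of PATHVALUE
# (defaults to the current $PATH). Wrapping both sides in ':' makes this an
# exact-entry match, so /usr/bi does not match /usr/bin.
path_contains() {
    dir=$1
    pathval=${2-$PATH}
    case ":${pathval}:" in
        *":${dir}:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ensure_path_line FILE DIR
# Append 'export PATH=${PATH}:DIR' to FILE unless that exact line is already
# there. Prints "added" or "present" so a caller can tell what happened.
ensure_path_line() {
    file=$1
    dir=$2
    line="export PATH=\${PATH}:${dir}"
    if [ -f "$file" ] && grep -Fqx -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Report whether the pipx directory is already on PATH in this shell.
if path_contains "$HOME/.local/bin"; then
    echo "$HOME/.local/bin is already on PATH"
else
    echo "$HOME/.local/bin is not on PATH"
fi

# Demonstration on a temporary file so running this script never touches the
# real ~/.bashrc. For actual use, pass ~/.bashrc as the first argument.
demo_rc=$(mktemp)
ensure_path_line "$demo_rc" "$HOME/.local/bin"   # first run appends the line
ensure_path_line "$demo_rc" "$HOME/.local/bin"   # second run leaves the file unchanged
rm -f "$demo_rc"
```

After appending to ~/.bashrc, the export only takes effect in new shells; for the current one, run the `export PATH=${PATH}:~/.local/bin` line shown below as the page does.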

Connect to the VPN with openconnect-sso

When you are ready to establish a connection, choose whether you want all traffic to go over the VPN (Full Tunnel) or only traffic destined for WWU address space (Split Tunnel).

For Full Tunnel use:

openconnect-sso --server remotevpn.wwu.edu/fullmfa --user $USERNAME@wwu.edu

For Split Tunnel use:

openconnect-sso --server remotevpn.wwu.edu/splitmfa --user $USERNAME@wwu.edu

You will be prompted for your password. After this, a window will pop up to request your second factor of authentication.

Note

The $VARIABLE syntax in the commands above means you need to replace the $VARIABLE (including the $) with the value you want.

$USERNAME is your WWU Universal Account username.

Please be aware that this window must remain open for the tunnel to stay connected. Unfortunately openconnect-sso does not have a background flag the way OpenConnect does.