Re: [vox-tech] UC Davis VPN using openconnect
On 4/19/19 10:32 PM, Aleksandr Michuda wrote:
> Hi! Just to be clear, are you saying you can remote into your work computer
> from home with ssh using ipv6 as long as you're connected to the library VPN?

ssh seems to work fine to campus on IPv4, but is blocked from home -> vpn -> campus -> internet. So I can't ssh from home to random internet servers over ssh unless I use IPv6.

___
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
Re: [vox-tech] UC Davis VPN using openconnect
Hi! Just to be clear, are you saying you can remote into your work computer from home with ssh using ipv6 as long as you're connected to the library VPN?

On Fri, Apr 19, 2019, 10:23 PM Bill Broadley wrote:
> Good news, I just tried openconnect and it just worked.
>
> Left is my home machine on Comcast in Davis.
> Kona is my work machine on campus.
>
> bill@left:~$ date; ssh -4 kona
> Fri Apr 19 22:11:00 PDT 2019
> Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-47-generic x86_64)
> Last login: Fri Apr 19 22:11:00 2019 from 128.120.234.60
>
> 128.120.234.60 is a campus IP (provided by the VPN) and is not my Comcast IP.
>
> Same directions from my post in 2016:
>
> sudo apt install openconnect
> sudo /usr/sbin/openconnect --juniper vpn.library.ucdavis.edu
>
> Sadly they block IPv4 ssh (port 22) to the internet. Gmail, YouTube, and
> random sites seem to work.
>
> They however do not block IPv6 ssh to the internet... "Shhh. Be vewy vewy
> quiet,"
Re: [vox-tech] UC Davis VPN using openconnect
Good news, I just tried openconnect and it just worked.

Left is my home machine on Comcast in Davis.
Kona is my work machine on campus.

bill@left:~$ date; ssh -4 kona
Fri Apr 19 22:11:00 PDT 2019
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-47-generic x86_64)
Last login: Fri Apr 19 22:11:00 2019 from 128.120.234.60

128.120.234.60 is a campus IP (provided by the VPN) and is not my Comcast IP.

Same directions from my post in 2016:

sudo apt install openconnect
sudo /usr/sbin/openconnect --juniper vpn.library.ucdavis.edu

Sadly they block IPv4 ssh (port 22) to the internet. Gmail, YouTube, and random sites seem to work.

They however do not block IPv6 ssh to the internet... "Shhh. Be vewy vewy quiet,"
Re: [vox-tech] UC Davis VPN using openconnect
Yeah, it's light years ahead of Winbloze in the general sense-- but much depends on getting current updates obviously. As the prevalence of the Linux kernel has shot up with the onset of the worrying "IoT" for example, script kiddies who once relied on ubiquitous Win worms & viruses are now utilising known Linux exploits as well. Listening to the BSD podcast, though way nerdier / more technical than something like LinuxVoice, I notice how they enjoy taking jabs at Linux for being a sprawling mess & hence necessarily less secure.

And I actually just remembered something I'd meant to include in that last response.. maybe you don't need it now, but if you're ever stuck falling back on the unencrypted connection, one free VPN equivalent you can try is what is now part of the regular Opera browser.. I was trying this when it came in the Developers' Release only, but I guess they got all the kinks out. Usually wouldn't plug a non-OpenSource app like this, but at least they have a solid Linux version available. Of course, it only applies its "VPN" to the Opera browsing.. I'm curious as to its inner workings actually, & whether anyone has taken a close look at whether it's "leaking" anything in the clear, and whether an equivalent to "torify" could be written so as to move all of one's traffic thru the encryption vs just the web browsing..

Good to hear you sorted your issue though!

20. Jan 2017 12:44 by [email protected]:
> Sorry for the late reply. It's a shame that using it on openconnect doesn't
> work, but I was able to get the Pulse client working. My problem is that I'm
> using Arch Linux but was unable to get it working even after I converted the
> .deb file. But finally tweaked the script and it seems to be working now...
> Thank you for the help and insight! Hopefully, openconnect will work on it at
> some point... seems a bit sad that we have to use something inferior,
> especially in the security department, which Linux (with my very limited
> knowledge of it) is supposed to be stellar at.
>
> On Tue, Jan 17, 2017 at 8:17 PM T. Mark <[email protected]> wrote:
>> Just wondering if you're still looking for a solution.. you might consider
>> a 3rd party VPN. (And just use their "ucd-guest" unencrypted connection to
>> get to it.) Quite a while back when I didn't want creepy strangers even
>> seeing the fact that I was connecting to my stockbroker (over public
>> hotspots which was all I had access to) I resorted to a provider stated as
>> trustworthy by a long, longtime radio show. (I'll refrain from naming them
>> in case doing so might result in a demand spike with resulting price
>> increase, as I might one day be able to afford it again.) Something like
>> $5/mo for the most minimal service, SSH tunnelling, which I'd use via
>>
>> ssh -L 5000:127.0.0.1:1080 [email protected]
>>
>> or so.. the full-fledged VPN service is a bit more. Hit me up off-list for
>> their url, and if anyone else has thoughts on good services (good call on
>> digitalocean btw-- used by at least a couple podcasts I know of) let me/us
>> know, by all means.
>>
>> --
>> https://twitter.com/linuxusergroup
>>
>> 20. Dec 2016 21:43 by [email protected]:
>>> Hi
>>>
>>> Thanks Bill for the explanation! But I am not sure I fully understood your
>>> answer: is the issue coming from openconnect, or from how the library guys
>>> did set up the certificate? What is weird is that it used to work for a
>>> while, and then not anymore. In the latter case, will asking the
>>> #openconnect people help resolve the situation?
>>>
>>> Thanks!!
>>>
>>> Matthieu
>>>
>>> On Sat, Dec 17, 2016 at 12:27 AM, Bill Broadley <[email protected]> wrote:
>>>>> I hit the same error yesterday. Bill said the Library broke it somehow.
>>>>> The 'Official' Pulse client is working on Linux. And someone I chatted
>>>>> with yesterday had an interesting SSH port forwarding method of VPN, if
>>>>> you have access to a server on campus.
>>>>
>>>> The first time I tried it, I stopped by the openconnect irc channel and
>>>> worked with (I think) the primary dev. We tracked it down to an SSL
>>>> problem, which I could even confirm with a browser.
>>>>
>>>> I reported that to the library, and they tweaked the SSL cert (it wasn't
>>>> properly signed).
>>>>
>>>> I lobbied for them to support openconnect since it was compatible, a signed
>>>> binary, 64 bit, and open source. The Pulse client seems like some orphaned
>>>> Juniper project that some 3rd party is trying to make some money off of.
>>>> They haven't even recompiled for 64 bit since. What's worse is that the
>>>> binary includes an old SSL library with known exploits; turns out that you
>>>> need a fairly new openssl library which actually emulates the broken
>>>> behavior, but doesn't allow the exploit.
>>>>
>>>> Kinda sad that campus is standardizing
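Bill's finding earlier in the thread (IPv4 ssh to the internet is blocked once you are on the VPN, IPv6 ssh is not) and T. Mark's question about whether a browser-only "VPN" leaks anything in the clear come down to the same check: does each address family actually leave the machine through the tunnel, and does the far end see the address the VPN handed out? The script below is an added example, not code from this thread or from openconnect. It parses the text format of `ip -4 route` / `ip -6 route` (constructed sample lines, not captured from any machine on the list), classifies each family by whether its preferred default route uses the tunnel interface (`tun0` is assumed; the name openconnect picks varies), and checks an observed egress address such as the `128.120.234.60` Bill saw against the prefix the VPN is expected to assign from (`128.120.0.0/16` is assumed here as the campus range).

```python
"""Audit whether IPv4 and IPv6 both egress through a VPN tunnel interface.

Added example: parses the text format of `ip -4 route` / `ip -6 route`
and classifies each address family as "tunnel", "leak" or "none".
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# `ip route` prints default routes as:
#   default [via <gateway>] dev <iface> [proto ...] [metric <n>]
# "via" is optional: point-to-point tunnels may omit the gateway.
DEFAULT_ROUTE = re.compile(
    r"^default(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Constructed sample output: a laptop whose VPN (tun0) installed an IPv4
# default route but left IPv6 on the Wi-Fi uplink (wlan0).
SAMPLE_V4_ROUTES = """\
default via 10.99.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.99.0.0/24 dev tun0 proto kernel scope link src 10.99.0.7
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

SAMPLE_V6_ROUTES = """\
2001:db8:1:2::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""


def default_routes(route_text: str) -> List[Tuple[str, int]]:
    """Return (interface, metric) for every default route, lowest metric first.

    A default route printed without a metric is treated as metric 0,
    which is how the kernel ranks it.
    """
    found = []
    for line in route_text.splitlines():
        match = DEFAULT_ROUTE.match(line.strip())
        if not match:
            continue
        metric = int(match.group("metric")) if match.group("metric") else 0
        found.append((match.group("dev"), metric))
    found.sort(key=lambda entry: entry[1])
    return found


def classify_family(route_text: str, tunnel_dev: str) -> str:
    """'tunnel' if the preferred default route uses tunnel_dev, 'leak' if it
    uses another interface, 'none' if the family has no default route at all
    (no connectivity for that family, so nothing bypasses the tunnel)."""
    routes = default_routes(route_text)
    if not routes:
        return "none"
    return "tunnel" if routes[0][0] == tunnel_dev else "leak"


def audit_default_routes(v4_text: str, v6_text: str, tunnel_dev: str) -> Dict[str, str]:
    """Classify both address families against the tunnel interface."""
    return {
        "ipv4": classify_family(v4_text, tunnel_dev),
        "ipv6": classify_family(v6_text, tunnel_dev),
    }


def leaking_families(v4_text: str, v6_text: str, tunnel_dev: str) -> List[str]:
    """Address families whose default route bypasses the tunnel."""
    report = audit_default_routes(v4_text, v6_text, tunnel_dev)
    return [family for family, status in report.items() if status == "leak"]


def egress_matches(observed_ip: str, expected_prefixes: List[str]) -> bool:
    """True if the address a remote host saw us connect from (e.g. the
    'Last login ... from' line) lies inside a prefix the VPN hands out."""
    addr = ipaddress.ip_address(observed_ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in expected_prefixes)


if __name__ == "__main__":
    print(audit_default_routes(SAMPLE_V4_ROUTES, SAMPLE_V6_ROUTES, "tun0"))
    # 128.120.0.0/16 is assumed here as the campus range the VPN assigns from.
    print(egress_matches("128.120.234.60", ["128.120.0.0/16"]))
```

Run it against real output by piping `ip -4 route` and `ip -6 route` into the two text arguments; a family reported as "leak" means that traffic never touches the tunnel, which is exactly the condition a browser-scoped VPN or a v4-only policy leaves behind.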
Re: [vox-tech] UC Davis VPN using openconnect
Sorry for the late reply. It's a shame that using it on openconnect doesn't work, but I was able to get the Pulse client working. My problem is that I'm using Arch Linux but was unable to get it working even after I converted the .deb file. But finally tweaked the script and it seems to be working now... Thank you for the help and insight! Hopefully, openconnect will work on it at some point... seems a bit sad that we have to use something inferior, especially in the security department, which Linux (with my very limited knowledge of it) is supposed to be stellar at.

On Tue, Jan 17, 2017 at 8:17 PM T. Mark wrote:
> Just wondering if you're still looking for a solution.. you might
> consider a 3rd party VPN. (And just use their "ucd-guest" unencrypted
> connection to get to it.) Quite a while back when I didn't want creepy
> strangers even seeing the fact that I was connecting to my stockbroker
> (over public hotspots which was all I had access to) I resorted to a
> provider stated as trustworthy by a long, longtime radio show. (I'll
> refrain from naming them in case doing so might result in a demand spike
> with resulting price increase, as I might one day be able to afford it
> again.) Something like $5/mo for the most minimal service, SSH
> tunnelling, which I'd use via
>
> ssh -L 5000:127.0.0.1:1080 [email protected]
>
> or so.. the full-fledged VPN service is a bit more. Hit me up off-list
> for their url, and if anyone else has thoughts on good services (good call
> on digitalocean btw-- used by at least a couple podcasts I know of) let
> me/us know, by all means.
>
> --
> https://twitter.com/linuxusergroup
>
> 20. Dec 2016 21:43 by [email protected]:
>> Hi
>>
>> Thanks Bill for the explanation! But I am not sure I fully understood your
>> answer: is the issue coming from openconnect, or from how the library guys
>> did set up the certificate? What is weird is that it used to work for a
>> while, and then not anymore. In the latter case, will asking the
>> #openconnect people help resolve the situation?
>>
>> Thanks!!
>>
>> Matthieu
>>
>> On Sat, Dec 17, 2016 at 12:27 AM, Bill Broadley wrote:
>>>> I hit the same error yesterday. Bill said the Library broke it somehow.
>>>> The 'Official' Pulse client is working on Linux. And someone I chatted
>>>> with yesterday had an interesting SSH port forwarding method of VPN, if
>>>> you have access to a server on campus.
>>>
>>> The first time I tried it, I stopped by the openconnect irc channel and
>>> worked with (I think) the primary dev. We tracked it down to an SSL
>>> problem, which I could even confirm with a browser.
>>>
>>> I reported that to the library, and they tweaked the SSL cert (it wasn't
>>> properly signed).
>>>
>>> I lobbied for them to support openconnect since it was compatible, a signed
>>> binary, 64 bit, and open source. The Pulse client seems like some orphaned
>>> Juniper project that some 3rd party is trying to make some money off of.
>>> They haven't even recompiled for 64 bit since. What's worse is that the
>>> binary includes an old SSL library with known exploits; turns out that you
>>> need a fairly new openssl library which actually emulates the broken
>>> behavior, but doesn't allow the exploit.
>>>
>>> Kinda sad that campus is standardizing on an orphaned insecure unsigned
>>> binary for such a critical piece of security infrastructure.
>>>
>>> In any case the #openconnect folks were really helpful, if you want to try
>>> to get it working again I suggest trying there.
Re: [vox-tech] UC Davis VPN using openconnect
Just wondering if you're still looking for a solution.. you might consider a 3rd party VPN. (And just use their "ucd-guest" unencrypted connection to get to it.) Quite a while back when I didn't want creepy strangers even seeing the fact that I was connecting to my stockbroker (over public hotspots which was all I had access to) I resorted to a provider stated as trustworthy by a long, longtime radio show. (I'll refrain from naming them in case doing so might result in a demand spike with resulting price increase, as I might one day be able to afford it again.) Something like $5/mo for the most minimal service, SSH tunnelling, which I'd use via

ssh -L 5000:127.0.0.1:1080 [email protected]

or so.. the full-fledged VPN service is a bit more. Hit me up off-list for their url, and if anyone else has thoughts on good services (good call on digitalocean btw-- used by at least a couple podcasts I know of) let me/us know, by all means.

--
https://twitter.com/linuxusergroup

20. Dec 2016 21:43 by [email protected]:
> Hi
>
> Thanks Bill for the explanation! But I am not sure I fully understood your
> answer: is the issue coming from openconnect, or from how the library guys
> did set up the certificate? What is weird is that it used to work for a while,
> and then not anymore. In the latter case, will asking the #openconnect
> people help resolve the situation?
>
> Thanks!!
>
> Matthieu
>
> On Sat, Dec 17, 2016 at 12:27 AM, Bill Broadley <[email protected]> wrote:
>>> I hit the same error yesterday. Bill said the Library broke it somehow.
>>> The 'Official' Pulse client is working on Linux. And someone I chatted
>>> with yesterday had an interesting SSH port forwarding method of VPN, if
>>> you have access to a server on campus.
>>
>> The first time I tried it, I stopped by the openconnect irc channel and
>> worked with (I think) the primary dev. We tracked it down to an SSL
>> problem, which I could even confirm with a browser.
>>
>> I reported that to the library, and they tweaked the SSL cert (it wasn't
>> properly signed).
>>
>> I lobbied for them to support openconnect since it was compatible, a signed
>> binary, 64 bit, and open source. The Pulse client seems like some orphaned
>> Juniper project that some 3rd party is trying to make some money off of.
>> They haven't even recompiled for 64 bit since. What's worse is that the
>> binary includes an old SSL library with known exploits; turns out that you
>> need a fairly new openssl library which actually emulates the broken
>> behavior, but doesn't allow the exploit.
>>
>> Kinda sad that campus is standardizing on an orphaned insecure unsigned
>> binary for such a critical piece of security infrastructure.
>>
>> In any case the #openconnect folks were really helpful, if you want to try to
>> get it working again I suggest trying there.
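The `ssh -L 5000:127.0.0.1:1080 [email protected]` line above is OpenSSH local port forwarding: ssh listens on local port 5000 and carries each connection over the SSH session to whatever the *remote* side calls `127.0.0.1:1080`, here the provider's SOCKS proxy, so the target address is resolved on the server, not at home. The parser below is an added example, not code from this thread or from OpenSSH. It takes the `[bind_address:]port:host:hostport` syntax from ssh(1), including bracketed IPv6 literals, and flags a forward whose listener would be reachable from other machines: a bind address of `*` or an empty address, or `GatewayPorts` enabled when no address is given, turns the tunnel into a relay for anyone who can reach the laptop's network interface, which matters on exactly the public hotspots the post describes.

```python
"""Parse OpenSSH -L / LocalForward specifications and flag exposed listeners.

Added example. Syntax from ssh(1):  [bind_address:]port:host:hostport
IPv6 addresses are written in square brackets, e.g. [::1]:5000:[2001:db8::1]:1080
"""
from dataclasses import dataclass
from typing import List, Optional

# Bind addresses OpenSSH treats as "listen on every interface".
WILDCARD_BINDS = {"", "*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class LocalForward:
    bind_address: Optional[str]  # None: not given, so the GatewayPorts option decides
    listen_port: int             # local port ssh listens on
    target_host: str             # resolved by the remote side, not locally
    target_port: int

    def exposed_to_network(self, gateway_ports: bool = False) -> bool:
        """True if hosts other than the local machine could use this tunnel."""
        if self.bind_address is None:
            return gateway_ports
        return self.bind_address in WILDCARD_BINDS


def _split_spec(spec: str) -> List[str]:
    """Split on ':' while keeping bracketed IPv6 literals whole (brackets dropped)."""
    parts: List[str] = []
    current = ""
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "[":
            end = spec.find("]", i)
            if end == -1:
                raise ValueError(f"unterminated '[' in {spec!r}")
            current += spec[i + 1:end]
            i = end + 1
            continue
        if ch == ":":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    return parts


def _port(text: str) -> int:
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_local_forward(spec: str) -> LocalForward:
    """Parse a -L argument; three fields means no bind address was given."""
    parts = _split_spec(spec)
    if len(parts) == 3:
        bind: Optional[str] = None
        port, host, hostport = parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    if not host:
        raise ValueError("target host may not be empty")
    return LocalForward(bind, _port(port), host, _port(hostport))


if __name__ == "__main__":
    # The forward from the post: loopback listener, target resolved on the server.
    fw = parse_local_forward("5000:127.0.0.1:1080")
    print(fw, "exposed:", fw.exposed_to_network())
    # Same tunnel bound to every interface: reachable by the whole hotspot.
    print(parse_local_forward("*:5000:127.0.0.1:1080").exposed_to_network())
```

The same parser covers `LocalForward` lines in `~/.ssh/config`, where an accidental `*:` prefix is easy to miss; pairing the check with `ExitOnForwardFailure yes` in that file also stops ssh from silently continuing when the port 5000 listener could not be created.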
Re: [vox-tech] UC Davis VPN using openconnect
Sad, and typical! I've moaned on pretty much at length here on the list about UCD's pro-monopoly computing-- indeed ridiculous that there have never been conscientious folk in the CS Dept to enough of a degree to get some FOSS support/adoption going on. I mean, not even support for wireless printing from a Mac in the library?? You'd think they could wrangle someone who knows BSD (that's what I coded C on when attending there eons ago.) Inept, yet tuition (& especially housing costs) continue up thru the stratosphere. (Oh wait-- this is a Linux list. Bon voyage to Linux Luddites Podcast btw.. I've recently spent more time, anyways, listening to BSDnow which is top-notch, so plenty else to do.)

Best wishes to all..

--
https://twitter.com/linuxusergroup

17. Dec 2016 07:27 by [email protected]:
>> I hit the same error yesterday. Bill said the Library broke it somehow.
>> The 'Official' Pulse client is working on Linux. And someone I chatted
>> with yesterday had an interesting SSH port forwarding method of VPN, if
>> you have access to a server on campus.
>
> The first time I tried it, I stopped by the openconnect irc channel and worked
> with (I think) the primary dev. We tracked it down to an SSL problem, which I
> could even confirm with a browser.
>
> I reported that to the library, and they tweaked the SSL cert (it wasn't
> properly signed).
>
> I lobbied for them to support openconnect since it was compatible, a signed
> binary, 64 bit, and open source. The Pulse client seems like some orphaned
> Juniper project that some 3rd party is trying to make some money off of. They
> haven't even recompiled for 64 bit since. What's worse is that the binary
> includes an old SSL library with known exploits; turns out that you need a
> fairly new openssl library which actually emulates the broken behavior, but
> doesn't allow the exploit.
>
> Kinda sad that campus is standardizing on an orphaned insecure unsigned binary
> for such a critical piece of security infrastructure.
>
> In any case the #openconnect folks were really helpful, if you want to try to
> get it working again I suggest trying there.
Re: [vox-tech] UC Davis VPN using openconnect
Hi

Thanks Bill for the explanation! But I am not sure I fully understood your answer: is the issue coming from openconnect, or from how the library guys did set up the certificate? What is weird is that it used to work for a while, and then not anymore. In the latter case, will asking the #openconnect people help resolve the situation?

Thanks!!

Matthieu

On Sat, Dec 17, 2016 at 12:27 AM, Bill Broadley wrote:
>> I hit the same error yesterday. Bill said the Library broke it somehow.
>> The 'Official' Pulse client is working on Linux. And someone I chatted
>> with yesterday had an interesting SSH port forwarding method of VPN, if
>> you have access to a server on campus.
>
> The first time I tried it, I stopped by the openconnect irc channel and
> worked with (I think) the primary dev. We tracked it down to an SSL
> problem, which I could even confirm with a browser.
>
> I reported that to the library, and they tweaked the SSL cert (it wasn't
> properly signed).
>
> I lobbied for them to support openconnect since it was compatible, a signed
> binary, 64 bit, and open source. The Pulse client seems like some orphaned
> Juniper project that some 3rd party is trying to make some money off of.
> They haven't even recompiled for 64 bit since. What's worse is that the
> binary includes an old SSL library with known exploits; turns out that you
> need a fairly new openssl library which actually emulates the broken
> behavior, but doesn't allow the exploit.
>
> Kinda sad that campus is standardizing on an orphaned insecure unsigned
> binary for such a critical piece of security infrastructure.
>
> In any case the #openconnect folks were really helpful, if you want to try
> to get it working again I suggest trying there.
Re: [vox-tech] UC Davis VPN using openconnect
> I hit the same error yesterday. Bill said the Library broke it somehow.
> The 'Official' Pulse client is working on Linux. And someone I chatted
> with yesterday had an interesting SSH port forwarding method of VPN, if
> you have access to a server on campus.

The first time I tried it, I stopped by the openconnect irc channel and worked with (I think) the primary dev. We tracked it down to an SSL problem, which I could even confirm with a browser.

I reported that to the library, and they tweaked the SSL cert (it wasn't properly signed).

I lobbied for them to support openconnect since it was compatible, a signed binary, 64 bit, and open source. The Pulse client seems like some orphaned Juniper project that some 3rd party is trying to make some money off of. They haven't even recompiled for 64 bit since. What's worse is that the binary includes an old SSL library with known exploits; turns out that you need a fairly new openssl library which actually emulates the broken behavior, but doesn't allow the exploit.

Kinda sad that campus is standardizing on an orphaned insecure unsigned binary for such a critical piece of security infrastructure.

In any case the #openconnect folks were really helpful, if you want to try to get it working again I suggest trying there.
Re: [vox-tech] UC Davis VPN using openconnect
On 12/15/2016 02:43 PM, Aleksandr Michuda wrote:
> Hi,
>
> I've been trying to connect to the UC Davis library VPN and seem to be
> having trouble. Below is the error that I get:
>
> Connected to HTTPS on vpn.library.ucdavis.edu
> Got HTTP response: HTTP/1.1 400 Bad Request
> Unexpected 400 result from server
> Creating SSL connection failed
>
> This seems like the same problem that Matthieu Stigler was having a
> few months ago:
>
> http://lists.lugod.org/pipermail/vox-tech/2016-September/017053.html
>
> I've followed the instructions outlined here:
>
> http://lists.lugod.org/pipermail/vox-tech/2016-June/017043.html
>
> But the error persists. Can anyone please help me on this issue?
>
> Thank you

I hit the same error yesterday. Bill said the Library broke it somehow. The 'Official' Pulse client is working on Linux. And someone I chatted with yesterday had an interesting SSH port forwarding method of VPN, if you have access to a server on campus.

Maybe Bill can chime in.

Thanks,
Alex
