openconnect VPN for Linux using Duo Authentication

This document demonstrates how to install the openconnect VPN client for Linux and configure it to access the Rice Network. The instructions in this document are intended for Rice staff, students, and faculty who are using Linux desktops or laptops, and they are completely unsupported. The only use case is when the Cisco AnyConnect client does not work for you.

Warning:

This may not work. Can fail to work at any time. This is advanced Linux usage. No support is provided. You have been warned.


Requirements:

  • A Linux machine on which you have root privileges.
  • Enrollment with Duo. If you have not yet enrolled, go to the Duo Enrollment Guide for instructions.

Procedure:


As root
Step 1:
  • CentOS/Red Hat
    • yum install openconnect vpnc-script
    • There may be some network-manager/KDE/Gnome tooling as well.
  • Debian/Ubuntu
    • apt-get install vpnc-scripts openconnect
    • There may be some network-manager/KDE/Gnome tooling as well.
Step 2: One of the following may work. Replace netID with your NetID in whichever command you use.
  • Runs in the background
    • openconnect -b --quiet --user=netID --authgroup=RiceNet connect.rice.edu
    • openconnect -b --quiet --no-dtls --user=netID --authgroup=RiceNet connect.rice.edu
  • Runs in the foreground
    • openconnect --no-dtls connect.rice.edu
Step 3: Enter your NetID password, choose one of the options below for the Second Password field, and click Connect.

Second Password Options (pin, push, phone, sms):

Type...    To...

pin        Log in using a pin, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator.
           Example: to use the pin "123456", type 123456

push       Push a login request to your registered phone (if you have Duo Mobile installed and activated on your iOS or Windows phone device). Just review the request and select Approve to log in.

phone      Authenticate via callback to your registered phone.

sms        Sends an SMS message with a new batch of passcodes to your registered device. Your initial login attempt will fail. Log in again with one of the new passcodes.



Note: You can append a number to any of these options if you have more than one registered device. For example, push2 will send a login request to your second registered phone. To learn more about the Duo options, see the Duo Guide to Two-Factor Authentication.

Step 4: Wait while the client sets up routes and DNS on your machine; how long this takes depends on your situation.

Step 5: Check that it works by connecting to a campus resource for which you needed the VPN.
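As an added example that is not part of this document, the following POSIX shell script wraps Steps 2 and 3: it validates the Second Password value against the Duo option names above (an all-digit pin, or push/phone/sms with an optional device number) before you type it, and assembles the openconnect command line with the --no-dtls variant from Step 2. The server name connect.rice.edu, the authgroup RiceNet, and the option names come from this document; the --user flag on the foreground form is a standard openconnect flag that the document's foreground example omits. The script only prints the command unless you pass a NetID and a factor as arguments.

```shell
#!/bin/sh
# Added example, not part of the Rice KB article.
# Assumed values from the article: server connect.rice.edu, authgroup RiceNet.
VPN_SERVER="connect.rice.edu"
AUTHGROUP="RiceNet"

# duo_factor_ok FACTOR
# Returns 0 when FACTOR is a well-formed Second Password value as described
# in the article: an all-digit passcode, or push/phone/sms optionally followed
# by a device number (e.g. push2). Anything else, including shell
# metacharacters, is rejected so a typo never reaches the command line.
duo_factor_ok() {
    f="$1"
    case "$f" in
        ''|*[!0-9a-z]*) return 1 ;;          # empty or not plain lowercase alnum
    esac
    case "$f" in
        [0-9]*)                               # pin: digits only
            case "$f" in *[!0-9]*) return 1 ;; esac
            return 0 ;;
        push|phone|sms) return 0 ;;           # bare factor name
        push[0-9]*|phone[0-9]*|sms[0-9]*)     # factor name plus device index
            rest="${f#push}"; rest="${rest#phone}"; rest="${rest#sms}"
            case "$rest" in *[!0-9]*) return 1 ;; esac
            return 0 ;;
        *) return 1 ;;
    esac
}

# build_cmd NETID [yes|no]
# Prints the openconnect command from Step 2. The second argument selects the
# background (-b --quiet) form (default) or the foreground form.
build_cmd() {
    netid="$1"; bg="${2:-yes}"
    case "$netid" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid netID: $netid" >&2; return 1 ;;
    esac
    if [ "$bg" = yes ]; then
        printf 'openconnect -b --quiet --no-dtls --user=%s --authgroup=%s %s\n' \
            "$netid" "$AUTHGROUP" "$VPN_SERVER"
    else
        printf 'openconnect --no-dtls --user=%s --authgroup=%s %s\n' \
            "$netid" "$AUTHGROUP" "$VPN_SERVER"
    fi
}

# Usage (as root): sh vpn.sh NETID FACTOR
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    duo_factor_ok "$2" || { echo "invalid Second Password option: $2" >&2; exit 2; }
    cmd=$(build_cmd "$1") || exit 2
    echo "Second Password to type at the prompt: $2"
    echo "Running: $cmd"
    $cmd
fi
```

openconnect still prompts interactively for the NetID password and the Second Password; the script does not store either, it only checks that what you intend to type is one of the documented Duo options.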


To disconnect as root from VPN:

Step 1: pkill -SIGINT openconnect


N.B.

Some testing suggests that your home network may work better with the VPN if it uses an address range in the 192.168.X.X space, since that is least likely to collide with campus networks. This document cannot help you set that up.







Keywords: openconnect, VPN, Linux, DIY
Doc ID: 113148
Owner: Joseph G.
Group: Rice University
Created: 2021-08-18 16:01 CDT
Updated: 2021-08-25 10:25 CDT
Sites: Rice University