GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → HenrikBengtsson → ucsf-vpn

HenrikBengtsson / ucsf-vpn

Licence: other
Linux command-line client to manage a UCSF VPN connection

Programming Languages

shell
77523 projects
Makefile
30231 projects

Labels

linuxcliclientcommand-lineyubikeyvpnopenconnect2faduoucsf

Projects that are alternatives of or similar to ucsf-vpn

openconnect-gui-menu-bar
OpenConnect Menu Bar - Connect/Disconnect/Status - for Mac OS X (supports Duo push/sms/phone, or Yubikey, Google Authenticator, Duo, or any TOTP)
Stars: ✭ 56 (+86.67%)
Mutual labels:  yubikey, vpn, openconnect, duo
pan-globalprotect-okta
PaloAlto Networks GlobalProtect VPN (integrated with OKTA) command-line client
Stars: ✭ 85 (+183.33%)
Mutual labels:  vpn, openconnect
vpns
A collection of vpns
Stars: ✭ 112 (+273.33%)
Mutual labels:  vpn, openconnect
yubi-oath-vpn
Simply insert your Yubikey and connect automatically to your TOTP-2FA-VPN.
Stars: ✭ 15 (-50%)
Mutual labels:  vpn, 2fa
duo go
An implementation of the Duo Security Web SDK in Go/Golang.
Stars: ✭ 12 (-60%)
Mutual labels:  2fa, duo
Tailscale
The easiest, most secure way to use WireGuard and 2FA.
Stars: ✭ 6,157 (+20423.33%)
Mutual labels:  vpn, 2fa
openconnect-installer
Automatically set up an Openconnect/Anyconnect VPN server(ocserv) with Let's Encrypt with just one command in CentOS 8.
Stars: ✭ 64 (+113.33%)
Mutual labels:  vpn, openconnect
Yubikey Full Disk Encryption Secure Boot Uefi
Tutorial to create full disk encryption with YubiKey, encrypted boot partition and secure boot with UEFI
Stars: ✭ 62 (+106.67%)
Mutual labels:  yubikey, 2fa
Streisand
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
Stars: ✭ 22,605 (+75250%)
Mutual labels:  vpn, openconnect
tauri-plugin-authenticator
An official Tauri plugin for using a yubikey in your Tauri App
Stars: ✭ 42 (+40%)
Mutual labels:  yubikey, 2fa
Authelia
The Single Sign-On Multi-Factor portal for web apps
Stars: ✭ 11,094 (+36880%)
Mutual labels:  yubikey, 2fa
Yubikey Manager Qt
Cross-platform application for configuring any YubiKey over all USB interfaces.
Stars: ✭ 137 (+356.67%)
Mutual labels:  yubikey, 2fa
Python Fido2
Provides library functionality for FIDO 2.0, including communication with a device over USB.
Stars: ✭ 222 (+640%)
Mutual labels:  yubikey
NordVPN-switcher
Rotate between different NordVPN servers with ease. Works both on Linux and Windows without any required changes to your code!
Stars: ✭ 143 (+376.67%)
Mutual labels:  vpn
Wincryptsshagent
Using a Yubikey for SSH Authentication on Windows Seamlessly
Stars: ✭ 218 (+626.67%)
Mutual labels:  yubikey
Go Ykpiv
Golang interface to manage Yubikeys, including a crypto.Signer & crypto.Decrypter interface
Stars: ✭ 196 (+553.33%)
Mutual labels:  yubikey
all
ⱱ ƥ ŋ
Stars: ✭ 81 (+170%)
Mutual labels:  vpn
mitome.in
Explore OpenPGP and other cryptography as an alternative for seals (mitome-in)
Stars: ✭ 30 (+0%)
Mutual labels:  yubikey
Nginx Sso
SSO authentication provider for the auth_request nginx module
Stars: ✭ 195 (+550%)
Mutual labels:  yubikey
Yubioath Android
Yubico Authenticator for Android
Stars: ✭ 176 (+486.67%)
Mutual labels:  yubikey
View All Similar Projects ➔

shellcheck

For recent updates, see NEWS.

A UCSF VPN Client for Linux

The ucsf-vpn CLI command is a Linux-only tool for connecting to and disconnecting from the UCSF VPN server. It is based on the official UCSF instructions provided by the UCSF IT with additional instructions obtained through private communication.

Connect to the VPN

To connect to the UCSF VPN, call:

$ ucsf-vpn start --user=alice --token=prompt
WARNING: This action ('ucsf-vpn start') requires administrative ("sudo") rights.
Enter the password for your account ('alice84') on your local computer ('alice-laptop'):
Enter your UCSF Active Directory password: <password>
Enter 'push' (default), 'phone', 'sms', a 6 or 7 digit Duo token, or press your YubiKey: <six-digit token>
OK: OpenConnect status: 'openconnect' process running (PID=14549)
OK: Public IP information: ip=128.218.43.42, hostname=, org=AS5653 University of California San Francisco
OK: Connected to the VPN

If you have problems connecting to the VPN using ucsf-vpn, make sure you use the correct username and password by logging in via the UCSF VPN web proxy.

Alternatively to command-line options, the username and password can also be specified in file ~/.netrc (or the file that environment variable NETRC specifies). See ucsf-vpn --help for more details. With a properly setup ~/.netrc entry, you can connect to the UCSF VPN using:

$ ucsf-vpn start
NOTE: Open the Duo Mobile app on your smartphone or tablet to confirm ...

after approving the push notification on your Duo Mobile app (the default is --token=push).

Disconnect from the VPN

To disconnect from the UCSF VPN, call:

$ ucsf-vpn stop
OK: OpenConnect status: No 'openconnect' process running
OK: Public IP information: ip=123.145.254.42, hostname=123.145.254.42.fiber.dynamic.sonic.net, org=AS46375 Sonic Telecom LLC
OK: Not connected to the VPN

Check status on VPN connection

To check whether you are connected to the UCSF VPN or not, call:

$ ucsf-vpn status
OpenConnect status: 'openconnect' process running (PID=17419)
Public IP information: ip=128.218.43.42, hostname=, org=AS5653 University of California San Francisco
Connected to the VPN

To get full details of your current internet connection in JSON format, call:

$ ucsf-vpn details
{
  "ip": "128.218.43.42",
  "city": "San Francisco",
  "region": "California",
  "country": "US",
  "loc": "37.7749,-122.4194",
  "org": "AS5653 University of California San Francisco",
  "postal": "94103",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

Installation

The ucsf-vpn script is distributed under GPL (>= 2.1) and the source code is available at https://github.com/HenrikBengtsson/ucsf-vpn/. To "install" it, just do

$ curl -O https://raw.githubusercontent.com/HenrikBengtsson/ucsf-vpn/master/bin/ucsf-vpn
$ chmod ugo+x ucsf-vpn

Full command-line help

Connect to and Disconnect from the UCSF VPN

Usage:
 ucsf-vpn <command> [flags] [options]

Commands:
 start            Connect to VPN
 stop             Disconnect from VPN
 restart          Disconnect and reconnect to VPN
 toggle           Connect to or disconnect from VPN
 status           Display VPN connection status
 details          Display connection details in JSON format
 log              Display log file
 troubleshoot     Scan log file for errors (only for '--method=pulse')

Options:
 --token=<token>  One-time two-factor authentication (2FA) token or method:
                   - 'prompt' (user is prompted to enter the token),
                   - 'push' ("approve and confirm" in Duo app; default),
                   - 'phone' (receive phone call and "press any key"),
                   - 'sms' (receive code via text message),
                   -  6 or 7 digit token (from Duo app), or
                   -  44-letter YubiKey token ("press YubiKey")
 --user=<user>    UCSF Active Directory ID (username)
 --pwd=<pwd>      UCSF Active Directory ID password

 --server=<host>  VPN server (default is 'remote.ucsf.edu')
 --realm=<realm>  VPN realm (default is 'Dual-Factor Pulse Clients')
 --url=<url>      VPN URL (default is https://{{server}}/pulse)
 --method=<mth>   Either 'openconnect' (default) or 'pulse'
 --protocol=<ptl> VPN protocol, e.g. 'nc' (default) and 'pulse'
 --validate=<how> Either 'ipinfo', 'pid', or 'pid,ipinfo'
 --theme=<theme>  Either 'cli' (default) or 'none'

Flags:
 --verbose        More verbose output
 --help           Display full help
 --version        Display version
 --full           Display more version information
 --force          Force command

Examples:
 ucsf-vpn --version --full
 ucsf-vpn start --user=alice --token=push
 ucsf-vpn stop
 UCSF_VPN_TOKEN=prompt ucsf-vpn start --user=alice --pwd=secrets
 ucsf-vpn start


Environment variables:
 UCSF_VPN_METHOD       Default value for --method
 UCSF_VPN_PROTOCOL     Default value for --protocol
 UCSF_VPN_SERVER       Default value for --server
 UCSF_VPN_TOKEN        Default value for --token
 UCSF_VPN_THEME        Default value for --theme
 UCSF_VPN_VALIDATE     Default value for --validate
 UCSF_VPN_PING_SERVER  Ping server to validate internet (default: 9.9.9.9)
 UCSF_VPN_EXTRAS       Additional arguments passed to OpenConnect

Commands and Options for Pulse Security Client only (--method=pulse):
 open-gui         Open the Pulse Secure GUI
 close-gui        Close the Pulse Secure GUI (and any VPN connections)

 --gui            Connect to VPN via Pulse Secure GUI
 --no-gui         Connect to VPN via Pulse Secure CLI (default)
 --speed=<factor> Control speed of --gui interactions (default is 1.0)

Any other options are passed to Pulse Secure CLI as is (only --no-gui).

User credentials:
If user credentials (--user and --pwd) are neither specified nor given
in ~/.netrc, then you will be prompted to enter them. To specify them
in ~/.netrc file, use the following format:

  machine remote.ucsf.edu
      login alice
      password secrets

For security, the ~/.netrc file should be readable only by
the user / owner of the file. If not, then 'ucsf-vpn start' will
set its permission accordingly (by calling chmod go-rwx ~/.netrc).

Requirements:
* Requirements when using OpenConnect (CLI):
  - OpenConnect (>= 7.08) (installed: 8.05-1)
  - sudo
* Requirements when using Junos Pulse Secure Client (GUI):
  - Junos Pulse Secure client (>= 5.3) (installed: 5.3-3-Build553)
  - Ports 4242 (UDP) and 443 (TCP)
  - `curl`
  - `xdotool` (when using 'ucsf-vpn start --method=pulse --gui')
  - No need for sudo rights

VPN Protocol:
Different versions of OpenConnect support different VPN protocols.
Using '--protocol=nc' (default) has been confirmed to work when using
OpenConnect 7.08, and '--protocol=pulse' for OpenConnect 8.10.
The 'nc' protocol specifies the old "Juniper Network Connect" protocol,
and 'pulse' the newer "Pulse Secure" protocol.  For older version of
OpenConnect that recognizes neither, specify '--protocol=juniper',
which will results in using 'openconnect' legacy option '--juniper'.

Pulse Secure GUI configuration:
Calling 'ucsf-vpn start --method=pulse --gui' will, if missing,
automatically add a valid VPN connection to the Pulse Secure GUI
with the following details:
 - Name: UCSF
 - URL: https://remote.ucsf.edu/pulse
You may change the name to you own liking.

Troubleshooting:
* Verify your username and password at https://remote.ucsf.edu/.
  This should be your UCSF Active Directory ID (username); neither
  MyAccess SFID (e.g. 'sf*****') nor UCSF email address will work.
* If you are using the Pulse Secure client (`ucsf-vpn --method=pulse`),
  - Make sure ports 4242 & 443 are not used by other processes
  - Make sure 'https://remote.ucsf.edu/pulse' is used as the URL
  - Run 'ucsf-vpn troubleshoot' to inspect the Pulse Secure logs

Useful resources:
* UCSF VPN information:
  - https://software.ucsf.edu/content/vpn-virtual-private-network
* UCSF Web-based VPN Interface:
  - https://remote-vpn01.ucsf.edu/ (preferred)
  - https://remote.ucsf.edu/
* UCSF Two-Factory Authentication (2FA):
  - https://it.ucsf.edu/services/duo-two-factor-authentication
* UCSF Managing Your Passwords:
  - https://it.ucsf.edu/services/managing-your-passwords

Version: 5.5.1
Copyright: Henrik Bengtsson (2016-2022)
License: GPL (>= 2.1) [https://www.gnu.org/licenses/gpl.html]
Source: https://github.com/HenrikBengtsson/ucsf-vpn

Required software

OpenConnect (default)

The uscf-vpn tool requires:

  1. OpenConnect (>= 7.08)
  2. Curl
  3. Bash
  4. Admin rights (sudo). If not, use the below Pulse Secure Client approach instead

OpenConnect (>= 7.08) is available on for instance Ubuntu 18.04 LTS (Bionic Beaver), but not on older LTS version. For instance, Ubuntu 16.04 (Xenial Xerus) only provides OpenConnect 7.06, which fails to connect with an error. There is a confirmed way to force install this on to Ubuntu 16.04 from the Ubuntu 17.04 (Zesty) distribution, but it is not clear whether such an installation leaves the system in a stable state or not. Moreover, due to library dependencies, it appears not possible to have OpenConnect 7.08 and Pulse Secure 5.3-3 installed at the same time.

Pulse Secure Client (legacy)

If you don't have OpenConnect (>= 7.08) you can use ucsf-vpn --method=pulse (or set environment variable UCSF_VPN_METHOD=pulse) to connect to the UCSF VPN using the Junos Pulse Secure client (Pulse Secure, LLC). That software, which is a closed-source proprietary software (*), can be downloaded from UCSF website:

Access to that page requires UCSF MyAccess Login (but no UCSF VPN).

Note: ucsf-vpn --method=pulse is just a convenient wrapper script around the Pulse Secure client. It is assumed that pulsesvc is available under /usr/local/pulse/. If not, set PULSEPATH to the folder where it is installed.

Privacy

The ucsf-vpn software pings 9.9.9.9 (https://www.quad9.net/; a nonprofit organization) to check whether there is a working internet connection or not. Environment variable UCSF_VPN_PING_SERVER can be use to specify a different ping server, e.g. UCSF_VPN_PING_SERVER=www.ucsf.edu.

The ucsf-vpn software also queries the https://ipinfo.io/ service to infer whether a VPN connection is established or not, and to provide public IP information on your current internet connection. To disable this check, use --validate=pid, or environment variable UCSF_VPN_VALIDATE=pid, which uses the PID file of OpenConnect to decide whether a VPN connection is established or not. This only works for --method=openconnect.

The ucsf-vpn software neither collects nor stores your local or UCSF credentials.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].