My organisation provides vpn access using cisco anyconnect. I use a linux system and I can connect to vpn using openconnect. I have to use openconnect because anyconnect on linux is not compatible with the authentication method used by the organisation, but openconnect is.
I am an admin and thus have root access on my own work provided system but have no access to the vpn servers as that is handled by a different department. And I have not say into requesting changes to make it more linux friendly.
Recently a scan was implemented which checks for the existence of a certain text file and a certain binary. Since I use openconnect the scan fails however the files are present. I use a csd-wrapper script with openconnect to provide necessary information.
My question is how do I change the csd-wrapper script to tell the remote vpn server the required text file and binary are in place?
Edit: I have a partial solution which looks like it will satisfy the scans. However since it depends on downloading binaries from the vpn server and running those, as opposed to posting data yourself, it is insecure.
The openconnect project provides a few helpful scripts:
https://gitlab.com/openconnect/openconnect/-/tree/master/trojans
We need this:
https://gitlab.com/openconnect/openconnect/-/blob/master/trojans/csd-wrapper.sh
To connect use the --csd-wrapper argument to run the script and point it to where you downloaded it, it should be executable:
openconnect -c 'XX' --user='username' --authgroup='group' --csd-wrapper=csd-wrapper.sh
One of the reasons this is insecure is because the binaries it downloads can have a trojan, or can be insecure because cisco introduces bugs and security flaws:
My question remains how to find out what to post. I know about:
https://github.com/Gilks/hostscan-bypass
But the cisco anyconnect client won't let me connect when I proxy TLS. It insists the connection is insecure and stops. So I'd have find another way to find out the info it needs to post.
It's worth it to note that doing it this way at least is as close as possible to your organisation's rules since it is doing pretty much what the anyconnect client would do. So there is less or no potential for accidentally violating said rules (if one would care).
Final note, it is bizarre (but totally expected, sadly) that organisations choose to use a vpn solution which is inferior and known to be insecure. Just because it has the "corporate" stamp on it. The anyconnect client at least for linux has not been updated in years and does not support all the authentication methods compared to openconnect (Smart Cards for example). For more discussion see:
To get around TLS proxy issues, simply use a legitimate certificate. You can do this by hosting the hostscan-bypass on a cloud based server (ex. digitalocean, AWS,etc) and pointing a DNS record at it.
AnyConnect will see a valid certificate and allow you to successfully intercept the CSD file.