So I bought a VPS from vpsdime and I want to create an openconnect server on it, but I cannot do IP masquerading because of this "eth0@if" thing?
How can I change this to a normal eth0?
Sorry for my English, I hope you guys understand this.
My organisation provides VPN access using Cisco AnyConnect. I use a Linux system and I can connect to the VPN using openconnect. I have to use openconnect because AnyConnect on Linux is not compatible with the authentication method used by the organisation, but openconnect is.
I am an admin and thus have root access on my own work-provided system, but I have no access to the VPN servers as that is handled by a different department. And I have no say in requesting changes to make it more Linux friendly.
Recently a scan was implemented which checks for the existence of a certain text file and a certain binary. Since I use openconnect, the scan fails even though the files are present. I use a csd-wrapper script with openconnect to provide the necessary information.
My question is: how do I change the csd-wrapper script to tell the remote VPN server that the required text file and binary are in place?
Edit: I have a partial solution which looks like it will satisfy the scans. However, since it depends on downloading binaries from the VPN server and running those, as opposed to posting the data yourself, it is insecure.
The openconnect project provides a few helpful scripts:
https://gitlab.com/openconnect/openconnect/-/tree/master/trojans
We need this:
https://gitlab.com/openconnect/openconnect/-/blob/master/trojans/csd-wrapper.sh
To connect, use the --csd-wrapper argument to run the script and point it to where you downloaded it; it should be executable:
openconnect -c 'XX' --user='username' --authgroup='group' --csd-wrapper=csd-wrapper.sh
One of the reasons this is insecure is that the binaries it downloads can contain a trojan, or can be insecure because Cisco introduces bugs and security flaws:
My question remains how to find out what to post. I know about:
https://github.com/Gilks/hostscan-bypass
But the Cisco AnyConnect client won't let me connect when I proxy TLS. It insists the connection is insecure and stops. So I'd have to find another way to find out the info it needs to post.
It's worth noting that doing it this way is at least as close as possible to your organisation's rules, since it is doing pretty much what the AnyConnect client would do. So there is less or no potential for accidentally violating said rules (if one would care).
Final note: it is bizarre (but totally expected, sadly) that organisations choose to use a VPN solution which is inferior and known to be insecure, just because it has the "corporate" stamp on it. The AnyConnect client, at least for Linux, has not been updated in years and does not support all the authentication methods that openconnect does (Smart Cards, for example). For more discussion see:
I've built an Ubuntu container locally that uses OpenConnect to establish a connection to a customer's AnyConnect VPN server. They also have an L2TP connection available. After OpenConnect establishes a connection, some Python code is called to do some data extraction from an MSSQL instance and then shut down.
I've been fighting with getting this to work in Cloud Run, which was likely never going to work, as there doesn't seem to be any way to establish a tunnel network device, much less run with any privileges or Docker capabilities.
My assumption is that either I have to run the container inside Compute Engine, or hopefully there's a way to get this working in App Engine. But I assume there's a standard way for me to get access to a VPN network (without using Google Cloud VPN) from a container running in GCP, and I haven't found an example, much less official documentation from Google, on how to accomplish this within their ecosystem.
I use openconnect to connect to my VPN server. One strange thing I've noticed is that if I use the kill or pkill command to kill a background openconnect process, then the whole Linux network becomes unusable and I have to reboot the system to get it running again, but using Ctrl + C to kill a foreground openconnect doesn't affect network usability. I want to make a script to automatically restart (kill and reconnect) openconnect at 12 AM every day, so I want to have the ability to terminate it with the pkill command.
I wonder what the difference is between killing it with pkill and killing it with Ctrl + C, and how to terminate the process properly in a shell script.
Thanks.
Log
root@vagrant:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=144 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 138.338/141.269/144.200/2.931 ms
root@vagrant:~# ps
PID TTY TIME CMD
1397 pts/0 00:00:00 sudo
1398 pts/0 00:00:00 bash
1493 pts/0 00:00:00 openconnect
1495 pts/0 00:00:00 ps
root@vagrant:~# pkill openconnect
root@vagrant:~# ping 8.8.8.8
connect: Network is unreachable
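As an added example (not part of the post above and not openconnect's own code): a POSIX shell helper that stops openconnect with SIGINT, which the openconnect(8) manual documents as the clean-shutdown signal that runs vpnc-script to restore the network configuration, rather than the SIGTERM that kill and pkill send by default, which the manual documents as exiting immediately without running vpnc-script. It assumes pgrep (procps) and iproute2 are installed; the server and user names are placeholders, and the --background flag is openconnect's own.

```shell
#!/bin/sh
# Added example, not from the original post. openconnect(8), SIGNALS section:
# SIGINT performs a clean shutdown and runs vpnc-script to restore routes;
# SIGTERM (the default signal sent by kill/pkill) exits immediately WITHOUT
# running vpnc-script, which is how a script can leave the host with no usable
# network. So stop the client with SIGINT and wait for it to finish.

# graceful_stop PID [TIMEOUT_SECONDS]
#   0: process exited after SIGINT (clean shutdown, routes restored)
#   1: no such process
#   2: process ignored SIGINT and had to be SIGKILLed after the timeout
#      (the network configuration may then need manual repair)
graceful_stop() {
    pid=$1
    timeout=${2:-20}
    kill -0 "$pid" 2>/dev/null || return 1
    kill -INT "$pid" 2>/dev/null || return 1
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            kill -KILL "$pid" 2>/dev/null || true
            sleep 1          # let the kernel reap it before we report
            return 2
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# restart_openconnect SERVER USER   (placeholders; run from cron at 00:00)
#   Stop every running instance cleanly, confirm the default route came back,
#   then start a fresh background session. Credentials are deliberately not
#   placed on the command line; use --passwd-on-stdin or a config file.
restart_openconnect() {
    server=$1
    user=$2
    for pid in $(pgrep -x openconnect); do
        graceful_stop "$pid" 20 \
            || echo "openconnect $pid did not exit cleanly (rc=$?)" >&2
    done
    if ! ip route show default | grep -q .; then
        echo "no default route after shutdown; vpnc-script did not restore it" >&2
        return 1
    fi
    openconnect --background --user="$user" "$server"
}
```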
I am using openconnect to connect to a VPN. When starting the client as sudo openconnect -v -u anaphory vpn-gw1.somewhere.net, I am able to connect after entering the GROUP and Password.
# openconnect -v -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
GROUP: [Anyconnect-VPN|CLUSTER-DLCE|Clientless]:CLUSTER-DLCE
POST https://vpn-gw1.somewhere.net
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
[…]
However, when I specify that same group name on the command line, the connection fails with an “Invalid host entry” message.
# openconnect -v -g CLUSTER-DLCE -u anaphory vpn-gw1.somewhere.net
[…]
XML POST enabled
Please enter your username and password.
Password:XML POST enabled
Invalid host entry. Please re-enter.
Failed to obtain WebVPN cookie
Do I need to do any magic to the group name, or how do I find out how to make this work?