This library is a wrapper around openconnect that provides added functionality. Additional features include secure password saving that uses the native OS keyring, as well as vpn-slicing, which sends only traffic destined for school servers through the VPN and keeps other traffic out of the tunnel. Perhaps most conveniently, this library provides an easy way to install openconnect via a package manager (Chocolatey for Windows, Homebrew for macOS) without requiring any other dependencies besides Python. The package manager is installed for you on the fly and is then used to install openconnect.
| School | Tested | VPN-Slicing |
|---|---|---|
| UVA | ✅ | ✅ |
| FIU | ✅ | ✅ |
| UFL | ✅ | ✅ |
| FAMU | ❌ | ❌ |
| NYU | ✅ | ❌ |
| UCI | ❌ | ❌ |
| GMU | ❌ | ❌ |
| OleMiss | ❌ | ❌ |
| SC | ❌ | ❌ |
Open any terminal (git bash, cmd, powershell) as administrator.
Download Python from the Python website. Your Python version can be checked
with the command python -V. Try doing the following.
```
python -V
# hopefully that works, if not, use python3 instead of python from now on.
# in git bash run as administrator:
python -m venv ~/ENV3
# or, in cmd run as administrator:
python -m venv "%USERPROFILE%\ENV3"
#
# if you are in git bash then:
source ~/ENV3/Scripts/activate
# if you are in cmd then:
"%USERPROFILE%\ENV3\Scripts\activate.bat"
# now you see (ENV3)
pip install cloudmesh-vpn
```

To connect to the UVA Anywhere VPN, run
```
# YOU MUST BE IN YOUR VIRTUAL ENVIRONMENT.
# see the previous commands on how to activate it first.
cms vpn connect
```

For other organizations, the --service flag can be used:
```
cms vpn connect --service=ufl
# possible services are uva fiu ufl
```

Note: currently the output will be piped to the terminal and will end in response to Ctrl + C. Consider executing the following:

```
nohup cms vpn connect --service=ufl >/dev/null 2>&1
```
To disconnect from the current VPN, run

```
cms vpn disconnect
```

To see info regarding your connection, run

```
cms vpn info
```

Sometimes DNS lookup is broken entirely. To fix:
```
Get-DnsClientNrptRule | Remove-DnsClientNrptRule -Force
netsh interface ipv4 delete winsservers name="Ethernet" all
netsh interface ipv4 delete winsservers name="Wi-Fi" all
rasdial /disconnect
net start dnscache
net stop dnscache
ping google.com
```

We use the command openconnect. To check if it is available please use
```
$ which openconnect
```

If it is not available, on macOS do:

```
brew install openconnect
```

You can install it on Ubuntu with

```
$ sudo apt install openssl
$ sudo apt install openconnect
$ sudo apt install network-manager-openconnect
```

and in case you use gnome also:

```
$ sudo apt install network-manager-gnome
$ sudo apt install network-manager-openconnect-gnome
```

We have tested this tool only with University of Virginia, but it should be simple to adapt. Just follow the instructions to obtain the certificates from your provider.
At UVA you find the certificate and other documentation at
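We place all certificates into ~/.ssh/uva

```
mkdir -p ~/.ssh/uva
# You will receive a file ending in .p12. In this example we will assume it is named mst3k.p12.
cd ~/.ssh/uva
# wget https://download.its.virginia.edu/local-auth/universal/usher.cer
# --no-check-certificate turns off TLS verification of the download server, so the
# file fetched this way is unauthenticated; use the plain wget above when it works.
wget --no-check-certificate https://download.its.virginia.edu/local-auth/universal/usher.cer
```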
To get a certificate for your device, go to
Fill it out and get the key. You will receive a file ending in .p12. In this example we will assume it is named mst3k.p12 and place it into ~/.ssh/uva/user.p12
It is important for us to rename this key to user.p12 so we have a simpler way of identifying it and writing this documentation.
Now convert the keys and certificates with the following commands:

```
cd ~/.ssh/uva
# -nodes writes the private key to user.key without a passphrase
openssl pkcs12 -in user.p12 -nocerts -nodes -out user.key
openssl pkcs12 -in user.p12 -clcerts -nokeys -out user.crt
openssl x509 -inform DER -in usher.cer -out usher.crt
```

Now your UVA directory should have the following files in it.

```
ls ~/.ssh/uva/
user.crt user.key user.p12 usher.cer usher.crt
```
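A check of the resulting directory, as an added example that is not part of cloudmesh-vpn: it flags key files accessible to other users, reports that `user.key` is stored without a passphrase, confirms that `usher.crt` carries the same certificate as the downloaded `usher.cer`, and returns the SHA-256 fingerprint of `usher.cer` so it can be compared with a value obtained from your provider out of band. The names `audit_cert_dir` and `pem_to_der` are chosen for this example, and POSIX file modes are assumed.

```python
import base64
import hashlib
import stat
from pathlib import Path


def pem_to_der(pem_text):
    """Decode the first PEM block in pem_text to DER bytes (None if absent)."""
    lines = [line.strip() for line in pem_text.splitlines()]
    begin = next((i for i, l in enumerate(lines) if l.startswith("-----BEGIN ")), None)
    end = next((i for i, l in enumerate(lines) if l.startswith("-----END ")), None)
    if begin is None or end is None or end < begin:
        return None
    try:
        return base64.b64decode("".join(lines[begin + 1:end]))
    except ValueError:
        return None


def audit_cert_dir(directory):
    """Return (findings, sha256_of_usher_cer) for the files created above."""
    d = Path(directory)
    findings = []
    # The directory and the private-key files should be owner-only (POSIX modes).
    for name in (".", "user.key", "user.p12"):
        path = d / name
        if not path.exists():
            findings.append(f"{name}: missing")
        elif stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append(f"{name}: accessible to group/others, run chmod go-rwx")
    # -nodes writes the key without a passphrase; permissions are its only protection.
    key = d / "user.key"
    if key.exists() and "ENCRYPTED" not in key.read_text(errors="replace"):
        findings.append("user.key: private key is stored unencrypted")
    cer, crt = d / "usher.cer", d / "usher.crt"
    if not cer.exists():
        return findings + ["usher.cer: missing"], None
    der = cer.read_bytes()
    # usher.crt (PEM) must carry the same certificate as the downloaded usher.cer (DER).
    if not crt.exists() or pem_to_der(crt.read_text(errors="replace")) != der:
        findings.append("usher.crt: missing or does not match usher.cer")
    # Compare this fingerprint with a value obtained from the provider out of band.
    return findings, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    found, fingerprint = audit_cert_dir(Path.home() / ".ssh" / "uva")
    print("usher.cer SHA-256:", fingerprint)
    for item in found:
        print("FINDING:", item)
```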
You can now use the cloudmesh cms vpn command.
```
$ pip install cloudmesh-vpn
$ cms help
```

To connect use

```
$ cms vpn connect
```

To disconnect

```
$ cms vpn disconnect
```

This work was in part funded by the NSF CyberTraining: CIC: CyberTraining for Students and Technologies from Generation Z with the award numbers 1829704 and 2200409.
Command vpn
===========

::

    Usage:
        vpn connect [--service=SERVICE] [--timeout=TIMEOUT] [-v] [--choco]
        vpn disconnect [-v]
        vpn status [-v]
        vpn info

    This command manages the vpn connection

    Options:
        -v       debug [default: False]
        --choco  installs chocolatey [default: False]

    Description:

        vpn info
            prints out information about your current location as
            obtained via the vpn connection.

        vpn status
            prints out "True" if the vpn is connected
            and "False" if it is not.

        vpn disconnect
            disconnects from the VPN.

        vpn connect [--service=SERVICE]
            connects to the UVA Anywhere VPN.
            If the VPN is already connected a warning is shown.
            You can connect to other VPNs while specifying their names
            as given to you by the VPN provider with the service option.