[vox-tech] UC Davis VPN using openconnect

T. Mark techmark at tutanota.de
Tue Jan 17 20:03:26 PST 2017



Just wondering if you're still looking for a solution..  you might consider a 3rd party VPN.  (And just use their "ucd-guest" unencrypted connection to get to it.)  Quite a while back, when I didn't want creepy strangers even seeing the fact that I was connecting to my stockbroker (over public hotspots, which was all I had access to), I resorted to a provider stated as trustworthy by a long, longtime radio show.  (I'll refrain from naming them in case doing so might result in a demand spike with resulting price increase, as I might one day be able to afford it again.)  Something like $5/mo for the most minimal service, SSH tunnelling, which I'd use via

   ssh -L 5000:127.0.0.1:1080 account@assignedsshserver.io

or so.. the full-fledged VPN service is a bit more.  Hit me up off-list for their URL, and if anyone else has thoughts on good services (good call on DigitalOcean btw-- used by at least a couple podcasts I know of), let me/us know, by all means.

--
https://twitter.com/linuxusergroup
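
A checked version of the ssh -L tunnel described in the post above, written as an added example (mine, not T. Mark's or his provider's). It assumes the remote port 1080 is a SOCKS proxy on the provider's box, that the host key is already in known_hosts, and that account@assignedsshserver.io is a placeholder. It requires an explicit loopback bind address on the -L spec, so a GatewayPorts setting in ssh_config cannot quietly expose the forwarded port to everyone on the same hotspot, and adds the ssh options that make the tunnel fail loudly rather than silently.

```sh
#!/bin/sh
# Added example (not from the post above): a checked, hardened version of
# the ssh -L tunnel. The account and host names are placeholders.

# Validate a -L spec written as BIND:LPORT:RHOST:RPORT. Requires an explicit
# loopback bind address so a GatewayPorts setting in ssh_config cannot
# quietly expose the forwarded port to everyone on the hotspot.
# IPv6 literals (which contain ':') are not handled here.
check_forward_spec() {
    IFS=: read -r bind lport rhost rport extra <<EOF
$1
EOF
    if [ -z "$rport" ] || [ -n "$extra" ]; then
        echo "spec must be BIND:LPORT:RHOST:RPORT, got '$1'" >&2
        return 1
    fi
    case $bind in
        127.0.0.1|localhost) ;;
        *) echo "refusing non-loopback bind address '$bind'" >&2; return 1 ;;
    esac
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port '$p' out of range" >&2; return 1
        fi
    done
    return 0
}

# Print the ssh invocation for a validated spec. Options used:
#   -N                         tunnel only, no remote shell
#   ExitOnForwardFailure=yes   fail instead of connecting with no forward
#                              and leaving the application traffic in the clear
#   StrictHostKeyChecking=yes  refuse unknown or changed host keys; on a
#                              hostile hotspot this is the whole point
#   ServerAliveInterval=30     notice a dead connection within a minute
tunnel_cmd() {
    check_forward_spec "$1" || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 -L %s %s\n' "$1" "$2"
}

# Accepted: remote 1080 is assumed to be a SOCKS proxy on the far end, so the
# application's SOCKS setting would then point at 127.0.0.1:5000.
tunnel_cmd 127.0.0.1:5000:127.0.0.1:1080 account@assignedsshserver.io
# Rejected: binding to every interface would let anyone on the LAN use the tunnel.
tunnel_cmd 0.0.0.0:5000:127.0.0.1:1080 account@assignedsshserver.io || true
```

StrictHostKeyChecking=yes only helps if the provider's host key was recorded in known_hosts over a network you trust (or checked against a fingerprint published out of band); do the first connection there, not from the hotspot.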

20. Dec 2016 21:43 by mmstigler at ucdavis.edu:


> Hi 
>
> Thanks, Bill, for the explanation! But I am not sure I fully understood your answer: is the issue coming from openconnect, or from how the library guys set up the certificate? What is weird is that it used to work for a while, and then not anymore. In the latter case, will asking the #openconnect people help resolve the situation?
>
> Thanks!!
>
> Matthieu
>
> On Sat, Dec 17, 2016 at 12:27 AM, Bill Broadley <bill at broadley.org> wrote:
>
>>
>> > I hit the same error yesterday. Bill said the Library broke it somehow.
>> > The 'Official' Pulse client is working on Linux. And someone I chatted
>> > with yesterday had an interesting SSH port forwarding method of VPN, if
>> > you have access to a server on campus.
>>
>> The first time I tried it, I stopped by the openconnect irc channel and worked
>> with (I think) the primary dev.  We tracked it down to an SSL problem, which I
>> could even confirm with a browser.
>>
>> I reported that to the library, and they tweaked the SSL cert (it wasn't
>> properly signed).
>>
>> I lobbied for them to support openconnect since it was compatible, a signed
>> binary, 64-bit, and open source.  The pulse client seems like some orphaned
>> juniper project that some 3rd party is trying to make some money off of.  They
>> haven't even recompiled for 64-bit since.  What's worse is that the binary
>> includes an old SSL library with known exploits; it turns out that you need a
>> fairly new openssl library which actually emulates the broken behavior, but
>> doesn't allow the exploit.
>>
>> Kinda sad that campus is standardizing on an orphaned, insecure, unsigned binary
>> for such a critical piece of security infrastructure.
>>
>> In any case the #openconnect folks were really helpful, if you want to try to
>> get it working again I suggest trying there.
>>
>>
>>
>> _______________________________________________
>> vox-tech mailing list
>> vox-tech at lists.lugod.org
>> http://lists.lugod.org/mailman/listinfo/vox-tech
>>
>
>
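
Two checks behind Bill's quoted message, written as an added example (mine, not Bill's, the library's or the openconnect project's): confirming the server's TLS chain from the command line instead of a browser, and reading the OpenSSL version string out of a vendor binary that bundles its own libssl. The hostname vpn.example.edu, the path to the client binary, and the two s_client transcripts are constructed placeholders; verify code 21 in the sample is illustrative and is not a claim about what the library's certificate problem actually was.

```sh
#!/bin/sh
# Added example (not from the thread): two checks prompted by Bill's message.
# 1) Confirm a server's TLS chain from the command line rather than a browser.
# 2) Report the OpenSSL version string embedded in a vendor binary.
# Hostnames, paths and the sample transcripts below are constructed.

# Pull the numeric "Verify return code" out of `openssl s_client` output
# passed as $1. 0 means the chain validated against the local trust store.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*)$/\1/p' | head -n 1
}

# List the "s:" (subject) and "i:" (issuer) lines of the presented chain so a
# missing intermediate or an unexpected issuer is visible at a glance.
chain_summary() {
    printf '%s\n' "$1" | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Live check: connect with SNI, dump the chain, report validation.
# Exits 0 only when OpenSSL itself reports verify return code 0.
check_chain() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
    chain_summary "$out"
    code=$(verify_code "$out")
    echo "verify return code: ${code:-none}"
    [ "$code" = "0" ]
}

# Report every OpenSSL version string embedded in a binary or shared object.
# A client that ships its own libssl (rather than using the system's) shows
# its bundled version here; compare it against current releases.
bundled_openssl_versions() {
    grep -a -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" | sort -u
}

# Constructed s_client transcript for a server whose chain does not validate.
SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = vpn.example.edu
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = vpn.example.edu
   i:CN = Example Intermediate CA
---
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---'

# Constructed transcript for the same host after the intermediate is served.
SAMPLE_OK='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vpn.example.edu
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
SSL-Session:
    Verify return code: 0 (ok)
---'

echo "sample bad -> verify code $(verify_code "$SAMPLE_BAD")"
echo "sample ok  -> verify code $(verify_code "$SAMPLE_OK")"
# Live use:  check_chain vpn.example.edu
#            bundled_openssl_versions /path/to/vendor/client
```

A browser is a weaker oracle than s_client for this: browsers fetch missing intermediates via the certificate's AIA URL and cache ones they have seen before, so a site can look fine in Firefox or Chrome while a command-line client that only trusts what the server sends fails on the same chain.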