dnschneid / crouton

Chromium OS Universal Chroot Environment
https://goo.gl/fd3zc?si=1
BSD 3-Clause "New" or "Revised" License

VPN Connection using OpenConnect #182

Closed anthonylai closed 11 years ago

anthonylai commented 11 years ago

Hi,

Would I be able to connect to VPN using OpenConnect? If not, do we have other alternatives to establish VPN connections? I installed uml-utilities and also downloaded the vpnc-script from http://www.infradead.org/openconnect/vpnc-script.html.

I installed it, and after numerous attempts, it worked once. But I have had no luck afterwards.

Essentially, when it is not working, it could not find device "tun2" and SIOCSIFMTU fails.

Any help is greatly appreciated, as I really need this to work to be able to make the Chromebook Pixel useful.

Thanks. Sincerely, Anthony

Log when it is not working:

alai@localhost:~$ sudo openconnect --disable-ipv6 -u XXXXX --script /etc/vpnc/vpnc-script VPNSERVER
Attempting to connect to XXX.XXX.XXX.XXX:443
SSL negotiation with VPNSERVER
Connected to HTTPS on VPNSERVER
GET VPNSERVER
Got HTTP response: HTTP/1.0 302 Temporary moved
Attempting to connect to XXX.XXX.XXX.XXX:443
SSL negotiation with VPNSERVER1
Connected to HTTPS on VPNSERVER1
GET VPNSERVER1
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with VPNSERVER1
Connected to HTTPS on VPNSERVER1
GET VPNSERVER1/+webvpn+/index.html
Please enter your username and password.
Password:
POST VPNSERVER1/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connect Banner:

Cannot find device "tun2"
Cannot find device "tun2"
Cannot find device "tun2"
Cannot find device "tun2"
SIOCSIFMTU: No such device
Connected tun2 as XXX.XXX.XXX.XXX, using SSL
Established DTLS connection

Log when it is working (only once):

alai@localhost:~$ sudo openconnect --disable-ipv6 -u XXXXX --script /etc/vpnc/vpnc-script VPNSERVER
Attempting to connect to XXX.XXX.XXX.XXX:443
SSL negotiation with VPNSERVER
Connected to HTTPS on VPNSERVER
GET VPNSERVER
Got HTTP response: HTTP/1.0 302 Temporary moved
Attempting to connect to XXX.XXX.XXX.XXX:443
SSL negotiation with VPNSERVER1
Connected to HTTPS on VPNSERVER1
GET VPNSERVER1
Got HTTP response: HTTP/1.0 302 Object Moved
SSL negotiation with VPNSERVER1
Connected to HTTPS on VPNSERVER1
GET VPNSERVER1/+webvpn+/index.html
Please enter your username and password.
Password:
POST VPNSERVER1/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connect Banner:

Connected tun2 as XXX.XXX.XXX.XXX, using SSL
Established DTLS connection

jacklevy commented 11 years ago

i was able to get vpnc working within a precise chroot by changing the vpnc ifmode from tun to tap, as follows:

sudo apt-get install vpnc
sudo vpnc --ifmode tap ~/myvpn.conf

this successfully creates a vpn tunnel (provided that you have a valid myvpn.conf), but i still had to override nameservers manually to get DNS resolution working. currently the best way i've found to do this is to handroll a resolv.conf with the correct DNS servers for the VPN and then copy it over /var/host/shill/resolv.conf after the VPN connection is established. (this also requires restoring the old resolv.conf when the VPN is disconnected, if you want your network connection to continue functioning.)

as you would hope, since hardware resources are shared (along with the resolv.conf we modified), this approach allows both chrome OS and the chroot to access the VPN.

another change i found useful was disabling wifi power management while the VPN is connected, as i found wifi pm was causing VPN disconnects during short periods of idle time. you can do this as follows:

sudo apt-get install wireless-tools
sudo iwconfig wlan0 power off
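The resolv.conf swap jacklevy describes (back up the shared file, write the VPN's nameservers after vpnc is up, put the original back on disconnect) as a small wrapper script. This is an added example, not crouton's code or jacklevy's own script; the script name vpn-dns.sh, the backup path and the nameserver addresses are assumptions, and it expects to run as root inside the chroot.

```shell
#!/bin/sh
# Added example (not from crouton or the thread): wrap vpnc so the
# resolv.conf shared with Chrome OS carries the VPN's nameservers for the
# life of the tunnel and is restored afterwards. Run as root in the chroot.
# The backup path and the nameserver addresses are assumptions.
set -u

RESOLV_CONF="${RESOLV_CONF:-/var/host/shill/resolv.conf}"  # shared with the host
BACKUP="${BACKUP:-/tmp/resolv.conf.pre-vpn}"

# Keep the pre-VPN resolver config; never overwrite a backup left by an
# earlier unclean run, or the real config would be lost.
backup_resolv() {
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
}

# Replace resolv.conf with one nameserver line per argument.
write_vpn_resolv() {
    [ $# -gt 0 ] || { echo "no nameservers given" >&2; return 1; }
    for ns in "$@"; do
        echo "nameserver $ns"
    done > "$RESOLV_CONF"
}

# Put the original config back and drop the backup so it is not reused.
restore_resolv() {
    [ -f "$BACKUP" ] || return 0
    cp "$BACKUP" "$RESOLV_CONF" && rm -f "$BACKUP"
}

# vpn-dns.sh up ~/myvpn.conf 10.1.1.53 10.1.1.54   (tap mode, as noted above)
vpn_up() {
    conf="$1"; shift
    backup_resolv
    # vpnc returns once the tunnel is up (it daemonizes), so only then
    # touch resolv.conf; on failure leave DNS exactly as it was.
    vpnc --ifmode tap "$conf" || { restore_resolv; return 1; }
    write_vpn_resolv "$@"
}

# vpn-dns.sh down
vpn_down() {
    vpnc-disconnect
    restore_resolv
}

case "${1:-}" in
    up)   shift; vpn_up "$@" ;;
    down) vpn_down ;;
esac
```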

anthonylai commented 11 years ago

Confirmed this issue is random, as I can get the connection 1 out of maybe 50 times. As you can see, I am trying really hard, and looking for a solution.

anthonylai commented 11 years ago

Hi Jack,

Thanks for your feedback. Do you know how I can get a valid myvpn.conf? I would like to try out OpenVPN as well. I do have other machines that can connect to VPN through Cisco AnyConnect. I wonder if I can get the conf file from there.

Thanks. Sincerely, Anthony

jacklevy commented 11 years ago

the exact configuration will depend on the VPN you are connecting to. for general syntax, refer to man vpnc:

   EXAMPLES

   This is an example vpnc.conf with pre-shared keys:

          IPSec gateway vpn.example.com
          IPSec ID ExampleVpnPSK
          IKE Authmode psk
          IPSec secret PskS3cret!
          Xauth username user@example.com
          Xauth password USecr3t

   And another one with hybrid authentication (requires that vpnc was
   built with openssl support):

          IPSec gateway vpn.example.com
          IPSec ID ExampleVpnHybrid
          IKE Authmode hybrid
          CA-Dir /etc/vpnc
          or
          CA-File /etc/vpnc/vpn-example-com.pem
          IPSec secret HybS3cret?
          Xauth username user@example.com
          Xauth password 123456

dnschneid commented 11 years ago

This is begging for a wiki entry. @jacklevy, would you be up for it?

jacklevy commented 11 years ago

done

https://github.com/dnschneid/crouton/wiki/VPNC

dnschneid commented 11 years ago

Awesome. Thanks! @anthonylai, does the wiki answer your questions?

anthonylai commented 11 years ago

Hi @jacklevy, @dnschneid

Thank you for all your hard work in setting up the wiki. Unfortunately, I am unable to confirm whether it works for me. My company uses the openconnect protocol, and I went ahead and attempted to retrieve the vpnc.conf information. To my dismay, I kept hitting different errors when I tried various configurations and ways to connect. It is unclear to me whether it is an issue with my server configuration information or vpnc in general.

It would be great to be able to still use OpenConnect or Cisco AnyConnect as a VPN solution.

Thanks. Sincerely, Anthony

anthonylai commented 11 years ago

I do not think I am technical enough to resolve it myself. However, I am willing to provide all the debugging information you may need.

Thanks. Sincerely, Anthony

sunaku commented 10 years ago

@anthonylai try this solution from issue #235 which worked successfully on my Acer C720 chromebook.

zaheermkn commented 8 years ago

Fri Jan 29 22:13:57 2016 NMDVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Apr 25 2011
Fri Jan 29 22:13:57 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 29 22:13:57 2016 NOTE: NMDVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jan 29 22:13:57 2016 NOTE: --fast-io is disabled since we are running on Windows
Fri Jan 29 22:13:57 2016 LZO compression initialized
Fri Jan 29 22:13:57 2016 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jan 29 22:13:57 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jan 29 22:13:57 2016 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jan 29 22:13:57 2016 Local Options hash (VER=V4): 'bc07730e'
Fri Jan 29 22:13:57 2016 Expected Remote Options hash (VER=V4): 'b695cb4a'
Fri Jan 29 22:13:57 2016 Attempting to establish TCP connection with 183.207.232.43:80
Fri Jan 29 22:13:57 2016 TCP connection established with 183.207.232.43:80
Fri Jan 29 22:13:57 2016 Send to HTTP proxy: 'CONNECT 176.126.237.214:80 HTTP/1.0'
Fri Jan 29 22:13:57 2016 User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/528.16 (iPhone; U; CPU iPhone OS 3.0 like Mac OS X; en-us; compatible; Googlebot/870; U; en) Presto/2.4.15
Fri Jan 29 22:13:57 2016 Host:www.mts.in/
Fri Jan 29 22:13:57 2016 X-Online-Host:www.mts.in/
Fri Jan 29 22:13:57 2016 HTTP proxy returned: 'HTTP/1.0 302 Moved Temporarily'
Fri Jan 29 22:13:57 2016 HTTP proxy returned bad status
Fri Jan 29 22:13:57 2016 TCP/UDP: Closing socket
Fri Jan 29 22:13:57 2016 SIGTERM[soft,init_instance] received, process exiting

Have you any solution for the OpenVPN "HTTP/1.0 moved" error in the vpnbook config?