Tian
July 17, 2020

Set up UCL VPN for Linux System

Linux
Shell

I am not good at VPN, but using it to access UCL school resource is really a neccesary for my daily work. Previously I always use Linux system (elementary OS). Howeverm it seems UCL did not provide a detailed explaination how to set up VPN in Linux system.

So I explored online a bit before, find a solution for myself. Now I am shifting to Mac system mostly, but it's better to record a bit the linux VPN system.

Merely I used OpenConnec, so initially I need to install the openconnect on my computer.

sudo apt-get update
sudo apt-get install openconnect

Then created a fold in my home directory like bleow: In the folder called "./cisco", there are two folder called "vpn" and "hostscan".

tian@ThinkPad-X240:~/.cisco$ ls
csd-wrapper.sh  hostscan  vpn

Then I found a nice script from Github. I can't find the origin script url, but below is not what I wrote.

Then finally, in my .bashrc file I addded one line:

alias .VPN="sudo openconnect --csd-user=tian --csd-wrapper=/home/tian/.cisco/csd-wrapper.sh vpn.ucl.ac.uk"

Then everytime I need to open VPN, I directly type: '.VPN' in temrinal then it works.

#!/bin/bash
# Cisco Anyconnect CSD wrapper for OpenConnect

# Enter your vpn host here
CSD_HOSTNAME=vpn.ucl.ac.uk
if [[ -z ${CSD_HOSTNAME} ]]
then
    echo "Define CSD_HOSTNAME with vpn-host in script text. Exiting."
    exit 1
fi

HOSTSCAN_DIR="$HOME/.cisco/hostscan"
LIB_DIR="$HOSTSCAN_DIR/lib"
BIN_DIR="$HOSTSCAN_DIR/bin"

BINS=("cscan" "cstub" "cnotify")


# parsing command line
shift

URL=
TICKET=
STUB=
GROUP=
CERTHASH=
LANGSELEN=

while [ "$1" ]; do
    if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
    if [ "$1" == "-stub" ];     then shift; STUB=$1; fi
    if [ "$1" == "-group" ];    then shift; GROUP=$1; fi
    if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
    if [ "$1" == "-url" ];      then shift; URL=$1; fi
    if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
    shift
done


ARCH=$(uname -m)

if [[ "$ARCH" == "x86_64" ]]
then
    ARCH="linux_x64"
else
    ARCH="linux_i386"
fi

# creating dirs
for dir in $HOSTSCAN_DIR $LIB_DIR $BIN_DIR ; do
    if [[ ! -f $dir ]]
    then
        mkdir -p $dir
    fi
done

# getting manifest, and checking binaries
wget --no-check-certificate -c "https://${CSD_HOSTNAME}/CACHE/sdesktop/hostscan/$ARCH/manifest" -O "$HOSTSCAN_DIR/manifest"

# generating md5.sum with full paths from manifest
export HOSTSCAN_DIR=$HOSTSCAN_DIR
cat $HOSTSCAN_DIR/manifest | sed -r 's/\(|\)//g' | awk '{ cmd = "find $HOSTSCAN_DIR -iname " $2; while (cmd | getline line) { print $4, line; } }' > $HOSTSCAN_DIR/md5.sum

# check number of files either
MD5_LINES=`wc --lines $HOSTSCAN_DIR/md5.sum | awk '{ print $1; }'`
MANIFEST_LINES=`wc --lines $HOSTSCAN_DIR/manifest | awk '{ print $1; }'`
echo "Got $MANIFEST_LINES files in manifes, locally found $MD5_LINES"

# check md5
md5sum -c $HOSTSCAN_DIR/md5.sum
if [[ "$?" -ne "0" || "$MD5_LINES" -ne "$MANIFEST_LINES" ]]
then
    echo "Corrupted files, or whatever wrong with md5 sums, or missing some file"
    # just download every file mentioned in manifest (not ideal, but hopefully should be enough)
    FILES=( $(cat $HOSTSCAN_DIR/manifest | sed -r 's/\(|\)//g' | awk '{ print $2; }') )
    WORK_DIR=`pwd`
    TMP_DIR=`mktemp -d` && cd $TMP_DIR
    for i in ${FILES[@]} ; do
        FILE="$(basename "$i")"
           
        echo "Downloading: $FILE to $TMP_DIR"
        wget --no-check-certificate -c "https://${CSD_HOSTNAME}/CACHE/sdesktop/hostscan/$ARCH/$FILE" -O $FILE

        # some files are in gz (don't understand logic here)
        if [[ ! -f $FILE || ! -s $FILE ]]
        then
            # remove 0 size files
            if [[ ! -s $FILE ]]; then 
                rm $FILE
            fi
            
            echo "Failure on $FILE, trying gz"
            FILE_GZ=$FILE.gz
            wget --no-check-certificate -c "https://${CSD_HOSTNAME}/CACHE/sdesktop/hostscan/$ARCH/$FILE_GZ" -O $FILE_GZ
            gunzip --verbose --decompress $FILE_GZ
        fi
	
        # don't know why, but my version of hostscan requires tables to be stored in libs
        echo $FILE | grep --extended-regexp --quiet --invert-match ".so|tables.dat"
        IS_LIB=$?
        if [[ "$IS_LIB" -eq "1" ]]
        then
            cp --verbose $FILE $LIB_DIR
        else
            cp --verbose $FILE $BIN_DIR
        fi
        
    done
    
    for i in ${BINS[@]} ; do
        echo "Setting excecution bit on: $BIN_DIR/$i"
        chmod u+x $BIN_DIR/$i
    done
    
    cd $WORK_DIR
    rm -rf $TMP_DIR
    
fi

# cstub doesn't care about logging options, sic!
#ARGS="-log debug -ticket $TICKET -stub $STUB -group $GROUP -host $URL -certhash $CERTHASH"
ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -host $URL -certhash $CERTHASH"

echo "Launching: $BIN_DIR/cstub $ARGS"
$BIN_DIR/cstub $ARGS

Copyright © Yuan Tian 2023.