In Fall 2023, Yale made some changes to its VPN login system. Instead of asking you for your username and password, the VPN client now directs you to a web-based authentication page.
This causes some trouble when logging in with openconnect. Reaching out to
Yale IT doesn’t help here – they only support Cisco’s first-party AnyConnect
client on Windows/Mac.
But there’s a workaround. Just tell openconnect to pretend it’s a Cisco
client:
openconnect --useragent=AnyConnect access.yale.eduAnd the VPN will start right up.
EDIT: Some readers have had difficulties with the setup process. I’ll add two tips here, so you won’t run into the same issues.
Firstly: Your browser will need access to the DISPLAY or WAYLAND_DISPLAY
variables to open a window. sudo won’t pass environment variables to
openconnect by default – so use something like sudo -E openconnect
instead.
Secondly: Running openconnect as root will start your browser as root. This
may put you in a situation where:
- Your VPN requires root permissions.
- Your browser refuses to start with root permissions, for security reasons.
Luckily, you can configure the browser that openconnect starts via the
--external-browser flag. So your final command will look something like this:
1sudo -E /usr/bin/openconnect --useragent=AnyConnect \
2 --external-browser="$HOME/bin/browser-derooting-wrapper-script" \
3 access.yale.eduIf you use Chromium, you can set the browser-derooting-wrapper-script to:
1#!/bin/sh -e
2
3# Chromium will run as root if the `--no-sandbox` flag is passed.
4# This is horrendously insecure. So please only use this for the VPN auth
5# window.
6exec chromium --no-sandbox "$@"But it’s better to set it to something like this:
1#!/bin/sh -e
2
3# Use `su` to start Firefox as our regular, non-root user.
4exec su --preserve-environment $YOUR_USERNAME firefox "$@"If none of this works – you can try opening an existing browser window, then
trying the scripts above. openconnect should open a tab in the existing
window, which can sidestep the “browser process is root” issue.