Connecting to the Yale VPN from Linux

In Fall 2023, Yale made some changes to its VPN login system. Instead of asking you for your username and password, the VPN client now directs you to a web-based authentication page.

This causes some trouble when logging in with openconnect. Reaching out to Yale IT doesn’t help here – they only support Cisco’s first-party AnyConnect client on Windows/Mac.

But there’s a workaround. Just tell openconnect to pretend it’s a Cisco client:

openconnect --useragent=AnyConnect access.yale.edu

And the VPN will start right up.

EDIT: Some readers have had difficulties with the setup process. I’ll add two tips here, so you won’t run into the same issues.

Firstly: Your browser will need access to the current DISPLAY or WAYLAND_DISPLAY to open a window. Unfortunately, sudo doesn’t pass environment variables to openconnect by default – so remember to use sudo -E openconnect instead.

Secondly: Running openconnect as root will start your browser as root. This may put you in a situation where:

• Your VPN requires root permissions.
• Your browser refuses to start with root permissions, for security reasons.

Luckily, you can configure the browser that openconnect starts via the --external-browser flag. So your final command will look something like this:

sudo -E /usr/bin/openconnect  --useragent=AnyConnect \
  --external-browser="$HOME/bin/browser-derooting-wrapper-script" \
  access.yale.edu

If you use Chromium, you can set the browser-derooting-wrapper-script to:

#!/bin/sh -e

# Chromium will run as root if the `--no-sandbox` flag is passed. 
# This is horrendously insecure. So please only use this for the VPN auth
# window. 
exec chromium --no-sandbox "$@"

But it’s better to set it to something like this:

#!/bin/sh -e

# Use `su` to start Firefox as our regular, non-root user. 
exec su --preserve-environment $YOUR_USERNAME firefox "$@"