Install Java and Java Web Start (IcedTea plugin) on Fedora (version 17 in this case):
$ sudo yum install icedtea-web
You may want to disable SELinux enforcement first.
$ sudo setenforce 0
Start Firefox from the command line, then open the VPN login page:
$ firefox
Now enter your user/password in the browser. After a while it will launch the applet and ask for confirmation. Once that is done, it will also ask for the root password to install some software on the system.
$ firefox
java version "1.7.0_19"
OpenJDK Runtime Environment (fedora-2.3.9.4.fc17-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)
Calling Super Init.
/home/tuxdna/.juniper_networks
Here is the standard output of the command:
Service needs to be installed for the first time
calling /home/tuxdna/.juniper_networks/network_connect/installNC.sh
Here is the standard error of the command (if any):
in get Proxy info..
linux_start_script=
linux_end_script=
notification_message= null
always_show_notification_msg= null
dnsSuffix=
para 0 is /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java
para 1 is -classpath
para 2 is /home/tuxdna/.juniper_networks/network_connect/NC.jar
para 3 is NC
para 4 is -h
para 5 is vpn.example.com
para 6 is -n
para 7 is
para 8 is -t
para 9 is
para 10 is -x
DSID=a76e
Launching "/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" "-classpath" "/home/tuxdna/.juniper_networks/network_connect/NC.jar" "NC" "-h" "vpn.example.com "-n" "" "-t" "" "-x"
Res: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java -classpath /home/tuxdna/.juniper_networks/network_connect/NC.jar NC -h vpn.example.com -n -t -x
It installs the software in the home folder of the current user:
$ cd ~
This is the list of files and folders that were set up by the Java application.
$ find .juniper_networks/
.juniper_networks/
.juniper_networks/whitelist.txt
.juniper_networks/network_connect
.juniper_networks/network_connect/ncsvc
.juniper_networks/network_connect/installnc.log
.juniper_networks/network_connect/NC.jar
.juniper_networks/network_connect/xlaunchNC.sh
.juniper_networks/network_connect/libncui.so
.juniper_networks/network_connect/version.txt
.juniper_networks/network_connect/installNC.sh
.juniper_networks/network_connect/ncdiag
.juniper_networks/ncLinuxApp.jar
Setting up the service binary that creates the VPN tunnel (the commands below are run from ~/.juniper_networks/network_connect):
$ sudo ldd ./ncsvc
[sudo] password for tuxdna:
not a dynamic executable
$ sudo file ./ncsvc
./ncsvc: setuid setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped
It's a 32-bit binary, so we need to install some dependencies.
$ sudo yum install -y glibc.i686 zlib.i686 libgcc.i686
$ sudo ldd ./ncsvc
linux-gate.so.1 => (0xf77d4000)
libdl.so.2 => /lib/libdl.so.2 (0xf77b9000)
libz.so.1 => /lib/libz.so.1 (0xf77a3000)
libpthread.so.0 => /lib/libpthread.so.0 (0xf7789000)
libm.so.6 => /lib/libm.so.6 (0xf775e000)
libc.so.6 => /lib/libc.so.6 (0xf75ab000)
/lib/ld-linux.so.2 (0xf77d5000)
Now fetch the SSL certificate.
$ openssl s_client -connect vpn.example.com:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > cert.der
$ ls
cert.der installnc.log installNC.sh juniper-connect.sh libncui.so ncdiag NC.jar ncsvc version.txt xlaunchNC.sh
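The certificate saved above is whatever the server presented on that one connection, and it is later handed to the client as its trusted certificate. The following added example (not part of the original post) accepts the fetched certificate only when its SHA-256 fingerprint matches a value obtained out of band; the function names and the expected-fingerprint argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pin the VPN gateway certificate before using it as cert.der.
# The expected fingerprint is an assumption: a SHA-256 value obtained out of
# band (e.g. from the VPN administrator), not from the same network fetch.

# Normalise a fingerprint: drop colons/spaces, lower-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a DER certificate. A certificate fingerprint is the
# hash of its DER encoding, so sha256sum over the file is sufficient.
der_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if the DER file is missing or empty
# (s_client failed), 3 if the expected value is not a SHA-256 fingerprint.
cert_matches_pin() {
    local der="$1" expected
    expected="$(normalize_fp "$2")"
    [ -s "$der" ] || return 2
    [ "${#expected}" -eq 64 ] || return 3
    [ "$(der_fingerprint "$der")" = "$expected" ]
}

# Fetch the server certificate into a temp file and install it at OUT only
# when it matches the pin. HOST, EXPECTED and OUT are supplied by the caller.
fetch_pinned_cert() {
    local host="$1" expected="$2" out="$3" tmp
    tmp="$(mktemp)" || return 1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform der >"$tmp" 2>/dev/null
    if cert_matches_pin "$tmp" "$expected"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "certificate for $host does not match the pinned fingerprint" >&2
        return 1
    fi
}
```

The same fingerprint can be cross-checked with `openssl x509 -inform der -in cert.der -noout -fingerprint -sha256`.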
Download the connection script
$ cd ~/.juniper_networks/network_connect
$ wget -c https://gist.github.com/tuxdna/5926015/raw/0ccd69d46b0c7340ae592f80a5c91509a54e1abb/juniper-connect.sh
Modify HOST, USERNAME and REALM in the script downloaded just now.
Now connect
$ sudo bash juniper-connect.sh
[sudo] password for tuxdna:
Please enter VPN password:
Now connecting to VPN
Connecting to vpn.example.com : 443
Now compile the ncui utility.
$ cd ~/.juniper_networks/network_connect/
$ gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
/bin/ld: cannot find crt1.o: No such file or directory
/bin/ld: cannot find crti.o: No such file or directory
/bin/ld: skipping incompatible /usr/lib64/libc.so when searching for -lc
/bin/ld: cannot find -lc
/bin/ld: cannot find crtn.o: No such file or directory
collect2: error: ld returned 1 exit status
We need to install the 32-bit libc development libraries.
On Ubuntu:
$ sudo apt-get install gcc-multilib libc6-i386 libc6-dev-i386
On Fedora:
$ sudo yum install -y glibc-devel.i686 libXtst-devel-1.2.2-1.fc19.i686
Now link the ncui tool
$ gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
$ ./ncui
Password: <ENTER SUDO PASSWORD HERE>
usage: ncui -h host -u user -p passwd -r realm -f cert_file [-l log_level] [-L log_level]
ncui -h host -c cookies -f cert_file [-l log_level] [-L log_level] [-U sign_in_url]
ncui -v
log_level : 0 : Log Critical messages only
1 : Log Critital and Error messages
2 : Log Critital, Error and Warning messages
3 : Log Critital, Error, Warning and Info messages(default)
4 : Log All Verbose messages
5 : Log All messages
Now connect to the SSL VPN
$ ./ncui -h vpn.example.com -c DSID="YOUR_DSID_COOKIE" -f vpn.example.com-cert.der
Password: <ENTER SUDO PASSWORD HERE>
In a separate window, you can also check the configuration of the new tunnel interface that is created by ncui.
Tunnel device
$ ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
inet TUNNEL_DEVICE_IP_ADDRES netmask 255.255.255.255 destination TUNNEL_GATEWAY_IP_ADDRESS
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 4632 bytes 3205343 (3.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5141 bytes 662182 (646.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
DNS entries
$ cat /etc/resolv.conf
search example.com sub-domain.example.com
nameserver IP_ADDRESS_DNS1
nameserver IP_ADDRESS_DNS2
Monitor what the ncui process is doing:
$ sudo su -
# strace -p $(pgrep ncui)
...
) = 0 (Timeout)
time(NULL) = 1375218742
time(NULL) = 1375218742
send(6, ".............", 20, 0) = 20
send(6, ".............", 20, 0) = 20
time(NULL) = 1375218742
poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}], 2, 2000) = 1 ([{fd=6, revents=POLLIN}])
time(NULL) = 1375218742
recv(6, ".............", 16384, 0) = 482
send(4, "q", 1, 0) = -1 EAGAIN (Resource temporarily unavailable)
send(4, "p", 1, 0) = -1 EAGAIN (Resource temporarily unavailable)
time(NULL) = 1375218742
time(NULL) = 1375218742
poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}], 2, 2000
...
Invoke the command:
$ rdesktop -r sound=local -r clipboard:CLIPBOARD -z -g '80%' -a 15 -u user.name -d DOMAINNAME -p - remote.hostname.com
The above command does the following:
- Connects to remote.hostname.com at domain DOMAINNAME
- With username user.name and password taken from STDIN
- Forwards remote sound to the local machine
- Enables clipboard sharing
- Uses compression
- Sets the remote desktop screen to 80% of the local machine's screen
- Uses 15-bit color depth on the remote desktop
Check https://github.com/rthill/jvpn this works without installing java and i386 libs.