Juniper/Pulse Secure VPN on Linux (2015 edition)

September 21, 2015 – 8:52 pm by Adnan Hodzic

Prelude

Some time ago, Juniper Networks sold their beloved Junos Pulse SSL VPN, and thus a new company called Pulse Secure was created. The result is the Pulse Secure client, which is used to establish secure authentication to the (VPN) tunnel.

Since Juniper never supported Linux, it comes as no surprise that the successor company's client supports every platform except Linux.

Setting up Juniper VPN/Pulse Secure on Linux is a pain. Basically, it comes down to using a Java applet in a web browser or using 3rd party hacks and scripts. Something I refused to accept.

Getting it to work in a web browser

Although it can be a bit confusing on 64-bit architecture, getting VPN access via a web browser is simple. You just need to install the right packages:

sudo apt-get install icedtea-7-plugin openjdk-7-jre:i386 libstdc++6:i386 lib32z1 lib32ncurses5 libxext6:i386 libxrender1:i386 libxtst6:i386 libxi6:i386

I’ve tested this with OpenJDK 7/8 and Oracle Java 7/8 on Debian Jessie (8.x). It works just fine. The same solution will also work on Ubuntu.

Despite this solution working just fine, it’s pretty lame. If your default browser is Chrome, which dropped NPAPI plugin support … it means every time you want to establish a VPN connection you need to fire up Iceweasel/Firefox.

Even if that is your default browser, it’s still pretty lame to connect to VPN using Java applet.

Getting it to (properly) work in terminal

Forget about scripts and whatnot; the answer is simple and it’s called openconnect, a client which added support for Juniper’s Network Connect protocol in the 7.05 release.

Version 7.06-2 is available in Debian, but only in Stretch (testing)/Sid (unstable) repositories.

Which really isn’t a problem, as most of my Debian is still based on Stable, with many other packages from Stretch (testing), Sid (unstable) and even some from Experimental. If you ask how, please refer to my blog post about “APT Pinning”.

Install the openconnect package:

sudo apt-get install openconnect

Connecting to your Juniper VPN is as simple as running:

sudo openconnect --juniper vpn-url.com/linux

While the connection established via the browser could be a bit flaky at times, the connection established via openconnect worked without a hitch. I did, however, encounter a bug in network-manager, for which I found a workaround.

The same version of openconnect is found in the upcoming release of Ubuntu 15.10 (Wily Werewolf). Thus, I’m pretty sure it’ll work just fine there as well. Instead of running the same command every time you want to connect, I suggest creating an alias.

In this case, running “vpn” is all that’s necessary to start the connection, e.g.:

alias vpn="sudo openconnect --juniper vpn-url.com/linux"

OpenConnect save username/password (extra)

Since the OpenConnect client doesn’t have a feature to save your credentials, retyping them every time you want to connect to the VPN is very cumbersome. A hack/workaround is to save the VPN password in a (preferably very well hidden) file, after which you can do more magic with aliases, e.g.:

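# read the saved password once, when this file is sourced
cred=$(/bin/cat ~/.hidden_dir/vpn_cred)
# single quotes: "$cred" is expanded when the alias runs, not stored in the alias text
alias vpn='echo "$cred" | sudo openconnect --juniper vpn-url.com/linux -u johndoe'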

Customize the “cred” variable to your own needs, and also make sure to replace “johndoe” with your VPN username. After that, running “vpn” in a terminal will start the VPN connection without a username/password prompt.

Disable sudo password prompt (extra)

If you don’t want to be prompted for the “sudo” password every time, add/edit the entry for your user in the /etc/sudoers file, e.g.:

johndoe ALL=(ALL:ALL) NOPASSWD:ALL
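
A tighter variant of the two extras above, as an added example that is not from the original post: the password is fed to openconnect with --passwd-on-stdin only if the credential file is private to you, and the commented sudoers rule allows that one command line instead of NOPASSWD:ALL, which lets the account run any command as root without a password. The /usr/sbin/openconnect path and the /etc/sudoers.d/vpn file name are assumptions; johndoe, vpn-url.com/linux and ~/.hidden_dir/vpn_cred are the post's placeholders.

```shell
# Added example. Placeholders from the post: johndoe, vpn-url.com/linux,
# ~/.hidden_dir/vpn_cred. Assumed: openconnect is /usr/sbin/openconnect
# (confirm with: command -v openconnect).
#
# Narrow sudoers rule to pair with vpn(), edited via: visudo -f /etc/sudoers.d/vpn
# Listing the arguments makes sudo match this exact command line only:
#   johndoe ALL=(root) NOPASSWD: /usr/sbin/openconnect --juniper vpn-url.com/linux -u johndoe --passwd-on-stdin

CRED_FILE="${CRED_FILE:-$HOME/.hidden_dir/vpn_cred}"
OPENCONNECT=/usr/sbin/openconnect

# Succeed only if the file is a regular file (not a symlink), owned by the
# calling user, with no permission bits set for group or others.
cred_file_ok() {
    cred_path=$1
    [ -f "$cred_path" ] || return 1
    [ ! -L "$cred_path" ] || return 1
    [ "$(stat -c '%u' "$cred_path")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$cred_path")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

vpn() {
    if ! cred_file_ok "$CRED_FILE"; then
        echo "vpn: $CRED_FILE must be yours and mode 600 (chmod 600)" >&2
        return 1
    fi
    # The password arrives on stdin, so it is neither embedded in an alias
    # nor passed as a command-line argument.
    sudo "$OPENCONNECT" --juniper vpn-url.com/linux -u johndoe \
        --passwd-on-stdin < "$CRED_FILE"
}
```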

Happy hacking!

 

  • DK

    Thanks for the blog post. I am running Ubuntu 15.04 which only has the openconnect version 6 in the package manager. I had to run an autobuild script for openconnect 7 which I found here: https://gist.github.com/darrenpmeyer/b0b964e02f815be75698

    Once I did that it works perfectly! Just thought I’d let you and your readers know if they are trying to get this working from Ubuntu.

  • Great to hear that it worked out for you! Please spread the word.

  • Wojciech Niemira

    You probably searched poorly. I have been using ncsvc for 5 years (example: http://techne.alaya.net/?p=6228)

  • Ryan McGuire

    Thank you for the post! I’ve been using this method since I found it late last year. I loaded the latest daily build of 16.04 (Xenial Xerus) and I haven’t been able to get it to work. Just a caution to others.

  • MCG800

    It appears to be this bug: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1517452

    Adding the following to NetworkManager.conf fixed it for me:

    [keyfile]

    unmanaged-devices=interface-name:tun0

  • Nice find and thanks for sharing!

    I had a network manager problem on Debian, but not anymore (Stretch) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798179

  • Benjamin Mathias

    nice. but the connection gives me the following error

    ###

    XML response has no "auth" node
    Failed to obtain WebVPN cookie

    ###

  • Suresh Iyer

    I get the same error

  • @benjaminmathias:disqus and @disqus_IvFBm6nz37:disqus

    I never got that error.

    Two things come to mind:

    1. Can you confirm with your networking team that you have the correct permissions for your profile (that your account is flagged as being a Linux user and not e.g. Mac) and that you’re using the proper URL to establish your connection?

    The URL and profile are different for all platforms (win/mac/linux), so it might be trying to launch the wrong client.

    2. It also seems like this is a problem on Ubuntu (https://goo.gl/RL9GLZ), and comment #32 has a suggestion on how to fix it.

    Please let me know if you have any updates on this problem.

  • Ongun Ar?sev

    Thanks for this blog post. The second method worked for connecting to the VPN tunnel of my university on Ubuntu 14.04.3 LTS 64-bit. Up until now, I was using the first solution with Firefox. Now they seem to have changed something, and the first method, which used to work, no longer works. Previously there used to be a start button on the website when logged in via the browser, which could be clicked to launch the application.

    For the second method to work I had to compile and install openconnect from source as described on this website: http://itservices.rockefeller.edu/assets/file/Computer_VPN_Client_Configuration_Guide.pdf. Now I wonder if it is possible to have a GUI instead of just the terminal, like it used to be.

  • Since I prefer the terminal solution and connect to it quickly via an alias, I never set it up using a GUI. However, you can easily do it if you follow these steps:

    In Debian/Ubuntu just run: “apt-get install network-manager-openconnect-gnome”

    This package will provide you with an openconnect implementation for GNOME Network Manager.

  • Vincent Loschiavo

    Here’s an alternative that I use everyday: https://github.com/samm-git/jvpn

  • Thanks a lot for this… saved my day!

  • Awesome, glad to hear that! Please spread the word.

  • Bob

    Thank you, worked perfectly.

  • ?????? ????????

    Thanks a lot, Adnan, it works great with Pulse Secure

  • Most welcome, please spread the word :)

  • Dan Bielaski

    +1 to using the SH Autobuild script referenced by DK above. Now that Firefox is phasing out NPAPI with version 52, I had to find a non-browser method on Linux Mint 17.3 for Juniper Network Connect (Chrome phased out NPAPI long ago). One thing worth mentioning: The script needs to be run without SUDO elevation (which it takes care of in the script). If you run with SUDO, it will fail the PGP key validation.