Juniper/Pulse Secure VPN on Linux (2015 edition)

September 21, 2015 – 20:52 by Adnan Hodzic

Prelude

Some time ago, Juniper Networks sold their beloved Junos Pulse SSL VPN, and thus a new company called Pulse Secure was created. The result is the Pulse Secure client, which is used to establish secure authentication to the (VPN) tunnel.

Since Juniper never supported Linux, it comes as no surprise that the successor company's client supports every other platform except Linux.

Setting up Juniper VPN/Pulse Secure on Linux is a pain. Basically, it comes down to using a Java applet in a web browser or using 3rd party hacks and scripts. Something I refused to accept.

Getting it to work in a web browser

Although it can be a bit confusing on a 64-bit architecture, getting VPN access via a web browser is simple. You just need to install the right packages:

sudo apt-get install icedtea-7-plugin openjdk-7-jre:i386 libstdc++6:i386 lib32z1 lib32ncurses5 libxext6:i386 libxrender1:i386 libxtst6:i386 libxi6:i386

I’ve tested this with OpenJDK 7/8 and Oracle Java 7/8 on Debian Jessie (8.x). It works just fine. The same solution will also work on Ubuntu.

Despite this solution working just fine, it’s pretty lame. If your default browser is Chrome, which dropped NPAPI plugin support, it means that every time you want to establish a VPN connection you need to fire up Iceweasel/Firefox.

Even if that is your default browser, it’s still pretty lame to connect to a VPN using a Java applet.

Getting it to (properly) work in terminal

Forget about scripts and whatnot, the answer is simple and it’s called openconnect, a client which added support for Juniper’s Network Connect protocol in the 7.05 release.

Version 7.06-2 is available in Debian, but only in the Stretch (testing)/Sid (unstable) repositories.

That really isn’t a problem, as most of my Debian is still based on Stable, with many other packages from Stretch (testing), Sid (unstable) and even some from Experimental. If you ask how, please refer to my blog post about “APT Pinning”.

Install the openconnect package:

sudo apt-get install openconnect

Connecting to your Juniper VPN is as simple as running:

sudo openconnect --juniper vpn-url.com/linux

While the connection established via the browser could be a bit flaky at times, the connection established via openconnect worked without a hitch. I did however encounter a bug in network-manager, to which I found a workaround.

The same version of openconnect is found in the upcoming release of Ubuntu 15.10 (Wily Werewolf). Thus, I’m pretty sure it’ll work just fine there as well. Instead of running the same command every time you want to connect, I suggest creating an alias.

In this case, running “vpn” is all that’s necessary to start the connection, i.e.:

alias vpn="sudo openconnect --juniper vpn-url.com/linux"

OpenConnect save username/password (extra)

The OpenConnect client doesn’t have a feature to save your credentials, and retyping these every time you want to connect to the VPN is very cumbersome. A hack/workaround is to save the VPN password in a (preferably very well hidden) file, after which you can do more magic with aliases, i.e.:

# Read the password once from the credential file into a shell variable
cred=`/bin/cat ~/.hidden_dir/vpn_cred`
# Single quotes defer $cred to run time, so the alias text holds no password
alias vpn='echo "$cred" | sudo openconnect --juniper vpn-url.com/linux -u johndoe'

Customize the “cred” variable to your own needs, and also make sure to replace “johndoe” with your VPN username. After that, running “vpn” in a terminal will start the VPN connection without a username/password prompt.

Disable sudo password prompt (extra)

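If you don’t want to be prompted for the “sudo” password every time, add or edit the entry for your user in the /etc/sudoers file. The entry below removes the password prompt for every command that user runs through sudo, not only openconnect: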

johndoe ALL=(ALL:ALL) NOPASSWD:ALL
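
A tighter variant of the two extras above, added here as an example and not taken from the original post: a shell function for ~/.bashrc that refuses to use the credential file unless only its owner can access it, feeds the password to openconnect on stdin, and pairs with a sudoers rule limited to that one command line. It assumes GNU stat, that openconnect lives at /usr/sbin/openconnect, and the page's placeholder names (vpn-url.com/linux, johndoe, ~/.hidden_dir/vpn_cred); cred_file_ok and VPN_CRED are names made up for this example.

```shell
# Added example (not from the original post). Assumes GNU stat (Debian/Ubuntu).
# VPN_CRED and cred_file_ok are hypothetical names chosen for this example.
VPN_CRED="${VPN_CRED:-$HOME/.hidden_dir/vpn_cred}"

# Succeeds only if the path is a regular file (not a symlink), owned by the
# calling user, with no group/other permission bits set (mode 600, 400, ...).
cred_file_ok() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "vpn: $f: not a regular file" >&2
        return 1
    fi
    mode=$(stat -c %a "$f")
    owner=$(stat -c %u "$f")
    if [ "$owner" != "$(id -u)" ]; then
        echo "vpn: $f: not owned by the calling user" >&2
        return 1
    fi
    case $mode in
        [0-7]00) return 0 ;;
        *) echo "vpn: $f: mode $mode is too open, run: chmod 600 $f" >&2
           return 1 ;;
    esac
}

# Replacement for the "vpn" alias. The password travels from the file to
# openconnect's stdin, so it is not stored in the alias text or passed as a
# command-line argument.
vpn() {
    cred_file_ok "$VPN_CRED" || return 1
    sudo openconnect --juniper vpn-url.com/linux -u johndoe \
        --passwd-on-stdin < "$VPN_CRED"
}

# Matching sudoers entry (edit with visudo). Unlike NOPASSWD:ALL it skips the
# password prompt only for this exact command line; the binary path is an
# assumption, check it with: command -v openconnect
#   johndoe ALL=(root) NOPASSWD: /usr/sbin/openconnect --juniper vpn-url.com/linux -u johndoe --passwd-on-stdin
```

Because sudoers matches the listed arguments exactly, any other openconnect invocation, and any other command, still asks for the sudo password.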

Happy hacking!
