GitHub - 180254/vpn-openconnect-pulse-adfs: The wrapper allows you to log into the PulseSecure VPN server, secured with MSFT SSO, using the OpenConnect VPN client.

This repository has been archived by the owner on Aug 24, 2023. It is now read-only.

180254 / vpn-openconnect-pulse-adfs Public archive

Notifications You must be signed in to change notification settings
Fork 0
Star 2

The wrapper allows you to log into the PulseSecure VPN server, secured with MSFT SSO, using the OpenConnect VPN client.

MIT license

2 stars 0 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 18 Commits
.gitignore		.gitignore
LICENSE		LICENSE
README.txt		README.txt
install-openconnect.sh		install-openconnect.sh
requirements.txt		requirements.txt
vpn-adfs-cookie4.py		vpn-adfs-cookie4.py
vpn-adhoc-routing		vpn-adhoc-routing
vpn-custom-routings		vpn-custom-routings
vpn-custom-routings.txt		vpn-custom-routings.txt
vpn-openconnect		vpn-openconnect
vpn-openconnect-adfs4		vpn-openconnect-adfs4
vpn-set-routing-full		vpn-set-routing-full
vpn-set-routing-split		vpn-set-routing-split

Repository files navigation

What is this:
The wrapper allows you to log into the PulseSecure VPN server, secured with MSFT SSO, using the OpenConnect VPN client.

How it works:
To log into the Pulse Secure VPN server, you need a "DSID" cookie.
1. The tool opens the browser and clicks through the website (the playwright enters login information).
2. The tool acquires the cookie needed to log into the VPN server (DSID cookie).
3. The openconnect logs into the Pulse Secure VPN using the cookie provided.
It is a comprehensive solution for VPN connectivity. You may be interested in the whole thing or part of it.

Components of the solution:
- vpn-openconnect - Entrypoint. Allows changing the default version of the solution, which is currently vpn-openconnect-adfs4.
- vpn-adfs-cookie4.py - Obtains the DSID cookie (clicks for you in the browser).
- vpn-openconnect-adfs4 - First calls vpn-adfs-cookie4.py to get the cookie, then runs openconnect with that cookie.
- vpn-set-routing-full - Handles "full" (non-split) routing mode (all traffic is routed through the VPN server).
- vpn-set-routing-split - Handles "split" routing mode (part of the traffic is routed through the VPN server).
- vpn-custom-routings.txt - "Split" mode helper. Stores a list of domains to include them in split mode.
- vpn-custom-routings - Takes the "vpn-custom-routings.txt" file, and updates "vpn-set-routing-split" file.
- vpn-adhoc-routing - Adds a new "split routing" rule at runtime.

Dependency installation (on the Debian-based OS):
$ ./install-openconnect.sh
$ sudo apt-get install python3 python3-pip python3-venv
$ python3 -m venv venv
$ venv/bin/pip3 install --upgrade pip wheel setuptools
$ venv/bin/pip3 install --disable-pip-version-check --upgrade -r requirements.txt
$ venv/bin/python3 -m playwright install
$ venv/bin/python3 -m playwright install-deps

How to get started:
- Configure python keyring (https://pypi.org/project/keyring/). Store credentials there that allow you to connect to the VPN server there.
$ keyring set "vpnadfscreds" "email" # name.surname@example.com
$ keyring set "vpnadfscreds" "password" # password
$ keyring set "vpnadfscreds" "totp" # totpBase32Secret
- Edit the "vpn-openconnect-adfs4" file. Fill in the VPN server address there.
- Edit the "vpn-openconnect-adfs4" file. Check the openconnect parameters and change them if you need to.
- Edit the "vpn-set-routing-split" file. In the "split routing rules" section, enter a list of ip+netmask routed through a VPN server in the split mode.
- Edit the "vpn-custom-routings.txt" file. Enter a list of domains routed through a VPN server in split mode.
- Optionally, add "vpn-openconnect-adfs4" script to the sudoers file:
# visudo -f /etc/sudoers.d/99custom
user ALL=(ALL:ALL) NOPASSWD:SETENV: /home/user/vpn/vpn-openconnect-adfs4 *
user ALL=(ALL:ALL) NOPASSWD:SETENV: /home/user/vpn/vpn-adhoc-routing *

How to run it:
./vpn-openconnect [--mode full|split] [--protocol nc|pulse|other(?)] [--browser chromium|firefox|webkit] [--headless true|false]
./vpn-custom-routings fix - Reloads vpn-custom-routings.txt-related entries in the vpn-set-routing-split file.
./vpn-adhoc-routing some.example.com - Passes some.example.com through VPN server on a runtime.

Notes:
- ***Do NOT share the DSID value with anyone.***
- "--headless false" option allows you to check what's happening in the browser and debug problems.
- If something doesn't work, check the rules in the vpn-adfs-cookie4.py file in the TaskLoop class. You may need to adapt them to work with your VPN server.
- The solution may (will) not work when the server enforces compliance with the host check policy.

Troubleshooting:
- Fixing /etc/resolv.conf:
$ sudo systemctl restart systemd-resolved.service

Alternative solutions:
- https://github.com/utknoxville/openconnect-pulse-gui
- https://gitlab.com/openconnect/openconnect/-/merge_requests/271

Trademark notes:
- Pulse Secure, Pulse, and Steel-Belted Radius are registered trademarks of Pulse Secure, LLC. in the United States and other countries.
- openconnect denotes the OpenConnect VPN client (www.infradead.org/openconnect/).