Difference between revisions of "Palo Alto VPN for linux"
orig>Wiki admin (Created page with "For security reason TelAviv University starts a VPN with double authentication standard. In order to do that users have to check/fill in their mobile phone at myTAU page (http...") |
|||
(33 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
For security reason TelAviv University starts a VPN with double authentication standard. | For security reason TelAviv University starts a VPN with double authentication standard. | ||
+ | |||
In order to do that users have to check/fill in their mobile phone at myTAU page | In order to do that users have to check/fill in their mobile phone at myTAU page | ||
(https://mytau.tau.ac.il/GetResource.php) and enroll to the service. | (https://mytau.tau.ac.il/GetResource.php) and enroll to the service. | ||
Then you need install GoogleAuthenticator on you mobile device and register it at TAU. | Then you need install GoogleAuthenticator on you mobile device and register it at TAU. | ||
+ | |||
After that you may download and install PaloAlto GlobalProtect VPN client on your device (all | After that you may download and install PaloAlto GlobalProtect VPN client on your device (all | ||
operation systems are supported: IOS, Android, Linux MAC and even Window) | operation systems are supported: IOS, Android, Linux MAC and even Window) | ||
+ | |||
The steps: | The steps: | ||
− | + | ==Enrollment== | |
− | + | Go to https://mytau.tau.ac.il/GetResource.php | |
− | + | ||
− | + | Choose the “1” then “2” : | |
− | + | ||
− | + | Then you will receive SMS with 2-minute code and enter it immediately to the filed: | |
− | + | Then you will be redirected to the QR code for GoogleAuthenticator account setup: | |
− | |||
− | |||
− | |||
− | |||
Scan it using your mobile Google Authenticator app using “+” on bottom right corner of mobile device | Scan it using your mobile Google Authenticator app using “+” on bottom right corner of mobile device | ||
and enter the generated code from mobile GoogleAuthenticator to the field and press the green button. | and enter the generated code from mobile GoogleAuthenticator to the field and press the green button. | ||
− | + | ||
− | + | ==Download== | |
− | + | Download and install VPN client, from the browser, go to: | |
− | + | ||
− | + | ||
+ | [https://hpcguide.tau.ac.il/vpn/PanGPLinux-5.3.4-c5.tgz GlobalProtect-5.3.4] | ||
+ | |||
+ | [https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.0.1-c6.tgz GlobalProtect-6.0.1] | ||
+ | |||
+ | [https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.1.1-c4.tgz GlobalProtect-6.1.1] | ||
+ | |||
+ | [https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.2.0-c10.tgz GlobalProtect-6.2.0] | ||
+ | |||
Linux package should be extracted and installed appropriated version: | Linux package should be extracted and installed appropriated version: | ||
− | Debian/Ubuntu | + | |
− | Redhat/Centos | + | '''Debian/Ubuntu''' |
− | 2. | + | |
− | + | <code>dpkg -i GlobalProtect_UI_deb-6.0.1.1-6.deb</code> | |
− | + | ||
− | + | '''Redhat/Centos''' | |
− | + | ||
− | + | <code>yum localinstall GlobalProtect_UI_rpm-6.0.1.1-6.rpm</code> | |
− | + | ||
+ | ==Configure== | ||
+ | |||
+ | [[File:Paloalto3.PNG|thumb|right]] | ||
+ | |||
+ | Execute and configure VPN client on Linux (another OS are similar) : | ||
+ | |||
+ | Open client by pressing on the relevant icon ("1" as in the picture on the right) | ||
+ | |||
+ | And enter address '''vpn.tau.ac.il''' ("2" as in the picture on the right) | ||
+ | |||
+ | ==Errors== | ||
+ | ===SSL Error=== | ||
+ | On latest ubuntu version, ubuntu 22.04, after installing and configuring globalprotect VPN, you get this error: | ||
+ | |||
+ | [[File:784px-Vpn ssl error.png|none|thumb]] | ||
+ | |||
+ | |||
+ | ====Fix only for globalprotect==== | ||
+ | create new <code>ssl.conf</code> file on your pc with the following content: | ||
+ | vim ~/ssl.conf | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | openssl_conf = openssl_init | ||
+ | [openssl_init] | ||
+ | ssl_conf = ssl_sect | ||
+ | [ssl_sect] | ||
+ | system_default = system_default_sect | ||
+ | [system_default_sect] | ||
+ | Options = UnsafeLegacyRenegotiation | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | Then find this file: | ||
+ | <code>sudo find / -name PanGPUI.desktop -type f</code> | ||
+ | or | ||
+ | <code>locate PanGPUI.desktop</code> (may need to do sudo updatedb before running this one) | ||
+ | there should be at least 2 path with this file, ignore this one --> <code>/opt/paloaltonetworks/globalprotect/PanGPUI.desktop</code> | ||
+ | |||
+ | On my linux, kubuntu 22.04 the file is here: <code>/etc/xdg/autostart/PanGPUI.desktop</code> | ||
+ | enter this file and change it from: | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | [Desktop Entry] | ||
+ | Name=PanGPUI | ||
+ | Type=Application | ||
+ | Exec=/opt/paloaltonetworks/globalprotect/PanGPUI | ||
+ | Terminal=false | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | to | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | [Desktop Entry] | ||
+ | Name=PanGPUI | ||
+ | Type=Application | ||
+ | Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI | ||
+ | Terminal=false | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | After restarting you pc, globalprotect will autostart with the custom ssl settings | ||
+ | |||
+ | ====Global fix==== | ||
+ | here is how to workaround it: | ||
+ | |||
+ | open <code>/usr/lib/ssl/openssl.cnf</code> | ||
+ | |||
+ | comment out this section:<syntaxhighlight lang="bash"> | ||
+ | # [openssl_init] | ||
+ | |||
+ | # providers = provider_sect | ||
+ | </syntaxhighlight>add this new section under the commented one from earlier:<syntaxhighlight lang="bash"> | ||
+ | [openssl_init] | ||
+ | ssl_conf = ssl_sect | ||
+ | |||
+ | [ssl_sect] | ||
+ | system_default = system_default_sect | ||
+ | |||
+ | [system_default_sect] | ||
+ | Options = UnsafeLegacyRenegotiation | ||
+ | |||
+ | </syntaxhighlight>reboot globalprotect app and the error should be fixed. | ||
+ | |||
+ | <blockquote>source:https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268</blockquote> | ||
+ | |||
+ | |||
+ | ==TAU credentials== | ||
+ | [[File:Paloalto4.PNG|thumb|right]] | ||
+ | Fill in pop-upped windows with your TAU credentials: | ||
+ | |||
+ | Open your mobile GoogleAuthenticator and enter code from there | ||
+ | |||
+ | |||
Congratulations: you are done! | Congratulations: you are done! |
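Review bot: In the "Fix only for globalprotect" section, the added line "Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI" depends on a shell to process the variable assignment and expand "~". A desktop entry's Exec key is an executable followed by its arguments, so launchers that do not pass it through a shell will treat "OPENSSL_CONF=~/ssl.conf" as the program name and the client will not start. Suggest "Exec=env OPENSSL_CONF=/absolute/path/to/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI". Separately, the "Global fix" section comments out "providers = provider_sect" and sets "Options = UnsafeLegacyRenegotiation" in /usr/lib/ssl/openssl.cnf, which applies to every program using that file; the text should say so and point readers to the GlobalProtect-only fix first.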
Latest revision as of 05:46, 5 June 2024
For security reasons, Tel Aviv University has started using a VPN with a double-authentication standard.
To use it, users have to check or fill in their mobile phone number on the myTAU page (https://mytau.tau.ac.il/GetResource.php) and enroll in the service. Then you need to install Google Authenticator on your mobile device and register it at TAU.
After that you may download and install the Palo Alto GlobalProtect VPN client on your device (all operating systems are supported: iOS, Android, Linux, Mac and even Windows).
The steps:
Enrollment
Go to https://mytau.tau.ac.il/GetResource.php
Choose “1”, then “2”:
Then you will receive an SMS with a 2-minute code; enter it immediately in the field. You will then be redirected to the QR code for Google Authenticator account setup. Scan it with the Google Authenticator app on your mobile device, using the “+” in the bottom right corner, then enter the code generated by Google Authenticator in the field and press the green button.
Download
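Download the VPN client. From the browser, go to one of:
GlobalProtect-5.3.4: https://hpcguide.tau.ac.il/vpn/PanGPLinux-5.3.4-c5.tgz
GlobalProtect-6.0.1: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.0.1-c6.tgz
GlobalProtect-6.1.1: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.1.1-c4.tgz
GlobalProtect-6.2.0: https://hpcguide.tau.ac.il/vpn/PanGPLinux-6.2.0-c10.tgz
Extract the Linux package and install the version appropriate for your distribution: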
Debian/Ubuntu
dpkg -i GlobalProtect_UI_deb-6.0.1.1-6.deb
Redhat/Centos
yum localinstall GlobalProtect_UI_rpm-6.0.1.1-6.rpm
Configure
Run and configure the VPN client on Linux (other operating systems are similar):
Open the client by clicking the relevant icon ("1" in the picture on the right).
Then enter the address vpn.tau.ac.il ("2" in the picture on the right).
Errors
SSL Error
On the latest Ubuntu version, Ubuntu 22.04, after installing and configuring the GlobalProtect VPN, you get this error:
Fix only for GlobalProtect
Create a new ssl.conf file on your PC with the following content:
vim ~/ssl.conf
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
Then find this file:
sudo find / -name PanGPUI.desktop -type f
or
locate PanGPUI.desktop
(you may need to run sudo updatedb before running this one)
There should be at least 2 paths with this file; ignore this one --> /opt/paloaltonetworks/globalprotect/PanGPUI.desktop
On my Linux, Kubuntu 22.04, the file is here: /etc/xdg/autostart/PanGPUI.desktop
Open this file and change it from:
[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=/opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false
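to (the Exec line is not run through a shell on every desktop, so use env and an absolute path; replace /home/USER with your own home directory):
[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=env OPENSSL_CONF=/home/USER/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false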
After restarting your PC, GlobalProtect will autostart with the custom SSL settings.
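The GlobalProtect-only steps above as one script. This is an added example, not part of the original wiki page: the function names are hypothetical, and it writes the Exec line with env and an absolute path so that it does not depend on the launcher running the line through a shell.

```shell
#!/bin/sh
# Added example: apply the GlobalProtect-only OpenSSL workaround.
# write_ssl_conf and patch_desktop_entry are hypothetical helper names.

# Write the OpenSSL config shown on the page to the path given as $1.
write_ssl_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
EOF
}

# Rewrite the Exec= line of a PanGPUI.desktop file so that only this
# program starts with OPENSSL_CONF set.
#   $1 = desktop file, $2 = absolute path of ssl.conf
# Idempotent; keeps a .bak copy of the file as it was before the change.
patch_desktop_entry() {
    desktop=$1; conf=$2
    case $conf in /*) ;; *) echo "conf path must be absolute" >&2; return 2 ;; esac
    [ -f "$desktop" ] || { echo "no such file: $desktop" >&2; return 1; }
    grep -q '^Exec=env OPENSSL_CONF=' "$desktop" && return 0   # already done
    cp -p "$desktop" "$desktop.bak" || return 1
    # First drop a shell-style "OPENSSL_CONF=... " prefix if one is present,
    # then prefix the command with "env OPENSSL_CONF=<conf>".
    sed -e 's|^Exec=OPENSSL_CONF=[^ ]* |Exec=|' \
        -e "s|^Exec=\(/.*\)\$|Exec=env OPENSSL_CONF=$conf \1|" \
        "$desktop.bak" > "$desktop"
}

# Usage, as root for /etc/xdg/autostart (USER is a placeholder):
#   write_ssl_conf /home/USER/ssl.conf
#   patch_desktop_entry /etc/xdg/autostart/PanGPUI.desktop /home/USER/ssl.conf
```

The sed expression assumes the ssl.conf path contains no "|" or "&" characters.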
Global fix
Here is how to work around it for the whole system:
Open /usr/lib/ssl/openssl.cnf
Comment out this section:
# [openssl_init]
# providers = provider_sect
Add this new section under the one you just commented out:
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
Restart the GlobalProtect app and the error should be fixed.
Source: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268
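Because the global fix changes OpenSSL defaults for every program on the machine, it is useful to be able to check which configuration files have the option active. The following is an added example, not from the original page; the function names are hypothetical, and the check is a line-based heuristic that does not follow section references.

```shell
#!/bin/sh
# Added example: report whether an OpenSSL config file enables
# UnsafeLegacyRenegotiation. legacy_reneg_enabled and
# audit_openssl_configs are hypothetical names.
# Heuristic: looks at uncommented "Options =" lines only (exact-case
# match) and does not check that the section is actually referenced.
# Returns 0 if enabled, 1 if not, 2 if the file cannot be read.
legacy_reneg_enabled() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*Options[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep the value only
            n = split($0, opt, /[ \t,]+/)        # comma-separated flags
            for (i = 1; i <= n; i++) {
                if (opt[i] == "UnsafeLegacyRenegotiation")  on = 1
                if (opt[i] == "-UnsafeLegacyRenegotiation") on = 0
            }
        }
        END { exit (on ? 0 : 1) }
    ' "$1"
}

# Check the system-wide file the page edits, plus any extra files given
# as arguments (for example a per-user ssl.conf).
audit_openssl_configs() {
    for f in /usr/lib/ssl/openssl.cnf "$@"; do
        if legacy_reneg_enabled "$f"; then
            echo "ENABLED  $f"
        else
            echo "not set  $f"
        fi
    done
}
```

After the GlobalProtect-only fix, only the per-user ssl.conf should be reported as ENABLED; the system-wide file should not.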
TAU credentials
Fill in the pop-up windows with your TAU credentials:
Open Google Authenticator on your mobile device and enter the code from there.
Congratulations: you are done!