Palo Alto VPN for linux

From HPC Guide
Revision as of 05:46, 5 June 2024 by Dvory (talk | contribs) (→‎Download)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

For security reason TelAviv University starts a VPN with double authentication standard.

In order to do that users have to check/fill in their mobile phone at myTAU page (https://mytau.tau.ac.il/GetResource.php) and enroll to the service. Then you need install GoogleAuthenticator on you mobile device and register it at TAU.

After that you may download and install PaloAlto GlobalProtect VPN client on your device (all operation systems are supported: IOS, Android, Linux MAC and even Window)

The steps:

Enrollment

Go to https://mytau.tau.ac.il/GetResource.php

Choose the “1” then “2” :

Then you will receive SMS with 2-minute code and enter it immediately to the filed: Then you will be redirected to the QR code for GoogleAuthenticator account setup: Scan it using your mobile Google Authenticator app using “+” on bottom right corner of mobile device and enter the generated code from mobile GoogleAuthenticator to the field and press the green button.

Download

Download and install VPN client, from the browser, go to:


GlobalProtect-5.3.4

GlobalProtect-6.0.1

GlobalProtect-6.1.1

GlobalProtect-6.2.0

Linux package should be extracted and installed appropriated version:

Debian/Ubuntu

dpkg -i GlobalProtect_UI_deb-6.0.1.1-6.deb

Redhat/Centos

yum localinstall GlobalProtect_UI_rpm-6.0.1.1-6.rpm

Configure

Paloalto3.PNG

Execute and configure VPN client on Linux (another OS are similar) :

Open client by pressing on the relevant icon ("1" as in the picture on the right)

And enter address vpn.tau.ac.il ("2" as in the picture on the right)

Errors

SSL Error

On latest ubuntu version, ubuntu 22.04, after installing and configuring globalprotect VPN, you get this error:

784px-Vpn ssl error.png


Fix only for globalprotect

create new ssl.conf file on your pc with the following content: vim ~/ssl.conf

openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation

Then find this file: sudo find / -name PanGPUI.desktop -type f or locate PanGPUI.desktop (may need to do sudo updatedb before running this one) there should be at least 2 path with this file, ignore this one --> /opt/paloaltonetworks/globalprotect/PanGPUI.desktop

On my linux, kubuntu 22.04 the file is here: /etc/xdg/autostart/PanGPUI.desktop enter this file and change it from:

[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=/opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false

to

[Desktop Entry]
Name=PanGPUI
Type=Application
Exec=OPENSSL_CONF=~/ssl.conf /opt/paloaltonetworks/globalprotect/PanGPUI
Terminal=false

After restarting you pc, globalprotect will autostart with the custom ssl settings

Global fix

here is how to workaround it:

open /usr/lib/ssl/openssl.cnf

comment out this section:

# [openssl_init]

# providers = provider_sect

add this new section under the commented one from earlier:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

reboot globalprotect app and the error should be fixed.

source:https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1960268


TAU credentials

Paloalto4.PNG

Fill in pop-upped windows with your TAU credentials:

Open your mobile GoogleAuthenticator and enter code from there


Congratulations: you are done!