openconnect, by default, tunnels all your traffic through the VPN. This is not good for your privacy. It is better to tunnel only the traffic destined to the specific hosts that you want to access. This can be done using the vpn-slice script.

• vpn-slice

For example, to connect to the UTHSC VPN but only access the hosts tux01 and tux02e through the VPN, run the following command.

$ openconnect-sso --server uthscvpn1.uthsc.edu --authgroup UTHSC -- --script 'vpn-slice tux01 tux02e'

The vpn-slice script looks up the hostnames tux01 and tux02e on the VPN DNS and adds /etc/hosts entries and routes to your system. vpn-slice can also set up more complicated routes. To learn more, read the vpn-slice documentation.

The UTHSC VPN still requires unsafe legacy TLS renegotiation. This is disabled by default on the latest Guix. We need to re-enable it by configuring openssl.cnf as described on the following stackoverflow page.

• https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled

Here's a quick summary. Put the following in some file, say /tmp/openssl.cnf

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Set the environment variable OPENSSL_CONF to point to this file.

export OPENSSL_CONF=/tmp/openssl.cnf

Then, run the openconnect-sso client as usual.

Remembering to do all these steps is a hassle. Writing a shell script to automate this is a good idea, but why write shell scripts when we have G-expressions! Here's a G-expression script that I prepared earlier.

• uthsc-vpn.scm

Download it, tweak the %hosts variable to specify the hosts you are interested in, and run it like so:

$(guix build -f uthsc-vpn.scm)

Many thanks to Pjotr Prins and Erik Garrison without whose earlier work this guide would not be possible.

• https://github.com/pjotrp/linux-at-university-of-tennessee
• https://github.com/ekg/openconnect-sso-docker