- Command-line option
--method=<value>and corresponding environment variableUCSF_VPN_METHODare defunct.
- Now
ucsf vpnvalidates the VPN connection using a UCSF IT web service hosted under*.ucsf.edu. Previously https://ipinfo.io/ip was the default method. Note thatucsf vpn detailsstill uses ipinfo.io.
-
Now
ucsf vpn start --flavor=nonesets the default flavor. This can be used to override environment variableUCSF_VPN_FLAVOR, which may be preset in for instance~/.config/ucsf-vpn/envs. -
Now
ucsf vpn routingreports also on nameserver settings. -
Now
ucsf vpn start --debuganducsf vpn stop --debugreports on changes to your nameserver settings (/etc/resolv.conf). -
Add support for
ucsf vpn status --validate=ucsfit, which infers VPN status from https://help.ucsf.edu/HelpApps/ipNetVerify.php.
- OpenConnect is now the only supported method. Support for Pulse Secure GUI client has been dropped.
-
Now
ucsf vpn start --flavor=<flavor>checks if required OpenConnect hook scripts are installed on the system. If not, it will prompt the user if they should be installed. -
Add
ucsf vpn reconnect, which signalsSIGUSR2to the OpenConnect process and thereby "forces an immediate disconnection and reconnection; this can be used to quickly recover from LAN IP address changes."
- The use of
--method=pulse, which uses the Pulse Secure GUI client to establish a VPN connection, is defunct.
-
Now
ucsf vpn statususes all validation methods to conclude whether there is a working VPN connection or not. If they do not agree, an informative error is produced. Previously, it returned after the first validation method was successful, ignoring the remaining validation methods. -
Now
ucsf vpn startfinds the logged in user's~/.netrcfile also when called viasudo.
-
Now
ucsf vpn startanducsf vpn stopwait for the updating of the IP routing table (ip route show) to finish before returning. -
Now
ucsf vpn start --debuganducsf vpn stop --debugreports on changes to your IP routing table (perip route show). -
Now
ucsf vpn statusreports also on how long ago and when the OpenConnect process was started, if it exists. It also reports on any IP routing tunnel devices. -
Now
--argscauses all of the following options to be passed toopenconnect, e.g.ucsf vpn start --args --script=$PWD/my-vpnc-scriptcauses--script=$PWD/my-vpnc-scriptto be passed toopenconnect. -
Use
--presudo=falseto skip establishing 'sudo' permissions upfront. The default is--presudo=true, which might add asudo: ... a password is requiredevent in the/var/log/auth.loglog file, which in turn might trigger an security alert. The default can be controlled via environment variableUCSF_VPN_PRESUDO. -
ucsf vpnsources~/.config/ucsf-vpn/envson start, which provides a convenient location for configuring default settings viaUCSF_VPN_*environment variables. -
Add
ucsf vpn routing, which shows the current IP routing table. It also reports on the default non-VPN network interface on the machine, and any tunnel devices. By specifying--full, IP numbers are annotated with hostnames andwhoisinformation, if available. -
Now
ucsf vpngives an error if it detects an unknown--<flag>or an unknown--<key>=<value>option. -
Environment variable
UCSF_VPN_VERSION=x.y.zis now passed to OpenConnect.
- Add argument
--flavor=<flavor>, which defaults toUCSF_VPN_FLAVOR, which does not have a default value. If specified, folder~/.config/ucsf-vpn/flavors/<flavor>/must exist.
ucsf vpn startignored environment variableNETRC.
- When
ucsf vpn startfails, it would no longer detect when a wrong username of password was enter.
- The use of
--method=pulse, which uses the Pulse Secure GUI client to establish a VPN connection, is deprecated and will become defunct in a near-future release. Please use the default--method=openconnectinstead.
- Add support for controlling the ping timeout via environment
variable
UCSF_VPN_PING_TIMEOUT. This can be useful on very slow internet connections. Default is 1.0 seconds.
ucsf vpn restart --forcerestarts the VPN connection regardless of it is active or not. This can be useful if the internet connection is completely broken.
ucsf vpn startwould display lots of OpenConnect output, at least with OpenConnect 8.20-1 on Ubuntu 22.04. This output is now silenced.
ucsf-vpngave an obscure error (e.g.printf: %*R: invalid conversion specification) if the password comprised of one or more%symbols.
-
ucsf-vpn --version --fullnow reports on both theucsf-vpnversion and the OpenConnect version. -
ucsf-vpnnow respected environment variableNO_COLOR. Set it to any non-empty value to disable colored output.
ucsf-vpn startcould give a false error saying connection to the VPN failed. Now it retries several times if the status is not what it expects.
-
Options
--user=<user>and--pwd=<pwd>now take precedence over their corresponding entries in the ~/.netrc file. -
Switch from using
openconnectoption--juniperto--protocol=nc. The former is a legacy option that resolves to the latter, meaning this should be a backward compatible change. However, it might be that older versions of OpenConnect only recognizes--juniper. If that is the case, then specify optionucsf vpn --protocol=juniper startto revert back to the old behavior.
-
Added option
--protocol=<ptl>for setting the VPN protocol, which can also be set via environment variableUCSF_VPN_PROTOCOL. The default is--protocol=ncwith the alternative protocol being--protocol=pulse, which may be needed with newer versions of OpenConnect, such as 8.10. -
Error messages now report on also the ping status of the VPN server, in case the VPN setup failed.
-
Error messages now provide a URL to the UCSF Web VPN for validating credentials when it is likely that the connection failed due to an incorrect username, password, or 2FA was given.
-
Now
ucsf vpn stoptries to terminate OpenConnect a second time if the first attempt was not successful after 10 seconds.
- Legacy, non-standard key-value pair CLI options without equal signs
such as
--user aliceare now defunct. Use--user=aliceinstead.
- When prompted for a token (e.g.
--token=prompt) and pressing only ENTER (without entering anything), it will default topush. This will make it easier to switch between the 2FA mobile application and the YubiKey.
-
An informative message prompts the users what additional action needs to be done whenever
--token=pushor--token=phoneis used. -
If the connection fails, the likely reason for the failure is now given as part of the error message, e.g. 'Incorrect username or password' or '2FA token not accepted'.
-
The verbose standard error messages from OpenConnect is only displayed if the connected fails, otherwise it is muffled.
-
Error messages now include the version of ucsf-vpn and OpenConnect.
-
Environment variable
UCSF_VPN_PING_SERVERnow supports specifying multiple servers (separated by space). -
The default ping server is now 9.9.9.9 (Quad9.net).
-
The server used for testing the internet connection by pinging it, can now be controlled by environment variable
UCSF_VPN_PING_SERVER. -
The prompt asking for type of token now echoes type of token requested.
-
If OpenConnect requires additional options, then these can be specified also via environment variable
UCSF_VPN_EXTRAS. -
The validation toward the third-party https://ipinfo.io/ service done by
ucsf-vpn status,ucsf-vpn startanducsf-vpn stopcan be disabled by specifying option--validate=pid, or by setting environment variableUCSF_VPN_VALIDATE=pid. -
Sudo rights are now established upfront with an informative message.
- It was not possible to pass additional options of kind
--key valueto theopenconnectclient; they were dropped with an incorrect warning on using--key=valueinstead.
-
ucsf-vpn startanducsf-vpn stopis significantly faster because in previous versions there was a bug (see below) causing it to query for public IP information multiple times, which was slow. -
Now supporting proper key-value pair CLI options, e.g.
--user=alice.
-
ucsf-vpn stopmakes sure to terminate the process thatucsf-vpn startstarted, which works by having OpenConnect record the process ID to file. Previously,ucsf-vpn stopterminated allopenconnectprocess found. -
Messages are now outputted in different colors if the terminal supports it. Success message are outputted in green, warnings in yellow, errors in red, and debug messages in gray. Message from OpenConnect are outputted using the default foreground color, which is typically white. Similarly, prompts are highlighted in bright yellow. Disable with
--theme=noneor set environment variableUCSF_VPN_THEME=none. -
Now
ucsf-vpndisplays parts of the help anducsf-vpn --helpthe full.
ucsf-vpnfailed to cache collected public IP information resulting in it queried the same public IP information multiple times.
-
Legacy, non-standard key-value pair CLI options without equal signs such as
--user aliceare now deprecated. Use--user=aliceinstead. -
CLI option
--skiphas been dropped. It is now the default behavior.
-
The VPN server can now be set via environment variable
UCSF_VPN_SERVERas an alternative to specifying option--server.ucsf-vpn startwill output 'Connection to server ...' to indicate which server is used. -
If a custom VPN server is used, then the ~/.netrc file is search for that first with a fallback to
remote.ucsf.edu. This avoids having to update the .netrc file when using an alternative UCSF-VPN server.
- Updated how the information on the current connection is reported
by for instance
ucsf-vpn status.
- The reported IP could be garbled with a newline and 'https'.
- Attempts to connect using
--token smswill now give an informative error message explaining that is not supported by the OpenConnect interface.
ucsf-vpn --token <digits>only supported six-digit tokens; now seven-digit tokens are also supported.
-
The default VPN method is now OpenConnect (
--method openconnect). The previous method, Pulse Secure Client, is available by using--method pulse. -
The default is now
--token push(was--token prompt).
-
Added support to connect to the UCSF VPN using OpenConnect (>= 7.08), which is available on recent Linux distributions such as Ubuntu 18.04. The advantage of using OpenConnect rather that the Pulse Secure Client, is in addition of not requiring a proprietary software, it is also more stable because it does not operate by emulating key and mouse clicks in a GUI. The disadvantage is that it requires sudo, i.e. you need to have admin rights.
-
Added option
--methodto control whether to use OpenConnect (openconnect) or the Pulse Secure Client (pulse). The default, which isopenconnect, can be controlled via environment variableUCSF_VPN_METHOD.
- Option
--tokendid not have a default value.
-
Option
--token trueis deprecated; use--token promptinstead. -
Credentials in ~/.ucsfvpnrc are now ignored. Use ~/.netrc instead.
-
Now
ucsf-vpn start --guigives more information about the steps taken and how to force or skip a UCSF notification popup, if such exists (which they add once in a while to notify users). -
Now
ucsf-vpn start --guidefaults to--no-notification, since UCSF has now removed the notification about the new 2FA requirements.
-
Now
ucsf-vpn start --guilooks in the Pulse Secure GUI config file to identify which of several connections is for the target VPN URL. If none matches, a proper connection is automatically added to the settings. -
Add option
--url <url>for specifying the VPN URL. Currently, only used for validation. -
Now
--realm <realm>is acknowledged also for--gui(though UCSF VPN still only 'Dual Factor Pulse Clients'). -
Now
ucsf-vpn troubleshootreports on the configured connections available in the Pulse Secure GUI. If a connection to the UCSF-specific VPN URL is missing, then a warning is displayed. -
The default value for
--tokencan be set via env varUCSF_VPN_TOKEN.
-
Fixed Bash code according to ShellCheck suggestions.
-
Running ShellCheck code analysis via Travis CI.
-
Added support for
--token pushand--token phone, which will authenticate via the Duo app (approve and confirm), and phone call ("press any key"), respectively. Also, accepts--token phone2, and--token smsbut not sure the UCSF supports those. -
Now
ucsf-vpn start --guiminimizes the main Pulse Secure GUI window as soon as it is no longer needed. -
Now
ucsf-vpn start --guiwaits for the popup windows to close before verifying that the VPN connection is working.
-
ucsf-vpn start --guiwould not works if Pulse Secure GUI was already open but minimized. -
ucsf-vpn stopfailed to close the Pulse Secure GUI window.
-
Two-factor authentication (2FA) is now supported by sending user credentials and 2FA tokens via the Pulse Secure GUI by utilizing xdotool (automated mouse clicks and key presses over X11). It's not perfect, but it works.
-
Now
ucsf-vpn start --guiis the default. -
ucsf-vpn start-guiwas renamed toucsf-vpn open-gui.
-
Now
ucsf-vpn start(with default--gui) connects to the UCSF VPN via the Pulse Secure GUI (by sending mouse and key sequences). -
Added
--gui(default) and--no-guito control whetherucsf-vpn startshould the Pulse Secure GUI or the CLI. -
Added
--token <token>to specify the one-time two-factor authentication (2FA) token, where--token true(default) will prompt user to enter token, and--token falsewill try to connect without 2FA. -
Added
--notification(default) and--no-notificationto indicate whether the UCSF VPN login includes a "Pre Sign-In Notification" message that needs to be confirmed or not. -
Added
--speed <factor>for adjusting the waiting times between submitting information to the GUI. -
Now
ucsf-vpn troubleshootalso reports onpulsesvc --version. -
Use environment variable
PULSEPATHto override the default location (/usr/local/pulse/) of the Pulse Secure software and libraries.
- Credentials in ~/.ucsfvpnrc are defunct. Use ~/.netrc instead.
-
Added
ucsf-vpn log, which output the log file. -
Added
ucsf-vpn troubleshoot, which reports on errors in the log file.
- Authentication credentials in ~/.netrc were not found on systems where where awk does not support POSIX regular expressions.
- If username and/or password are not specified or not identifiable from the ~/.netrc file, then the user will be prompted to enter them.
- Add support for credentials in ~/.netrc.
- Credentials in ~/.ucsfvpnrc are deprecated. Use ~/.netrc instead.
- Now supporting the new Junos Secure Pulse client.
- Support for OpenConnect is defunct due to UCSF VPN server changes.
-
Add option
--server <server>to override the default VPN specify. -
ucsf-vpn --helpreports on the OpenConnect version available.
- Add
ucsf-vpn togglefor quick toggling of the UCSF VPN connect.
-
Now
ucsf-vpnchecks for working internet connection and adjust accordingly. For instance,ucsf-vpn restartwill not try to infer public IP number if there is no internet connection but instead it will just go ahead an restart the local VPN service. -
Add
ucsf-vpn restart.
- First public release.