Add Duo Push, multi-session, kick, reconnect, and custom user-agent

CHANGELOG

@@ -1,3 +1,12 @@
+*** 0.8.1 (jv)
+ + Support Pulse Secure / Duo Push
+
+*** 0.8.0 (jv)
+ + allow multi-session (if enabled server-side)
+ # converted README to .md
+ + added more requirements
+
+*** 0.7.1
  # try to detect valid starting class for tncc.jar
  + Force hostchecker logging if debug is enabled
 

FAQ

@@ -1,28 +1,31 @@
-Q: JVPN is not working for me
-A: Try to enable debug output. You will find logs in the 
-   ~/.juniper_networks/network_connect/ directory. Also you can try ncui mode.
+Q: jvpn is not working for me
+A: Try to enable debug output. You will find logs in the
+   ~/.juniper_networks/network_connect/ directory. Also, you can try ncui mode.
 
-Q: Is it possible to run it non non ARM/MIPS/PPC?
-A: No, because it using closing source VPN client binary available only for
-   i386 platform.
+Q: Is it possible to run jvpn on ARM/MIPS/PPC?
+A: No, because it using Juniper's closed source VPN client binary available only
+    for i386 platform (which also works on i686, of course).
 
-Q: Where to send patches?
-A: Use "pull request" at https://github.com/samm-git/jvpn/. Or just by mail.
+Q: Where should I send patches?
+A: Use "pull request" at https://github.com/samm-git/jvpn/. Or just by email.
 
 Q: Could you help me with my VPN account, it does not work?
-A: Only if you can provide credentials to test. I need them to debug 
-   connection from native GUI and JVPN to identify what is going wrong.
-   Also you can try to debug yourself. Some tools i used:
-    * Wireshark/tcpdump - to dump traffic between ncsvc and JAVA GUI
+A: Only if you can provide credentials to test. I need them to debug the
+   connection from native GUI and jvpn to identify what is going wrong.
+   Also you can try to debug yourself. Some tools I use:
+    * Wireshark/tcpdump - to dump traffic between ncsvc and Java GUI
+    * Firefox with Firebug - to see what the "normal" conversation with a browser looks like
     * strace - to trace VPN processes
-    * Java decompiler - to decompile source code of GUI, not too much 
+    * Java decompiler - to decompile source code of GUI, not too much
       interesting, anyway
 
-Q: Is it possible to use jvpn on FreeBSD?
-A: No. FreeBSD supports Linux ABI, but ncsvc heavily depends on Linux network
+Q: Is it possible to use jvpn on FreeBSD or OS X?
+A: Maybe? FreeBSD supports Linux ABI, but ncsvc heavily depends on Linux network
    stack, including /proc/net/route, /proc/net/tun, etc. It _should_ be
    possible to emulate all this staff or to use LD_PRELOAD hacks, but it will
-   require much more efforts.
+   require much more effort.
+
+   If you get it working, please send a patch.
 
 Q: What if I get status=6e and Authentication failed
-A: Check, where is your ifconfig binary. It should be at /sbin/ifconfig
+A: Check the location of your ifconfig binary. The downloaded binaries insist that it be located at /sbin/ifconfig (so, if it's not, make a symlink).

README.md

@@ -0,0 +1,114 @@
+jvpn
+====
+Connect to Juniper Junos Pulse / Pulse Secure VPN (including Duo support) on the command line without Java
+
+## Features
+ * Works *without Java* on both x86 and x86_64 hosts
+ * Emulates web browser to get authentication data
+ * Supports Duo push two-factor authentication
+ * Automatically starts juniper client and passes data to it using TCP socket
+    connection.
+ * Able to download Linux client from the VPN server without browser or
+    Java.
+ * Supports launching Host Checker to perform checks on a client host.
+ * Option to protect resolv.conf by setting +i attribute for the connection time
+ * Ability to run scripts on connect/disconnect events
+ * Integration with external password/token providers, including "stoken" RSA
+    softkey.
+ * Ability to kick existing sessions (for example, you forgot to log out of the
+    VPN on another system and/or your server is set up with connection count limits)
+
+## Requirements
+ * Perl with LWP modules (for https)
+ * openssl binary
+ * unzip (for client unpacking)
+
+### Extra requirements for ncui mode (optional):
+ (note the i686 requirements if your OS is 64-bit)
+ * gcc
+ * glibc-devel.i686
+ * zlib.i686
+ * libgcc.i686
+
+## Usage
+To configure jvpn.pl, edit jvpn.ini.
+
+The first run of jvpn.pl (under sudo) will download and install the client automatically.
+
+If you want to run it without sudo - set the suid bit on the "ncsvc" binary (`chmod u+s ncsvc`).
+
+If you have multiple configurations - use the --conf switch to define ini file.
+
+### How the script works
+ 1. Connects to the VPN web portal with provided user name and password (and PIN/token).
+ 2. Gets DSID value
+ 3. Gets md5 fingerprint of the SSL certificate
+ 4. If VPN client is not installed script downloads and unpacks it.
+ 5. Starts ncsvc and connects to it (using TCP 127.0.0.1:4242
+    socket in ncsvc mode or using "ncui" wrapper in ncui mode).
+ 6. Script emulates (aka "fakes") native GUI and passes configuration data to daemon.
+ 7. Script can optionally protect resolv.conf from dhcpd or Network Manager by
+    setting +i flag on it (disabled by default).
+ 8. On Ctrl+C script sending "Disconnect" command to the daemon and logs out
+    by, again, emulating browser interaction.
+
+### Difference between `mode=ncui` and `mode=ncsvc`
+In "ncsvc" (default) mode jvpn establishes a TCP socket connection to nvsvc daemon and tries to establish connection using it protocol.
+
+In "ncui" mode jvpn tries to use the main() function in libncui.so which later calls ncsvc. Basically, if default mode does not work for you, try ncui mode.
+
+Please note that to use ncui mode you must have gcc and other stuff (noted above) installed.
+
+### Scripting support
+It is possible to run user-defined scripts on conncect/disconnect events. To
+use this functionality you will need to define the script to run in the jvpn.ini
+using the `script=<scriptname>` line. That script needs to be executable, of course.
+
+List of pre-defined variables and sample route table modification can be found
+in scripts/sample-script.sh.
+
+### Different ways to provide password
+By default jvpn asks for your password on startup. It is also possible to define
+password in configuration file or to use external program to provide it (and
+token).
+
+To store password directly in jvpn.ini, use `password=plaintext:mypassword`.
+
+If you write a helper script, it should simply print your password to stdout. If it is called a second time (some VPN servers request additional tokens) jvpn will define an "OLDPIN" variable containing first token code. See scripts/stoken.sh for example of "stoken" integration.
+
+If you need to use an external token (either a key fob or a mobile phone app,
+for example), set your password with the `password=xxx` parameter as above, and also set `token=1` in jvpn.ini.  You will be prompted to type in the token before the script attempts to connect.
+
+### Hostchecker support
+As of version 0.7.0 it is possible to run hostchecker using the `hostchecker=1` setting
+in jvpn.ini. Hostchecker is used to perform checks on endpoint computers that
+connect to the VPN device to make sure the endpoints meet certain security
+requirements. If hostchecker support is enabled jvpn tries to run tncc.jar using
+Java (emulating web browser applet behavior).
+
+JRE needs to be installed to support this feature.
+
+Generally, It is recommended to enable this only if you are unable to connect without it.
+
+### Bugs and debugging
+This script was written (and modified) without any official Juniper/Pulse documentation or support, only using wireshark/tcpdump, Firefox (to look at web forms) and a debugger. It is very likely that it has a bugs or will not work correctly for you.
+
+If you need some support - enable debug and send me as much information as you can.
+
+Script debug is written to stdout and daemon log is written to the
+~/.juniper_networks/network_connect/ncsvc.log file.
+
+## License
+The author has placed this work in the Public Domain, thereby relinquishing
+all copyrights. Everyone is free to use, modify, republish, sell or give away
+this work without prior consent from anybody.
+
+This software is provided on an "as is" basis, without warranty of any
+kind. Use at your own risk! Under no circumstances shall the author(s) or
+contributor(s) be liable for damages resulting directly or indirectly from
+the use or non-use of this software.
+
+## Authors
+Original Author: Alex Samorukov <samm@os2.kiev.ua>
+
+2015-2016 revisions author: Jeff Vier <jeff@jeffvier.com>