As part of the privilege of attending Georgia Institute of Technology, I get access to PACE, Georgia Tech’s supercomputing cluster. Unfortunately, to access PACE, you need to connect to Georgia Tech’s VPN. To connect to Georgia Tech’s VPN, you need to use Palo Alto Networks’ GlobalProtect. It’s… not fun. My biggest annoyance is that you can’t actually exit the application on macOS without running the following command:
launchctl unload /Library/LaunchAgents/com.paloaltonetworks.gp.pangp*
Additionally, even though I’m connecting to the VPN to do my computing homework, Georgia Tech can now see all of my traffic. I’m not particularly comfortable with this. There has to be a separate way.
And it turns out, by using openconnect and vpn-slice, you can!
First, install openconnect and vpn-slice:
brew install openconnect vpn-slice
Then, to connect to Georgia Tech’s VPN, run the following command:
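    # -u takes your Georgia Tech username without the email suffix, ex: jsmith123
    # No password option is passed: openconnect prompts for the password instead.
    # (openconnect's -p is --key-password, a client-certificate key passphrase, not
    # the login password, and anything typed here lands in shell history.)
    sudo openconnect --protocol=gp vpn.gatech.edu \
      -u <georgia_tech_username_without_email> \
      -s "vpn-slice login-ice.pace.gatech.edu"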
Note that sudo perms are necessary since it messes with your networking devices. Then, it’ll ask you for your Georgia Tech password if not provided, and then a secondary factor. Go to the Duo app, enter the 6 randomly generated digits, and you should be in!
Full tracelog provided below for reference:
    abhiagarwal@Abhis-MacBook-Pro ~> sudo openconnect --protocol=gp vpn.gatech.edu -u jsmith123 -s "vpn-slice login-ice.pace.gatech.edu"
    POST https://vpn.gatech.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Mac
    Connected to <--snip-->
    SSL negotiation with vpn.gatech.edu
    Connected to HTTPS on vpn.gatech.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
    Enter login credentials
    Password:
    POST https://vpn.gatech.edu/global-protect/getconfig.esp
    Choose a secondary factor from ('push1', 'phone1') or enter passcode:
    Challenge:
    POST https://vpn.gatech.edu/global-protect/getconfig.esp
    Portal reports GlobalProtect version 6.2.7-1047; we will report the same client version.
    Portal set HIP report interval to 60 minutes).
    2 gateway servers available:
      DC Gateway (dc-ext-gw.vpn.gatech.edu)
      NI Gateway (ni-ext-gw.vpn.gatech.edu)
    Please select GlobalProtect gateway.
    GATEWAY: [DC Gateway|NI Gateway]:DC Gateway
    POST https://dc-ext-gw.vpn.gatech.edu/ssl-vpn/login.esp
    Connected to <--snip-->
    SSL negotiation with dc-ext-gw.vpn.gatech.edu
    Connected to HTTPS on dc-ext-gw.vpn.gatech.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
    GlobalProtect login returned authentication-source=gp-auth-sequence-new
    GlobalProtect login returned password-expiration-days=0
    GlobalProtect login returned portal-userauthcookie=<--snip-->
    GlobalProtect login returned portal-prelogonuserauthcookie=empty
    GlobalProtect login returned usually-equals-4=4
    POST https://dc-ext-gw.vpn.gatech.edu/ssl-vpn/getconfig.esp
    Tunnel timeout (rekey interval) is 180 minutes.
    Idle timeout is 180 minutes.
    No MTU received. Calculated 1326 for ESP tunnel
    POST https://dc-ext-gw.vpn.gatech.edu/ssl-vpn/hipreportcheck.esp
    WARNING: Server asked us to submit HIP report with md5sum <--snip-->. VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.
    ESP session established with server
    ESP tunnel connected; exiting HTTPS mainloop.
    Configured as <--snip-->, with SSL disconnected and ESP established
    Session authentication will expire at Tue Jul 1 15:27:45 2025
    WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
    WARNING: IPv6 address or netmask set. Support for IPv6 in vpn-slice should be considered BETA-QUALITY.
    Got results: [<DNS IN A rdata: <--snip-->>]
Inspecting the /etc/hosts file, we can see that openconnect, via vpn-slice, added the relevant hosts:
    abhiagarwal@Abhis-MacBook-Pro ~> cat /etc/hosts
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    130.<--snip--> dns0.utun11 # vpn-slice-utun11 AUTOCREATED
    130.<--snip--> dns1.utun11 # vpn-slice-utun11 AUTOCREATED
    128.<--snip--> login-ice.pace.gatech.edu # vpn-slice-utun11 AUTOCREATED
Finally, we can just ssh [email protected] and we’re in!
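Since the point of the split tunnel is that only PACE traffic goes through Georgia Tech, it is worth checking which hostnames vpn-slice actually put behind the tunnel. The script below is an added example, not part of the original post: it parses the AUTOCREATED entries in the format shown in the /etc/hosts listing above and reports any tunnelled host that is not on an allow list. The function names, the sample file and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which hosts vpn-slice has put behind the tunnel.
# Entry format, as seen in the /etc/hosts listing above:
#   <ip> <hostname> # vpn-slice-<iface> AUTOCREATED

# slice_entries FILE: print "iface hostname ip" for every vpn-slice entry.
slice_entries() {
    awk 'NF >= 4 && $NF == "AUTOCREATED" && $(NF-1) ~ /^vpn-slice-/ {
             iface = $(NF-1); sub(/^vpn-slice-/, "", iface)
             print iface, $2, $1
         }' "$1"
}

# unexpected_hosts FILE ALLOWED...: print tunnelled hostnames that are neither
# on the allow list nor vpn-slice's own dnsN.<iface> resolver aliases.
unexpected_hosts() {
    file=$1; shift
    slice_entries "$file" | while read -r iface host ip; do
        case $host in dns[0-9]*."$iface") continue ;; esac
        ok=no
        for allowed in "$@"; do
            if [ "$host" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then echo "$host"; fi
    done
}

# Constructed sample: documentation-range IPs (the post's real addresses are
# snipped) plus one extra host that should not be in the slice.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 localhost
192.0.2.10 dns0.utun11 # vpn-slice-utun11 AUTOCREATED
192.0.2.11 dns1.utun11 # vpn-slice-utun11 AUTOCREATED
198.51.100.7 login-ice.pace.gatech.edu # vpn-slice-utun11 AUTOCREATED
198.51.100.9 other.example.edu # vpn-slice-utun11 AUTOCREATED
EOF

echo "Entries created by vpn-slice:"
slice_entries "$SAMPLE_HOSTS"
echo "Tunnelled hosts not on the allow list:"
unexpected_hosts "$SAMPLE_HOSTS" login-ice.pace.gatech.edu
```

While the VPN is up, running `unexpected_hosts /etc/hosts login-ice.pace.gatech.edu` should print nothing.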