Engineering-Tech Wiki

User Tools

Site Tools

You are here: start » auth » howto » linux » vpnclient
Trace:
auth:howto:linux:vpnclient

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
auth:howto:linux:vpnclient [2012/09/11 09:00] – [Instructions for Linux vpnc Client (recommended)] kohoferauth:howto:linux:vpnclient [2022/06/20 11:40] (current) kohofer
Line 1: Line 1:
-====== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen ======+====== VPN (Virtual Private Network) at the Free University of Bolzano/Bozen and EURAC ======
  
 ===== Infos regarding the usage of VPN ===== ===== Infos regarding the usage of VPN =====
  
-http://www.unibz.it/en/ict/ComputerInternet/network/vpn/default.html+https://knowledge.scientificnet.org/workspace/#nd=ab7442f9-c4d0-4ffc-a4f7-1e0d84515cc9&ld=17f4d8ce-edff-4d42-ad33-d98e2cdebc35&ln=it
  
-==== Instructions for Windows 2000, XP, VISTA and 7 - 32bit and 64bit ====+==== Instructions for MacOS X ====
  
-http://www.unibz.it/en/ict/ComputerInternet/network/vpn/InstallationWindows.html+We recommend to download and install [[https://itunes.apple.com/en/app/cisco-anyconnect/id392790924?mt=8|Cisco AnyConnect]] from Apple Store for iOS and connect via Browser to https://vpn.scientificnet.org for Mac OSX
  
-===Instructions for MacOS X 10.4 ==== +=== Unsupported Instructions for MacOS X  and iOS - use at own risk! ===
-http://www.unibz.it/en/ict/ComputerInternet/network/vpn/InstallationMacOSX.html+
  
-==== Instructions for MacOS X 10.6 ====+Download, unpack (doubleclick), then doupleclick the unpacked file to install it:
  
-There is no need to install a Client, simply download and install (doubleclick) the\\ +{{:auth:howto:linux:vpn-scientificnet.org.networkconnect.zip|}}
-following file:+
  
-{{:auth:howto:linux:unibz.networkconnect.zip|}}+Under Network settings a new item should appear:
  
-===== Instructions for Linux vpnc Client (recommended) =====+  * VPN (IPSec) 
 +  * change username to your username 
 +  * click Connect and enter your password 
 + 
 +=== Uninstalling if installation is corrupt in MacOSx === 
 + 
 +Uninstallation has to be done by running this command on terminal: 
 + 
 +sudo /opt/cisco/vpn/bin/vpn_uninstall.sh 
 + 
 +Should the uninstallation or reinstallation be corrupt, run this command on terminal:  
 + 
 +sudo pkgutil --forget com.cisco.pkg.anyconnect.vpn 
 + 
 + 
 +=== Instructions for iOS 9 === 
 + 
 +  - Press Settings 
 +  - Choose General 
 +  - Nearly at the end, click VPN 
 +  - Next click: Add VPN Configuration... 
 +    - **Type:** IPSec 
 +    - **Description:** VPN Scientificnet 
 +    - **Server:** vpn.scientificnet.org 
 +    - **Account:** <your-unibz-username> 
 +    - **Password:** <your-unibz-password> or leave empty to ask every time! 
 +    - **Group Name:** Unibz 
 +    - **Secret:** <file> 
 +NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL 
 +</file> 
 +  - Press Done in upper right corner of window 
 +  - Status: Slide Button to the right to connect 
 +  - Enter Password if not already entered above 
 + 
 +=== Instructions for Android 7 === 
 + 
 +  - Press Settings 
 +  - Find VPN Settings, depends on Model  
 +  - Next click: Add VPN Configuration... 
 +    - **Name:** Unibz VPN 
 +    - **Type:** IPSec Xauth PSK 
 +    - **Server-Address:** vpn.scientificnet.org 
 +    - **IPSec Identifier:** Unibz 
 +    - **IPSec Pre-shared Key:** NrW2z9sj8g3kjJrzXxJwRPbIRNInWakL 
 +    - **Account:** <your-unibz-username> 
 +    - **Password:** <your-unibz-password> or leave empty to ask every time! 
 +     
 +  - Press Done 
 +  - Status: Slide Button to the right to connect 
 +  - Enter Password if not already entered above 
 + 
 +===== Instructions for Linux using openconnect Client (recommended) ===== 
 + 
 +Run this command to install openconnect client and OpenConnect plugin GNOME GUI  
 + 
 +  sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome 
 + 
 +Once installed open Settings and go to Network, press + right of the VPN section. 
 + 
 +{{:auth:howto:linux:network_vpn.png?400|}} 
 + 
 +Select **Cisco AnyConnect Compatible VPN (openconnect)** and fill out as shown below: 
 + 
 +{{:auth:howto:linux:add_vpn_openconnect.png?400|}} 
 + 
 +{{:auth:howto:linux:details_vpn.png?300|Details}} {{:auth:howto:linux:identity_vpn.png?300|Identity}}  
 + 
 +{{:auth:howto:linux:ipv4_vpn.png?300|IPv4}} {{:auth:howto:linux:ipv6_vpn.png?300|IPv6}}  
 + 
 +**Details** 
 +  - Make available to other users: tick if you want to allow other users on your system to use the VPN 
 + 
 +**Identity** 
 +  - Name: VPN work (use a descriptive name) 
 +  - VPN Protocol: Cisco AnyConnect 
 +  - Gateway: vpn.scientificnet.org 
 +  - CA Certificate: download from {{ :auth:howto:linux:vpn-scientificnet-org.pem |here}}, not really necessary! 
 + 
 +The rest can be left as it is. 
 + 
 +**IPv4/IPv6** 
 +  - IPv4 Method: Automatic (DHCP) 
 +  - DNS: ON 
 +  - Routes: ON 
 + 
 +Press <color #22b14c>Apply</color> 
 + 
 +Now you can enable the VPN connection! 
 + 
 +Move the slider from OFF to ON, a small window should open, 
 + 
 +{{:auth:howto:linux:enable_vpn.png?400|Enable VPN}} 
 + 
 +make sure that for VPN Host you select: **vpn.scientificnet.org** 
 + 
 +Enter your unibz Username, without @unibz.it and your unibz Password. 
 + 
 +{{:auth:howto:linux:connect_vpn.png?400|Connect VPN}} 
 + 
 +Press **Login** 
 + 
 +If all goes well the slider should remain in ON position, if not check the Log. 
 +To verify launch this command in a terminal: 
 + 
 +  ifconfig | grep 172* 
 + 
 +You should get a new interface --> vpn0: with an IP Address: 172.21.66.xxx 
 + 
 +===== Instructions for Linux vpnc Client =====
  
 1. Install vpnc 1. Install vpnc
  
-  sudo aptitude install vpnc+  sudo apt-get install vpnc
  
-2. Create configuration file unibz.conf. Download from here: {{:auth:howto:linux:unibz.conf|}}+2. For Unibz: 
 + 
 +  * Create configuration file unibz.conf. Download from here: {{:auth:howto:linux:unibz.conf|}} 
 + 
 +2.a For Eurac: 
 + 
 +   * Create configuration file eurac.conf. Download from here: {{:auth:howto:linux:eurac.conf|}}
        
 <note important>IPSec obfuscated secret needs to be on a single line.</note> <note important>IPSec obfuscated secret needs to be on a single line.</note>
        
 <note important>Replace <your-windows-login> with your username.</note> <note important>Replace <your-windows-login> with your username.</note>
 +
 +
 +For Unibz:
  
   sudo vi /etc/vpnc/unibz.conf   sudo vi /etc/vpnc/unibz.conf
Line 37: Line 152:
 IPSec gateway vpn.unibz.it IPSec gateway vpn.unibz.it
 IPSec ID Unibz IPSec ID Unibz
-IPSec obfuscated secret 06294C134E0BEBDA4B449B56BFD305D35D12DABF4044EDB6794926C2CA6D5AEDFE6342DF190E566EB11215DDC1591D5CB6ABEBEB593693C6D0B2077D78034B6AFEEA3221E77F4 +IPSec obfuscated secret 06294C134E0BEBDA4B449B56BFD305D35D12DABF4044EDB6794926C2CA6D5AEDFE6342DF190E566EB11215DDC1591D5CB6ABEBEB593693C6D0B2077D78034B6AFEEA3221E77F4C9858DD711AA8DE58F6 
-C9858DD711AA8DE58F6 +Xauth username your-windows-login 
-Xauth username <your-windows-login>+# e.g. Xauth username fmoser (not fmoser@unibz.it)
 ####################################### #######################################
 </code> </code>
Line 52: Line 167:
 sudo ls -l /etc/vpnc/unibz.conf sudo ls -l /etc/vpnc/unibz.conf
 -rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/unibz.conf -rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/unibz.conf
 +</code>
 +
 +For Eurac:
 +
 +  sudo vi /etc/vpnc/eurac.conf
 +
 +<code>
 +#######################################
 +IPSec gateway vpn.scientificnet.org 
 +IPSec ID Eurac
 +IPSec obfuscated secret 56A1CD68CC3AD33B48DB0F727ADDBC0A354DE3287D15C8526ED4CEDE4BC2ACDD1BB2460BC2354671A405F6150EA7C294C4DBC4CF9FFE45873BECAD3A2A738C5053BE34F709D592B50AD5BC472CDFF350
 +Xauth username your-windows-login
 +# e.g. Xauth username fmoser (not fmoser@eurac.edu)
 +#######################################
 +</code>
 +
 +apply this rights:
 +
 +  sudo chmod 600 /etc/vpnc/eurac.conf
 +  
 +  sudo chown root.root /etc/vpnc/eurac.conf
 +
 +<code>
 +sudo ls -l /etc/vpnc/eurac.conf
 +-rw------- 1 root root 250 2009-05-02 15:54 /etc/vpnc/eurac.conf
 </code> </code>
  
 3. Start vpnc 3. Start vpnc
 +
 +For Unibz:
  
   sudo vpnc-connect --domain unibz unibz   sudo vpnc-connect --domain unibz unibz
Line 60: Line 202:
 This will first ask for your sudo password and then This will first ask for your sudo password and then
 your <unibz-password> your <unibz-password>
 +
 +For Eurac:
 +
 +  sudo vpnc-connect --domain eurac eurac
 +
 +This will first ask for your sudo password and then
 +your <eurac-password>
 +
  
 4. Stop vpnc 4. Stop vpnc
  
   sudo vpnc-disconnect   sudo vpnc-disconnect
 +
  
 ==== Possible errors ==== ==== Possible errors ====
  
 +If you get the following error:  **vpnc-connect: no response from target**\\
 +try adding the line below to your configuration file (unibz.conf)
 +
 +**NAT Traversal Mode cisco-udp**
 +
 +----
  
 When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric,\\ When one attempts to connect to their VPN after installing and configuring vpnc on Ubuntu Oneiric,\\
Line 80: Line 237:
 provides an updated / revised release of this script. Download the latest copy from [[http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script|here]].\\ provides an updated / revised release of this script. Download the latest copy from [[http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script|here]].\\
 Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script
 +
 +----
 +
 +Access via ssh not possible, MTU value to high!
 +
 +In some cases the MTU value is too high, which results in an very strange
 +situation: ping works, but ssh hangs at this point:
 +
 +...
 +debug1: sending SSH2_MSG_KEX_ECDH_INIT
 +debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 
 +
 +
 +There are 2 bug reports for this:\\
 +
 +https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1110787\\
 +https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085
 +
 +and a possible solution/workaround for Linux Mint:
 +
 +https://community.hide.me/threads/setup-problem-on-linux-mint-17.1839/
 +
 +Check the current MTU value:
 +
 +  ip link | grep mtu
 +
 +Set MTU value on interface eth0 to 1392
 +
 +  /sbin/ifconfig eth0 mtu 1392
 +
 +----
 +
 +Allow local (LAN) access when using VPN (MacOS)
 +
 +
 +{{:auth:howto:linux:allow-local-lan-access-with-vpn.png?400|VPN preferences}}
 +
 +
 +==== Decode Group Password ====
 +
 +[[https://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode|cisco vpnclient password decoder]]
  
  
Line 183: Line 381:
 Per-user configuration is stored in your home directory in a file called .anyconnect Per-user configuration is stored in your home directory in a file called .anyconnect
  
-===== Shrew Soft VPN Client Instructions for 32 or 64 bit version of Windows 2000XPVista and 7 (recommened) =====+====== Install openconnect-sso macOS with SAML ====== 
 + 
 +If you don't want to use Cisco Anyconnect on the Apple Mac, you can install openconnect 
 +and openconnect-sso for using SAML! 
 + 
 +**Requirements**: Python3 
 + 
 +Install brew 
 +  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" 
 + 
 +Install openconnect and pipx 
 +  brew install openconnect pipx 
 +  pipx ensurepath 
 + 
 +Install pipx 
 +  pip install --user pipx 
 + 
 +Install openconnect-sso 
 +  pipx install "openconnect-sso[full]" 
 +  pipx ensurepath 
 + 
 +Launch openconnect-sso 
 +  /Users/user/.local/bin/openconnect-sso --server vpn.scientificnet.org/saml 
 + 
 +<code> 
 +... 
 +... 
 +[info     ] Loading page                   [webengine] url=https://vpn.scientificnet.org/+CSCOE+/saml/sp/login?tgname=ScientificNetworkSouthTyrol-SAML&acsamlcap=v2 
 +[info     ] Terminate requested.           [webengine]  
 +[info     ] Exiting browser                [webengine]  
 +[info     ] Browser exited                 [openconnect_sso.browser.browser]  
 +[info     ] Response received              [openconnect_sso.authenticator] id=success message= 
 +[sudo] password for <local-username>: 
 + 
 +Connected to 193.106.xxx.xxx:443 
 +SSL negotiation with vpn.scientificnet.org 
 +Server certificate verify failed: signer not found 
 +Connected to HTTPS on vpn.scientificnet.org 
 +Got CONNECT response: HTTP/1.1 200 OK 
 +CSTP connected. DPD 30, Keepalive 20 
 +Connected as 172.xx.xx.xx + 2a02:27e8:10:741:0:dacc:0:2/64, using SSLwith DTLS in progress 
 +Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM). 
 +Error: any valid prefix is expected rather than "dev"
 + 
 +</code> 
 + 
 +A browser-window will ask for your username and password, next it will ask for the PIN which you need 
 +to generate with an Authenticator! 
 + 
 +Last thing to enter is the sudo password to enable the network interface. 
 + 
 +====== Install openconnect-sso Ubuntu with SAML ====== 
 + 
 +Requirements: 
 + 
 +  sudo apt install python3.8-venv openconnect 
 + 
 +  pip install --user pipx 
 +  pipx install "openconnect-sso[full]" 
 +  pipx ensurepath 
 + 
 +Launch openconnect-sso 
 + 
 +  openconnect-sso --server vpn.scientificnet.org/saml
  
-1. Go to http://www.shrew.net/home and download latest stable release of Shrew Soft VPN Client for Windows: http://www.shrew.net/download/vpn+A browser window will open, where it might ask for your 2FA/MFA, 
 +then it will ask for your sudo password to get the VPN interface up. 
 +Leave the command running as long as you need VPN.
  
-2. Download unibz profile (need to login with unibz login&password+You can also add an ampersand (&and the end of the command to put the command 
-https://pro.unibz.it/vpn/profiles/unibz/Free%20University%20of%20Bozen-Bolzano.zip+into background:
  
-3Install Shrew Soft VPN Client for Windows+  openconnect-sso --server vpn.scientificnet.org/saml &
  
-4. Start Shrew Soft VPN Client, unzip unibz profile and Import in VPN client 
  
  
/data/www/wiki.inf.unibz.it/data/attic/auth/howto/linux/vpnclient.1347346820.txt.gz · Last modified: 2019/01/16 10:03 (external edit)