Difference between revisions of "Proxies and VPN"

From the Linux and Unix Users Group at Virginia Tech Wiki
(17 intermediate revisions by 5 users not shown)
Earlier revision (the content that the latest revision, shown further down, removed or replaced):

=Proxies=

== Web Proxy ==

If you're just looking to access library resources like subscription journals, you can make use of the library's [http://www.lib.vt.edu/help/extended/extproxy.html web-based proxy].

== SSH Tunnel ==

If you're looking for a quick and dirty way to obtain a VT IP, you can run a [http://dltj.org/article/ssh-as-socks-proxy/ SOCKS proxy with SSH] using a CVL (ECE) or rlogin (CS) shell account.

== How to connect to Virginia Tech's VPN ==

Connecting to the Internet through Virginia Tech's [http://en.wikipedia.org/wiki/Virtual_private_network Virtual Private Network] (VPN) is the only officially advertised and supported method of accessing certain resources such as [http://network.software.vt.edu/ VT Network Software] from off-campus.

* '''Important:''' You must first create a [http://computing.vt.edu/accounts_and_access/remote_access_id/ Remote Access ID] to be able to log into the VPN. This is different from your normal VT PID password.

=== Using Ubuntu or Debian ===

# Install the [http://www.gnome.org/projects/NetworkManager/ Network Manager] applet if you do not already have it.
# Install the '''network-manager-pptp''' package for your distribution.

From here you will need to configure the VPN somewhat differently depending on your version of NetworkManager. To see your version of NetworkManager, right click the NetworkManager applet on your upper panel. The nm-applet looks like one of the following, depending on whether you're connected:

Applet icons: ''Not Connected'' (Image:Nm_not_connected.png), ''Connected'' (Image:Nm_connected.png)

==== NetworkManager 0.6 (Ubuntu 8.04 Hardy Heron) ====

# Click the Network Manager applet in your panel.
# Under '''VPN Connections''', select '''Configure VPN...'''.
# Click the '''Add''' button.
# Click '''Forward'''.
# Click '''Forward''' again.
# In the '''Connection Name''' box, type <code>VT PPTP VPN</code>.
# In the '''Gateway''' box, type <code>pptp.cns.vt.edu</code>.
# At the top, click the '''Authentication''' tab.
# Check the box labeled '''Refuse CHAP'''.
# Click '''Forward'''.
# Click '''Apply'''.
# Restart Network Manager with the following commands:

<pre>
sudo /etc/dbus-1/event.d/25NetworkManager restart
sudo /etc/dbus-1/event.d/26NetworkManagerDispatcher restart
</pre>

==== NetworkManager 0.7 (Ubuntu 8.10 Intrepid Ibex) ====

# Click the NetworkManager applet → VPN Connections → Configure VPN.
# Go to the VPN tab.
# Click Add.
# You will be asked to choose a VPN connection type. Select Point-to-Point Tunneling Protocol (PPTP) and click Create.
# Enter the following and click OK:

{| border="1"
! Connection name
| VT PPTP VPN (really, can be whatever you like)
|-
! Gateway
| pptp.cns.vt.edu
|-
! User name
| ''your PID''
|-
! Password
| ''your VPN password''
|-
! NT Domain
| ''(blank)''
|}

==== Connecting to the VPN ====

# Click the Network Manager applet in your panel.
# Under '''VPN Connections''', select '''VT PPTP VPN'''.
# Log in using your Remote Access ID.

==== Ubuntu upgraders from 8.04 Hardy Heron to 8.10 ====

If you experience an error "unable to find valid VPN secrets", you need to delete your saved password. Go to Applications → Passwords and Encryption Keys, then go to the Passwords tab and delete the entry for your VPN password (e.g., "VPN password secret for VT PPTP VPN..."). Now left-click the NetworkManager applet icon, select the VT PPTP VPN, and enter your VPN password.

[[Category:Howtos]]

Categories of the latest revision:

[[Category:Howtos]]
[[Category:Software]]
[[Category:VTLUUG:Projects]]
[[Category:Needs restoration]]

Latest revision as of 20:59, 6 November 2025

Proxies

Web Proxy

If you're just looking to access library resources like subscription journals, you can make use of the library's web-based proxy.

SSH Tunnel

If you're looking for a quick and dirty way to obtain a VT IP, you can run a secure shell socks proxy using a CVL (ECE) or rlogin (CS) shell account.

VPN

Connecting to the Internet through Virginia Tech's Virtual Private Network (VPN) is the only officially advertised and supported method of accessing certain resources such as VT Network Software from off-campus. Alternatively, you can use SSH tunnels or proxies to obtain a Virginia Tech IP address.


To connect to Virginia Tech's VPN service you have two options:

  1. Use the graphical Cisco Secure client. To install and use this application, see the 4Help KB article at https://4help.vt.edu/sp?id=kb_article&sysparm_article=KB0016112.
  2. Set up OpenConnect for the CLI option, which is detailed below. (There may be a way to tie this into the Network Manager GUI tool, but I haven't gone that far yet.)


OpenConnect Install

There is a bug ( Cisco Anyconnect STRAP channel bindings with TLSv1.3 (#659) ) in the packaged (apt repository) versions that prevents OpenConnect from connecting to VT's VPN service. This was fixed in the HEAD branch, but that means we need to build and install it from source.

In the following instructions whenever you see USERNAME, replace this with your Linux system's username.

I want to also note that these instructions were tested on Ubuntu Linux with the Firefox browser. If you have something different, you may need to modify the instructions below to work with your distro.


Build OpenConnect --HEAD from source and configure system

Install Git if it is not already installed on the system:

sudo apt-get install git

Then clone the source code for OpenConnect --HEAD:

cd $HOME
git clone git://git.infradead.org/users/dwmw2/openconnect.git

The next step is to install the required dependencies, then build and install OpenConnect. The script below handles all of those tasks. You can copy it into a file and run it as a script, or run each command individually in a terminal if you prefer.

#!/bin/bash

# Install dependencies
sudo apt install \
  build-essential gettext autoconf automake libproxy-dev \
  libxml2-dev libtool vpnc-scripts pkg-config zlib1g-dev \
  libp11-kit-dev libp11-dev libssl-dev

# Build
cd openconnect
./autogen.sh
./configure
make && make check
sudo make install && sudo ldconfig

# Verify
openconnect --version

Next, download the latest vpnc-script for OpenConnect and make it executable:

cd $HOME
wget https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script
chmod 744 vpnc-script

The command used to connect to the VPN runs the vpnc-script through sudo. The sudo password prompt tends to get buried in all of OpenConnect's message output in the terminal window, so we add a line to the sudoers file to avoid being prompted. Open the sudoers file for editing with the following command:

sudo visudo

(or sudo vi /etc/sudoers if that is your preference)

Now add the following line to the end of the sudoers file to allow the user to run the vpnc-script without being prompted for an admin password:

USERNAME ALL=(ALL) NOPASSWD: SETENV: /home/USERNAME/vpnc-script

As the user account does not have permission to create the required /var/run/vpnc directory (/run/vpnc; /var/run is a symlink to /run on Ubuntu), and this directory is deleted on every reboot, run the following command to have the system create the directory for us at boot with the right ownership and permissions:

echo "d /run/vpnc 770 root netdev - -" | sudo tee /etc/tmpfiles.d/vpnc.conf

Add the user to the groups netdev and kvm so they have proper permissions to access certain files and directories:

sudo usermod -a -G kvm USERNAME
sudo usermod -a -G netdev USERNAME

We need to create a TUN/TAP interface device so that it is ready to use by the user and OpenConnect when connecting to the VPN. If we don’t do this OpenConnect will fail as it cannot create this interface for us since it is getting run by the non-root user account. We can have the system create a tun interface at boot for us by creating the following file:

cd /etc/systemd/network/
sudo vi 90-tun0.netdev

Then add the following to this file:

[NetDev]
Name=tun0
Kind=tun

[TUN]
Mode=tun
User=USERNAME

Now enable the systemd-networkd service:

sudo systemctl enable systemd-networkd

And to be sure that everything has taken effect, restart the system.


Connecting to the Cisco Secure VPN

Below are the commands for connecting to the different VPN Realms (VT-Traffic or All-Traffic):


Connect to VT-Traffic:

openconnect --server=https://vpn.vt.edu/VT-Traffic --useragent=AnyConnect -s 'sudo -E /home/USERNAME/vpnc-script' --external-browser /usr/bin/firefox -i tun0


Connect to All-Traffic:

openconnect --server=https://vpn.vt.edu/All-Traffic --useragent=AnyConnect -s 'sudo -E /home/USERNAME/vpnc-script' --external-browser /usr/bin/firefox -i tun0


If you want to make things easier to type each time you connect, add the above commands as shell aliases.


Once you've run the above command and completed the Single Sign-On/two-factor authentication in the browser window that opens, you should be connected to the VPN. Leave open the terminal window in which you ran the openconnect command to maintain the VPN connection.


Disconnecting from the VPN

Disconnecting is pretty simple. When done, press Ctrl-C in the terminal window where OpenConnect is running and allow a few seconds for it to close the connection and return to a terminal prompt.
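A wrapper script that ties the setup and connect steps above together, added here as an example (it is not from the wiki page or the OpenConnect project). It assumes the vpnc-script lives at $HOME/vpnc-script and the device is tun0, as configured on this page, and re-checks each setup step before running the page's openconnect command. Because the sudoers rule runs the vpnc-script as root without a password, it also refuses to proceed if that file is writable by anyone other than its owner.

```shell
#!/bin/bash
# Added example, not part of the wiki page: a wrapper for the openconnect
# command above that re-checks the setup steps before connecting.
# Assumes $HOME/vpnc-script and tun0 as configured on this page (override via env).
set -u

VPN_BASE="https://vpn.vt.edu"
VPNC_SCRIPT="${VPNC_SCRIPT:-$HOME/vpnc-script}"
TUN_DEV="${TUN_DEV:-tun0}"

# Map a realm name to the --server URL; anything else is rejected so a typo
# cannot send the login to an unexpected host.
realm_url() {
    case "$1" in
        VT-Traffic|All-Traffic) printf '%s/%s\n' "$VPN_BASE" "$1" ;;
        *) return 1 ;;
    esac
}

# The sudoers rule runs this file as root without a password, so it must be
# executable and writable only by its owner (mode 744 from the page is fine).
# Parsed from ls -ld (portable): char 6 is group write, char 9 is world write.
script_is_safe() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$perm" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Verify each step of the setup section; reports the first thing that is wrong.
preflight() {
    command -v openconnect >/dev/null || { echo "openconnect not installed" >&2; return 1; }
    script_is_safe "$VPNC_SCRIPT" || { echo "$VPNC_SCRIPT missing, not executable, or writable by others" >&2; return 1; }
    sudo -n -l "$VPNC_SCRIPT" >/dev/null 2>&1 || { echo "no NOPASSWD sudoers rule for $VPNC_SCRIPT" >&2; return 1; }
    [ -d "/sys/class/net/$TUN_DEV" ] || { echo "$TUN_DEV missing: check 90-tun0.netdev and systemd-networkd" >&2; return 1; }
    [ -d /run/vpnc ] || { echo "/run/vpnc missing: check /etc/tmpfiles.d/vpnc.conf" >&2; return 1; }
}

# Connect to a realm with the same command the page gives; Ctrl-C disconnects.
connect() {
    url=$(realm_url "$1") || { echo "realm must be VT-Traffic or All-Traffic" >&2; return 1; }
    preflight || return 1
    openconnect --server="$url" --useragent=AnyConnect \
        -s "sudo -E $VPNC_SCRIPT" --external-browser /usr/bin/firefox -i "$TUN_DEV"
}

# Usage: ./vt-vpn.sh VT-Traffic   (no argument: only define the functions)
[ $# -gt 0 ] && connect "$1"
```

Save it as vt-vpn.sh and call it with the realm name in place of the two long aliases.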

IPsec

See IPsec