Changes


Proxies and VPN

4,668 bytes added, 6 November
no edit summary
'''Removed from the previous revision:'''

Updated as of Summer 2021 (for Debian)
# Install the "openconnect" package
# Run "sudo openconnect --protocol=pulse 'vpn.nis.vt.edu/vttraffic'"
#* If it complains about pulse, then try: "openconnect --protocol=nc 'vpn.nis.vt.edu/vttraffic'"
# At the login prompt, enter your VT PID
# At the password prompt, enter your NETWORK PASSWORD (This is not the same as your VT login password, but a generated one with 16 characters like "ghrt-oiuy-dgfj-lkjl"). To generate one or get a new one you'll have to go to your VT accounts page (found at https://vt4help.service-now.com/sp?id=kb_article&sys_id=5e76ba690f266500d3254b9ce1050eff#networkchange)
# When prompted for password#2, enter the method of 2-Factor authentication you want to use
# Minimize the terminal window or enter ctrl-Z to put the job in the background. If you now enter 'ifconfig' or 'ip add', you will see a new ip address assigned to you

'''Current revision:'''

To connect to Virginia Tech's VPN service you have two options:
# Use the graphical [https://4help.vt.edu/sp?id=kb_article&sysparm_article=KB0016112 Cisco Secure client] offered. To install and use this application see their KB by clicking that link to the left.
# Set up OpenConnect for the CLI option, which is detailed below. (There may be a way to tie this into the Network Manager GUI tool, but I haven't gone that far yet.)

=== OpenConnect Install ===
There is a bug ( ''Cisco Anyconnect STRAP channel bindings with TLSv1.3 (#659)'' ) in the repo versions that prevents OpenConnect from connecting to VT's VPN service. This was fixed in the HEAD branch, but that means we need to build and install it from source.

In the following instructions whenever you see <span style="color:#FF0000">USERNAME</span>, replace this with your Linux system's username. I want to also note that these instructions were tested on Ubuntu Linux with the Firefox browser. If you have something different you may need to modify the below instructions to work with your distro.

'''Build OpenConnect --HEAD from source and configure system'''

Install git if it is not already installed on the system:
<pre>sudo apt-get install git</pre>
Then clone the source code for OpenConnect --HEAD:
<pre>cd $HOME
git clone git://git.infradead.org/users/dwmw2/openconnect.git</pre>
The next step is to install required dependencies, then build and install OpenConnect. The script below handles all those tasks. You can copy the below code into a file and run it as a script, or you can run each command individually in a terminal if you so choose.
<pre>#!/bin/bash
# Install dependencies
sudo apt install \
    build-essential gettext autoconf automake libproxy-dev \
    libxml2-dev libtool vpnc-scripts pkg-config zlib1g-dev \
    libp11-kit-dev libp11-dev libssl-dev

# Build
cd openconnect
./autogen.sh
./configure
make && make check
sudo make install && sudo ldconfig

# Verify
openconnect --version</pre>
Next download the latest vpnc-script for OpenConnect and make it executable:
<pre>cd $HOME
wget https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script
chmod 744 vpnc-script</pre>
The command that gets used to connect to the VPN has one portion that requires the use of sudo for the vpnc-script. The sudo credentials prompt tends to get buried in all of OpenConnect's message output to the terminal window. We can add a line to the sudoers file to avoid getting prompted. Open the sudoers file for editing with the following command:
<pre>sudo visudo</pre>
(or ''sudo vi /etc/sudoers'' if that is your preference)

Now add the following line to the end of the sudoers file to allow the user to run the vpnc-script without being prompted for an admin password:
<code><span style="color:#FF0000">USERNAME</span> ALL=(ALL) NOPASSWD: SETENV: /home/<span style="color:#FF0000">USERNAME</span>/vpnc-script</code>

As the user account does not have permission to create the required /var/run/vpnc directory (and this directory gets deleted every reboot) we need to run the following command to have the system create the directory for us at boot and set proper permissions:
<pre>echo "d /run/vpnc 770 root netdev - -" | sudo tee /etc/tmpfiles.d/vpnc.conf</pre>
Add the user to the groups netdev and kvm so they have proper permissions to access certain files and directories:
<code>sudo usermod -a -G kvm <span style="color:#FF0000">USERNAME</span></code><br /><code>sudo usermod -a -G netdev <span style="color:#FF0000">USERNAME</span></code>

We need to create a TUN/TAP interface device so that it is ready to use by the user and OpenConnect when connecting to the VPN. If we don't do this OpenConnect will fail, as it cannot create this interface for us when it is being run by the non-root user account. We can have the system create a tun interface at boot for us by creating the following file:
<pre>cd /etc/systemd/network/
sudo vi 90-tun0.netdev</pre>
Then add the following to this file:
<code>[NetDev]<br />Name=tun0<br />Kind=tun<br />[TUN]<br />Mode=tun<br />User=<span style="color:#FF0000">USERNAME</span></code>
Now enable the systemd-networkd service:
<pre>sudo systemctl enable systemd-networkd</pre>
And to be safe that everything has taken effect, let's do a ''restart of the system''.

'''Connecting to the Cisco Secure VPN'''

Below are the commands for connecting to the different VPN Realms (VT-Traffic or All-Traffic):

Connect to '''VT-Traffic''':
<code>openconnect --server=<nowiki>https://vpn.vt.edu/VT-Traffic</nowiki> --useragent=AnyConnect -s 'sudo -E /home/<span style="color:#FF0000">USERNAME</span>/vpnc-script' --external-browser /usr/bin/firefox -i tun0</code>

Connect to '''All-Traffic''':
<code>openconnect --server=<nowiki>https://vpn.vt.edu/All-Traffic</nowiki> --useragent=AnyConnect -s 'sudo -E /home/<span style="color:#FF0000">USERNAME</span>/vpnc-script' --external-browser /usr/bin/firefox -i tun0</code>

If you want to make things easier to type each time you connect, add the above commands as shell aliases.

Once you've run the above command and done the Single Sign-On/Two-Factor authentication in the browser window that opens, you should be connected to the VPN. Just leave open the terminal window that you ran the openconnect command in to maintain the VPN connection.

'''Disconnecting from the VPN'''

Disconnecting is pretty simple. When done, use Ctrl-C in the same terminal window that OpenConnect is running in and allow a few seconds for it to close the connection and return to a terminal prompt.
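As an added example that is not part of the wiki page, a pre-flight script that checks the pieces configured above (the 90-tun0.netdev unit, the tmpfiles.d entry, the vpnc-script owner and mode, the sudoers rule, netdev group membership and the tun0 device) before running openconnect as the non-root user; the check_* function names and the file name vpn-preflight.sh are my own, the paths and values are the ones the page uses.

```shell
#!/bin/bash
# Pre-flight check for the non-root OpenConnect setup above. Added example, not from the
# wiki page. File paths and the username are parameters so each check can be pointed at a
# scratch tree; './vpn-preflight.sh run' checks the real locations the page uses.

# The .netdev unit must declare a tun device handed to the non-root user.
check_netdev_unit() {  # $1=unit file  $2=username
    [ -r "$1" ] || return 1
    grep -qx 'Kind=tun' "$1" && grep -qx 'Mode=tun' "$1" && grep -qx "User=$2" "$1"
}

# The tmpfiles.d entry must recreate /run/vpnc at boot as mode 770, root:netdev.
check_tmpfiles_conf() {  # $1=conf file
    [ -r "$1" ] || return 1
    grep -Eq '^d[[:space:]]+/run/vpnc[[:space:]]+0?770[[:space:]]+root[[:space:]]+netdev' "$1"
}

# The sudoers rule runs vpnc-script as root without a password, so the script must be owned
# by the user and writable by nobody else: exactly the page's chmod 744.
check_vpnc_script() {  # $1=script path  $2=expected owner
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U %a' "$1")" = "$2 744" ]
}

# One exact script path, NOPASSWD, and SETENV (needed for the 'sudo -E' in the connect command).
check_sudoers_rule() {  # $1=sudoers file  $2=username  $3=script path
    [ -r "$1" ] || return 1
    grep -Eq "^$2[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*SETENV:[[:space:]]+$3\$" "$1"
}

# Live run against the locations used on this page; prints whatever is still missing.
preflight() {
    local u rc=0; u="$(id -un)"
    check_netdev_unit /etc/systemd/network/90-tun0.netdev "$u" || { echo "90-tun0.netdev missing or not a tun for $u"; rc=1; }
    check_tmpfiles_conf /etc/tmpfiles.d/vpnc.conf || { echo "tmpfiles.d entry for /run/vpnc missing or wrong"; rc=1; }
    check_vpnc_script "$HOME/vpnc-script" "$u" || { echo "$HOME/vpnc-script missing, wrong owner or not mode 744"; rc=1; }
    if [ -r /etc/sudoers ]; then
        check_sudoers_rule /etc/sudoers "$u" "$HOME/vpnc-script" || { echo "sudoers rule for $HOME/vpnc-script missing"; rc=1; }
    else
        echo "note: /etc/sudoers is not readable as $u; re-run as root to verify the sudoers rule"
    fi
    id -nG "$u" | tr ' ' '\n' | grep -qx netdev || { echo "$u is not in group netdev"; rc=1; }
    ip link show tun0 >/dev/null 2>&1 || { echo "tun0 not present: enable systemd-networkd and reboot"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run it as ./vpn-preflight.sh run on the machine after the reboot; each line it prints names the step above to redo.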
==IPsec==