Connecting to UK Campus VPN

This document describes how to connect to the campus VPN service with a VPN client. Several clients are described, so if one doesn’t work for some reason you have other options to choose from.

Warning

Any time you connect to the campus VPN, ALL traffic generated during the connection will be tunneled through the University systems. This includes email and web browsing.

Linux VPN clients

Attention

The Cisco AnyConnect client is the only one officially supported by UK. However, the OpenConnect GUI client and VPNC GUI, which are community developed, are more stable as well as easier to install and use.

Cisco AnyConnect

This is the official VPN client from Cisco. It’s a good option for connecting to campus, since UK uses Cisco VPN appliances (Cisco ASA) to provide VPN services to users.

The installer offered here (anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh) is provided by UK ITS on central campus.

Downloading the Cisco AnyConnect client for Linux

The software needs to be installed with root privileges, by becoming root using su(1) or running sudo(8).

with su:

$ su -
# curl -s http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh | /bin/sh

with sudo:

$ sudo curl -s http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh | sudo /bin/sh

Manual downloading and install

On some systems the above commands don’t work as expected. In that case you will need to download the file and install it manually:

# curl -O http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh

If your system doesn’t have curl(1), then try to install it, or use wget(1) if available. Once you have the file on your hard drive you can install the software by executing:

# sh anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh

While the installer is running it shows the following:

Installing Cisco AnyConnect Secure Mobility Client...
Extracting installation files to /tmp/vpn.UsNrUc/vpninst015636984.tgz...
Unarchiving installation files to /tmp/vpn.UsNrUc...

This will create the directory /opt/cisco/anyconnect with the libraries and binaries needed to run the VPN client.
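
The download URL above is plain HTTP, so nothing in the transfer authenticates the installer that then runs as root. The following added example (not part of the original page or of UK's own tooling) downloads the file and runs it only if its SHA-256 matches a digest obtained separately from UK ITS. The function names and the EXPECTED_SHA256 placeholder are assumptions, since this page publishes no checksum.

```shell
#!/bin/sh
# Added example: verify the AnyConnect installer before running it as root.
INSTALLER=anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh
URL=http://www.cs.uky.edu/docs/users/vpn/$INSTALLER
# Placeholder: this page publishes no digest; obtain it from UK ITS out of band.
EXPECTED_SHA256="REPLACE_WITH_SHA256_FROM_UK_ITS"

# verify_installer FILE EXPECTED_HEX
# Returns 0 only if FILE exists, is non-empty, and hashes to EXPECTED_HEX.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    # A SHA-256 digest is exactly 64 hex characters; reject anything else,
    # including the unfilled placeholder.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
}

# fetch_and_install: download to a private temp dir, verify, then run.
# -f makes curl fail on HTTP errors instead of saving an error page.
fetch_and_install() {
    workdir=$(mktemp -d) || return 1
    curl -fsS -o "$workdir/$INSTALLER" "$URL" &&
        verify_installer "$workdir/$INSTALLER" "$EXPECTED_SHA256" &&
        sh "$workdir/$INSTALLER"
    status=$?
    rm -rf "$workdir"
    return $status
}

# Run as root:  fetch_and_install
```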

Missing libraries

The software depends on a few libraries, and not all Linux systems have the necessary ones installed. Execute the following command:

# ldd /opt/cisco/anyconnect/bin/vpnui | grep found

If you don’t get any output at all, you can proceed to the section titled Running the client.

If there is output indicating that libraries are missing on your computer, the next step is to locate those libraries and install them so the loader can run the binary.

If your system is missing libraries you will see something similar to this:

libatk-1.0.so.0 => not found
libgdk-x11-2.0.so.0 => not found
libgtk-x11-2.0.so.0 => not found
libpangox-1.0.so.0 => not found
libpangoxft-1.0.so.0 => not found

On Debian-based Linux distributions (Ubuntu, for example), the following command satisfies the dependencies:

# apt install libatk1.0-0 libgdk-pixbuf2.0-0 libgtk2.0-0 libpangoxft-1.0-0 libpangox-1.0-0

Note

Your machine could have different missing libraries. The previous listing was just an example on a recently installed machine with Ubuntu 18.04.2.

Running the client

Run /opt/cisco/anyconnect/bin/vpnui from the command line to open the AnyConnect GUI. The server to which you should connect is vpn.uky.edu. See the figures below for details.

[Figure: Connection - Server name]

[Figure: Authentication - Use your LinkBlue credentials]

[Figure: Initial connection statistics]

[Figure: Advanced connection statistics]

After you are connected, AnyConnect will sit in your system tray, where you can right-click to view the window or disconnect from your current VPN session. You can also change some of the settings to alter the program's behavior. One option you can enable is Allow local (LAN) access when using VPN (if configured). This option lets you reach your local (home) LAN while still using the default IPv4 route to campus to reach the needed services.

Adding vpnui to your PATH

As root (or using sudo(8)) make a symbolic link that makes vpnui available through the PATH environment variable. In this way, any time you need to connect to the VPN just type vpnui on your terminal of choice, or inside the run program dialog box.

As root:

# ln -sv /opt/cisco/anyconnect/bin/vpnui /usr/bin/

Or with sudo(8):

$ sudo ln -sv /opt/cisco/anyconnect/bin/vpnui /usr/bin/

Troubleshooting

If all of the above failed, most likely your system doesn’t meet all the requirements to run the program (missing libraries, etc).

Make sure that /opt/cisco/anyconnect/bin/vpnagentd is running. Under a normal Ubuntu 18.04 install, the systemd(1) service unit vpnagentd is installed and started:

# systemctl status vpnagentd.service

 ● vpnagentd.service - LSB: Cisco AnyConnect Secure Mobility Client for Linux
    Loaded: loaded (/etc/init.d/vpnagentd; generated)
    Active: active (running) since Wed 2019-05-08 13:38:40 EDT; 2h 52min ago
      Docs: man:systemd-sysv-generator(8)
   Process: 26328 ExecStart=/etc/init.d/vpnagentd start (code=exited, status=0/SUCCESS)
     Tasks: 3 (limit: 4915)
    CGroup: /system.slice/vpnagentd.service
            └─26355 /opt/cisco/anyconnect/bin/vpnagentd

 May 08 13:55:02 leal acvpnagent[26355]: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 323 Invoked Function: ::getaddrinfo
 May 08 13:55:02 leal acvpnagent[26355]: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport::
 May 08 13:55:02 leal acvpnagent[26355]: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::re
 May 08 13:55:02 leal acvpnagent[26355]: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host vpn.uky.edu has been reso
 May 08 13:55:02 leal acvpnagent[26355]: Writing to hosts file:  128.163.55.43        vpn.uky.edu ###Cisco AnyConnect VPN client modified this file. Please do
 May 08 13:55:02 leal acvpnagent[26355]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 5327 The requested VPN connection t
 May 08 13:55:08 leal acvpnagent[26355]: Function: internalReadSocket File: ../../vpn/Common/IPC/UdpTcpTransports_unix.cpp Line: 504 Invoked Function: ::read

You could also try another open source VPN client, described below.

OpenConnect

OpenConnect can typically be installed via your package management software. On Debian/Ubuntu this command will install the package (as root you may omit ‘sudo’):

sudo apt install openconnect

On Arch:

sudo pacman -S openconnect

For RedHat based systems:

sudo yum install epel-release
sudo yum install NetworkManager-openconnect

For other platforms, and for more instructions on installing and using it, see the OpenConnect website.

To connect to the VPN run the following, as root:

sudo openconnect vpn.uky.edu

Note

Occasionally you may encounter errors during the initial connection attempt. Press Ctrl-C to abort the connection and try to connect again.

OpenConnect GUI

There is a package available for NetworkManager (the default network setup for Ubuntu Desktop) named network-manager-openconnect that adds GUI support for connecting to the VPN. Install the package (as root you may omit ‘sudo’):

sudo apt install network-manager-openconnect

If you are running the GNOME desktop environment, also run:

sudo apt install network-manager-openconnect-gnome

Note

KDE also has a package available named kvpnc. It has not been tested but may work for users of the KDE desktop environment. If you decide to use this resource, the network-manager-openconnect and openconnect (and/or the VPNC equivalent) packages may not be installed automatically.

You will now find the ability to add the VPN connection in the network settings application. This can be accessed by opening System Tools > Settings, or by clicking on the far right side of the GNOME panel and then clicking the crossed screwdriver and wrench icon. Newer versions of Ubuntu have replaced this icon with a gear.

[Figure: Pre Ubuntu 19.04 icon]

[Figure: Ubuntu 19.04 icon]

Select “Network” and click the plus sign on the right side of the VPN section.

[Figure: System Settings -> Network Settings]

Select “Cisco AnyConnect Compatible VPN (openconnect)” to create the new VPN connection.

[Figure: Add AnyConnect VPN]

In the Add VPN dialog box, enter a name you like for the connection and vpn.uky.edu in Gateway, and leave all other fields at their defaults. Click Save.

[Figure: VPN Settings]

To connect to the VPN, click on the far right side of the GNOME panel and select VPN > Connect. You can also open the network settings again and toggle the switch next to the VPN connection.

[Figure: On/Off VPN]

A new window will open once connected, prompting for credentials. Use your LinkBlue ID (without @uky.edu) and password.

[Figure: Credentials]

You can tell the VPN is active by the VPN icon on the GNOME panel. Older versions show a padlock while newer versions show a “VPN” icon.

[Figure: VPN status]

To disconnect, click on the right side of the GNOME panel, then click on the VPN connection and select “Turn Off”.

[Figure: Disconnect]

VPNC

Like OpenConnect, VPNC can typically be installed via your package management software. On Debian/Ubuntu this command will install the package (the root user can omit sudo in the following instructions):

sudo apt install vpnc

For other platforms and more instructions on installing and using it, see the VPNC maintainer website. Once installed, run man vpnc and vpnc -h for further instructions.

Running VPNC from the command line (or from scripts) is slightly different than OpenConnect. You can either run the command by itself and interactively provide the necessary information for the connection, or you can create a configuration file with the needed information.

When you run the command by itself from the command line, either as root or using sudo, it looks for the configuration files /etc/vpnc.conf or /etc/vpnc/default.conf. If it does not find them, VPNC defaults to interactive mode.

An example of an interactive session is as follows:

$ sudo vpnc
Enter IPSec gateway address: vpn.uky.edu
Enter IPSec ID for vpn.uky.edu: ukyedu
Enter IPSec secret for ukyedu@vpn.uky.edu:
Enter username for vpn.uky.edu: LinkBlueID
Enter password for LinkBlueID@vpn.uky.edu:
VPNC started in background (pid: 6230)...
$

The configuration file is in the general format of the above session. Here is an example of /etc/vpnc/default.conf that will connect to the UK VPN with a username of “LinkBlueID”:

#/etc/vpnc/default.conf
IPSec gateway vpn.uky.edu
IPSec ID ukyedu
IPSec secret ukyedu
Xauth username <LinkBlueID>

Edit the file with your favorite editor, add the above contents, replacing <LinkBlueID> with your own LinkBlue ID, and save it. Comments are designated by the # symbol. Since the password is not included in the file, running vpnc with the above config file via sudo vpnc will trigger a prompt for your LinkBlue password.

There may be a need to store your LinkBlue password in the configuration file, either for running a script or for some other reason. In this case you should run the following two commands so the file is not readable by anyone other than a superuser:

sudo chown root:root /etc/vpnc/default.conf
sudo chmod 600 /etc/vpnc/default.conf
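
To confirm that protection is in place on every vpnc configuration that stores a password, the following added example (not part of the original page) lists any .conf file that contains an Xauth password line but is not owned by uid 0 or is accessible to group or others. The function name and its arguments are illustrative, and it assumes GNU stat(1).

```shell
#!/bin/sh
# Added example: list vpnc configs that store a password without the
# root-only protection applied by the chown/chmod commands above.

# audit_vpnc_confs [DIR] [OWNER_UID]
# DIR defaults to /etc/vpnc, OWNER_UID to 0 (root). Requires GNU stat(1).
# Prints one line per offending file; returns 1 if any was found.
audit_vpnc_confs() {
    dir=${1:-/etc/vpnc}
    want_uid=${2:-0}
    rc=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Only files with a stored "Xauth password" line matter here;
        # configs without one prompt for the password at connect time.
        grep -qiE '^[[:space:]]*Xauth[[:space:]]+password[[:space:]]' "$conf" ||
            continue
        mode=$(stat -c '%a' "$conf")
        uid=$(stat -c '%u' "$conf")
        problem=
        # Any non-zero group/other digit means someone besides the owner
        # has access (600 and 400 pass, 640 and 644 do not).
        case $mode in
            0|*00) ;;
            *) problem="mode $mode" ;;
        esac
        [ "$uid" = "$want_uid" ] || problem="${problem:+$problem, }owner uid $uid"
        if [ -n "$problem" ]; then
            echo "$conf: $problem"
            rc=1
        fi
    done
    return $rc
}

# Run as root so unreadable files can still be inspected:  audit_vpnc_confs
```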

To end the VPN session, run the following:

sudo vpnc-disconnect

Note

It is possible to have multiple configuration files for vpnc. They must be stored in /etc/vpnc/ and have .conf as a file extension. For example, say you have created /etc/vpnc/ukvpn.conf. You would run sudo vpnc ukvpn.conf to use that config and connect to the UK VPN concentrator.

Warning

Putting your LinkBlueID and password in a text file is an insecure practice. Anyone with admin privileges will be able to read the file and gain access to your UK account.

VPNC GUI

Like OpenConnect, there is a package available for GNOME (NetworkManager) named network-manager-vpnc that adds GUI support for VPN connections. Install the package by running the following (as root you can omit ‘sudo’):

sudo apt install vpnc vpnc-scripts network-manager-vpnc network-manager-vpnc-gnome

The procedure for connecting to the VPN is almost identical to the OpenConnect method above. The only difference is the name of the type of connection and some additional information needed to create the connection.

Follow the OpenConnect GUI steps above. When you click on the plus sign to add the connection, select “Cisco Compatible VPN (vpnc)”.

[Figure: Adding a VPNC VPN connection]

The settings window will require you to enter information for the “Group Name” and “Group Password”; both are ukyedu. In order to save the passwords for the Group and User you will need to click on the “? in a circle” and select the “Store the password only for this user” radio button.

[Figure: VPNC Settings]

Connecting and Disconnecting from the VPN is identical to the OpenConnect method above.


MacOS VPN Client

Connecting via MacOS is quite easy using the AnyConnect client. The client is available from the UK VPN website. Enter your LinkBlue credentials to login.

Click on “Start AnyConnect” and the website will attempt to start a web-based Java VPN connection. It will fail and provide an “AnyConnect VPN” link; click the link to download the dmg file.

Use DiskImageMounter to mount the dmg file and double-click on the newly mounted drive.

[Figure: DiskImageMounter]

A new window will open with the AnyConnect package.

[Figure: Package]

Double-click to start the installer.

[Figure: Installer]

Connect to the VPN by running the client. Be sure to type vpn.uky.edu in the blank; you will only need to do this the first time you connect.

[Figure: Connect]

Windows VPN Client

The College of Arts and Sciences has an in-depth guide on installing the VPN. It can be found here: https://www.as.uky.edu/tutorials/downloading-installing-and-using-campus-vpn-client-windows