Connecting to UK Campus VPN¶
This document will describe how to connect to the campus Virtual Private Network (VPN) service with a VPN client. It describes several clients, so if one doesn’t work, you can choose another option.
You need to connect to the VPN in order to access many of the CS computers, including all the virtual machines.
Any time you connect to the campus VPN, ALL traffic generated during the connection is tunneled through the University systems. This includes email and web browsing.
Linux VPN clients¶
The Cisco AnyConnect client is the only one officially supported by UK. However, OpenConnect GUI client and VPNC GUI are community developed, they are more stable as well as easier to install and use.
This is the official VPN client from Cisco, it’s a good option to connect to campus since UK uses Cisco VPN appliances (Cisco ASA) for providing VPN services to users. However, in Linux it requires some work to install due to some dependencies that have to be in place first, etc. For a more straighforward install please feel free to use OpenConnect GUI
The program provided here (anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh) is provided by UK ITS on central campus.
Downloading the Cisco AnyConnect client for Linux¶
The software needs to be installed with root privileges, by becoming root using su(1) or running sudo(8).
$ su - # curl -s http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh | /bin/sh
$ sudo curl -s http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh | sudo /bin/sh
Manual downloading and install
On some systems the above commands don’t work as expected, in that case you will need to download the file and install manually
# curl -O http://www.cs.uky.edu/docs/users/vpn/anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh
If your system doesn’t have curl(1), then try to install it, or use wget(1) if available. Once you have the file on your hard drive you can install the software by executing:
# sh anyconnect-linux64-4.5.00058-core-vpn-webdeploy-k9.sh
While the installer is running it shows the following:
Installing Cisco AnyConnect Secure Mobility Client... Extracting installation files to /tmp/vpn.UsNrUc/vpninst015636984.tgz... Unarchiving installation files to /tmp/vpn.UsNrUc...
This will create the directory /opt/anyconnect with the libraries and binaries need to run the VPN client.
The software depends on a few libraries, and not all Linux systems have the necessary ones installed. Execute the following command:
# ldd /opt/cisco/anyconnect/bin/vpnui | grep found
If you don’t get any output at all, you can proceed to the section titled Running the client.
If there is output indicating there are missing libraries on your computer the next step is to locate those libraries and install them to satisfy the loader requirements to run the binary. If nothing is shown on the console then your system has all the libraries and you are ready to run the VPN client.
If your system is missing libraries you will see something similar to this:
libatk-1.0.so.0 => not found libgdk-x11-2.0.so.0 => not found libgtk-x11-2.0.so.0 => not found libpangox-1.0.so.0 => not found libpangoxft-1.0.so.0 => not found
On Debian based Linux distributions (ubuntu, for example), we can use the following command to satisfy the dependencies:
# apt install libatk1.0-0 libgdk-pixbuf2.0-0 libgtk2.0-0 libpangoxft-1.0-0 libpangox-1.0-0
Your machine could have different missing libraries. The previous listing was just an example on a recently installed machine with Ubuntu 18.04.2.
Running the client¶
/opt/cisco/anyconnect/bin/vpnui from the command line to see the
gui of AnyConnect. The server to which you should connect is vpn.uky.edu. Check the below pictures for details.
After you are connected AnyConnect will sit on your system tray where you can right click and view the window or just disconnect from your current vpn session. Additionally you can change some of the settings to change the program behavior. One of the options that could be marked is Allow local (LAN) access when using VPN (if configured), this option will allow you access to your local (home) LAN while at the same time use the default IPv4 route to campus to reach the needed services.
Adding vpnui to your PATH¶
As root (or using sudo(8)) make a symbolic link that makes vpnui available through the PATH environment variable. In this way, any time you need to connect to the VPN just type vpnui on your terminal of choice, or inside the run program dialog box.
# ln -sv /opt/cisco/anyconnect/bin/vpnui /usr/bin/
Or with sudo(8):
$ sudo ln -sv /opt/cisco/anyconnect/bin/vpnui /usr/bin/
If all of the above failed, most likely your system doesn’t meet all the requirements to run the program (missing libraries, etc).
Make sure that /opt/cisco/anyconnect/bin/vpnagentd is running. Under a normal ubuntu 18.04 install the systemd(1) service unit, vpnagentd, is installed and executed:
# systemctl status vpnagentd.service ● vpnagentd.service - LSB: Cisco AnyConnect Secure Mobility Client for Linux Loaded: loaded (/etc/init.d/vpnagentd; generated) Active: active (running) since Wed 2019-05-08 13:38:40 EDT; 2h 52min ago Docs: man:systemd-sysv-generator(8) Process: 26328 ExecStart=/etc/init.d/vpnagentd start (code=exited, status=0/SUCCESS) Tasks: 3 (limit: 4915) CGroup: /system.slice/vpnagentd.service └─26355 /opt/cisco/anyconnect/bin/vpnagentd May 08 13:55:02 leal acvpnagent: Function: getHostIPAddrByName File: ../../vpn/Common/IPC/SocketSupport.cpp Line: 323 Invoked Function: ::getaddrinfo May 08 13:55:02 leal acvpnagent: Function: resolveHostName File: ../../vpn/Common/Utility/HostLocator.cpp Line: 730 Invoked Function: CSocketSupport:: May 08 13:55:02 leal acvpnagent: Function: ResolveHostname File: ../../vpn/Common/Utility/HostLocator.cpp Line: 839 Invoked Function: CHostLocator::re May 08 13:55:02 leal acvpnagent: Function: logResolutionResult File: ../../vpn/Common/Utility/HostLocator.cpp Line: 913 Host vpn.uky.edu has been reso May 08 13:55:02 leal acvpnagent: Writing to hosts file: 220.127.116.11 vpn.uky.edu ###Cisco AnyConnect VPN client modified this file. Please do May 08 13:55:02 leal acvpnagent: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 5327 The requested VPN connection t May 08 13:55:08 leal acvpnagent: Function: internalReadSocket File: ../../vpn/Common/IPC/UdpTcpTransports_unix.cpp Line: 504 Invoked Function: ::read
You could also try another VPN open source client, described below.
OpenConnect can typically be installed via your package management software. On Debian/Ubuntu this command will install the package (as root you may omit ‘sudo’):
sudo apt install openconnect
sudo packman -S openconnect
For RedHat based systems:
sudo yum install epel-release sudo yum install NetworkManager-openconnect
For other platforms and more instruction on installing and using see the OpenConnect website
To connect to the VPN run the following, as root:
sudo openconnect vpn.uky.edu
Occasionally you may encounter errors during the intial connect attempt. Ctrl-C to abort the connection and try to connect again.
There is a package available for NetworkManager (default network setup for
Ubuntu Desktop) named
network-manager-openconnect that adds GUI support
for connecting to the VPN. Install the package, as root you may omit ‘sudo’:
sudo apt install network-manager-openconnect
If you are running the GNOME desktop environment, also run:
sudo apt install network-manager-openconnect-gnome
KDE also has a package available named
has not been tested but may work for users of the KDE desktop
enviornment. If you decide to use this resource, the
network-manager-openconnect and openconnect (and/or the VPNC
equivalent) packages may not be installed automattically.
You will now find the ability to add the VPN connection in the network settings
application. This can be accessed by opening
System Tools > Settings as well
as clicking on the far right side of the GNOME panel then clicking the crossed
screwdriver and wrench icon, newer versions of Ubuntu have replaced this icon
with a gear.
Select “Network” and click the plus sign on the right side of the VPN section.
Select “Cisco AnyConnect Compatible VPN (openconnect)” to create the new VPN connection.
In the Add VPN dialog box, enter a name you like for the connection and vpn.uky.edu in Gateway, leave all other blanks as default. Click save.
To connect to the VPN, click on the far right side of the GNOME panel and select VPN > Connect. You can also open the network settings again and toggle the switch next to the VPN connection.
A new window will open once connected, prompting for credentials. Use your LinkBlue ID (without @uky.edu) and password.
You can tell the VPN is active by the VPN icon on the GNOME panel. Older versions show a padlock while newer versions show a “VPN” icon.
To disconnect, click on the right side of the GNOME panel then click on the VPN connection and select “Turn Off”
Like Openconnect, VPNC also can typically be installed via your package management software. On Debian/Ubuntu this command will install the package (the root user can omit sudo in the following instructions):
sudo apt install vpnc
For other platforms and more instruction on installing and using see the
VPNC maintainer website.
Once installed run
man vpnc and
vpnc -h for further instructions.
Running VPNC from the command line (or by scripts) is slightly different than OpenConnect. You can either run the command by itself and interactively provide the necessary information for the connection or you can create a configuration file with the needed information.
Running the command by itself from the command line either as root or using sudo, it will look for configuration files /etc/vpnc.conf or /etc/vpnc/default.conf. If it does not find the files, VPNC will default to interactive mode.
An example of an interactive session is as follows:
$ sudo vpnc Enter IPSec gateway address: vpn.uky.edu Enter IPSec ID for vpn.uky.edu: ukyedu Enter IPSec secret for firstname.lastname@example.org: Enter username for vpn.uky.edu: LinkBlueID Enter password for LinkBlueID@vpn.uky.edu: VPNC started in background (pid: 6230)... $
The configuration file is in the general format of the above session. Here is an example of /etc/vpnc/default.conf that will connect to the UK VPN with a username of “LinkBlueID”:
#/etc/vpnc/default.conf IPSec gateway vpn.uky.edu IPSec ID ukyedu IPSec secret ukyedu Xauth username <LinkBlueID>
Edit the file with your favorite editor add the above contents, replacing
<LInkBlueID> with your own LinkBlue ID and save it. Comments are desgnated by
the # symbol. Since the password information is not included in the file,
running vpnc with the above config file via
sudo vpnc will trigger a prompt
for your LinkBlue password.
There may be the need for you to store your LinkBlue password in the configuration file, either for running a script or some other reason.In this case you should run the following two commands so it is not readable by anyone other than a superuser:
sudo chown root:root /etc/vpnc/default.conf sudo chmod 600 /etc/vpnc/default.conf
To end the VPN session, run the following:
It is possible to have multiple configuration files for
must be stored in
/etc/vpnc/ and have .conf as a file extension.
For example, say you have created
/etc/vpnc/ukvpn.conf. You would
sudo vpnc ukvpn.conf to use that config and connect to the
Putting your LinkBlueID and password in a text file is an insecure practice. Anyone with admin privilages will be able to read the file and gain access to your UK account.
Like OpenConnect there is a package available for GNOME (NetworkManager)
network-manager-vpnc adding GUI support for VPN connections. Install
the package by running the following, as root you can omit ‘sudo’:
sudo apt install vpnc vpnc-scripts network-manager-vpnc network-manager-vpnc-gnome
The procedure for connecting to the VPN is almost identical to the OpenConnect method above. The only difference is the name of the type of connection and some additional information needed to create the connection.
Follow the OpenConnect GUI steps above. When you click on the plus sign to add the connections, select “Cisco Compatible VPN (vpnc)”
The settings window will require you to enter information for the “Group Name” and “Group Password”, both are ukyedu. In order to save the passwords for the Group and User you will need to click on the “? in a circle” and select “Store the password only for this user” radio button.
Connecting and Disconnecting from the VPN is identical to the OpenConnect method above.
MacOS VPN Client¶
Connecting via MacOS is quite easy using the AnyConnect client. The client is available from the UK VPN website. Enter your LinkBlue credentials to login.
Click on “Start AnyConnect” and the website will attempt to start a web-based java VPN connection, it will fail and provide the below “AnyConnect VPN” link, click the link to download the dmg file.
Use the DiskImagesMounter to mount the dmg file and double click on the newly mounted drive.
A new window will open with the AnyConnect package.
Double- click to start the installer.
Connect to the VPN by running the client. Be sure to type vpn.uky.edu in the blank, you will only need to do this the first time you connect.
If for some reason the download of the VPN client takes a long time you can use the following local copy AnyConnect 4.8.00175
Make sure before installing that the checksum is valid against the original checksum. You can obtain the checksum from a terminal window by typing: shasum -a 256 anyconnect-macos-4.8.00175-core-vpn-webdeploy-k9.dmg
The output of the previous command must be the same as the following:
Windows VPN Client¶
The College of Arts and Sciences has an in depth guide on installing the VPN. It can be found here https://www.as.uky.edu/tutorials/downloading-installing-and-using-campus-vpn-client-windows