University Computing Service

Accessing the University of Cambridge VPDN Service using Linux/Mac OS X/Unix

NOTE: The service is called University of Cambridge VPDN Service but this is non-standard nomenclature so whenever you read VPDN, translate it in your mind to VPN.

What is the University of Cambridge VPDN Service?

This service is a Virtual Private Network (VPN) and it provides an encrypted connection via an external ISP to facilities that are restricted to computers on the CUDN (cam-only facilities).

For further details, see the University of Cambridge VPDN Service web site.

Obtaining the VPN Client

The VPN client was originally written by Maurice Massar and is published under the GPL. For more information, visit the VPN client home page.

We (Unix Support) have modified the original VPN client distribution, and this document assumes that you are using our modified version to access the University of Cambridge VPDN Service.

Linux

If you have an RPM based Linux distribution such as SuSE, Fedora, Red Hat, or Mandrake Linux, you can use our binary rpms. You can download the binary rpm for SuSE 10.3 or, if you prefer to compile your own rpm, you can use our source rpm.

If your Linux distribution is not RPM based, you need to download our source archive. Examples of such distributions are Debian, Gentoo, and Slackware.

Mac OS X

If you are using Mac OS X Leopard (10.5.x), SnowLeopard (10.6.x), or Lion (10.7.x) you can use our binary installer packages, which include vpnc as well as all required libraries in an easy to use installer package. You can download the Leopard installer package and the SnowLeopard/Lion installer package. If you are using Lion and your Mac is running a 64-bit kernel, you also need to install the 64-bit compatible tunnel driver package. Make sure you install the vpnc package BEFORE the updated tunnel package. When you launch the tunnel package installer, click on "Customize" and unselect "Ethertap kernel extension" and "TunTap Startup Item", so that the only item selected is "IP Tunnel kernel extension". Then click "Install"; when it has finished you will need to reboot before the driver starts working.

If you are using Mac OS X Tiger you will need to compile and install your own vpnc client and required libraries.

*BSD/Solaris/Other Unix Flavours

You will need to get the source archive if you want to use a different Unix flavour such as NetBSD, FreeBSD, or Solaris 7.

Requirements

Note: This section does not apply to Mac OS X so you can skip ahead to the next section.

You already need to have an internet connection setup on the computer on which you are going to setup the VPN client.

You need to have installed the libgcrypt library (the current version of the VPN client requires libgcrypt version 1.1.90 or higher) as well as the iproute or iproute2 package. Both SuSE and Fedora supply libgcrypt and should have the iproute2 package installed by default.

Note, libgcrypt also requires libgpg-error so if you have to install libgcrypt chances are you will also need to install libgpg-error.

If you are using a non-RPM based distribution such as Debian, you can get the source code for libgcrypt and libgpg-error and compile it yourself, or you can install the packages provided by your distribution. If you managed to install Debian you probably know how to do that, so I will spare you the details.

You need to have ip forwarding enabled. How this is done is heavily dependent on your Linux distribution, so the vpnc-connect script will enable it for you if it detects that it is disabled. Note that this will only be effective until you next reboot (or disable it manually), but when you run vpnc-connect after a reboot it will re-enable ip forwarding.

If you are using a home-grown Linux kernel, you need to make sure that you have enabled Universal TUN/TAP device driver support in the kernel configuration. (This is the CONFIG_TUN option in .config.) If you configured tun support as a module, you need to modprobe tun as root to load the module.

You need the /dev/net/tun character special file to exist. On most modern Linux distributions this already exists and you do not need to worry about it but if you are on a Debian system or simply do not have /dev/net/tun you can create it with the command mknod /dev/net/tun c 10 200. (Note, you need to be root to be able to do this.)

Finally, vpnc now automatically modifies the DNS servers after connection to the Cambridge ones and then restores your old settings when you disconnect so you no longer need to modify /etc/resolv.conf yourself.
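The Linux requirements above (ip forwarding, the tun driver, the /dev/net/tun node, and libgcrypt) can be checked before running vpnc-connect. The following pre-flight script is an added example, not part of this page or of the vpnc distribution: each check takes the file it inspects as a parameter (the real locations are the defaults used by preflight), so the checks can also be exercised against constructed files, and the remedy printed for each failure is the one given in the text.

```shell
#!/bin/sh
# Added pre-flight check for the Linux requirements listed above. Not part of
# the original page or of vpnc. Paths are parameters so the checks can be run
# against constructed files as well as the live system.

# True if the ip_forward sysctl file ($1, normally
# /proc/sys/net/ipv4/ip_forward) reads "1".
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# True if the tun driver is usable: loaded as a module (a "tun" entry in the
# modules list $1, normally /proc/modules) or built into the kernel (the
# sysfs directory $2, normally /sys/module/tun, exists).
tun_driver_ok() {
    grep -q '^tun ' "$1" 2>/dev/null || [ -d "$2" ]
}

# True if $1 (normally /dev/net/tun) exists and is a character special file.
tun_node_ok() {
    [ -c "$1" ]
}

# True if a shared libgcrypt is visible to the dynamic linker. The "ldconfig -p"
# listing is read from stdin so that a constructed listing can be fed in.
libgcrypt_present() {
    grep -q 'libgcrypt\.so'
}

# Run every check against the live system and print the page's remedy for
# each one that fails. Returns the number of failed checks.
preflight() {
    fails=0
    ip_forward_enabled /proc/sys/net/ipv4/ip_forward || {
        echo "ip forwarding is off (vpnc-connect enables it; or run: sysctl -w net.ipv4.ip_forward=1)"
        fails=$((fails + 1)); }
    tun_driver_ok /proc/modules /sys/module/tun || {
        echo "tun driver not available: modprobe tun (or build the kernel with CONFIG_TUN)"
        fails=$((fails + 1)); }
    tun_node_ok /dev/net/tun || {
        echo "/dev/net/tun missing: mknod /dev/net/tun c 10 200 (as root)"
        fails=$((fails + 1)); }
    ldconfig -p 2>/dev/null | libgcrypt_present || {
        echo "libgcrypt not found by the dynamic linker (install libgcrypt and libgpg-error)"
        fails=$((fails + 1)); }
    return "$fails"
}

# Only run the live checks when invoked as "sh preflight.sh check", so that
# sourcing this file for its functions has no side effects.
case "${1:-}" in check) preflight ;; esac
```

Run it as root with the argument check; a zero exit status means all four requirements are met, and any other value is the number of items still to fix.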

Limitations

The shared group secret used by the University of Cambridge VPDN Cisco Service means that the VPN is not quite as secure as one might desire. For details, see http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml.

Installing the VPN Client

Linux Using RPMs

Note: You need to become the root user for this. (Use the su command for example to do so.)

If you are using our binary rpm or you have built your own binary rpm, simply use the command rpm -Uvh vpnc-0.5.2-svn.r340.ucs.2.i586.rpm to install it and proceed to the next section.

If you want to compile your own binary rpm from our source rpm, use the command rpmbuild --rebuild vpnc-0.5.2-svn.r340.ucs.2.src.rpm. You can then install it as described above and proceed to the next section. Note that if you built your own RPM on a non-SuSE Linux system, the file name might end differently, for example .i386.rpm, .x86_64.rpm, etc.

Linux/*BSD/Solaris/Other Unix Flavours Using Source Archive (for Mac OS X see below)

If you are using the source archive, unpack the downloaded archive using for example tar xvjf vpnc-0.5.2-svn.r340.ucs.2.tar.bz2. Then, change into the created directory cd vpnc-0.5.2 and run make followed by sudo make install. This should build and then install the client.

Mac OS X Leopard/SnowLeopard Using Our Installer

When you download the installer package it will automatically launch the installation. If you stopped it or it did not launch because you obtained it in some other way, simply double click on the installer package to launch the installation, then follow the simple on-screen instructions to install vpnc and all required libraries as well as the needed TUN driver.

Mac OS X Using Source Archive

This is unfortunately a little involved as vpnc requires a lot of libraries to be installed before vpnc can be built/used.

First of all you need to install the compiler and related utilities. To do this you need to install the Xcode Tools.

You can either download them from Apple or you can find them on the Mac OS X Leopard installation DVD (it is under "Optional Installs", then "Xcode Tools", then double click on the "XcodeTools.mpkg" icon) or the Mac OS X Tiger "Mac OS X Xcode Tools" CD (double click on the "XcodeTools.mpkg").

Then you need to install the MacPorts installer (simply download the latest version and install it). If you do not know what MacPorts is then look at the MacPorts website.

Then you need to install the needed libraries for vpnc which you do by opening a Terminal and running:

sudo port selfupdate
sudo port install libgcrypt

As long as this all succeeds, which it hopefully will, you will now have all the needed libraries installed on your Mac.

Now you need to install the TUN driver for Mac OS X as Apple do not include one with Mac OS X.

Start by downloading the TUN/TAP driver (choose the latest available version).

For Leopard, SnowLeopard, and Tiger you can download the binary packages and follow the instructions provided with them to install them.

Finally it is time to install vpnc itself.

You need to download the source archive.

Then unpack the downloaded archive using for example tar xvjf vpnc-0.5.2-svn.r340.ucs.2.tar.bz2. Then, change into the created directory cd vpnc-0.5.2 and run make followed by sudo make install. This should build and then install the client. You will then need to restart the Terminal application so that the modifications to your path can take effect.

Setting up the VPN Client for the University of Cambridge VPDN Service

On Linux/*BSD/Solaris/Other Unix flavours run the command vpnc-setup (you need to be the root user to do this). On Mac OS X run sudo vpnc-setup. You will be asked some questions to which you need to reply.

Note for sudo to work on Mac OS X your user must be allowed to administer the Mac and your user must have a password set. If you do not have a password set then use the passwd command to set a password. When asked for the old password simply press enter, then when asked type in a password and make sure that you remember what it is, then when asked type the new password again.

When you use sudo it will ask you for your user password for your Mac. If you do not want to have to type this in, run the following command, which configures sudo so that your account can run any command as root without being asked for a password:

printf "%s\tALL=(ALL) NOPASSWD: ALL\n" $(id -u -n) | sudo tee -a /etc/sudoers

Here is an example run of vpnc-setup.

VPN/IPSec gateway [vpdn-access-cisco.csx.cam.ac.uk]:
VPN/IPSec group id [default]:
VPN/IPSec group shared secret []: SHARED_SECRET
VPN/Xauth username []: VPN_USERNAME
Would you like to store your VPN password in the config file? (yes/[no]): yes
VPN/Xauth password []: VPN_PASSWORD
VPN client config file updated successfully.

You can simply press the return key when asked for the VPN/IPSec server and the VPN/IPSec group ID as the correct defaults are already setup for you. Also, when entering the group shared secret and your password, what you are typing is not going to be displayed so that no one can look over your shoulder while you are typing it in.

You can answer in the same way as in the example above but you need to replace the SHARED_SECRET, VPN_USERNAME, and VPN_PASSWORD as will be described below.

Note, that if you choose to store your VPN password in the config file, your password will be stored in clear text in the VPN config file /etc/vpnc/default.conf which is a security risk. If you would prefer your password not to be stored there, simply answer no (or just press return) when you are asked the question Would you like to store your VPN password in the config file?. You will then be prompted for your password every time you connect.
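Whether the password was stored, and whether /etc/vpnc/default.conf can be read by anyone other than root, can be checked after running vpnc-setup. The script below is an added example and is not part of this page or of vpnc; it relies on the key names of vpnc's own configuration file format ("Xauth password" for the stored password), and the config path and the sample file contents used in its test are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of vpnc: audits the config
# file written by vpnc-setup for the clear-text password risk noted above.
# The key name "Xauth password" is vpnc's own; the default path is assumed.

# True if the config file $1 stores the Xauth password in clear text.
password_stored() {
    grep -q '^Xauth password ' "$1" 2>/dev/null
}

# True if the config file $1 is readable only by its owner, i.e. the group and
# other permission bits (characters 5-10 of the "ls -l" mode string) are "-".
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Classify the risk for config file $1:
#   0 = no password stored, or it is stored in an owner-only file
#   1 = password stored in a file readable by group or others
#   2 = file missing or unreadable
audit_config() {
    [ -r "$1" ] || return 2
    if password_stored "$1" && ! owner_only "$1"; then
        return 1
    fi
    return 0
}

# Fix the permission problem in place: restrict $1 to its owner (root).
restrict_config() {
    chmod 600 "$1" && owner_only "$1"
}

# "sh audit-vpnc.sh audit" reports on the live config; no arguments does nothing.
case "${1:-}" in
    audit)
        rc=0
        audit_config /etc/vpnc/default.conf || rc=$?
        case "$rc" in
            0) echo "ok: no clear-text password, or file is owner-only" ;;
            1) echo "password stored in a group/world-readable file; run: chmod 600 /etc/vpnc/default.conf" ;;
            2) echo "/etc/vpnc/default.conf not found or not readable (run vpnc-setup first)" ;;
        esac ;;
esac
```

Restricting the file to root does not remove the clear-text password; it only narrows who can read it. Answering no to the vpnc-setup question remains the stronger option.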

What to use for VPN_USERNAME and VPN_PASSWORD

After applying for the Cambridge University VPDN Service you will receive a letter with the username and password that allow you to connect to the service.

If you have not applied yet, you can apply online (you can also apply in person at the Computing Service Reception).

The username, which is normally your CRSID, is what you need to use for VPN_USERNAME.

The password is what you need to use for VPN_PASSWORD.

What to use for SHARED_SECRET

Establish an ssh connection to vpdn-admin.csx.cam.ac.uk and login as vpdn. For example run ssh -x vpdn@vpdn-admin.csx.cam.ac.uk. (Note the current RSA key fingerprint for vpdn-admin.csx.cam.ac.uk is 28:e1:ef:58:26:51:df:33:6c:0b:21:e4:39:73:99:6c.)

You will be asked for your VPN username and password (see above). Enter them.

You will be presented with a menu:

a=announcements, k=shared key, p=change password, q=quit
c=cisco client, n=normal (L2TP) client
?

Choose c (and press return) to select that you want to use the cisco client (the client we are using emulates the Cisco client).

Then choose k (and press return). The shared key will be displayed. Use this for SHARED_SECRET.

You can also take the opportunity to change your password using p (and pressing return). If you change your password you need to use the new password for VPN_PASSWORD instead of the one quoted in the letter from the Computing Service (see above).

You can now close the connection using q (and pressing return).

Having run vpnc-setup and input all the details everything is ready to go.

Connecting to the University of Cambridge VPDN Service

On Linux/*BSD/Solaris/Other Unix flavours run vpnc-connect (you need to be the root user for this). On Mac OS X enter sudo vpnc. You will then need to enter your VPN password if you did not allow vpnc-setup to store it in the VPN config file.

The vpnc daemon will create a tun network interface (run ifconfig to see it), connect to the VPN server and, assuming this is successful, it will modify your routing table appropriately so that your default route is the VPN.

And that is all. You should now be connected to the University of Cambridge VPDN Service.

To verify that everything is working properly point your web browser to a web page that is only allowed to be accessed from within Cambridge and check that you are allowed to access it. An example is the IngentaConnect electronic journal database (http://www.ingentaconnect.com/), which should show you at the top of the web page that you are logged in as Cambridge University Library.

Note that the above does not set up NAT on your machine, so other computers on your local network cannot connect to the internet using the VPN. This is beyond the scope of this document but, in essence, on Linux you need to add an iptables rule to the nat table in the POSTROUTING chain specifying that all packets going out on the tun network interface (use ifconfig to find out which one is in use for the VPN connection) have their source addresses changed to your VPN IP address (again, use ifconfig to find the IP address of the tun interface in use for the VPN connection).
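The NAT rule just described can be derived from the interface address rather than typed by hand. The script below is an added example and is not part of this page, of vpnc, or of its vpnc-script; it assumes the VPN interface is called tun0, reads the address and the default route from ifconfig and ip route, and only applies the rule when the default route really goes over that interface (the check described under Connecting). The sample ifconfig and ip route outputs embedded for the dry run are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of vpnc: derives the SNAT
# rule described above from the tun interface and applies it after checks.
# Interface name (tun0) and the sample command outputs are assumptions.

# Print the IPv4 address of interface $1 from ifconfig output read on stdin.
# Handles the old "inet addr:A.B.C.D" form and the newer "inet A.B.C.D" form
# (Mac OS X and recent net-tools), whose header lines end in "tun0:".
tun_addr() {
    awk -v ifname="$1" '
        /^[^ \t]/ { inblock = ($1 == ifname || $1 == (ifname ":")) }
        inblock && $1 == "inet" { a = $2; sub(/^addr:/, "", a); print a; exit }
    '
}

# Print the device carrying the default route from "ip route" output on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the iptables command that rewrites the source address of packets
# leaving interface $1 to the VPN address $2 (the rule the text describes).
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# Constructed sample outputs (old-style Linux ifconfig and "ip route") used by
# the dry run; the real run reads the live commands instead.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.20.30.40  P-t-P:10.20.30.40  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1'
SAMPLE_ROUTE='default dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Dry run over the samples: prints the rule that would be applied for
# interface $1 (default tun0), or fails if that interface is not the default route.
dry_run() {
    ifname="${1:-tun0}"
    addr="$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_addr "$ifname")"
    [ -n "$addr" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_ROUTE" | default_route_dev)" = "$ifname" ] || return 1
    nat_rule "$ifname" "$addr"
}

# Live run (as root): apply the rule for interface $1 after sanity checks.
apply_nat() {
    ifname="${1:-tun0}"
    addr="$(ifconfig | tun_addr "$ifname")"
    [ -n "$addr" ] || { echo "no IPv4 address on $ifname; is the VPN up?" >&2; return 1; }
    [ "$(ip route | default_route_dev)" = "$ifname" ] || {
        echo "default route is not via $ifname; not adding NAT" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || {
        echo "ip forwarding is off; vpnc-connect normally enables it" >&2; return 1; }
    echo "applying: $(nat_rule "$ifname" "$addr")"
    iptables -t nat -A POSTROUTING -o "$ifname" -j SNAT --to-source "$addr"
}

case "${1:-}" in
    demo)  dry_run "${2:-tun0}" ;;
    apply) apply_nat "${2:-tun0}" ;;
esac
```

Run with demo to see the rule derived from the samples, and with apply (as root, after vpnc-connect) to install it. The rule is not persistent and is not removed by vpnc-disconnect; it refers to the VPN address, so it must be re-derived after each new connection.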

If you are an advanced user and want to setup more complex routing, you can do so either by modifying the script /etc/vpnc/vpnc-script file (it is a simple Bash script) or by modifying the routing table after you have connected.

Disconnecting from the University of Cambridge VPDN Service

Assuming you used the vpnc-connect script to connect to the University of Cambridge VPDN Service, on Linux/*BSD/Solaris/Other Unix flavours run vpnc-disconnect (you need to be the root user for this). On Mac OS X run sudo vpnc-disconnect. You will then be disconnected from the VPN server. Also, your routing configuration will be reset to what it was before and the tun network interface will be removed.

If you are an advanced user and you did not use the vpnc-connect script to connect to the VPN server, you will need to disconnect by killing the running VPN client daemon (vpnc).

Uninstalling the VPN Client

Linux Using RPMs

Note: You need to become the root user for this. (Use the su command for example to do so or run the commands with sudo.)

If you are using our binary rpm or you have installed your own binary rpm, simply use the command rpm -e vpnc to uninstall the package (rpm -e takes the installed package name, not the name of the .rpm file).

You can then also delete the configuration files by running rm -rf /etc/vpnc.

Note if you also installed libgcrypt and/or libgpg-error you can uninstall those, too by running rpm -e libgcrypt and rpm -e libgpg-error, respectively.

Linux/*BSD/Solaris/Other Unix Flavours Using Source Archive (for Mac OS X see below)

If you are using the source archive, go into the directory where you unpacked the downloaded archive. If you have deleted this directory this is not a problem; simply download the source archive again, then unpack it using for example tar xvjf vpnc-0.5.2-svn.r340.ucs.2.tar.bz2. Then, change into the created directory cd vpnc-0.5.2.

Once in the unpacked source directory, you can perform the uninstall by running sudo make uninstall.

You can then also delete the configuration files by running sudo rm -rf /etc/vpnc.

Note if you also installed libgcrypt and/or libgpg-error you can uninstall those, too by running sudo make uninstall from inside their source directories.

Mac OS X Leopard Using Our Installer

If you installed vpnc using our installer then uninstallation is very simple. Open the Terminal, then run the following two commands (you can copy and paste them for simplicity):

sudo pkgutil -f --regexp --unlink uk.ac.cam. > /dev/null 2>&1
sudo kextunload -b foo.tun

The first of the above commands deletes all installed files, whilst the second unloads the TUN kernel extension, so there is no need for you to reboot after uninstalling.

You can then also delete the configuration files by running sudo rm -rf /etc/vpnc.

Mac OS X Using Source Archive

If you are using the source archive, go into the directory where you unpacked the downloaded archive. If you have deleted this directory this is not a problem; simply download the source archive again, then unpack it using for example tar xvjf vpnc-0.5.2-svn.r340.ucs.2.tar.bz2. Then, change into the created directory cd vpnc-0.5.2.

Once in the unpacked source directory, you can perform the uninstall by running sudo make uninstall.

You can then also delete the configuration files by running sudo rm -rf /etc/vpnc.

You then need to uninstall the TUN/TAP driver and the libraries you installed using the MacPorts port command.

For the TUN/TAP driver, follow the description provided in their FAQ on how to uninstall it.

For the libraries installed using MacPorts you can uninstall the whole of MacPorts by following their uninstall documentation.

Support

Unix Support provides support to University of Cambridge Linux/Unix System Administrators. If you are having problems trying to set up the VPN client described above on your system(s), please email unix-support@ucs.cam.ac.uk.