vpnc or openvpn

Hi,

Are there instructions anywhere on how one can use vpnc [1] or openvpn [2] to connect to Duke's network?

[1] http://www.unix-ag.uni-kl.de/~massar/vpnc/
[2] http://openvpn.net/

Thanks.
Dmitriy

_______________________________________________
Dulug mailing list
Dulug@...
https://lists.dulug.duke.edu/mailman/listinfo/dulug

Re: vpnc or openvpn

I've gotten the Cisco client to work, if it helps.

http://typiconman.wordpress.com/2007/12/22/connect-to-duke-via-cisco-vpn/

A

2008/1/14, Dmitriy Morozov <morozov@...>:
> Are there instructions anywhere on how one can use vpnc [1] or
> openvpn [2] to connect to Duke's network?

Re: vpnc or openvpn

Thanks, Aleks, it works like a charm.

D

On Mon, Jan 14, 2008 at 09:07:49AM -0500, Aleksandr Andreev wrote:
> I've gotten the Cisco client to work, if it helps.
>
> http://typiconman.wordpress.com/2007/12/22/connect-to-duke-via-cisco-vpn/

Re: vpnc or openvpn

Dmitriy Morozov wrote:
> Are there instructions anywhere on how one can use vpnc [1] or
> openvpn [2] to connect to Duke's network?

I was able to get vpnc to work on Fedora 8.

Step 1: Rebuild vpnc with a modified Makefile that enables building against openssl (or steal my rpms from http://www.duke.edu/~sean/rpms/vpnc/)

Step 2: Download https://software.oit.duke.edu/pub/vpn/vpnclient_win_5.zip

Step 3: Run pcf2vpnc (found in /usr/share/doc/vpnc-0.5.1/) on duke-broadband.pcf from the zip file in step 2.

Step 4: Copy the output from Step 3 to /etc/vpnc/default.conf

Step 5: Copy the rootcert file from the zip file to /etc/pki/tls/certs/<hash>.0 (that's a .0 after the hash)

You can get the hash by doing: openssl x509 -in rootcert -noout -hash

Now you can run '/usr/sbin/vpnc' as root and enter in your NetID then NetID password when prompted.

And /usr/sbin/vpnc-disconnect when you're done.

Re: vpnc or openvpn

As a follow-on, here are instructions to set up split routing. Copy the attached vpnc-wrapper.sh into /etc/vpnc, and chmod +x /etc/vpnc/vpnc-wrapper.sh

Then add the following line to /etc/vpnc/default.conf:

Script /etc/vpnc/vpnc-wrapper.sh

If you do this, when you turn on vpnc, it will route campus traffic through the VPN, but all other traffic will go through its normal route.

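The vpnc-wrapper.sh attached to the message above is not reproduced on this page. What follows is an added example, written for this page and not Sean's script, of how such a wrapper is usually built: vpnc runs the configured Script with the environment variable reason set to pre-init, connect or disconnect, and the stock /etc/vpnc/vpnc-script installs a default route through the tunnel unless the CISCO_SPLIT_INC* variables describe a split-include list, in which case it adds one route per listed network instead. The wrapper sets those variables itself and then hands over to the stock script. The network list is a placeholder (documentation ranges); which prefixes count as "campus" is an assumption the administrator must fill in.

```shell
#!/bin/sh
# Added example: a split-routing wrapper for vpnc's "Script" hook.
# Not the vpnc-wrapper.sh from the list post.  vpnc invokes this with
# $reason set to pre-init, connect or disconnect; the stock
# /etc/vpnc/vpnc-script adds a default route via $TUNDEV unless the
# CISCO_SPLIT_INC* variables describe a split-include list, in which case it
# adds only those routes.  We supply the list ourselves, then exec the stock
# script so it does the interface, route and resolv.conf work as usual.

# Networks to send through the tunnel, space-separated CIDR.  Placeholder
# values (RFC 5737 documentation ranges); the real campus prefixes are an
# assumption the administrator fills in.
CAMPUS_NETS="${CAMPUS_NETS:-192.0.2.0/24 198.51.100.0/24}"
VPNC_SCRIPT="${VPNC_SCRIPT:-/etc/vpnc/vpnc-script}"

# cidr_to_mask BITS -> dotted-quad netmask (20 -> 255.255.240.0)
cidr_to_mask() {
  bits=$1
  mask=""
  for octet in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then
      o=255
      bits=$((bits - 8))
    elif [ "$bits" -le 0 ]; then
      o=0
    else
      o=$((256 - (1 << (8 - bits))))
      bits=0
    fi
    mask="${mask}${mask:+.}${o}"
  done
  printf '%s\n' "$mask"
}

# export_split_routes CIDR... -> exports CISCO_SPLIT_INC plus, for network N,
# CISCO_SPLIT_INC_N_ADDR, _MASK and _MASKLEN, the names vpnc-script reads.
# Any split-include list pushed by the gateway is replaced, not merged.
# Returns 1 on a malformed entry so the caller can refuse to bring the
# tunnel up with a half-built route table.
export_split_routes() {
  n=0
  for cidr in "$@"; do
    case $cidr in
      */*) ;;
      *) printf 'export_split_routes: %s is not CIDR\n' "$cidr" >&2; return 1 ;;
    esac
    addr=${cidr%/*}
    plen=${cidr#*/}
    case $plen in
      ''|*[!0-9]*) printf 'export_split_routes: bad prefix length in %s\n' "$cidr" >&2; return 1 ;;
    esac
    if [ "$plen" -gt 32 ]; then
      printf 'export_split_routes: bad prefix length in %s\n' "$cidr" >&2
      return 1
    fi
    export "CISCO_SPLIT_INC_${n}_ADDR=$addr"
    export "CISCO_SPLIT_INC_${n}_MASK=$(cidr_to_mask "$plen")"
    export "CISCO_SPLIT_INC_${n}_MASKLEN=$plen"
    n=$((n + 1))
  done
  export CISCO_SPLIT_INC=$n
}

# Act only when vpnc is the caller (it sets $reason); sourcing this file
# elsewhere leaves the routing table untouched.
if [ -n "$reason" ]; then
  # shellcheck disable=SC2086  # splitting the list into words is intended
  export_split_routes $CAMPUS_NETS || exit 1
  exec "$VPNC_SCRIPT"
fi
```

Install it root-owned with mode 0755 as /etc/vpnc/vpnc-wrapper.sh (vpnc runs it as root, so it must not be writable by anyone else) and reference it with the Script line above. Two caveats worth knowing before relying on it: the stock vpnc-script still rewrites /etc/resolv.conf from INTERNAL_IP4_DNS when the gateway pushes resolvers, so name lookups go to campus DNS even though most traffic does not; and because the wrapper overrides whatever the gateway sends, any "tunnel everything" policy the VPN operator configured is bypassed on this client.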
Re: vpnc or openvpn

On Fri, 1 Feb 2008, Sean Dilda wrote:
> I was able to get vpnc to work on Fedora 8.

Bless you for this. I've been waiting so long for it, since building vpnclient is a PITA and it doesn't integrate with NetworkManager.

I'll give it a try as soon as I have a spare moment.

rgb

--
Robert G. Brown
Phone(cell): 1-919-280-8443
Duke University Physics Dept, Box 90305
Durham, N.C. 27708-0305
Web: http://www.phy.duke.edu/~rgb
Book of Lilith Website: http://www.phy.duke.edu/~rgb/Lilith/Lilith.php
Lulu Bookstore: http://stores.lulu.com/store.php?fAcctID=877977

Re: vpnc or openvpn

Robert G. Brown wrote:
> Bless you for this. I've been waiting so long for it, since building
> vpnclient is a PITA and it doesn't integrate with NetworkManager.

While vpnc does integrate with NetworkManager, I've not yet gotten it to work with Duke's VPN. If you manage to get it to work, please let me know the secret.

Re: vpnc or openvpn

I heard today from a source at OIT that a working version of the Cisco client will be released "some time soon."

A

2008/2/4, Sean Dilda <sean@...>:
> While vpnc does integrate with NetworkManager, I've not yet gotten it to
> work with Duke's VPN. If you manage to get it to work, please let me
> know the secret.

Re: vpnc or openvpn

Aleksandr Andreev wrote:
> I've gotten the Cisco client to work, if it helps.
>
> http://typiconman.wordpress.com/2007/12/22/connect-to-duke-via-cisco-vpn/

I followed your instructions and things went seemingly without a hitch, except that when I actually try to connect, I get the following message:

Initializing the VPN connection.
Contacting the gateway at 152.3.219.82
Secure VPN Connection terminated locally by the Client
Reason: Remote peer is no longer responding.
There are no new notification messages at this time.

Now, I haven't contacted anybody at OIT to get authorized for VPN access, but I do have a dempo ID and figured I could test it up to the point where I authenticated. However, this didn't seem to even get that far. Does anyone know what the cause of this error message is?

--
David Cherryholmes
PET Facility

Re: vpnc or openvpn

How many disgruntled Linux users will it take to get OIT to release a working VPN client?

2008/2/19, David Cherryholmes <david.cherryholmes@...>:
> I followed your instructions and things went seemingly without a hitch,
> except that when I actually try to connect, I get the following message:
>
> Initializing the VPN connection.
> Contacting the gateway at 152.3.219.82
> Secure VPN Connection terminated locally by the Client
> Reason: Remote peer is no longer responding.
> There are no new notification messages at this time.

Re: vpnc or openvpn

On Tue, 19 Feb 2008, Aleksandr Andreev wrote:
> How many disgruntled Linux users will it take to get OIT to release a
> working VPN client?

Wait, is this a joke?

I know, I know! "Infinity"

Or is the right answer "What's a Linux user?"

rgb

Re: vpnc or openvpn

Robert G. Brown wrote:
> Wait, is this a joke?
>
> I know, I know! "Infinity"
>
> Or is the right answer "What's a Linux user?"

I only really know my little corner of the pond (don't get out much), but it seems especially ridiculous considering just how much stuff -- how much *revenue generating stuff* -- runs on linux around here.

--
David Cherryholmes
PET Facility

Re: vpnc or openvpn

On Wed, 20 Feb 2008, David Cherryholmes wrote:
> I only really know my little corner of the pond (don't get out much), but it
> seems especially ridiculous considering just how much stuff -- how much
> *revenue generating stuff* -- runs on linux around here.

Sorry to revive an old thread, but I finally had time and need to use a VPN connection to Duke from home, and of course my old patched vpnclient doesn't build under F8 without further hacking on my part. So I gave Sean's RPMs a try, rebuilding them from the source rpms and forcing them in over the existing vpnc clients already installed by yum which naturally have more recent release numbers.

I then precisely followed the ritual. Download the windows vpnclient zip. Copy rootcert into /etc/pki..../<hash>.0 where hash is generated by openssl from rootcert. Run pcf2whatever on duke-broadband.pcf, put in /etc/default.conf. Run vpnc as root.

It then runs, but laughs at me:

rgb@cain|B:1036#vpnc
Enter username for duke-vpn-public.netcom.duke.edu: rgb
Enter password for rgb@...:
/usr/sbin/vpnc: no response from target

So it is connecting to the gateway, I am putting in my standard netid/password combo (which I reverified by logging into godzilla, since I don't use it often anymore) and -- no response from target.

Any advice? Anybody?

rgb

Re: vpnc or openvpn

On Mon, 2008-03-10 at 19:21 -0400, Robert G. Brown wrote:
> So it is connecting to the gateway, I am putting in my standard
> netid/password combo (which I reverified by logging into godzilla, since
> I don't use it often anymore) and -- no response from target.

Setup openvpn on your desktop in physics and tunnel yourself through? :)

-sv

Re: vpnc or openvpn

On Mon, 10 Mar 2008, seth vidal wrote:
> Setup openvpn on your desktop in physics and tunnel yourself through? :)

Sure, that's probably the best of all possible solutions, come to think about it. In fact, it's brilliant. I'll do it.

Tough on everybody who doesn't have their own on-campus desktop, but hey -- that would let me actually use NetworkManager to connect from my laptop...

rgb

Re: vpnc or openvpn

Robert G. Brown wrote:
> On Mon, 10 Mar 2008, seth vidal wrote:
>> Setup openvpn on your desktop in physics and tunnel yourself through? :)
>
> Sure, that's probably the best of all possible solutions, come to think
> about it. In fact, it's brilliant. I'll do it.
>
> Tough on everybody who doesn't have their own on-campus desktop, but hey
> -- that would let me actually use NetworkManager to connect from my
> laptop...

So, in the interest of all Duke-Linux users, is there any University policy preventing us from setting up an openvpn server that uses Kerberos to authenticate users? Maybe set a bandwidth cap so you don't top your personal 5G upload limit? Or, set one up, and then convince the University to sanction it and remove the upload limit...

Michael

Re: vpnc or openvpn

Well I have gotten the Cisco VPN client to work for me, so that is an alternative. Of course, it's not open source.

A

2008/3/10, Michael Ansel <michael.ansel@...>:
> So, in the interest of all Duke-Linux users, is there any University
> policy preventing us from setting up an openvpn server that uses
> Kerberos to authenticate users? Maybe set a bandwidth cap so you don't
> top your personal 5G upload limit? Or, set one up, and then convince the
> University to sanction it and remove the upload limit...

Re: vpnc or openvpn

On Mon, 10 Mar 2008, Michael Ansel wrote:
> So, in the interest of all Duke-Linux users, is there any University
> policy preventing us from setting up an openvpn server that uses
> Kerberos to authenticate users? Maybe set a bandwidth cap so you don't
> top your personal 5G upload limit? Or, set one up, and then convince the
> University to sanction it and remove the upload limit...

OK, now you've done it. Triggered the first real rgb rant in a long time. Skip the following if you have anything like real work to do.

There are, of course, many, many ways to solve this problem. This problem has existed, unsolved, for maybe four or five years now -- well back into the era where there was a proxy server that COULD provide at least one weakly authenticated way to access duke.edu (and the various online resources therein) from home. At that time, the OIT-provided and "tested" cisco client would simply lock my system up if I tried to run it, usually in around three seconds.

A short list: If OIT had the slightest interest in actually solving the problem,

THEY could set up an openvpn server.

THEY could tackle patching vpnclient and packaging it and distributing it on the campus linux server/yum repo and the OIT authenticated download site (to avoid the catch-22 issue for home users).

THEY could tackle patching vpnc and repackaging it as duke-vpnc on the "private" campus linux server/yum repo and the OIT authenticated download site ditto, and could actually keep it up to date and "plug-and-play" ready, fully tested.

THEY could (I believe) configure the cisco so that the existing vpnc client could manage it and distribute the required shared secret ditto.

THEY could stop using cisco products altogether unless/until they provide real support for non-WinXX operating systems.

THEY could provide comprehensive IT leadership and service to the campus community.

Several of these solutions -- notably an openvpn server in an unprivileged anonymous VM -- would cost very, very little money and could very likely handle the off-campus linux (and Mac) load with ease. Of course, implementing several of the other solutions would require that THEY actually invest the time required to set up and maintain a campus server for fedora 8 and migrating and maintaining not only a VPN client, but all of the various campus-only packages for linux -- mathematica, maple, and so on. You'd think THEY'D >>want<< to do this, since they took over this repo from A&S computing when A&S computing was doing just fine running it on our own, but it is a simple matter of empirical fact that THEY don't want to invest the 1/6 to 1/12 of an FTE required for somebody who knows what they're doing to actually run it on an annual basis. After all, we ran it out of physics for a number of years on the opportunity cost time of TWO sysadmins who were also managing something like 500 systems and hundreds of users between them.

So I'm cynical beyond all measure that this problem will ever be solved by THEM -- by OIT. At this point, the only solution I can see to the dilemma is for US to solve it -- for A&SIST to take back the linux repo for campus, and either take on the responsibility for maintaining the vpnclient software (a nasty ugly solution because Cisco doesn't give a rat's ass about supporting linux and therefore their "linux" software is perpetually broken) OR -- seth pegged it. Set up our OWN openvpn VPN gateway on one of our OWN servers with matching software and double-dog-dare OIT to do something about it. At the very least, we might be able to "force" them to fix the vpnclient situation and accept responsibility for the campus linux repo (again) as a price for our compliance.

If I sound a bit pissed off, it's because I am.

I know precisely -- and I do mean precisely -- how much effort is required to patch and maintain the cisco vpnclient from source as kernels change. I know because I've now been the person who has patched it on two separate occasions and subsequently thrown it out into the campus grapevine for "authenticated" passing between individuals who know individuals who have a copy (since there is no longer an official distribution channel, what else can one do). It took a matter of a few hours -- a mix of figuring out what data structs were no longer correctly represented and internet searches for suggested fixes for the less obvious changes. I really, really didn't want to have to do it again for F8 -- seth's solution is therefore infinitely appealing.

The whole situation is as annoying as all hell, because >>cisco<< should be paying for this or doing it with their own engineers, not a few hundred or thousand sysadmins all over the world having to reverse engineer their bugs and share the fixes independently, who knows how many users off campus having to waste hours and hours of time EACH trying to figure out a workaround. A triple pain because ORDINARY people cannot download the software from the cisco site. You have to be an "approved customer" or some such crap -- sign up, pay them, something -- to get a copy of the "current" vpnclient tarball in the first place, which then almost never works.

>>Duke<< should be telling cisco that if they don't get their act in gear and provide perfectly functional client software that is easily retrieved and installed -- ideally open source client software -- that we don't have to "touch" to drop on an F8 or Centos repository, we will be changing vendors or implementing an alternative solution that may well not involve them at all. Or, if Duke chooses to continue using Cisco, they should do so in the full awareness of and acceptance of the responsibility for filling in the missing pieces and should take on the AGGRESSIVE management and provision of a working Cisco client to all off campus computer users independent of their operating environment. You can't force people to use just one portal and then refuse to provide a big chunk of your customers with a key!

The point, of course, is that I'm just a humble faculty person. I spend roughly 60% of every day (when I'm not actively teaching) on a computer in my office or, quite often, at home. Sometimes my work (like today) requires literature searches and grabbing of papers. It costs me a minimum of 40 wasted minutes and several dollars in gas to drive onto campus just to do this, however many times a month I might need to do it. So why am I spending hours of my life figuring out how to get a working vpnclient to avoid this?

And it isn't just me. Dr. Walter in our department has also wasted time fixing this and sharing the solution. Clearly Sean has worked on it. I'm guessing that there are a bunch more sysadmins, students, power users, and even ordinary users of linux, each of them independently trying to solve this one problem, over and over and over. Why am >>I<<, why are >>we<< having to waste my/our presumably valuable time IN AGGREGATE when ONE PERSON who is employed (in part) for this purpose and made responsible for it could do so ONCE (repeat as required for maintenance and update) and set it up so everyone could benefit? Even if one argued that the OIT employee that might be assigned the task of doing so makes more money than I do -- alas a plausible hypothesis -- surely he or she doesn't make more than I and Chris put together. And then there is everybody else.

The whole point of centralizing certain services is to AVOID WASTING DUKE'S MONEY by duplicating effort, and oh yeah, if the central organization does the job right and tests the solution, there is a security benefit as well. It IS all about security, right?

Next stop, setting up an openvpn server -- but maybe I'll talk to Jimmy about setting one up for the entire department in a VM or something. That would probably be the more responsible way to proceed, at least until A&S decides to do it at the college level. Otherwise I'll have ex-students and off-campus duke-employed friends asking me for duke.edu access via my system, and I'll have to virtualize a server anyway to be able to make them happy without creating a security risk. When people are forced to route around a security FEATURE because of a lack of support, it does, after all, create additional security risks.

Grrrr. Rant over.

rgb

Re: vpnc or openvpn

Robert G. Brown wrote:
> I then precisely followed the ritual. Download the windows vpnclient
> zip. Copy rootcert into /etc/pki..../<hash>.0 where hash is generated
> by openssl from rootcert. Run pcf2whatever on duke-broadband.pcf, put
> in /etc/default.conf. Run vpnc as root.
>
> It then runs, but laughs at me:
>
> rgb@cain|B:1036#vpnc
> Enter username for duke-vpn-public.netcom.duke.edu: rgb
> Enter password for rgb@...:
> /usr/sbin/vpnc: no response from target
>
> Any advice? Anybody?

I've (just) gotten both Cisco's vpnclient and vpnc to work on my laptop at home. I use Gentoo, but I know most others on this list don't, so I'll try to leave the Gentoo specific stuff out. ($ commands are run as root, # as user)

VPNC

1) Kernel Configuration

Make sure the kernel has Universal TUN/TAP device driver support built in or loaded as a module. You probably already have this, but just to make sure you can check if it's built in with:

# dmesg | grep TUN
tun: Universal TUN/TAP device driver, 1.6

or as a module with:

$ modprobe tun
$ lsmod
Module                  Size  Used by
tun                     7296  0

2) Install VPNC

VPNC must be installed with support for hybrid authentication (I believe vpnc-0.5.0+ have this option). Most distributions should install vpnc with this enabled.

3) Generate a root certificate from OIT's rootcert:

$ openssl x509 -in rootcert -inform der -out /etc/ssl/certs/duke.pem

4) Generate vpnc configuration file from OIT's profile:

$ pcf2vpnc duke-broadband.pcf /etc/vpnc/default.conf

5) Edit the configuration file so vpnc knows where to find the certificate you generated in step 3:

$ echo "CA-File /etc/ssl/certs/duke.pem" >> /etc/vpnc/default.conf

6) Start vpnc:

$ vpnc

Cisco's VPN Client

1) Compile/install vpnclient. As mentioned previously on the list, don't use OIT's version, rather get the latest version offered/supported by your distribution. I wasn't able to download the client directly from cisco's website, though I was under the impression that it was free, but was able to find the version portage (Gentoo's package manager) wanted with a quick google search.

2) After installation, make sure the installed modules have been loaded.

3) Download OIT's vpnclient for Linux: http://www.oit.duke.edu/network/remote/vpn/linux.html

4) Import the root certificate:

# /opt/cisco-vpnclient/bin/cisco_cert_mgr -R -op import

5) Copy the .pcf files to cisco vpnclient configuration directory:

$ cp duke*.pcf /etc/opt/cisco-vpnclient/Profiles/

6) Run vpnclient

# vpnclient connect duke-broadband

- Nadeem

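Sean's Steps 2 to 5 and Nadeem's VPNC steps 3 to 5 are the same procedure: turn the Windows client's .pcf profile into a vpnc default.conf and give vpnc the CA certificate it needs for hybrid authentication. The script below is an added example written for this page; it is not pcf2vpnc and not code from either poster. It parses the INI-style .pcf directly (including the CRLF line endings such files carry), emits the vpnc directives the profile implies, and installs the certificate under the <hash>.0 name that an OpenSSL hash-directory lookup expects. The key mappings it uses (AuthType=5 to "IKE Authmode hybrid", EnableNat=1 to "NAT Traversal Mode cisco-udp") are assumed to match what pcf2vpnc emits, and only the common profile keys are handled. Two points the posts leave implicit: enc_GroupPwd is obfuscated, not encrypted, and vpnc reverses it itself via "IPSec obfuscated secret", so the .pcf and the generated default.conf are both secrets and belong in 0600 files; and the openssl -hash value changed between OpenSSL 0.9.8 and 1.0.0, so the file name Sean computed in 2008 is not the one a modern openssl prints.

```shell
#!/bin/sh
# Added example, not pcf2vpnc and not code from the thread: convert a Cisco
# .pcf profile to a vpnc default.conf and install the CA certificate.  The
# AuthType/EnableNat mappings are assumed to match pcf2vpnc's output.

# pcf_get FILE KEY -> value of KEY (first match), CRLF stripped, since .pcf
# files come from Windows and carry \r\n line endings.
pcf_get() {
  tr -d '\r' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# pcf_to_vpnc FILE -> vpnc configuration on stdout; returns 1 if the profile
# lacks the gateway or group name.  enc_GroupPwd is only obfuscated, so the
# output is as sensitive as the .pcf itself and must be stored mode 0600.
pcf_to_vpnc() {
  f=$1
  host=$(pcf_get "$f" Host)
  group=$(pcf_get "$f" GroupName)
  if [ -z "$host" ] || [ -z "$group" ]; then
    printf 'pcf_to_vpnc: %s lacks Host or GroupName\n' "$f" >&2
    return 1
  fi
  printf 'IPSec gateway %s\n' "$host"
  printf 'IPSec ID %s\n' "$group"
  v=$(pcf_get "$f" enc_GroupPwd)
  if [ -n "$v" ]; then printf 'IPSec obfuscated secret %s\n' "$v"; fi
  v=$(pcf_get "$f" Username)
  if [ -n "$v" ]; then printf 'Xauth username %s\n' "$v"; fi
  if [ "$(pcf_get "$f" AuthType)" = 5 ]; then printf 'IKE Authmode hybrid\n'; fi
  if [ "$(pcf_get "$f" EnableNat)" = 1 ]; then printf 'NAT Traversal Mode cisco-udp\n'; fi
  v=$(pcf_get "$f" DHGroup)
  if [ -n "$v" ]; then printf 'IKE DH Group dh%s\n' "$v"; fi
}

# cert_hash_name CERT -> "<subject-hash>.0", the file name a CA-Dir lookup
# expects (Sean's step 5).  rootcert may be PEM or DER, so both are tried.
# Caveat: OpenSSL 1.0.0 changed the subject-hash algorithm; on a newer
# OpenSSL, -subject_hash_old reproduces the 0.9.8-era name.  Pointing vpnc
# at the file with CA-File (Nadeem's step 5) avoids the hash directory.
cert_hash_name() {
  h=$(openssl x509 -in "$1" -inform pem -noout -hash 2>/dev/null) ||
    h=$(openssl x509 -in "$1" -inform der -noout -hash 2>/dev/null) ||
    return 1
  printf '%s.0\n' "$h"
}

# install_profile PCF CERT CONFDIR CERTDIR -> writes CONFDIR/default.conf
# (mode 0600) that references a PEM copy of CERT stored as CERTDIR/<hash>.0.
install_profile() {
  pcf=$1; cert=$2; confdir=$3; certdir=$4
  name=$(cert_hash_name "$cert") || {
    printf 'install_profile: cannot read certificate %s\n' "$cert" >&2; return 1; }
  conf=$(pcf_to_vpnc "$pcf") || return 1
  mkdir -p "$confdir" "$certdir"
  openssl x509 -in "$cert" -inform der -out "$certdir/$name" 2>/dev/null ||
    openssl x509 -in "$cert" -inform pem -out "$certdir/$name"
  ( umask 077
    printf '%s\nCA-File %s\n' "$conf" "$certdir/$name" > "$confdir/default.conf" )
}

# make_sample_pcf -> path of a constructed CRLF profile with placeholder
# values (not the Duke profile from the OIT zip).
make_sample_pcf() {
  f=$(mktemp)
  printf '[main]\r\nDescription=campus\r\nHost=vpn.example.edu\r\nAuthType=5\r\nGroupName=broadband\r\nenc_GroupPwd=0123456789ABCDEF\r\nUsername=\r\nEnableNat=1\r\nDHGroup=2\r\n' > "$f"
  printf '%s\n' "$f"
}
```

As root, install_profile duke-broadband.pcf rootcert /etc/vpnc /etc/pki/tls/certs reproduces the whole procedure in one step, after which vpnc prompts for the NetID and password as the posts describe; the certificate functions need openssl on the path, while pcf_to_vpnc needs only sed, tr and head. Writing the profile to the config directory by hand is the part most often done wrong: leaving default.conf world-readable exposes the group secret to every local account.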
Re: vpnc or openvpn

Robert G. Brown wrote:
> Grrrr. Rant over.

FYI: OIT has talked about launching a "SSL VPN" this summer. I don't know any details, but that may help with journal access and such.

-Jimmy