Help:VPN

From CECS wiki

A Virtual Private Network (VPN) allows your computer to connect to a remote secure network (such as the campus network) when you are connected to the internet from another location (i.e., off campus).

Cisco AnyConnect client

To download and install the VPN software, visit

Other helpful links:

Note that if the automatic install fails, you will need to configure it with the hostname secure.vpn.ucf.edu.

You may also need to reboot after installing the software before it will work.

NOTE: VPN requires MFA now. It is highly recommended you use the Duo client on your phone.

Cisco AnyConnect in Ubuntu

(Note: this hasn't been checked against current versions of the client. These issues may have been fixed.)

The official Cisco AnyConnect client, which can be downloaded from https://secure.vpn.ucf.edu/, has several bugs:

  • It does not install all of its dependencies. You can fix this with:
      apt-get install libpangox-1.0-0
  • It has bugs in its init scripts that may cause a boot loop during booting.
  • The same init script bugs will prevent upgrades from working correctly. This can be corrected by uninstalling Cisco AnyConnect or removing the offending init scripts.

Linux openconnect in Ubuntu

An alternative to Cisco AnyConnect is the open source openconnect clone. The openconnect client and its GUI can be installed in Ubuntu or Debian with

  1. sudo apt-get install network-manager-openconnect-gnome
  2. Open Settings -> Network
  3. Click on + in the lower left of the network panel
  4. Choose VPN from the Add Network Connection panel
  5. Cisco AnyConnect Compatible VPN (openconnect) should be in the list; choose it
  6. In Gateway, enter secure.vpn.ucf.edu
  7. If desired, change the VPN name at the top
  8. Click Add (No other settings need to be changed.)

This will add a VPN network to your network manager menu that can be turned on and off. When you activate the VPN connection, it should ask for your VPN group, NID, and NID password.

Login requires MFA. Older OpenConnect clients don't support MFA, so the SBL (Sign-in Before Login) method is required, and a default MFA method must be set in your account. Newer OpenConnect clients will prompt you for MFA method.

After connecting, if you still are unable to connect to campus hosts by name, you may have a DNS cache issue.

One of these might work:

  • systemd-resolve --flush-caches
  • systemctl restart dnsmasq
  • systemctl restart nscd

Debugging VPN issues

If you are having problems with the VPN, try this interactive guide.

The guide covers the following problems:

Test VPN

Visit http://t.cs.ucf.edu/vtest to check if everything is working. Possible messages are:

  • You seem to be using the vpn.
  • It doesn't seem like you are using the VPN (vpn not connected or DNS error)
  • browser fails to find the site (multiple errors)

DNS issues

Symptoms:

  • external address instead of internal address --> cache or proxy
  • not found --> typo or internal-only address
  • timeout --> broken OS or misconfiguration
  • browser fails (vtest) but other tools are correct --> DNS by ssh or in-browser DNS proxy
  • connection refused --> wrong protocol or wrong server (http vs ssh)

Tests:

  • try vtest (above)
  • ping -> check internal/external ip and reachability
  • check with nslookup

Causes:

  • DNS proxy
  • web proxy (issues in browser only)
  • stale cache
  • firewall rules blocking something (accidentally triggered? edit firewall settings)

Fixes:

  • check system settings, remove external DNS servers (such as Google)
  • disable DNS proxy from AV software
  • flush DNS cache
  • Reset windows TCP/IP stack

DNS proxy

Please note that a number of antivirus software packages add a DNS proxy to your system configuration that is intended to validate websites you browse. Other than being spyware and allowing the antivirus company to collect and sell information about what websites you browse, it also causes internal UCF hostnames to not resolve. This feature goes under a number of names:

  • DNS protection
  • DNS Proxy
  • Real site shield
  • Smart DNS
  • Safe Web Browsing
  • Safe Web
  • Web shield

These will need to be disabled to access internal UCF hosts with the VPN.

Flush DNS cache

  • Windows (as admin): ipconfig /flushdns
  • Windows: reboot and reconnect
  • Linux: sudo systemd-resolve --flush-caches

Reset Windows TCP/IP stack

Run the following from an administrator Command Prompt:

  1. Type netsh winsock reset and hit enter.
  2. Type netsh int ip reset and hit enter.
  3. Type ipconfig /flushdns and hit enter.
  4. Restart your computer and see if you are still having connectivity issues.

Test DNS with nslookup

Use nslookup to try your target address and/or newton.i2lab.ucf.edu.

Possible results:

  • nslookup is correct but ping is wrong --> fix os name resolution
  • nslookup can't find hostname (typo? not connected to vpn with an internal hostname?)
  • nslookup gives off campus answer (vpn not connected, dns proxy, malware in tcp/ip stack)
  • nslookup times out (broken network, hardcoded dead dns server, unpingable dns server)
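
A small shell helper, added here and not part of the CECS wiki, that runs the nslookup test and maps its output onto the possible results listed above and the causes and fixes under DNS issues. It assumes campus-internal hosts resolve to RFC1918 private addresses (a placeholder for the real campus ranges), and its sample outputs are constructed, not real captures.

```shell
# Added helper (not from the CECS wiki): runs the page's nslookup check and maps its
# output onto the "Possible results" list above. Assumption: campus-internal hosts
# resolve to RFC1918 addresses; adjust is_internal_ip for your site.
is_internal_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}
# First answer address: nslookup prints the resolver's own "Address:" line before
# "Name:", so only an "Address:" line that follows "Name:" counts as an answer.
answer_ip_from_nslookup() {
  printf '%s\n' "$1" | awk '/^Name:/ {seen=1; next} seen && /^Address:/ {print $2; exit}'
}
# Classify raw nslookup output as timeout / not-found / internal:IP / external:IP.
classify_nslookup() {
  if printf '%s\n' "$1" | grep -qiE 'timed out|no servers could be reached'; then
    echo timeout; return
  fi
  if printf '%s\n' "$1" | grep -qiE "can't find|NXDOMAIN"; then
    echo not-found; return
  fi
  ip=$(answer_ip_from_nslookup "$1")
  [ -n "$ip" ] || { echo no-answer; return; }
  if is_internal_ip "$ip"; then echo "internal:$ip"; else echo "external:$ip"; fi
}
# Next step for each outcome, taken from the cause and fix lists above.
advice_for() {
  case "$1" in
    timeout)    echo "broken network or dead DNS server: check resolv.conf and systemd-resolve --status" ;;
    not-found)  echo "typo, or an internal-only name while the VPN is not connected" ;;
    external:*) echo "VPN not connected, DNS proxy or stale cache: flush the cache, disable AV DNS proxy" ;;
    internal:*) echo "DNS is fine; if ping or the browser still fail, check OS name resolution or a browser DNS proxy" ;;
    *)          echo "no usable answer from nslookup" ;;
  esac
}
# Live check of a real name (default: the wiki's test host); runs only when given an argument.
diagnose_host() {
  name=${1:-newton.i2lab.ucf.edu}
  result=$(classify_nslookup "$(nslookup "$name" 2>&1)")
  echo "$name -> $result: $(advice_for "$result")"
}
# Constructed sample outputs (not real captures) so the classifier can be exercised offline.
SAMPLE_EXTERNAL='Server:   127.0.0.53
Address:  127.0.0.53#53
Name:     newton.i2lab.ucf.edu
Address: 203.0.113.10'
SAMPLE_NXDOMAIN="** server can't find newton.i2lab.ucf.edu: NXDOMAIN"
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
if [ $# -gt 0 ]; then diagnose_host "$1"; fi
```

Save it as a script and run it with a hostname as the argument to classify a live lookup; with no argument it only defines the functions.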

Check DNS config in Linux

  • systemd-resolve --status
  • cat /etc/resolv.conf
  • check the dnsmasq config, if dnsmasq is installed

Check net config in Windows

  • ipconfig /all