Setting up Dalhousie VPN on modern Linux systems
OUTDATED - use the Cisco AnyConnect client found at https://vpn.its.dal.ca/
The following instructions are no longer valid, as of (at least) Jan 1st 2020.
The Dalhousie VPN client software for Linux as found on https://wireless.dal.ca/vpn/vpnsoftware/index.html is for older Linux kernels (2.2.12+) and "does not support SMP (multiprocessor) or 64-bit processor kernels". To use the VPN on newer Linux installations, including SMP and 64-bit kernels, it is possible to use the vpnc package together with the configuration file distributed by Dalhousie. A method for doing this is described in this document. Tested on Slackware64-13.0 SMP. Feedback appreciated.
Quickstart:
- install vpnc:
- Redhat/CentOS:
sudo yum install vpnc
- Debian/Ubuntu:
sudo apt-get install vpnc
- download Dal VPN client: https://wireless.dal.ca/download.php?file=linuxvpn.tar.gz
tar xvzf linuxvpn.tar.gz vpnclient/DalhousieVPN.pcf
/usr/bin/pcf2vpnc vpnclient/DalhousieVPN.pcf DalhousieVPN.conf
sudo mv DalhousieVPN.conf /etc/vpnc/
sudo chown root: /etc/vpnc/DalhousieVPN.conf
sudo chmod 400 /etc/vpnc/DalhousieVPN.conf
rm -rf vpnclient
sudo /usr/sbin/vpnc DalhousieVPN
Enter username for vpn.dal.ca: <Type your NetID>
Enter password for NetID@vpn.dal.ca: <Type your NetID Password>
Connect Banner:
| Dalhousie VPN
VPNC started in background (pid: 26579)...
The VPN is now connected, and all of your IPv4 traffic to the Internet will be routed through Dal (vpnc does not carry IPv6, so any IPv6 connectivity you have still goes out directly). When finished, type:
sudo /usr/sbin/vpnc-disconnect
N.B. Rob Adamson contributes:
New versions of vpnc require that the line
NAT Traversal Mode cisco-udp
be added to the DalhousieVPN.conf file in order to avoid getting a "no response from target" error.
Advanced topics/Troubleshooting/Questions:
- I don't want to type my NetID every time I connect!
- I don't want to type anything when I connect, not even my password!
- How do I know it's working?
- But I don't want ALL my traffic (e.g. to Google) to be routed through Dal! How can I make only Dal traffic go through the VPN?
- I can't find the vpnc package for my Linux distribution!
Q. I don't want to type my NetID every time I connect!
A. Edit /etc/vpnc/DalhousieVPN.conf, uncomment the line
# Xauth username <your username>
and substitute your NetID in place of <your username>.
Q. I don't want to type anything when I connect, not even my password!
A. Edit /etc/vpnc/DalhousieVPN.conf, uncomment the line
# Xauth password <your password>
and substitute your password in place of <your password>. Note that this makes it doubly important to restrict the read permissions of this file: the password is stored in cleartext, so anyone who can read the file can connect as you. Don't do this on any system with multiple users, or where someone else has read access to the file. If you do this on your laptop or similar mobile device and it is lost or stolen, change your NetID password immediately.
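The checks above can be scripted. The following is an added example, not part of the original page: it reports a config file that group or others can read, an uncommented Xauth password line, and editor backup or swap files left beside the config (those are created with the default umask and are usually world-readable copies of the file). It assumes a GNU/Linux userland (ls, grep, find); the path in the usage comment is only an illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for a vpnc
# config that may carry a NetID and password. Assumes a GNU/Linux userland
# (ls, grep, find); the path in the usage comment is only an illustration.

# 0 if group and others have no permission bits at all (mode 400 or 600).
# Parsing `ls -ld` keeps this portable across stat(1) flavours.
conf_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# 0 if the file has an uncommented "Xauth password" line, i.e. a plaintext
# credential that turns a permission slip or a stolen laptop into a NetID
# compromise.
conf_has_plaintext_password() {
    grep -Eq '^[[:space:]]*Xauth[[:space:]]+password[[:space:]]' "$1"
}

# Print editor backup/swap files lying next to the config (vim, emacs, ...).
editor_leftovers() {
    find "$1" -maxdepth 1 \( -name '*~' -o -name '*.swp' -o -name '*.bak' \
        -o -name '.#*' -o -name '#*#' \) -print 2>/dev/null
}

# Run every check on one file; returns the number of problems found.
check_vpnc_conf() {
    f=$1; problems=0
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if ! conf_mode_ok "$f"; then
        echo "$f: readable by group/other, want chmod 400"
        problems=$((problems + 1))
    fi
    if conf_has_plaintext_password "$f"; then
        echo "$f: stores a plaintext Xauth password (change the NetID password if this host is ever lost)"
        # a stored password on top of a loose mode counts as a second problem
        conf_mode_ok "$f" || problems=$((problems + 1))
    fi
    left=$(editor_leftovers "$(dirname "$f")")
    if [ -n "$left" ]; then
        echo "editor leftovers next to $f:"; echo "$left"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: sh vpnc-conf-check.sh /etc/vpnc/DalhousieVPN.conf
# Exit status is the number of problems, so it can gate a connect script.
[ $# -eq 0 ] || check_vpnc_conf "$1"
```

Run it as root (or as the owner of the file) after every edit of the config; a non-zero exit means something needs fixing before you store a password in the file.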
Q. How do I know it's working?
A. Your routing table will show that your default gateway is through Dal. Here is a typical routing table before enabling the VPN (yours may vary, but the only important line is the default destination (0.0.0.0), which is reached through gateway 192.168.1.1, a typical home router/gateway IP address):
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
Here is a typical routing table after starting the VPN:
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0
The default destination (0.0.0.0) is now reached not through a gateway, but through the new device 'tun0'. That device is on the Dal VPN network (129.173.240.0/21).
Alternately, use traceroute to see the route taken for packets leaving your computer. For example:
$ traceroute www.google.ca
traceroute to www.l.google.com (66.249.90.104), 30 hops max, 46 byte packets
 1  VPN.Dal.Ca (129.173.1.45)  11.423 ms  22.278 ms  10.347 ms
 2  dal-gw.Backbone.Dal.Ca (129.173.240.1)  11.598 ms  20.938 ms  9.704 ms
 3  GigaPOP-gw.acorn-ns.Ca (198.166.1.17)  12.035 ms  11.654 ms  10.262 ms
 4  ISInet-GW.Backbone.Dal.Ca (198.166.1.42)  14.863 ms  10.958 ms  11.399 ms
^C
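The routing-table check can also be scripted, which is handy in a connect wrapper. The following is an added example, not from the original page: it reads netstat -rn output and prints "full" when the default route leaves through the tunnel, "split" when only the Dal prefix does, and "off" otherwise. The two sample tables embedded in it are constructed copies of the tables shown on this page (full tunnel above, split routing from the split-networking answer below); the Dal prefix 129.173.0.0 and the interface name tun0 are assumptions that match those tables.

```shell
#!/bin/sh
# Added example, not from the original page: classify a Linux IPv4 routing
# table (netstat -rn output) as "full" (default route via the tunnel),
# "split" (only the Dal prefix via the tunnel) or "off".
# DAL_NET and VPN_IF are assumptions that match the tables on this page.
DAL_NET=${DAL_NET:-129.173.0.0}
VPN_IF=${VPN_IF:-tun0}

# Read a netstat -rn style table on stdin and print one word.
vpn_mode() {
    awk -v net="$DAL_NET" -v dev="$VPN_IF" '
        $1 !~ /^[0-9]/ { next }          # skip the two header lines
        $1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF == dev { full = 1 }
        $1 == net && $NF == dev { dal = 1 }
        END {
            if (full) print "full"
            else if (dal) print "split"
            else print "off"
        }'
}

# Constructed sample input: the two tables shown on this page.
SAMPLE_FULL='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0'

SAMPLE_SPLIT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
129.173.0.0     0.0.0.0         255.255.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0'

# Classify the embedded samples (doubles as a self-test of vpn_mode).
mode_of_sample_full()  { printf '%s\n' "$SAMPLE_FULL"  | vpn_mode; }
mode_of_sample_split() { printf '%s\n' "$SAMPLE_SPLIT" | vpn_mode; }

# With "live" as the only argument, check the running system instead.
if [ "${1:-}" = live ]; then
    netstat -rn | vpn_mode
fi
```

Note that it only looks at the IPv4 table, which is all vpnc touches; if your host also has IPv6 connectivity, that traffic is not in the tunnel whatever this prints. The parser expects the eight-column net-tools layout; `ip route` output is formatted differently and would need its own awk.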
Q. But I don't want ALL my traffic (e.g. to Google) to be routed through Dal! How can I make only Dal traffic go through the VPN?
A. Set up split network routing. To do this, create a new file /etc/vpnc/dal-script with the following contents:
#!/bin/sh
# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=
# This sets up split networking regardless
# of the concentrator's specifications.
# You can add as many routes as you want,
# but you must set the counter $CISCO_SPLIT_INC
# accordingly
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=129.173.0.0
CISCO_SPLIT_INC_0_MASK=255.255.0.0
CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0
. /etc/vpnc/vpnc-script
and make it executable:
chmod +x /etc/vpnc/dal-script
Finally, edit /etc/vpnc/DalhousieVPN.conf and add these lines at the end:
# this is used to setup split networking
Script /etc/vpnc/dal-script
After editing, double-check the ownership and permissions of the file (especially if you have placed your NetID/password in it), and delete any leftover temporary files left by your text editor.
Now start the vpn client normally. Your routing table will look something like this:
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
129.173.0.0     0.0.0.0         255.255.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
The default destination (0.0.0.0) still goes to your home router/gateway, but any traffic to Dal (129.173.0.0/16) goes through the tun0 interface. Check this with traceroute:
$ traceroute www.google.ca
traceroute to www.l.google.com (66.249.91.104), 30 hops max, 46 byte packets
 1  192.168.1.1 (192.168.1.1)  0.966 ms  0.849 ms  0.879 ms
 2  blk-215-110-17.eastlink.ca (24.215.110.17)  25.825 ms  15.625 ms  9.783 ms
 3  hlfx-asr1.eastlink.ca (24.222.226.117)  28.858 ms  12.913 ms  10.550 ms
 4  hlfx-br1.eastlink.ca (24.222.79.205)  13.879 ms  27.228 ms  10.030 ms
^C
$ traceroute www.dal.ca
traceroute to kil-ws-2.UCIS.dal.ca (129.173.1.241), 30 hops max, 46 byte packets
 1  VPN.Dal.Ca (129.173.1.45)  17.642 ms  10.724 ms  9.696 ms
 2  dal-gw.Backbone.Dal.Ca (129.173.240.1)  9.804 ms  12.920 ms  10.101 ms
 3  kil-ws-2.UCIS.Dal.Ca (129.173.1.241)  11.629 ms !C  13.300 ms !C  11.902 ms !C
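The hand-maintained counter in dal-script is the part that goes wrong when a second prefix is added later. As an added example (not the page's own dal-script), here is a variant of the same Script hook that derives the CISCO_SPLIT_INC_* variables and the counter from a list of CIDR prefixes, computing each netmask from the prefix length. It assumes the stock vpnc-script is at /etc/vpnc/vpnc-script as on this page and that vpnc runs the hook with the variable reason set (pre-init, connect, disconnect or reconnect), which stock vpnc does; the prefix list is the page's 129.173.0.0/16 and is meant to be adapted to your site.

```shell
#!/bin/sh
# Added example, not the page's own dal-script: a vpnc "Script" hook that
# derives the CISCO_SPLIT_INC_* variables and the counter from a list of
# CIDR prefixes. Assumptions: the stock vpnc-script is at
# /etc/vpnc/vpnc-script (as on this page) and vpnc invokes this hook with
# the variable "reason" set; the prefix list is the page's 129.173.0.0/16
# and is meant to be adapted.
SPLIT_NETS="129.173.0.0/16"     # space-separated, e.g. "129.173.0.0/16 10.0.0.0/8"

# Turn a prefix length (0..32) into a dotted-quad netmask.
prefix_to_mask() {
    p=$1; mask=""
    for octet in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        else
            case "$p" in
                0) o=0 ;;   1) o=128 ;; 2) o=192 ;; 3) o=224 ;;
                4) o=240 ;; 5) o=248 ;; 6) o=252 ;; 7) o=254 ;;
            esac
            p=0
        fi
        mask="$mask${mask:+.}$o"
    done
    printf '%s\n' "$mask"
}

# Append one CIDR to the split-include list. Input is checked to be digits,
# dots and one slash before it reaches eval, so a bad entry cannot run code.
add_split_route() {
    addr=${1%/*}; plen=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$plen" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=${CISCO_SPLIT_INC:-0}
    mask=$(prefix_to_mask "$plen")
    eval "CISCO_SPLIT_INC_${n}_ADDR=$addr
          CISCO_SPLIT_INC_${n}_MASK=$mask
          CISCO_SPLIT_INC_${n}_MASKLEN=$plen
          CISCO_SPLIT_INC_${n}_PROTOCOL=0
          CISCO_SPLIT_INC_${n}_SPORT=0
          CISCO_SPLIT_INC_${n}_DPORT=0"
    CISCO_SPLIT_INC=$((n + 1))
}

# vpnc calls the hook with $reason = pre-init/connect/disconnect/reconnect.
# Only then do we build the variables and hand over to vpnc-script, which
# installs the routes; run by hand (no $reason) the file just defines the
# functions above.
if [ -n "${reason:-}" ]; then
    INTERNAL_IP4_DNS=               # leave /etc/resolv.conf alone, as on the page
    for net in $SPLIT_NETS; do
        add_split_route "$net" || { echo "dal-script: bad prefix '$net'" >&2; exit 1; }
    done
    . /etc/vpnc/vpnc-script
fi
```

Install it exactly like dal-script (same Script line in DalhousieVPN.conf, same chmod +x). Because vpnc-script is sourced rather than executed, the variables set here are visible to it without being exported, which is the same mechanism the page's script relies on.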
Q. I can't find the vpnc package for my Linux distribution!
A. Compile it yourself:
- Download http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
tar xzvf vpnc-0.5.3.tar.gz
cd vpnc-0.5.3
make
sudo make install
N.B. The tarball is fetched over plain HTTP, so compare it against a checksum or signature from a source you trust before building it. By default make install will put all the binaries in /usr/local/{bin,sbin}. To place them in /usr/bin and /usr/sbin as described in this document, first edit Makefile and change the line PREFIX=/usr/local to read PREFIX=/usr, then type sudo make install.