Setting up Dalhousie VPN on modern Linux systems


The Dalhousie VPN client software for Linux as found on https://wireless.dal.ca/vpn/vpnsoftware/index.html is for older Linux kernels (2.2.12+) and "does not support SMP (multiprocessor) or 64-bit processor kernels". To use the VPN on newer Linux installations, including SMP and 64-bit kernels, it is possible to use the vpnc package together with the configuration file distributed by Dalhousie. A method for doing this is described in this document. Tested on Slackware64-13.0 SMP. Feedback appreciated.

Quickstart:

  1. install vpnc:
    • Redhat/CentOS: sudo yum install vpnc
    • Debian/Ubuntu: sudo apt-get install vpnc
  2. download Dal VPN client: https://wireless.dal.ca/download.php?file=linuxvpn.tar.gz
  3. tar xvzf linuxvpn.tar.gz vpnclient/DalhousieVPN.pcf
  4. /usr/bin/pcf2vpnc vpnclient/DalhousieVPN.pcf DalhousieVPN.conf
  5. sudo mv DalhousieVPN.conf /etc/vpnc/
  6. sudo chown root: /etc/vpnc/DalhousieVPN.conf
  7. sudo chmod 400 /etc/vpnc/DalhousieVPN.conf
  8. rm -rf vpnclient
  9. sudo /usr/sbin/vpnc DalhousieVPN
    Enter username for vpn.dal.ca: <Type your NetID>
    Enter password for NetID@vpn.dal.ca: <Type your NetID Password>
    Connect Banner:
    | Dalhousie VPN
    
    VPNC started in background (pid: 26579)...

The VPN service is now connected, and all traffic to the Internet will be routed through Dal. When finished, type:

sudo /usr/sbin/vpnc-disconnect



N.B. Rob Adamson contributes:
New versions of vpnc require that the line

NAT Traversal Mode cisco-udp

be added to the DalhousieVPN.conf file in order to avoid getting a "no response from target" error.



Advanced topics/Troubleshooting/Questions:




Q. I don't want to type my NetID every time I connect!

A. Edit /etc/vpnc/DalhousieVPN.conf, uncomment the line

# Xauth username <your username>

and substitute your NetID in place of <your username>


Q. I don't want to type anything when I connect, not even my password!

A. Edit /etc/vpnc/DalhousieVPN.conf, uncomment the line

# Xauth password <your password>

and substitute your password in place of <your password>. Note that this makes it doubly important to restrict the read permissions of this file. Don't do this on any system with multiple users, or where someone else has read access to the file. If you do this on your laptop or similar mobile device, and it is lost or stolen, change your NetID password immediately.
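The quickstart (steps 6 and 7) and the answer above both come down to one thing: the configuration file must be owned by root and readable only by its owner, and you should know whether it carries your password in clear text. The following shell functions are an added example, not part of this document or of vpnc; they check exactly those points. The file path is a parameter (pass /etc/vpnc/DalhousieVPN.conf); stat -c is the Linux coreutils form.

```shell
#!/bin/sh
# Added example (not from the original page or the vpnc project):
# sanity-check a vpnc configuration file before connecting. It verifies
# that the file is owned by root and readable by nobody but its owner,
# and reports whether an uncommented "Xauth password" line is present.

# Print the octal permission bits of a file (Linux coreutils stat).
file_mode() {
    stat -c '%a' "$1"
}

# Print the owning user name of a file (Linux coreutils stat).
file_owner() {
    stat -c '%U' "$1"
}

# Return 0 if the file contains an active (uncommented) "Xauth password"
# line with a value, i.e. the NetID password is stored in clear text.
conf_has_plaintext_password() {
    grep -Eq '^[[:space:]]*Xauth[[:space:]]+password[[:space:]]+[^[:space:]]' "$1"
}

# Return 0 if the mode grants no access to group or others
# (400 as recommended on this page, or 600), 1 otherwise.
mode_is_owner_only() {
    case "$1" in
        400|600|0400|0600) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one config file. Prints one finding per line; returns 0 when the
# ownership and mode are right, 1 when they are not, 2 if the file is missing.
check_vpnc_conf() {
    conf=$1
    rc=0
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf does not exist"
        return 2
    fi
    mode=$(file_mode "$conf")
    owner=$(file_owner "$conf")
    if ! mode_is_owner_only "$mode"; then
        echo "WEAK-MODE: $conf is mode $mode; expected 400 (sudo chmod 400 $conf)"
        rc=1
    fi
    if [ "$owner" != root ]; then
        echo "WRONG-OWNER: $conf is owned by $owner; expected root (sudo chown root: $conf)"
        rc=1
    fi
    if conf_has_plaintext_password "$conf"; then
        echo "PLAINTEXT-PASSWORD: $conf stores the NetID password; only acceptable on a single-user machine"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf ownership and mode look right"
    return "$rc"
}

# Usage: check_vpnc_conf /etc/vpnc/DalhousieVPN.conf
```

Run check_vpnc_conf after every edit of the file, not only the first time, since most editors recreate a file with default permissions when they save it.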


Q. How do I know it's working?

A. Your routing table will show that your default gateway is through Dal. Here is a typical routing table before enabling the VPN (your routing table may vary, but the only line that really matters is the one for the default destination (0.0.0.0), which is reached through gateway 192.168.1.1, a typical home router/gateway IP address):

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

Here is a typical routing table after starting the VPN:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0

The default destination (0.0.0.0) is now reached not through a gateway, but through the new device 'tun0'. That device is on the Dal VPN network (129.173.240.0/21).

Alternatively, use traceroute to see the route taken by packets leaving your computer. For example:

$ traceroute www.google.ca
traceroute to www.l.google.com (66.249.90.104), 30 hops max, 46 byte packets
 1  VPN.Dal.Ca (129.173.1.45)  11.423 ms  22.278 ms  10.347 ms
 2  dal-gw.Backbone.Dal.Ca (129.173.240.1)  11.598 ms  20.938 ms  9.704 ms
 3  GigaPOP-gw.acorn-ns.Ca (198.166.1.17)  12.035 ms  11.654 ms  10.262 ms
 4  ISInet-GW.Backbone.Dal.Ca (198.166.1.42)  14.863 ms  10.958 ms  11.399 ms
^C

Q. But I don't want ALL my traffic (e.g. to Google) to be routed through Dal! How can I make only Dal traffic go through the VPN?

A. Set up split network routing. To do this, create a new file /etc/vpnc/dal-script with the following contents:

#!/bin/sh

# this effectively disables changes to /etc/resolv.conf
INTERNAL_IP4_DNS=

# This sets up split networking regardless
# of the concentrators specifications.
# You can add as many routes as you want,
# but you must set the counter $CISCO_SPLIT_INC
# accordingly
CISCO_SPLIT_INC=1
CISCO_SPLIT_INC_0_ADDR=129.173.0.0
CISCO_SPLIT_INC_0_MASK=255.255.0.0
CISCO_SPLIT_INC_0_MASKLEN=16
CISCO_SPLIT_INC_0_PROTOCOL=0
CISCO_SPLIT_INC_0_SPORT=0
CISCO_SPLIT_INC_0_DPORT=0

. /etc/vpnc/vpnc-script

and make it executable:

chmod +x /etc/vpnc/dal-script

Finally, edit /etc/vpnc/DalhousieVPN.conf and add these lines at the end:

# this is used to setup split networking
Script /etc/vpnc/dal-script

After editing, double-check the ownership and permissions of the file (especially if you have placed your NetID/password in it), and delete any backup or temporary copies left behind by your text editor (they may contain a copy of the credentials).
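The dal-script above hard-codes one route, and the comment warns that the CISCO_SPLIT_INC counter and every ADDR/MASK/MASKLEN triple must be kept in step by hand. As an added example (not part of this document or of vpnc), the shell functions below generate the whole dal-script body from a list of CIDR prefixes, computing each netmask from the prefix length so the three values cannot disagree. Only 129.173.0.0/16 is taken from the page; the 10.0.0.0/8 prefix in the test is a constructed second route.

```shell
#!/bin/sh
# Added example (not from the original page or the vpnc project): generate
# the CISCO_SPLIT_INC_* block used by /etc/vpnc/dal-script from CIDR
# prefixes, keeping the counter and every ADDR/MASK/MASKLEN triple consistent.

# Convert a prefix length (0-32) to a dotted-quad netmask; fails on anything else.
masklen_to_mask() {
    len=$1
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    if [ "$len" -eq 0 ]; then
        bits=0
    else
        # shift the all-ones mask left and keep the low 32 bits
        bits=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF ))
    fi
    printf '%d.%d.%d.%d\n' \
        $(( (bits >> 24) & 255 )) $(( (bits >> 16) & 255 )) \
        $(( (bits >> 8) & 255 )) $(( bits & 255 ))
}

# Emit the six variable assignments for one route at index $1 from CIDR $2.
split_inc_entry() {
    idx=$1
    cidr=$2
    addr=${cidr%/*}
    len=${cidr#*/}
    mask=$(masklen_to_mask "$len") || return 1
    printf 'CISCO_SPLIT_INC_%s_ADDR=%s\n' "$idx" "$addr"
    printf 'CISCO_SPLIT_INC_%s_MASK=%s\n' "$idx" "$mask"
    printf 'CISCO_SPLIT_INC_%s_MASKLEN=%s\n' "$idx" "$len"
    printf 'CISCO_SPLIT_INC_%s_PROTOCOL=0\n' "$idx"
    printf 'CISCO_SPLIT_INC_%s_SPORT=0\n' "$idx"
    printf 'CISCO_SPLIT_INC_%s_DPORT=0\n' "$idx"
}

# Emit a complete dal-script for the given CIDR prefixes (one per argument).
# The counter is simply the number of arguments, so it can never be off.
gen_split_script() {
    printf '#!/bin/sh\n'
    printf '# leave /etc/resolv.conf alone, as on the original dal-script\n'
    printf 'INTERNAL_IP4_DNS=\n'
    printf 'CISCO_SPLIT_INC=%s\n' "$#"
    i=0
    for cidr in "$@"; do
        split_inc_entry "$i" "$cidr" || return 1
        i=$((i + 1))
    done
    printf '. /etc/vpnc/vpnc-script\n'
}

# Usage: gen_split_script 129.173.0.0/16 > /etc/vpnc/dal-script
```

Any prefix you add here is traffic that will leave through the tunnel instead of your ISP, so keep the list to the networks you actually need to reach through Dal.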

Now start the vpn client normally. Your routing table will look something like this:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
129.173.0.0     0.0.0.0         255.255.0.0     U         0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

The default destination (0.0.0.0) still goes to your home router/gateway, but any traffic to Dal (129.173.0.0/16) goes through the tun0 interface. Check this with traceroute:

~$ traceroute www.google.ca
traceroute to www.l.google.com (66.249.91.104), 30 hops max, 46 byte packets
 1  192.168.1.1 (192.168.1.1)  0.966 ms  0.849 ms  0.879 ms
 2  blk-215-110-17.eastlink.ca (24.215.110.17)  25.825 ms  15.625 ms  9.783 ms
 3  hlfx-asr1.eastlink.ca (24.222.226.117)  28.858 ms  12.913 ms  10.550 ms
 4  hlfx-br1.eastlink.ca (24.222.79.205)  13.879 ms  27.228 ms  10.030 ms
^C
$ traceroute www.dal.ca
traceroute to kil-ws-2.UCIS.dal.ca (129.173.1.241), 30 hops max, 46 byte packets
 1  VPN.Dal.Ca (129.173.1.45)  17.642 ms  10.724 ms  9.696 ms
 2  dal-gw.Backbone.Dal.Ca (129.173.240.1)  9.804 ms  12.920 ms  10.101 ms
 3  kil-ws-2.UCIS.Dal.Ca (129.173.1.241)  11.629 ms !C  13.300 ms !C  11.902 ms !C
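Both "How do I know it's working?" and the split-routing check above amount to reading netstat -rn by eye: does the default route leave through tun0, or only the Dal prefixes? The following is an added example (not from this document or from vpnc) that does the same reading with awk, classifying the table as no-vpn, full-tunnel or split-tunnel and listing the routes that go through a tun interface. The three sample tables are constructed from the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page or the vpnc project): classify
# the tunnel state from "netstat -rn" output read on stdin. Prints one of
#   no-vpn        no route uses a tun interface
#   full-tunnel   the default route (0.0.0.0) goes out through a tun interface
#   split-tunnel  a tun interface carries specific prefixes, default stays on the LAN gateway

vpn_state() {
    awk '
        NR <= 2 { next }                           # skip the two header lines
        $8 ~ /^tun/ { tun_routes++ }                # column 8 is Iface
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { default_if = $8 }
        END {
            if (default_if ~ /^tun/)      print "full-tunnel"
            else if (tun_routes > 0)      print "split-tunnel"
            else                          print "no-vpn"
        }'
}

# List "destination genmask iface" for every route through a tun interface.
tun_routes() {
    awk 'NR > 2 && $8 ~ /^tun/ { print $1, $3, $8 }'
}

# Constructed sample: routing table before the VPN is started.
sample_before() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
EOF
}

# Constructed sample: all traffic routed through the tunnel.
sample_full() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 tun0
EOF
}

# Constructed sample: split routing with dal-script in place.
sample_split() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
129.173.1.45    192.168.1.1     255.255.255.255 UGH    1500 0          0 eth0
129.173.240.0   0.0.0.0         255.255.248.0   U         0 0          0 tun0
129.173.0.0     0.0.0.0         255.255.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
EOF
}

# Usage on a live system: netstat -rn | vpn_state
```

If vpn_state reports full-tunnel when you expected split-tunnel, the Script line in DalhousieVPN.conf is not being honoured (check the path and that dal-script is executable); if it reports no-vpn, vpnc is not connected at all.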

Q. I can't find the vpnc package for my Linux distribution!

A. Compile it yourself:

N.B. By default, make install will put all the binaries in /usr/local/{bin,sbin}. To place them in /usr/bin and /usr/sbin as described in this document, first edit the Makefile and change the line PREFIX=/usr/local to read PREFIX=/usr, then type make install.