VPN Client Installation and Use for UBLinux
Introduction
The Virtual Private Network (VPN) Client allows you to securely access the University at Buffalo's computer systems from off campus through an Internet Service Provider (ISP). It lets you see the shared files of a server or reach campus resources as if you were connected directly to UB.
It also allows your laptop computer to securely access a Wireless Access Point at UB (if you are within range of one), provided you have a wireless network card installed and follow the setup instructions.
System Requirements
The VPN Client for Linux works under various Linux distributions. It supports Red Hat Linux 6.2 (x86) and compatible libraries with glibc version 2.1.1-6 or later, using kernel version 2.5 or SMP (multiprocessor) kernels. In order to build the VPN kernel module, you must have the kernel headers for the version of the kernel you are running (installed in /usr/src/linux for Red Hat 6.x and /usr/src/linux-2.4 for Red Hat 7.x by default).
Once installed, the VPN Client kernel module resides in the current kernel's module directory (/lib/modules/[kernel_ver]/build by default). The module is built against the running kernel, so if you upgrade your kernel you will need to reinstall the VPN Client.
Firewall Issues
If you are running a firewall (for instance, Linux ipchains or iptables) or a router for a home network, you must allow the following types of traffic to pass through: UDP port 500 (ISAKMP), IP protocol 50 (ESP; note that this is a protocol number, not a TCP or UDP port), and UDP port 4500 (NAT-T, for users behind NAT).
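The three traffic types above, as an added example that is not part of the original page or the Cisco client: a POSIX shell script that prints iptables rules admitting ISAKMP, NAT-T and ESP on an interface you name, and audits an iptables-save dump for the INPUT rules. The interface name eth0 and the sample ruleset are constructed for the example. The ipchains syntax the page also mentions is different and is not covered here.

```shell
#!/bin/sh
# Added example, not from the UB page or the Cisco client: generate iptables
# rules for the IPsec traffic the page lists (UDP 500, UDP 4500, IP proto 50)
# and audit an `iptables-save` dump for them.

# Print iptables commands admitting ISAKMP, NAT-T and ESP on interface $1.
# Assumption: the caller supplies the outbound interface name (e.g. eth0).
# ESP is matched with -p 50 (a protocol number), not with a --dport.
ipsec_rules() {
    iface="$1"
    for spec in "INPUT -i" "OUTPUT -o"; do
        chain=${spec%% *}
        flag=${spec##* }
        printf 'iptables -A %s %s %s -p udp --dport 500 -j ACCEPT\n'  "$chain" "$flag" "$iface"
        printf 'iptables -A %s %s %s -p udp --dport 4500 -j ACCEPT\n' "$chain" "$flag" "$iface"
        printf 'iptables -A %s %s %s -p 50 -j ACCEPT\n'               "$chain" "$flag" "$iface"
    done
}

# Audit an iptables-save dump ($1) for the three INPUT rules. Prints the names
# of the missing ones (space separated) and returns 0 only if none is missing.
# iptables-save writes ESP either as "-p esp" or "-p 50", so both are accepted.
check_ipsec_rules() {
    dump="$1"
    missing=""
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT' \
        || missing="$missing isakmp"
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT' \
        || missing="$missing nat-t"
    printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*-p (esp|50) .*-j ACCEPT' \
        || missing="$missing esp"
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample ruleset in iptables-save format (not a real capture).
SAMPLE_COMPLETE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
COMMIT'

# The same ruleset with the NAT-T rule dropped: a host behind a home router
# would lose its tunnel with this configuration.
SAMPLE_INCOMPLETE=$(printf '%s\n' "$SAMPLE_COMPLETE" | grep -v 'dport 4500')

# Demonstration when run directly.
ipsec_rules eth0
check_ipsec_rules "$SAMPLE_INCOMPLETE" || echo "sample ruleset is missing the rules listed above"
```

On a live host, replace the constructed sample with `iptables-save` output (run as root) and pipe the printed rules through `sh` once you are satisfied with them; the audit only recognises explicit ACCEPT rules in the INPUT chain, so a ruleset that relies on connection tracking for the UDP replies will be reported as missing those rules.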
Logging on as Root
Making system changes to your computer or installing software often requires you to "log on as root" or enter commands "as root" or with "superuser privs" (privileges). These all mean the same thing. To get superuser privs, you can log on with the username root, or run the su command. These are the simplest, but also the most dangerous, methods of getting superuser privs, because any aspect of the system can be modified without safeguards. If you use them, be sure to run the exit command as soon as you no longer need superuser privs. The best way to get superuser privs is to use the sudo command prefix. sudo is included in the UBLinux and Red Hat distributions, but it requires a simple one-time setup before you can use it.
Read the man page on the sudo command. Get superuser privs using one of the first two methods described above. Open the /etc/sudoers file with the visudo command (rather than an ordinary text editor; visudo checks the syntax before saving, and a malformed sudoers file will stop sudo from working at all). Add a line that says:
username ALL=(ALL) ALL
Replace username with the username of your regular user account on your Linux machine. Now you can prefix commands with sudo so that the superuser privs last only for that command. When you issue a command this way, it will prompt you for your own password, not the root user's password.
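The line above gives the account unrestricted root. An added example, not part of the original page, of a tighter grant that covers only the VPN commands documented on this page (the alias name UBVPN is an arbitrary choice; install and uninstall still need the broader grant or su):

```text
# Added example for /etc/sudoers; edit it with visudo, never with a plain editor.
# UBVPN is an alias name chosen for this example.
Cmnd_Alias UBVPN = /usr/local/bin/vpnclient, /etc/rc.d/init.d/vpnclient_init
username ALL=(root) UBVPN
```

With this entry, `sudo /usr/local/bin/vpnclient connect offcampus` and `sudo /etc/rc.d/init.d/vpnclient_init start` work after the user's own password is entered, while sudo refuses any command that is not in the alias.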
Downloading the Software
Download and install the VPN Client, available at http://www.cit.buffalo.edu/linux/vpn.
Authenticate to the site by entering your UBITName and Password. There are two different downloads available: the first is an RPM package for Red Hat Workstation 4, Fedora Core 3, and other 2.6 kernel distributions; the second is a gzipped tarball for other Linux 2.6 distributions. For the tarball, enter the following command to unzip and untar the file; it creates a directory named vpnclient:
tar -zxvf UBvpn-linux-37.tar.gz
Note
Be sure to read the Export Control Notice on the download page. By downloading the VPN file, you affirm that you agree to the terms and conditions of the Export Control Notice.
Installing the Client
Make sure no other VPN software is running when you install the Client. If you have a previous version of the VPN Client, it should be removed before installing the new version. You may need to do this as the root user.
To install the Client, enter the following command as root (or with sudo) from the vpnclient directory:
./vpn_install
If you run it with sudo, you will be prompted for your password. You will then be prompted for a directory in which to install the binaries. The default is /usr/local/bin.
If you choose to, you can have the VPN service start automatically when the computer boots up. This does not establish a VPN tunnel to anywhere; the service just loads the kernel module. It installs links in /etc/rc.d/rc3.d and /etc/rc.d/rc5.d to run the service automatically for run levels 3 (command line login) and 5 (graphical login).
As the install progresses, you will be asked to confirm that the selections are correct. Enter y if the files are where you want them to be.
The VPN Client kernel module must first be loaded. If you answered yes to automatically start the VPN service at boot, reboot your host now.
Accessing UB Using the VPN Client
To use the VPN Client, you must first connect to the Internet using a non-UB
ISP or connect through the UB Wireless Network. As the root user, enter
the following command if you did not have the VPN Client service start at
boot:
/etc/rc.d/init.d/vpnclient_init start
To establish a VPN tunnel to a Wireless Access Point on campus, enter:
/usr/local/bin/vpnclient connect oncampus
To establish a VPN tunnel from a non-UB ISP to UB, enter:
/usr/local/bin/vpnclient connect offcampus
Enter your UBITName and Password when prompted. The VPN session will time out after three hours of on-campus inactivity, 30 minutes of off-campus inactivity, or 24 hours of use. The connect command keeps the terminal occupied while the tunnel is up. If you want to continue using this window, suspend the process by pressing Ctrl-Z, and then run it in the background by entering the command bg.
Disconnecting from the VPN
Note
When your computer goes into sleep mode, the Network Interface Card (NIC) will lose power and drop your Internet connection with no warning message. You must stop and restart the VPN Client in order to reconnect.
When you are finished accessing UB's network and want to disconnect from
the VPN, bring up the terminal window where you entered the connection command.
Click in the terminal window. If you did not suspend the process and run it in the background, press Ctrl-C to disconnect. Otherwise, enter the command:
/usr/local/bin/vpnclient disconnect
Monitoring and Logging
You can monitor your VPN connection by issuing the following command:
/usr/local/bin/vpnclient stat
To reset the counter, enter the following command:
/usr/local/bin/vpnclient stat reset
It is also possible to enable logging. Do this before starting the VPN Client. First, edit the file /etc/CiscoSystemsVPNClient/vpnclient.ini and change EnableLog=0 to EnableLog=1. The log levels for each component range from 0 (disabled) to 3 (verbose). Next, run the command:
/usr/local/bin/ipseclog /somewhere/logfile.txt
where /somewhere is a directory and logfile.txt is the name of the log file. If the file already exists, it will be overwritten by the new data. The log is written by a process running as root; keep it in a directory that other users of the machine cannot read, and remove it once the problem is solved.
Note
Logging consumes additional resources. We recommend that it only be enabled when troubleshooting a problem.
Uninstalling the VPN Client
To uninstall the VPN Client, run the following command as root from the
vpnclient directory that was created during installation:
./vpn_uninstall

