These notes are designed to help staff and research students at the University of South Wales connect to their desktop machines using GNU/Linux. You will of course have had to register your username as using vpn with LCSS. The information here is just a consolidation of information held on other publically accessible web servers.
The advantages with this approach are:
Download a copy of vpnc from here and extract it. You can do this from the command line (open a gnome-terminal) as follows:
$ wget http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz $ tar zxf vpnc-0.5.3.tar.gz
now install the libcrypt11 and libgpg-error-dev libraries
$ sudo apt-get install libgcrypt11-dev libgpg-error-dev (redhat users can install these by) $ sudo yum install libgcrypt-devel libgpg-error-devel
now we build and install the software:
$ cd vpnc-0.5.3 $ make $ sudo make install
download a copy of the Windows XP UoG vpn package, extract the pcf file convert and install it into the vpnc directory.
$ cd .. $ wget http://inform.glam.ac.uk/media/files/documents/2008-11-10/uogvpn-4.8.01.0300.exe $ mkdir xp-vpn $ cd xp-vpn $ unzip ../uogvpn-4.8.01.0300.exe $ cd ../vpnc-0.5.3 $ ./pcf2vpnc ../xp-vpn/uog-vpn.pcf uog.conf $ sudo cp uog.pcf /etc/vpnc/uog.conf
at this point you should be able to create a vpn tunnel with the University but it won’t be much use yet.. Anyhow it would be a good idea to test what has been installed. To do this you can:
$ sudo vpnc uog VPNC started in background (pid: 15343)... $ sudo route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface j1vpn3030g-e2.n merlin.example. 255.255.255.255 UGH 0 0 0 eth1 localnet * 255.255.255.0 U 0 0 0 eth1 192.168.120.0 * 255.255.252.0 U 0 0 0 tun0 default * 0.0.0.0 U 0 0 0 tun0 $ sudo vpnc-disconnect Terminating vpnc daemon (pid: 15343)
Notice that the tun0 device has come to life and it is set as the default route. The tun0 device will encrypt all packets securely and send them to the University vpn server which in turn decrypts and passes them onto the local network.
Now install dnsmasq which will resolve our dns queries and decide which queries need to go along the slow tunnel to work and which ones can be more efficiently sent directly unencrypted to our ISP. The dnsmasq package has a pleasant side effect of caching dns requests, vastly improving the browsing experience.
$ sudo apt-get install dnsmasq
edit /etc/dnsmasq.conf, and search for the three lines which are:
# Add other name servers here, with domain specs if they are for # non-public domains. #server=/localnet/192.168.0.1
then add the following line
# Add other name servers here, with domain specs if they are for # non-public domains. #server=/localnet/192.168.0.1 server=/glam.ac.uk/220.127.116.11
this says any dns query matching .glam.ac.uk will be resolved by the University nameserver (18.104.22.168)
also alter the last line of these three
# If you don’t want dnsmasq to poll /etc/resolv.conf or other resolv # files for changes and re-read them then uncomment this. #no-poll
# If you don’t want dnsmasq to poll /etc/resolv.conf or other resolv # files for changes and re-read them then uncomment this. no-poll
Now copy and paste this script into a file called vpn. Essentially all packets which are destined to the University go slowly over the tun0 device and all other go quickly unencrypted to our ISP.
You should check (and maybe modify the line following "YOUR desktop net id"). Currently the script will redirect any 22.214.171.124 traffic to the tun0 device. Your desktop net id might be different - to check run /usr/sbin/ifconfig on your desktop and note the network address.
#!/bin/bash export PATH=/sbin:/usr/local/sbin:$PATH echo "Starting vpn..." vpnc uog # # default route goes to ISP # route add default gw 192.168.0.1 # # add route for .glam.ac.uk nameserver (remember that # dnsmasq only uses this for .glam.ac.uk requests) # route add -net 126.96.36.199 netmask 255.255.255.0 dev tun0 # # add route onto 188.8.131.52 network: mcgreg, floppsie # and moppsy # route add -net 184.108.40.206 netmask 255.255.255.0 dev tun0 # # and add route to desktop subnet # # you might need to alter the following line to match # YOUR desktop net id route add -net 220.127.116.11 netmask 255.255.255.0 dev tun0 # # finally print route info # route echo "Press enter to stop vpn" read ans vpnc-disconnect sleep 2 route
Now make this script executable via:
$ chmod 700 vpn $ cp vpn /usr/local/sbin
to invoke the vpn script type:
$ sudo /usr/local/sbin/vpn
you should see the following:
Starting vpn... VPNC started in background (pid: 15972)... Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface j1vpn3030g-e2.n merlin.example. 255.255.255.255 UGH 0 0 0 eth1 localnet * 255.255.255.0 U 0 0 0 eth1 18.104.22.168 * 255.255.255.0 U 0 0 0 tun0 22.214.171.124 * 255.255.255.0 U 0 0 0 tun0 126.96.36.199 * 255.255.255.0 U 0 0 0 tun0 192.168.120.0 * 255.255.252.0 U 0 0 0 tun0 default merlin.example. 0.0.0.0 UG 0 0 0 eth1 default * 0.0.0.0 U 0 0 0 tun0 Press enter to stop vpn
You can now connect to mcgreg.comp.glam.ac.uk using ssh, or to your Windows desktop via the GNU/Linux rdesktop client. To test that different routes are taken try using traceroute:
$ traceroute www.google.com traceroute to www.l.google.com (188.8.131.52), 30 hops max, 52 byte packets 1 merlin.example.org (192.168.0.1) 0.232 ms 0.125 ms 0.114 ms 2 sgrs-lns-01-lo0.onetel.net.uk (184.108.40.206) 18.814 ms 19.826 ms 19.942 ms ^C $ traceroute mcgreg.comp.glam.ac.uk traceroute to mcgreg.comp.glam.ac.uk (220.127.116.11), 30 hops max, 52 byte packets 1 j1vpn3030g-e2.net.glam.ac.uk (18.104.22.168) 30.713 ms 28.655 ms 28.890 ms ^C
It is interesting to see that the encrypted route is nearly twice as slow as the unencrypted route.
When you wish to disconnect the vpn tunnel press the <enter> key in the gnome-terminal window. You should see the following messages:
Terminating vpnc daemon (pid: 15972) Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface localnet * 255.255.255.0 U 0 0 0 eth1 default merlin.example. 0.0.0.0 UG 0 0 0 eth1