VPN and GNU/Linux at the University of South Wales

These notes are designed to help staff and research students at the University of South Wales connect to their desktop machines from GNU/Linux. You will of course have had to register your username with LCSS as a VPN user first. The information here is just a consolidation of information held on other publicly accessible web servers.

Advantages

The advantages of this approach are:

Disadvantages

vpnc

Download a copy of vpnc (version 0.5.3 at the time of writing) and extract it. You can do this from the command line (open a gnome-terminal) as follows:

$ wget http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
$ tar zxf vpnc-0.5.3.tar.gz

Now install the libgcrypt11 and libgpg-error development libraries, which vpnc needs to build:

$ sudo apt-get install libgcrypt11-dev libgpg-error-dev
(Red Hat users can install these with)
$ sudo yum install libgcrypt-devel libgpg-error-devel

Now build and install the software:

$ cd vpnc-0.5.3
$ make
$ sudo make install

Download a copy of the Windows XP UoG VPN package, extract the .pcf profile from it, convert it with pcf2vpnc (shipped in the vpnc source directory) and install the result into /etc/vpnc. Note that pcf2vpnc decodes the obfuscated group password stored in the .pcf and writes it into the new file in cleartext, so /etc/vpnc/uog.conf must be readable by root only (chmod 600).

$ cd ..
$ wget http://inform.glam.ac.uk/media/files/documents/2008-11-10/uogvpn-4.8.01.0300.exe
$ mkdir xp-vpn
$ cd xp-vpn
$ unzip ../uogvpn-4.8.01.0300.exe
$ cd ../vpnc-0.5.3
$ ./pcf2vpnc ../xp-vpn/uog-vpn.pcf uog.conf
$ sudo cp uog.conf /etc/vpnc/uog.conf
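
Before copying the converted file into /etc/vpnc it is worth checking that it has the keys vpnc expects and that the decoded group secret is not world-readable. The following shell function is an added example, not part of the original notes or of vpnc itself; the gateway, group name and username in the demonstration file are made up, and the list of required keys (IPSec gateway, IPSec ID, IPSec secret) is the minimum a pcf2vpnc-generated file carries, with Xauth username treated as optional because vpnc prompts for it when it is missing.

```shell
#!/bin/bash
#
# check_vpnc_conf <file>: sanity-check a vpnc configuration (such as the
# one pcf2vpnc writes) before copying it into /etc/vpnc/.  Returns 0 when
# the required keys are present and the file is not readable by group or
# other.  pcf2vpnc writes the decoded group password as "IPSec secret" in
# cleartext, so the file must be private to root (chmod 600).
#
check_vpnc_conf() {
  f=$1; rc=0
  [ -f "$f" ] || { echo "$f: no such file"; return 2; }
  # any group- or other-read bit set means the secret leaks to local users
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "$f: readable by group/other; fix with: chmod 600 $f"; rc=1
  fi
  for key in "IPSec gateway" "IPSec ID" "IPSec secret"; do
    grep -q "^$key " "$f" || { echo "$f: missing '$key'"; rc=1; }
  done
  # Xauth username is optional: vpnc prompts for it if absent.
  grep -q "^Xauth username " "$f" || echo "$f: no Xauth username, vpnc will prompt"
  [ "$rc" -eq 0 ] && echo "$f: ok"
  return $rc
}

# Demonstration on a constructed file (hostname, group and user are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/uog.conf" <<'EOF'
IPSec gateway vpn.example.ac.uk
IPSec ID staff-vpn
IPSec secret not-a-real-secret
Xauth username jbloggs
EOF
chmod 644 "$demo_dir/uog.conf"
check_vpnc_conf "$demo_dir/uog.conf" || :   # expected to fail: world-readable
chmod 600 "$demo_dir/uog.conf"
check_vpnc_conf "$demo_dir/uog.conf"        # passes
rm -rf "$demo_dir"
```

Run it as `check_vpnc_conf uog.conf` in the vpnc source directory before the `sudo cp` above, and again on /etc/vpnc/uog.conf after copying, since cp does not preserve the mode unless told to.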

At this point you should be able to create a VPN tunnel to the University, although it won't be much use yet. It is still a good idea to test what has been installed:

$ sudo vpnc uog
VPNC started in background (pid: 15343)...
$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
j1vpn3030g-e2.n merlin.example. 255.255.255.255 UGH   0      0        0 eth1
localnet        *               255.255.255.0   U     0      0        0 eth1
192.168.120.0   *               255.255.252.0   U     0      0        0 tun0
default         *               0.0.0.0         U     0      0        0 tun0
$ sudo vpnc-disconnect
Terminating vpnc daemon (pid: 15343)

Notice that the tun0 device has come to life and is now the default route. Every packet that leaves the machine, not just University traffic, is encrypted by vpnc and sent through tun0 to the University VPN server, which decrypts it and passes it on to the campus network. The rest of these notes restrict that to University destinations only.

Now install dnsmasq, which will answer our DNS queries and decide which ones must go over the slow tunnel to the University nameserver and which can be sent directly (unencrypted) to the ISP's resolver. dnsmasq also caches replies, which noticeably speeds up browsing.

$ sudo apt-get install dnsmasq

Edit /etc/dnsmasq.conf and find these three lines:

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

then add a server line after them so that the block reads:

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
server=/glam.ac.uk/193.63.147.61

This says that any query for a name under glam.ac.uk is sent to the University nameserver (193.63.147.61); everything else goes to the ISP servers dnsmasq read from /etc/resolv.conf. Remember that 193.63.147.61 is only reachable through the tunnel, which is why the vpn script below adds a route for 193.63.147.0/24 over tun0.

Also uncomment no-poll. vpnc's connect script rewrites /etc/resolv.conf when the tunnel comes up; with no-poll, dnsmasq ignores that change and keeps forwarding non-University queries to the ISP servers it read at startup. Change the last line of these three

# If you don’t want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

to

# If you don’t want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
no-poll

Now copy and paste this script into a file called vpn. It starts vpnc and then arranges the routing table so that only packets destined for the University go (slowly) over tun0, while everything else goes (quickly, unencrypted) via the ISP.

Two settings need checking. ISP_GW is the address of your local router (192.168.0.1 here, a home router; substitute your own). DESKTOP_NET is YOUR desktop net id: currently the script routes 193.63.148.0/24 to tun0, and your desktop's network might be different. To check, run /usr/sbin/ifconfig on your desktop and note the network address and netmask. Note also that the script does not remove the default route vpnc installed via tun0; it adds a second default route via the ISP gateway, which the kernel lists first and uses, as the route table and traceroute output below show.

#!/bin/bash
#
#  vpn: start the University tunnel, then route only University
#  networks over tun0 and everything else directly via the ISP.
#
export PATH=/sbin:/usr/local/sbin:$PATH

ISP_GW=192.168.0.1          # your local router (the default gateway to your ISP)
DESKTOP_NET=193.63.148.0    # YOUR desktop net id (check with /usr/sbin/ifconfig on the desktop)

echo "Starting vpn..."
vpnc uog || { echo "vpnc failed to start"; exit 1; }

#
#  default route goes to ISP.  vpnc has just made tun0 the default;
#  this route is listed ahead of it and is the one the kernel uses.
#
route add default gw $ISP_GW
#
#  add route for .glam.ac.uk nameserver  (remember that
#  dnsmasq only uses this for .glam.ac.uk requests)
#
route add -net 193.63.147.0 netmask 255.255.255.0 dev tun0
#
#  add route onto 193.63.129.0 network:  mcgreg, floppsie
#                                        and moppsy
#
route add -net 193.63.129.0 netmask 255.255.255.0 dev tun0
#
#  and add route to desktop subnet (DESKTOP_NET above)
#
route add -net $DESKTOP_NET netmask 255.255.255.0 dev tun0

#
#  finally print route info
#
route

echo "Press enter to stop vpn"
read ans

vpnc-disconnect
sleep 2
route

Now make this script executable via:

$ chmod 700 vpn
$ sudo cp vpn /usr/local/sbin

to invoke the vpn script type:

$ sudo /usr/local/sbin/vpn

You should see output like the following:

Starting vpn...
VPNC started in background (pid: 15972)...
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
j1vpn3030g-e2.n merlin.example. 255.255.255.255 UGH   0      0        0 eth1
localnet        *               255.255.255.0   U     0      0        0 eth1
193.63.148.0    *               255.255.255.0   U     0      0        0 tun0
193.63.129.0    *               255.255.255.0   U     0      0        0 tun0
193.63.147.0    *               255.255.255.0   U     0      0        0 tun0
192.168.120.0   *               255.255.252.0   U     0      0        0 tun0
default         merlin.example. 0.0.0.0         UG    0      0        0 eth1
default         *               0.0.0.0         U     0      0        0 tun0
Press enter to stop vpn

You can now connect to mcgreg.comp.glam.ac.uk using ssh, or to your Windows desktop via the GNU/Linux rdesktop client. To confirm that University and non-University traffic take different routes, use traceroute:

$ traceroute www.google.com
traceroute to www.l.google.com (216.239.59.99), 30 hops max, 52 byte packets
 1  merlin.example.org (192.168.0.1)  0.232 ms  0.125 ms  0.114 ms
 2  sgrs-lns-01-lo0.onetel.net.uk (212.67.121.44)  18.814 ms  19.826 ms  19.942 ms
^C
$ traceroute mcgreg.comp.glam.ac.uk
traceroute to mcgreg.comp.glam.ac.uk (193.63.129.1), 30 hops max, 52 byte packets
 1  j1vpn3030g-e2.net.glam.ac.uk (193.63.147.135)  30.713 ms  28.655 ms  28.890 ms
^C

Note that the first hop inside the tunnel (about 30 ms) takes noticeably longer than the first hop towards the ISP (about 19 ms): the cost of encryption and the extra trip via the University.
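
traceroute sends real packets, so it is useful to be able to check the routing table offline as well. The following shell functions are an added example, not part of the original notes: they do a longest-prefix match over a constructed copy of the `route -n` output shown above (destination, gateway, genmask, iface, in the order the kernel listed them) and confirm that University networks and the University nameserver leave via tun0 while the Internet, the local LAN and, crucially, the VPN concentrator itself (193.63.147.135, which has a host route via the home router) stay on eth1. The tie-break for the two default routes (first listed wins) mirrors what the traceroute above showed; the other addresses and the function names are assumptions for the demonstration.

```shell
#!/bin/bash
#
# Offline check of the split-tunnel routing table.  SAMPLE_ROUTES is a
# constructed copy of `route -n` (destination gateway genmask iface) in the
# same order the kernel listed it after the vpn script ran; real output can
# be fed in instead with:  route -n | awk 'NR>2 {print $1, $2, $3, $8}'
#
SAMPLE_ROUTES='193.63.147.135 192.168.0.1 255.255.255.255 eth1
192.168.0.0 0.0.0.0 255.255.255.0 eth1
193.63.148.0 0.0.0.0 255.255.255.0 tun0
193.63.129.0 0.0.0.0 255.255.255.0 tun0
193.63.147.0 0.0.0.0 255.255.255.0 tun0
192.168.120.0 0.0.0.0 255.255.252.0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 tun0'

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len <netmask> -> number of set bits (255.255.252.0 -> 22)
prefix_len() {
  local m len
  m=$(ip2int "$1"); len=0
  while [ "$m" -ne 0 ]; do
    len=$(( len + (m & 1) )); m=$(( m >> 1 ))
  done
  echo "$len"
}

# which_iface <dest-ip> [routes]: longest-prefix match; ties go to the
# route listed first, as the kernel did for the two default routes.
which_iface() {
  local dst best_len best_if routes net gw mask iface n m len
  dst=$(ip2int "$1"); best_len=-1; best_if=""
  routes=${2:-$SAMPLE_ROUTES}
  while read -r net gw mask iface; do
    [ -n "$net" ] || continue
    n=$(ip2int "$net"); m=$(ip2int "$mask")
    [ $(( dst & m )) -eq $(( n & m )) ] || continue
    len=$(prefix_len "$mask")
    if [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_if=$iface
    fi
  done <<EOF
$routes
EOF
  echo "$best_if"
}

# check_split_tunnel: University nets and the University nameserver must
# leave via tun0; the Internet, the LAN and the VPN concentrator itself
# must stay on eth1, or the tunnel's own packets would be routed back
# into the tunnel.  Returns 0 only if every expectation holds.
check_split_tunnel() {
  local rc pair dst want got
  rc=0
  for pair in 216.239.59.99:eth1 192.168.0.1:eth1 193.63.147.135:eth1 \
              193.63.129.1:tun0 193.63.148.10:tun0 193.63.147.61:tun0 \
              192.168.121.7:tun0; do
    dst=${pair%%:*}; want=${pair##*:}
    got=$(which_iface "$dst")
    if [ "$got" = "$want" ]; then
      echo "ok   $dst -> $got"
    else
      echo "FAIL $dst -> ${got:-none} (expected $want)"; rc=1
    fi
  done
  return $rc
}

check_split_tunnel
```

The check on 193.63.147.135 is the important one: if the /32 host route to the VPN server via the home router were ever lost (for example after the desktop subnet line is edited to a broader mask), the encrypted packets themselves would match the 193.63.147.0/24 route into tun0 and the tunnel would collapse.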

When you wish to disconnect the vpn tunnel press the <enter> key in the gnome-terminal window. You should see the following messages:

Terminating vpnc daemon (pid: 15972)
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth1
default         merlin.example. 0.0.0.0         UG    0      0        0 eth1