Connect to IU's SSL VPN using OpenConnect on a 64-bit Linux workstation


Note:
For workstations running 32- or 64-bit Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu, or Debian, UITS recommends using Pulse Secure to connect to Indiana University's SSL VPN. IU students, faculty, and staff can download Pulse Secure from IUware. For instructions, see Connect to IU's SSL VPN using Pulse Secure on a 32- or 64-bit Linux workstation.

Overview

You can use the OpenConnect VPN client included in current releases of 64-bit Ubuntu, Fedora, and Red Hat Enterprise Linux (RHEL) to connect to Indiana University's SSL VPN. For information about other supported platforms, see Supported Platforms on the OpenConnect website. OpenConnect versions 7.05 and later include support for Juniper's Network Connect protocol.

Important:
  • Use the IU VPN only under one of these conditions:
    • If you are trying to access a service you can't get to another way.
    • If your IT Pro has told you that you need to use it.

    Generally, you won't need to use the VPN if you are a student. For example, you don't need a VPN connection to:

    • Use learning tools, such as Canvas, Zoom, or Kaltura.
    • Read your IU email over the web.
    • Work with your files in Microsoft OneDrive at IU or Google at IU My Drive.
  • If you have difficulty with the VPN: Try using IUanyWare (doesn't require a VPN connection).

    For example, you can use IUanyWare's Remote Desktop Connection app to remote into a device on campus. Additionally, IUanyWare's Chrome browser allows you to access sites as if you were on campus.

    In IUanyWare, search the available apps to find what may be helpful.

  • On the IU network: You cannot connect to the VPN, as it is for off-campus use only.

    If you receive a 1329 error when attempting to connect to the VPN, try connecting using a non-eduroam or non-IU Secure connection.

  • To ensure accountability of network communication, the University Information Policy Office prohibits group accounts from connecting to IU's SSL VPN. To make a VPN connection, you must log in using your personal IU username and passphrase.
  • For general VPN usage, you can connect one device at a time. If you connect a second device while you already have a connection running to another device, you'll see a prompt asking whether you want to maintain the existing connection and cancel the new connection request, or break the existing connection and establish a new connection. Groups VPN users can connect two devices concurrently.

Install OpenConnect

If OpenConnect is not already installed on your system, use the appropriate instructions below to download and install it.

Ubuntu

  1. Use the apt-get utility (with super-user privileges) to update your system's package database:
    sudo apt-get update
    
  2. Use apt-get (with super-user privileges) to download and install the most recent version of OpenConnect:
    sudo apt-get install openconnect
    

Fedora

Use yum (with super-user privileges) to install OpenConnect:

sudo yum install NetworkManager-openconnect

RHEL

  1. Use Fedora's Extra Packages for Enterprise Linux (EPEL) repository to download and install OpenConnect.

    If the EPEL repository is not already installed on your system:

    • In RHEL 7, enter:
      sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    • In RHEL 6, enter:
      sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
      
  2. Use yum (with super-user privileges) to enable the EPEL repository and install OpenConnect:
    sudo yum --enablerepo=epel install NetworkManager-openconnect
    

Connect and disconnect

To use the following instructions, you need super-user privileges on your system.

Note:
If your connection is unstable, you can add the --no-dtls flag to the commands below and create a firewall rule on your machine that blocks UDP traffic to vpn.iu.edu, which forces the connection to use TCP. This can sometimes result in a slower connection, but can increase stability if packet loss is occurring over UDP. For more information, see OpenConnect VPN client.

  1. Use the openconnect command to specify the appropriate certificate and VPN server:
    • Ubuntu:
      sudo openconnect -b --cafile /etc/ssl/certs/ca-certificates.crt --protocol=pulse https://vpn.iu.edu
      
    • RHEL:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --protocol=pulse https://vpn.iu.edu
      
    • Fedora:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --protocol=pulse https://vpn.iu.edu
      
    Note:

    If you use the IU Groups VPN or Health Sciences Network (HSN) VPN, replace the VPN URL in the above examples with either:

    • Groups VPN: https://vpn.iu.edu/groups
    • HSN VPN: https://vpn.iu.edu/hsn


  2. When prompted for a username, enter your IU username.
  3. When prompted for a password, enter your IU passphrase.
  4. At the Duo authentication password#2 prompt, enter one of the following:
    • A passcode (for example, 123456): Generated by Duo Mobile, an SMS text, or a single-button hardware token
    • push: Sends a push login request to the Duo Mobile app on your primary smartphone or tablet
    • phone: Calls your primary phone number (for example, smartphone, landline)
    • sms: Sends a new SMS passcode to your primary device; once you receive the passcode via SMS, enter it at the password#2 prompt.
      Important:
      Entering sms may cause OpenConnect to return an error message. However, you will also receive a text message with a passcode to enter at the password#2 prompt to authenticate successfully.
      Note:
      If you have more than one Duo device of a certain type registered, such as a second smartphone or tablet, you can add a number to the end of your secondary password to direct login requests to a particular device (for example, push2 will send a login request to your second phone; phone3 will call your third phone).

To disconnect from the VPN, use the following command:

sudo killall -SIGINT openconnect
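
The connect and disconnect steps above, combined into one wrapper script as an added example (not part of IU's documentation). The function names, the CA_CANDIDATES variable, and the use of iptables for the firewall rule are assumptions; the page only says to block UDP traffic to vpn.iu.edu.

```shell
#!/bin/sh
# Added example: wrapper for the openconnect commands on this page.
VPN_HOST="vpn.iu.edu"
# CA bundle paths from the page: Ubuntu first, then RHEL/Fedora.
# CA_CANDIDATES is a hypothetical override, not an openconnect setting.
CA_CANDIDATES="${CA_CANDIDATES:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt}"

# Print the first CA bundle that exists and is non-empty. Fail if none does,
# so the caller never runs openconnect without --cafile.
ca_bundle() {
    for f in $CA_CANDIDATES; do
        if [ -s "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Map a realm name to the URL given on the page. Anything else is rejected,
# so a typo cannot send your passphrase to an unintended path.
vpn_url() {
    case "${1:-default}" in
        default) printf 'https://%s\n' "$VPN_HOST" ;;
        groups)  printf 'https://%s/groups\n' "$VPN_HOST" ;;
        hsn)     printf 'https://%s/hsn\n' "$VPN_HOST" ;;
        *)       return 1 ;;
    esac
}

# Usage: sh iu-vpn.sh connect [default|groups|hsn] [tcp]
#        sh iu-vpn.sh disconnect
action="${1:-}"; realm="${2:-default}"; mode="${3:-}"
case "$action" in
    connect)
        url=$(vpn_url "$realm") || { echo "unknown realm: $realm" >&2; exit 1; }
        ca=$(ca_bundle) || { echo "no CA bundle found" >&2; exit 1; }
        set -- -b --cafile "$ca" --protocol=pulse
        if [ "$mode" = "tcp" ]; then
            # Assumed firewall tool: iptables (IPv4 only). The hostname is
            # resolved once, when the rule is inserted.
            sudo iptables -I OUTPUT -p udp -d "$VPN_HOST" -j DROP
            set -- "$@" --no-dtls
        fi
        sudo openconnect "$@" "$url" ;;
    disconnect)
        sudo killall -SIGINT openconnect
        # Remove the UDP block if one was added; ignore "rule not found".
        sudo iptables -D OUTPUT -p udp -d "$VPN_HOST" -j DROP 2>/dev/null || true ;;
esac
```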

This is document bbte in the Knowledge Base.
Last modified on 2021-03-12 11:37:05.