Connect to IU's SSL VPN using the OpenConnect client on a 64-bit Linux workstation

On this page:


These instructions are for connecting to Indiana University's SSL VPN using the OpenConnect client on a workstation running a current 64-bit Ubuntu, Fedora, or Red Hat Enterprise Linux distribution. For information about support for other platforms, see Supported Platforms on the OpenConnect website. OpenConnect versions 7.05 and later include support for Juniper's Network Connect protocol.

Install OpenConnect

OpenConnect is included in current releases of Ubuntu, Fedora, and Red Hat Enterprise Linux (RHEL); however, if OpenConnect is not already installed on your system, use the following instructions to download and install it:


  1. In a terminal window, use the apt-get utility (with super-user privileges) to update your system's package database:
    sudo apt-get update
  2. Use apt-get (with super-user privileges) to download and install the most recent version of OpenConnect:
    sudo apt-get install openconnect


Use yum (with super-user privileges) to install OpenConnect:

sudo yum install NetworkManager-openconnect


Use Fedora's Extra Packages for Enterprise Linux (EPEL) repository to download and install OpenConnect:

  1. If the EPEL repository is not already installed on your system:
    • RHEL 7: Enter:
      sudo rpm -Uvh
    • RHEL 6: Enter:
      sudo rpm -Uvh
  2. Use yum (with super-user privileges) to enable the EPEL repository and install OpenConnect:
    sudo yum --enablerepo=epel install NetworkManager-openconnect

Connect to the VPN

As of February 2, 2017, connecting to IU's SSL VPN requires Two-Step Login (Duo) for everyone at IU, regardless of your university status.

IU's SSL VPN is for off-campus use only; it will not allow you to establish a connection if your device is connected (via wireless or Ethernet) to an IU network.

To connect to the IU SSL VPN using OpenConnect, you need super-user privileges on your system.

  1. In a terminal window:
    • Ubuntu: Enter:
      sudo openconnect -b --cafile /etc/ssl/certs/ca-certificates.crt --juniper
    • RHEL: Enter:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper
    • Fedora: Enter:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper

    If you use the IU Groups VPN or Health Sciences Network (HSN) VPN, append the VPN URL in the above examples with either /groups or /hsn; for example:

    • Groups VPN: Use
    • HSN VPN: Use

    For more about these VPNs, see:

  2. When prompted for a username, enter your IU username.
  3. When prompted for a password, enter your IU passphrase.
  4. At the Duo authentication password#2 prompt, enter one of the following:
    • A passcode (e.g., 123456): Generated by Duo Mobile, an SMS text, or a single-button hardware token
    • push: Sends a push login request to the Duo Mobile app on your primary smartphone or tablet
    • phone: Calls your primary phone number (e.g., smartphone, landline)
    • sms: Sends a new SMS passcode to your primary device; once you receive the passcode via SMS, enter it at the password#2 prompt. (Entering sms may cause OpenConnect to return an error message; however, you will receive a text message with a passcode, which you then can enter at the password#2 prompt to authenticate successfully.)

    If you have more than one Duo device of a certain type registered (e.g., a second smartphone or tablet), you can add a number to the end of your secondary password to direct login requests to a particular device (e.g., push2 will send a login request to your second phone; phone3 will call your third phone).

To disconnect from the VPN, run the following command:

sudo killall -SIGINT openconnect

You can connect a maximum of two devices at a time to IU's SSL VPN. If you try to connect a third device while you already have a connection running on two other devices, you'll see a prompt asking whether you want to maintain the existing connections and cancel the new connection request, or break one of the existing connections and establish a new connection. Exceptions are provided for group accounts in certain situations.

This is document bbte in the Knowledge Base.
Last modified on 2019-02-01 17:10:37.

Contact us

For help or to comment, email the UITS Support Center.