Connect to IU's SSL VPN using OpenConnect on a 64-bit Linux workstation

On this page:

For workstations running 32- or 64-bit Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu, or Debian, UITS recommends using Pulse Secure to connect to Indiana University's SSL VPN. IU students, faculty, and staff can download Pulse Secure from IUware. For instructions, see Connect to IU's SSL VPN using Pulse Secure on a 32- or 64-bit Linux workstation.


You can use the OpenConnect VPN client included in current releases of 64-bit Ubuntu, Fedora, and Red Hat Enterprise Linux (RHEL) to connect to Indiana University's SSL VPN. For information about other supported platforms, see Supported Platforms on the OpenConnect website. OpenConnect versions 7.05 and later include support for Juniper's Network Connect protocol.

  • IU's SSL VPN is for off-campus use only; it will not allow you to establish a connection if your device is connected (via wireless or Ethernet) to an IU network.
  • To ensure accountability of network communication, the University Information Policy Office prohibits group accounts from connecting to IU's SSL VPN. To make a VPN connection, you must log in using your personal IU username and passphrase.
  • You can connect a maximum of two devices at a time to IU's SSL VPN. If you try to connect a third device while you already have a connection running on two other devices, you'll see a prompt asking whether you want to maintain the existing connections and cancel the new connection request, or break one of the existing connections and establish a new connection.

Install OpenConnect

If OpenConnect is not already installed on your system, use the appropriate instructions below to download and install it.


  1. Use the apt-get utility (with super-user privileges) to update your system's package database:
    sudo apt-get update
  2. Use apt-get (with super-user privileges) to download and install the most recent version of OpenConnect:
    sudo apt-get install openconnect


Use yum (with super-user privileges) to install OpenConnect:

sudo yum install NetworkManager-openconnect


  1. Use Fedora's Extra Packages for Enterprise Linux (EPEL) repository to download and install OpenConnect.

    If the EPEL repository is not already installed on your system:

    • In RHEL 7, enter:
      sudo rpm -Uvh
    • In RHEL 6, enter:
      sudo rpm -Uvh
  2. Use yum (with super-user privileges) to enable the EPEL repository and install OpenConnect:
    sudo yum --enablerepo=epel install NetworkManager-openconnect

Connect and disconnect

To use the following instructions, you need super-user privileges on your system.

  1. Use the openconnect command to specify the appropriate certificate and VPN server:
    • Ubuntu:
      sudo openconnect -b --cafile /etc/ssl/certs/ca-certificates.crt --juniper
    • RHEL:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper
    • Fedora:
      sudo openconnect -b --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper

    If you use the IU Groups VPN or Health Sciences Network (HSN) VPN, replace the VPN URL in the above examples with either:

    • Groups VPN:
    • HSN VPN:

    For more about these VPNs, see:

  2. When prompted for a username, enter your IU username.
  3. When prompted for a password, enter your IU passphrase.
  4. At the Duo authentication password#2 prompt, enter one of the following:
    • A passcode (e.g., 123456): Generated by Duo Mobile, an SMS text, or a single-button hardware token
    • push: Sends a push login request to the Duo Mobile app on your primary smartphone or tablet
    • phone: Calls your primary phone number (e.g., smartphone, landline)
    • sms: Sends a new SMS passcode to your primary device; once you receive the passcode via SMS, enter it at the password#2 prompt.
      Entering sms may cause OpenConnect to return an error message. However, you also will receive a text message with a passcode to enter at the password#2 prompt to authenticate successfully.
      If you have more than one Duo device of a certain type registered, such as a second smartphone or tablet, you can add a number to the end of your secondary password to direct login requests to a particular device (for example, push2 will send a login request to your second phone; phone3 will call your third phone).

To disconnect from the VPN, use the following command:

sudo killall -SIGINT openconnect

This is document bbte in the Knowledge Base.
Last modified on 2019-04-02 13:37:07.

Contact us

For help or to comment, email the UITS Support Center.