Connecting to IU's SSL VPN using the OpenConnect client on a 64-bit Linux workstation

Following are instructions for connecting to Indiana University's SSL VPN using the OpenConnect client on a workstation running a current 64-bit Ubuntu, Fedora, or Red Hat Enterprise Linux distribution. For information about support for other platforms, see Supported Platforms on the OpenConnect website. OpenConnect versions 7.05 and later include support for Juniper's Network Connect protocol.


Installing OpenConnect

OpenConnect is included in current releases of Ubuntu, Fedora, and Red Hat Enterprise Linux (RHEL); however, if OpenConnect is not already installed on your system, use the following instructions to download and install it:

  • Ubuntu: First, in a terminal window, use the apt-get utility (with super-user privileges) to update your system's package database:

      sudo apt-get update
    

    Then, use apt-get (with super-user privileges) to download and install the most recent version of OpenConnect:

      sudo apt-get install openconnect
    
  • Fedora: Use yum (with super-user privileges) to install OpenConnect:

      sudo yum install NetworkManager-openconnect
    
  • RHEL: Use Fedora's Extra Packages for Enterprise Linux (EPEL) repository to download and install OpenConnect:
    1. If the EPEL repository is not already installed on your system:
      1. Download the EPEL RPM:

           wget https://dl.fedoraproject.org/pub/epel/epel-release-7-10.noarch.rpm

      2. Use rpm (with super-user privileges) to install the EPEL RPM:

           sudo rpm -ivh epel-release-7-10.noarch.rpm

    2. Use yum (with super-user privileges) to enable the EPEL repository and install OpenConnect:

         sudo yum --enablerepo=epel install NetworkManager-openconnect


Connecting to the VPN

Important:
As of February 2, 2017, connecting to IU's SSL VPN requires Two-Step Login (Duo) for everyone at IU, regardless of your university status.

To connect to the IU SSL VPN using OpenConnect, you need super-user privileges on your system.

  1. In a terminal window:
    • Ubuntu: Enter:

        sudo openconnect --cafile /etc/ssl/certs/ca-certificates.crt --juniper https://vpn.iu.edu

    • RHEL: Enter:

        sudo openconnect --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper https://vpn.iu.edu

    • Fedora: Enter:

        sudo openconnect --cafile /etc/pki/tls/certs/ca-bundle.crt --juniper https://vpn.iu.edu

    Note:

    If you use the IU Groups VPN or Health Sciences Network (HSN) VPN, append either /groups or /hsn to the VPN URL in the above examples; for example:

    • Groups VPN: Use https://vpn.iu.edu/groups.
    • HSN VPN: Use https://vpn.iu.edu/hsn.

    For more about these VPNs, see:

  2. When prompted for a username, enter your IU username.
  3. When prompted for a password, enter your IU passphrase.
  4. At the Duo authentication password#2 prompt, enter one of the following:
    • A passcode (e.g., 123456): Generated by Duo Mobile, an SMS text, or a single-button hardware token
    • push: Sends a push login request to the Duo Mobile app on your primary smartphone or tablet
    • phone: Calls your primary phone number (e.g., smartphone, landline)
    • sms: Sends a new SMS passcode to your primary device; once you receive the passcode via SMS, enter it at the password#2 prompt. (Entering sms may cause OpenConnect to return an error message; however, you will receive a text message with a passcode, which you then can enter at the password#2 prompt to authenticate successfully.)

    If you have more than one Duo device of a certain type registered (e.g., a second smartphone or tablet), you can add a number to the end of your secondary password to direct login requests to a particular device (e.g., push2 will send a login request to your second phone; phone3 will call your third phone).

Note:
You can connect a maximum of two devices at a time to IU's SSL VPN. If you try to connect a third device while you already have a connection running on two other devices, you'll see a prompt asking whether you want to maintain the existing connections and cancel the new connection request, or break one of the existing connections and establish a new connection. Exceptions are provided for group accounts in certain situations.
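
The connection commands above differ only in the CA bundle path and the optional /groups or /hsn suffix. The following wrapper is an added example, not part of the original Knowledge Base document: it picks whichever of the two CA bundle paths exists, accepts only the three VPN URLs documented here, and refuses to connect if no CA bundle is found. The function names and the IU_VPN_DRYRUN variable are hypothetical.

```shell
# Added example: wrapper around the openconnect commands shown on this page.
# Function names and IU_VPN_DRYRUN are hypothetical, chosen for illustration.

VPN_BASE="https://vpn.iu.edu"

# Print the first readable, non-empty CA bundle among the candidate paths.
# With no arguments, try the Ubuntu path and then the RHEL/Fedora path.
find_ca_bundle() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
    fi
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Map a profile name to its VPN URL; anything not documented above is rejected,
# so a mistyped or pasted argument can never redirect the login elsewhere.
vpn_url() {
    case "${1:-default}" in
        default)    printf '%s\n' "$VPN_BASE" ;;
        groups|hsn) printf '%s/%s\n' "$VPN_BASE" "$1" ;;
        *)          echo "unknown VPN profile: $1" >&2; return 2 ;;
    esac
}

# Connect to the chosen profile. With IU_VPN_DRYRUN=1, only print the command.
# The body runs in a subshell so its variables do not leak into the caller.
iu_vpn() (
    url=$(vpn_url "${1:-default}") || exit $?
    ca=$(find_ca_bundle) || {
        echo "no CA bundle found; not connecting without certificate validation" >&2
        exit 1
    }
    set -- openconnect --cafile "$ca" --juniper "$url"
    if [ "${IU_VPN_DRYRUN:-0}" = 1 ]; then
        printf 'sudo %s\n' "$*"
    else
        sudo "$@"
    fi
)
```

Source the file in your shell, then run `iu_vpn`, `iu_vpn groups`, or `iu_vpn hsn`; the username, passphrase, and Duo password#2 prompts then appear as described in steps 2 through 4.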

This is document bbte in the Knowledge Base.
Last modified on 2017-09-21 13:53:00.