The Duke VPN
As of ~Jan-Feb 2018, Papio users wanting to access the database or server with nearly anything besides phpPgAdmin will first need to be connected to Duke's network. You can do this either by being physically at Duke and connecting to the network, or by using Duke's VPN.
Important: Duke's VPN is different from the old custom VPN we had created solely for our use, documented elsewhere in this wiki. If you have previously used that VPN, be aware that it won't work anymore.
For information about how to connect to this VPN, check with Duke OIT, who manages and supports it:
VPN info (https://oit.duke.edu/what-we-do/services/vpn), via Duke OIT
You may also find our tips for authenticating with Duke useful.
Connecting via OpenConnect
Duke OIT provides software to connect to the VPN, and for most users this should be sufficient. However, FOSS users may wish to use the Open Source openconnect program instead. openconnect is probably already packaged by your OS supplier, so consider installing the OS supplied package first.
Basic openconnect usage
The openconnect command must be run as root.
The usual command for this is:
openconnect -u YourDukeNetID --authgroup '-Default-' https://vpn.duke.edu/
Supplying your NetID and the authgroup saves you a bit of typing later.
You will be prompted for a password. This is your Duke NetID password.
The Duke VPN uses TCP port 443 at the Duke end. It also uses UDP port 443 (although this is undocumented). Your firewall will need to be configured to allow outbound traffic to these ports. This will probably not be a problem. TCP 443 is used for https connections and will typically already be open. Most firewalls are not configured using the most secure "default deny" policy and so allow users on the LAN to connect to any port at all at the remote end.
The alternative to opening outbound connections to UDP port 443 is to use the --no-dtls argument. This will also work should Duke change their configuration to use a different UDP port.
Advanced openconnect usage
The problem with the above command, and the Duke supplied VPN software, is that both the routing and the DNS server used by your box are changed. This can cause problems, from not being able to connect to non-web-based email servers to problems accessing local LAN services like X clients or printers. Fortunately there is a solution that sets up what amounts to a local virtual machine, though which you then connect to the Duke side of things. This is established using the vpnc-script-sshd helper script as follows (note the \ line continuation character):
openconnect -u YourDukeNetID --script=/usr/share/vpnc-scripts/vpnc-script-sshd \ --authgroup '-Default-' https://vpn.duke.edu/
The path to the vpnc-script-sshd script may vary on your system. The above path is for Debian based systems.
The next step is to use the new virtual machine. (Really, this is a new network namespace on your local box.)