The Duke VPN

As of ~Jan-Feb 2018, Papio users wanting to access the database or server with nearly anything besides phpPgAdmin will first need to be connected to Duke's network. You can do this either by being physically at Duke and connecting to the network, or by using Duke's VPN.

For information about how to connect to this VPN, check with Duke OIT, who manages and supports it:

You may also find our tips for authenticating with Duke useful.

Connecting via OpenConnect

Duke OIT provides software to connect to the VPN, and for most users this should be sufficient. However, FOSS users may wish to use the Open Source openconnect program instead. openconnect is probably already packaged by your OS supplier, so consider installing the OS supplied package first.

Basic openconnect usage

The openconnect command must be run as root.

The usual command for this is:

Supplying your NetID and the authgroup saves you a bit of typing later.

You will be prompted for a password. This is your Duke NetID password.

The Duke VPN uses TCP port 443 at the Duke end. It also uses UDP port 443 (although this is undocumented). Your firewall will need to be configured to allow outbound traffic to these ports. This will probably not be a problem. TCP 443 is used for https connections and will typically already be open. Most firewalls are not configured using the most secure "default deny" policy and so allow users on the LAN to connect to any port at all at the remote end.

The alternative to opening outbound connections to UDP port 443 is to use the --no-dtls argument. This will also work should Duke change their configuration to use a different UDP port.

Advanced openconnect usage

The problem with the above command, and the Duke supplied VPN software, is that both the routing and the DNS server used by your box are changed. This can cause problems, from not being able to connect to non-web-based email servers to problems accessing local LAN services like X clients or printers. Fortunately there is a solution that sets up what amounts to a local virtual machine, though which you then connect to the Duke side of things. This is established using the vpnc-script-sshd helper script as follows (note the \ line continuation character):

The path to the vpnc-script-sshd script may vary on your system. The above path is for Debian based systems.

The next step is to use the new virtual machine. (Really, this is a new network namespace on your local box.)

DukeVPN (last edited 2018-02-05 15:41:50 by JakeGordon)

Wiki content based upon work supported by the National Science Foundation under Grant Nos. 0323553 and 0323596. Any opinions, findings, conclusions or recommendations expressed in this material are those of the wiki contributor(s) and do not necessarily reflect the views of the National Science Foundation.