Difference between revisions of "VPN Instructions for Linux"

(Created page with "The IKEv2 and Clientless SSL VPN options are supported on Linux. The following instructions will help you create and use the VPN option of your choice. For more informat...")
 
(Configuration on Debian-based distributions)
 
(13 intermediate revisions by 4 users not shown)
Line 2: Line 2:
  
 
==Using the IKEv2 VPN Option on Linux==
 
==Using the IKEv2 VPN Option on Linux==
Instructions are provided for Ubuntu, but are similar for other Linux distributions. Most distributions have StrongSwan packages in their package repositories (specifically Debian, Fedora, and OpenSUSE). Red Hat Enterprise Linux, however, is the notable exception and will require adding either a trusted third-party repository and installing with yum, manually downloading the RPM from a trusted third-party repository and installing with rpm, or downloading the source code from strongswan.org and compiling from source. More information is available at strongswan.org.  
+
The easiest way to use StrongSwan on Linux is using the StrongSwan Network Manager Plugin.  Command-line options also exist if you so desire, and instructions are available at https://wiki.strongswan.org.
  
For these instructions, it is assumed you are using NetworkManager to manage your network connections. Other methods are also available, but configuration of such is left as an exercise for the reader. https://wiki.strongswan.org is the best place for advanced configuration information.  
+
General instructions are provided for Debian-based distributions. You may adapt these instructions for other distributions, just be aware the packages may be named and arranged differently.
  
===Setup the CAEDM IKEv2 VPN on Linux (Ubuntu)===
+
===Installation on Debian-based distributions===
    Open the Package Manager and install the strongswan-nm Network Manager plug-in and the strongswan-plugin-eap-mschapv2 packages.
+
For recent Debian-based distributions, you will need to install Network Manager's StrongSwan plugin and StrongSwan's eap-identity and eap-mschapv2 plugins.
    Restart Network Manager with sudo stop NetworkManager, then sudo start NetworkManager. You could reboot instead if you find that easier.
+
    Open the network connections menu from the top right and select 'Edit Connections'.
+
    Choose the VPN tab and click 'Add'.
+
    Select IPsec/IKEv2 (strongswan) and click "Create".
+
    Name the connection "CAEDM IKEv2 VPN".
+
    In the 'VPN (strongswan)' tab
+
        Set 'Gateway' to vpn.et.byu.edu
+
        For Authentication select "EAP"
+
        For Username enter your CAEDM username.
+
        Select both "Request an inner IP address" and "Enforce UDP encapsulation"
+
        Click 'Save'
+
    Click 'Close'
+
  
To connect to the CAEDM IKEv2 VPN:
+
#With root privileges, install the following packages using your package manager of choice (e.g. Synaptic, apt, apt-get, aptitude, etc):
 +
#*network-manager-strongswan
 +
#*libstrongswan-extra-plugins
 +
#*libcharon-extra-plugins
 +
#*libcharon-extauth-plugins
  
    Go back to the network connections menu from before, hover your mouse over the 'VPN Connections' menu item, then click on the CAEDM IKEv2 VPN connection that you just created.
+
As a concrete example, using sudo for root privilege and apt as the package manager, the following command would install the needed packages:
    Wait a few seconds and a network message should pop up to inform you that the VPN successfully connected.
+
        A small lock will also appear next to the network icon in the top right of the menu bar.
+
  
To disconnect:
+
<code>sudo apt install network-manager-strongswan libstrongswan-extra-plugins libcharon-extra-plugins libcharon-extauth-plugins</code>
  
    Select network connection menu, go to VPN connections, and click disconnect.  
+
If you prefer, it is also possible to download the StrongSwan source code from strongswan.org and compile from source.  If you choose this option, remember to also compile and install the eap-identity and eap-mschapv2 plugins.  More information is available at https://wiki.strongswan.org.
 +
 
 +
===Configuration on Debian-based distributions===
 +
#Open your desktop's Network Manager application and edit it's connections
 +
#'''Add''' a new VPN connection using '''IPsec-based VPN (strongswan)'''
 +
##Set the '''Connection Name''' to <code>CAEDM IKEv2 VPN</code>
 +
##Set '''Gateway:''' to <code>vpn.et.byu.edu</code>
 +
##If using the KDE desktop instead of Gnome:
 +
###Set '''Certificate:''' to <code>/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem</code>
 +
##Set '''Authentication''' to <code>EAP</code>
 +
##Enter your '''Username'''
 +
##Enter your '''Password''' (or leave blank to be prompted when you connect)
 +
##Under '''Options''' select only '''Request an inner IP address''' and '''Enforce UDP encapsulation'''
 +
#Click OK
 +
 
 +
As of Debian Bullseye, leaving the certificate field blank in KDE creates an invalid config, and it will refuse to connect.  You will need to specify the "DigiCert High Assurance EV Root CA" as shown above for the time being.  The same workaround may be required on other Linux distributions as well.  Other desktops are not know to have this problem.
 +
 
 +
For additional help in installing or configuring StrongSwan Network, consult the wiki at https://wiki.strongswan.org.
  
 
==Using the Clientless SSL VPN Option on Linux==
 
==Using the Clientless SSL VPN Option on Linux==
Go to https://vpn.et.byu.edu with the browser of your choice.
+
#Go to https://vpn.et.byu.edu/ using your browser of choice.
 +
#Enter your CAEDM username and password, and then click "Login"
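Review bot: the rewritten Configuration section ends at "Click OK", so the earlier "To connect" and "To disconnect" steps and the NetworkManager restart after package installation are dropped with nothing replacing them. Consider keeping a short connect/disconnect step and stating whether a restart is still needed after installing network-manager-strongswan. In the added lines, "edit it's connections" should read "its connections" and "not know to have this problem" should read "not known". The KDE step hard-codes /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem; a sentence on what to do when that file is absent would help.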

Latest revision as of 14:45, 16 September 2022

The IKEv2 and Clientless SSL VPN options are supported on Linux. The following instructions will help you create and use the VPN option of your choice. For more information on the VPN types, see VPN.

Using the IKEv2 VPN Option on Linux

The easiest way to use StrongSwan on Linux is through the StrongSwan Network Manager Plugin. Command-line options also exist if you so desire, and instructions are available at https://wiki.strongswan.org.

General instructions are provided for Debian-based distributions. You may adapt these instructions for other distributions; just be aware that the packages may be named and arranged differently.

Installation on Debian-based distributions

For recent Debian-based distributions, you will need to install Network Manager's StrongSwan plugin and StrongSwan's eap-identity and eap-mschapv2 plugins.

  1. With root privileges, install the following packages using your package manager of choice (e.g. Synaptic, apt, apt-get, aptitude, etc.):
    • network-manager-strongswan
    • libstrongswan-extra-plugins
    • libcharon-extra-plugins
    • libcharon-extauth-plugins

As a concrete example, using sudo for root privilege and apt as the package manager, the following command would install the needed packages:

sudo apt install network-manager-strongswan libstrongswan-extra-plugins libcharon-extra-plugins libcharon-extauth-plugins

If you prefer, it is also possible to download the StrongSwan source code from strongswan.org and compile from source. If you choose this option, remember to also compile and install the eap-identity and eap-mschapv2 plugins. More information is available at https://wiki.strongswan.org.

Configuration on Debian-based distributions

  1. Open your desktop's Network Manager application and edit its connections.
  2. Add a new VPN connection using IPsec-based VPN (strongswan)
    1. Set the Connection Name to CAEDM IKEv2 VPN
    2. Set Gateway: to vpn.et.byu.edu
    3. If using the KDE desktop instead of Gnome:
      1. Set Certificate: to /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem
    4. Set Authentication to EAP
    5. Enter your Username
    6. Enter your Password (or leave blank to be prompted when you connect)
    7. Under Options select only Request an inner IP address and Enforce UDP encapsulation
  3. Click OK

As of Debian Bullseye, leaving the certificate field blank in KDE creates an invalid config, and it will refuse to connect. You will need to specify the "DigiCert High Assurance EV Root CA" as shown above for the time being. The same workaround may be required on other Linux distributions as well. Other desktops are not known to have this problem.
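The configuration steps and the certificate workaround above can also be checked and applied from a terminal. The script below is an added example, not part of the original instructions: its function names are hypothetical, and the `strongswan` VPN type and the `vpn.data` keys (`address`, `method`, `user`, `virtual`, `encap`, `certificate`) are assumed to match what the NetworkManager strongSwan plugin stores for the GUI fields. It always sets the certificate, which the page requires only on KDE.

```shell
#!/bin/sh
# Added example: preflight checks plus an nmcli equivalent of the GUI steps.
GATEWAY="vpn.et.byu.edu"
CA_CERT="/etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem"
PACKAGES="network-manager-strongswan libstrongswan-extra-plugins libcharon-extra-plugins libcharon-extauth-plugins"

# Print each package from the page's list that dpkg does not report as installed.
missing_packages() {
    for pkg in $PACKAGES; do
        dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null | grep -q "install ok installed" \
            || printf '%s\n' "$pkg"
    done
}

# Build the comma-separated vpn.data value (key names are an assumption).
# The username is restricted so it cannot add or override keys such as certificate=.
vpn_data() {
    user=${1:-}; cert=${2:-}
    case $user in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    data="address=$GATEWAY, method=eap, user=$user, virtual=yes, encap=yes"
    if [ -n "$cert" ]; then data="$data, certificate=$cert"; fi
    printf '%s\n' "$data"
}

# The CA file must be readable and, when openssl is available, not expired.
ca_ok() {
    [ -r "$1" ] || return 1
    command -v openssl >/dev/null 2>&1 || return 0
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Usage: sh caedm-vpn.sh apply <CAEDM username>
if [ "${1:-}" = "apply" ]; then
    miss=$(missing_packages)
    [ -z "$miss" ] || { echo "missing packages: $miss" >&2; exit 1; }
    ca_ok "$CA_CERT" || { echo "CA certificate missing or expired: $CA_CERT" >&2; exit 1; }
    data=$(vpn_data "${2:-}" "$CA_CERT") || { echo "invalid username" >&2; exit 1; }
    nmcli connection add type vpn vpn-type strongswan \
        con-name "CAEDM IKEv2 VPN" vpn.data "$data"
fi
```

No password is written to the profile, matching the "leave blank to be prompted" option; `nmcli connection up "CAEDM IKEv2 VPN" --ask` prompts for it at connect time.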

For additional help in installing or configuring StrongSwan Network, consult the wiki at https://wiki.strongswan.org.

Using the Clientless SSL VPN Option on Linux

  1. Go to https://vpn.et.byu.edu/ using your browser of choice.
  2. Enter your CAEDM username and password, and then click "Login"