Configuring and Installing VPN software for Linux
Summary: This handout is a comprehensive set of instructions to configure and install the UCI VPN software.
Linux and VPN Issues
- The client needs a 2.4.x kernel, or a 2.2.12 or later kernel. It does not work with 2.5 series kernels or with SMP (multiprocessor) kernels.
Getting Started
To get started, you will first untar the file and then run the setup file.
- As root, untar the gzip'd tar file (tar xzvf). This will create a directory called vpnclient.
- Go into the vpnclient directory and type ./vpn_install.
- If you want the vpn driver module loaded at boot time, answer 'y' to that question.
- Accept the defaults for all the others.
- If you are using IPCHAINS, you may need to update /etc/sysconfig/ipchains to allow IPSec to work. Look in /etc/sysconfig/ipchains for the following line:
  -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
- If that line is in your ipchains config file, you'll need to add this line just before it (ipchains evaluates rules in order, so the ACCEPT must appear before the REJECT):
  -A input -p udp -s 0/0 -d 0/0 500 -j ACCEPT
- This will allow UDP port 500 to pass through the ipchains filters.
Starting the VPN Connection
- Split Tunnel
The "split" tunnel only sends traffic destined for UCI over the VPN connection. All other traffic goes through your normal cable modem/DSL connection. Use the "split" tunnel for connections to and from UCI only. If you are using online Library resources, use the "full" tunnel. The split tunnel lets you talk directly to the Internet, but when your machine "talks" to UCI network addresses the traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address. This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives, and other ports used by Microsoft Windows). Only traffic to/from UCI is sent through the VPN connection, so if you were to access Yahoo, it would go through your regular network connection (cable modem, DSL, etc.).
- Full Tunnel
The "full" tunnel sends all your Internet traffic through the VPN connection, and then out to the Internet through UCI's connection. The "full" tunnel is useful for people who need to access sites off-campus that require a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can't get to it with a split tunnel because it's off campus and your off-campus packets aren't network address translated to UCI addresses. By using the "full" tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI's Internet connection. Use the "full" tunnel VPN connection with care: heavy use can increase UCI's Internet connection costs, and it is likely slower than the split tunnel method.
- If you chose not to have the VPN kernel module started at boot time, you'll need to start it with /etc/init.d/vpnclient_init start.
- After the kernel module is loaded, you can use vpnclient connect UCI or vpnclient connect UCIFull to start the VPN connection.
- You will be asked for your username and password; use your UCInetID and password. You will see a banner message and will be asked if you want to continue.
- Type "y" to finish setting up the VPN connection.
You are now ready to use your VPN connection. If you have any problems, please call the NACS Help Desk at 949-824-2222, Monday through Friday, 8:00 AM to 5:00 PM.