Connecting to the FAS RC VPN from Linux clients

We recommend using openconnect to connect to the Research Computing VPN from Linux.

First, install OpenConnect on Ubuntu/Debian or Fedora/CentOS, respectively:

• Ubuntu/Debian: sudo apt-get install network-manager-openconnect-gnome

• Fedora/CentOS: sudo yum install NetworkManager-openconnect

Option 1: The NetworkManager GUI

• NOTE: If you prefer to connect using the command line, see “Using OpenConnect from command line” at the bottom of this page after installing OpenConnect.

Under your network settings, add a VPN connection and specify vpn.rc.fas.harvard.edu as your gateway:

Turn on your VPN connection to bring up the connect dialog:

In the “Username” field, be sure to append “@fasrc” (the VPN realm).
Enter your password and 6 digit verification code:

You should now be connected to the RC VPN.

Option 2: CLI and Build from Source

If you don’t use NetworkManager, need a different version of the software, or otherwise don’t have success with the above, you can try building oath-toolkit and openconnect from source and using them from the command line. The following scriptlets build each under its own prefix in /opt/src and install each under its own prefix in /opt; adjust accordingly if you want to use other locations.

Build oath-toolkit

You will need the distro version of xmlsec, xmlcatalog, etc. On Ubuntu, make sure you have installed (at least) xmlsec1, libxmlsec1, libxmlsec1-dev, and libxml2-utils.
The installation is a very straighforward GNU-toolchain-style build; the following just embellishes it with some automation. Version 2.4.1 is the latest at the time of writing; newer may work better.
SW=/opt
SRC=$SW/src
cd $SRC
umask 022
wget --no-clobber http://download.savannah.gnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz
tar xvf $(basename $) APP=$(basename $ .tar.gz)
cd $APP
./configure --prefix=$SW/$APP
make
sudo make install

Create /opt/oath-toolkit-2.4.1/setup.sh with the following content:

Build openconnect

On Ubuntu, make sure you have installed (at least) vpnc and gettext.
The installation is a very straighforward GNU-toolchain-style build; the following just embellishes it with some automation. Note that we found that version 5.99 does not compile easily on Unbutu 14.04. Version 5.03 is the next-to-latest at the time of writing.
source /opt/oath-toolkit-2.4.1/setup.sh
SW=/opt
SRC=$SW/src
cd $SRC
umask 022
wget --no-clobber ftp://ftp.infradead.org/pub/openconnect/openconnect-5.03.tar.gz
tar xvf $(basename $)
APP=$(basename $ .tar.gz)
cd $APP
./configure --prefix=$SW/$APP --with-vpnc-script=/etc/vpnc/vpnc-script
make
sudo make install

Create /opt/openconnect-5.03 with the following content:

After installing OpenConnect, you can connect to the VPN via the command line using:
sudo openconnect -s /usr/share/vpnc-scripts/vpnc-script vpn.rc.fas.harvard.edu Then provide:

Using OpenConnect from command line with auto token generation

Put your openauth (the 15-character alphanumeric string shown on your personalized OpenAuth download page) secret in a file such as ~/.s and make sure only you can read it (e.g. chmod 600 ~/.s). Run the following, replacing USERNAME appropriately:

source /opt/oath-toolkit-2.4.1/setup.sh
source /opt/openconnect-5.03/setup.sh
openconnect --user USERNAME@fasrc --token-mode=totp --token-secret=base32:$(cat ~/.s) --background vpn.rc.fas.harvard.edu


• NOTE: If you get a Permission Denied error, you need to use sudo: sudo openconnect –user USERNAME@fasrc –token-mode=totp –token-secret=base32:$(cat ~/.s) –background vpn.rc.fas.harvard.edu You will then need to type your computer password (not your RC password) at the [sudo] password for xxxxxx: prompt.

You should then see the connection being negotiated and will be prompted for your RC password:

After that you should be connected to the VPN. Leave the window open. You can terminate the session at any time by going back to the window and pressing Ctrl+C