Using the Truman VPN from Linux

Basic VPN setup

Faculty and students who live off campus cannot directly use some Truman resources from their home computers. Examples include the network drives, some library databases, and the Safari Bookshelf at oreilly.com.

To provide access to Truman-only resources, ITS maintains a virtual private network (VPN) server. When you use the VPN, an encrypted connection is created between your computer and Truman. Your non-Truman computer receives a Truman internet address and can access any resource that a Truman computer could.

There is a free software program called vpnc available for Linux that is compatible with Truman's VPN. Configuration consists of a small file called /etc/vpnc/default.conf (which you create as root). This file must contain at least the following four lines.

Example 7-9. /etc/vpnc/default.conf
IPSec gateway vpn.truman.edu
IPSec ID GroupName
IPSec secret GroupPwd
Xauth username Username

For Username, you should use your own user name on the Truman network. For the GroupName and GroupPwd values, check the VPN Client for Linux directions at the ITS web site.

You will be prompted for your Truman password each time you connect to the VPN.

Some versions of Linux come with a helper script called vpnc-connect, which connects to the VPN and routes network traffic through it.

# vpnc-connect
Enter password for dbindner@vpn.truman.edu:
VPNC started in background (pid: 25872)...

On systems that do not have the vpnc-connect program, running vpnc directly will start the VPN and route network traffic.

To stop the VPN, run vpnc-disconnect.

Advanced routing with VPN

One negative effect of starting the VPN is that it interrupts already existing network connections. For example, if you were connected to another system via ssh, or if you were running an instant messenger, the session will freeze when the VPN is connected. The cause is the change in network routing that occurs: with the VPN, your computer effectively has a new internet address, so network traffic to the old address breaks.

This behavior can be avoided with a little care using an advanced technique called policy routing. The goal is to introduce a routing rule that protects existing network traffic while allowing the VPN to work correctly for new connections.

To invoke the correct rule, it is necessary to know some information about the way traffic is routed on your system. Routes differ from system to system, and can be reviewed using the ip tool.
# ip route show
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
default via 192.168.1.1 dev eth0

There are two things to look for. The first is the set of routes that exist on our Ethernet device (look for the lines containing eth0). The second is our source address, which is 192.168.1.2.

Using this information, we create a new routing policy:
# ip route add 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2 table 1
# ip route add default via 192.168.1.1 dev eth0 table 1
# ip rule add from 192.168.1.2/32 table 1 priority 501
# ip route flush cache

The first two lines simply recreate the existing routes in a new policy table, table 1. The third line adds a policy rule that selects that table: table 1 is to be used for internet traffic whose source address is 192.168.1.2 (rules are consulted in ascending priority order, so priority 501 is checked before the main table, whose rule sits at 32766). The last line ensures that the new policy takes effect immediately.
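As an added example (not part of the original page), the following shell script derives these four commands from the output of ip route show, so the source address and device routes do not have to be copied by hand. It only prints the commands for review; the device name, table number and priority default to the page's values (eth0, 1, 501), and the route text embedded below is a constructed sample that matches the example above.

```shell
#!/bin/sh
# Generate the policy-routing commands for a given device from "ip route show"
# output read on stdin. The source address is taken from the first "src" field
# seen on that device; every route on the device is copied into the policy
# table and a rule directs traffic from that address to the table. Nothing
# here changes the live routing configuration: the commands are printed so
# they can be checked and then run as root.

# Constructed sample of "ip route show" output, matching the page's example.
SAMPLE_ROUTES='192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
default via 192.168.1.1 dev eth0'

# gen_policy_cmds ACTION [DEV] [TABLE] [PRIO]   (route lines on stdin)
# ACTION is "add" to create the policy or "del" to remove it again.
gen_policy_cmds() {
    action=$1; dev=${2:-eth0}; table=${3:-1}; prio=${4:-501}
    awk -v action="$action" -v dev="$dev" -v table="$table" -v prio="$prio" '
        # keep only routes that leave through the chosen device
        { ondev = 0; for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) ondev = 1 }
        !ondev { next }
        {
            # remember the first source address found on this device
            for (i = 1; i < NF; i++) if ($i == "src" && src == "") src = $(i+1)
            routes[++n] = $0
        }
        END {
            if (src == "") { print "no src address found on " dev > "/dev/stderr"; exit 1 }
            for (i = 1; i <= n; i++) printf "ip route %s %s table %s\n", action, routes[i], table
            printf "ip rule %s from %s/32 table %s priority %s\n", action, src, table, prio
            print "ip route flush cache"
        }'
}

# Run the generator over the constructed sample ("add" unless told otherwise).
sample_cmds() { printf '%s\n' "$SAMPLE_ROUTES" | gen_policy_cmds "${1:-add}"; }

sample_cmds add
```

On a real system, pipe the live routes in instead: `ip route show | gen_policy_cmds add eth0 1 501`.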

This only needs to be done once per boot. The policy is correct whether the VPN is connected or disconnected, so there should be no need to delete it. If you wish, however, it can be removed by typing the first three of those lines again while substituting "del" for "add".