How to connect to UQ servers with VPN from Linux (Ubuntu)

Connecting to UQ servers

Once everything is setup (see below), these steps lead to ssh-ing to a UQ server:

$ /opt/cisco/anyconnect/bin/vpnui
- connect to vpn.uq.edu.au
- authenticate with UQ login in the browser
- verify 2FA with Duo
gpclient¹ connect to prn-pa-gp.inf.dc.uq.edu.au
- authenticate with UQ login in the browserish modal window
- verify 2FA with Duo
ssh cmuq

Prerequisities

A UQ login (with a multi-factor authentication).
Palo Alto Networks GlobalProtect Client (or GlobalProtect openconnect),
Cisco AnyConnect Secure Mobility Client,
A server with your SSH key enabled.

There is some useful info on the UQ VPN help page.

For MFA I am using Duo App.

`~/.ssh/config`

Host cmuq
    HostName <your-server-hostname>
    IdentityFile ~/.ssh/<your-ssh-key>
    User <your-username>

GlobalProtect

There is a GUI and a CLI version, here I am using CLI version.

This gist is a bit outdated.

You need to download the tar.gz file with a deb package.
I downloaded PanGPLinux-6.0.1-c6.tgz and
picked the DEB package from the archive.

$ sudo dpkg -i GlobalProtect_deb-6.0.1.1-6.deb
[sudo] password for █████:
Selecting previously unselected package globalprotect.
(Reading database ... 443335 files and directories currently installed.)
Preparing to unpack GlobalProtect_deb-6.0.1.1-6.deb ...
Start installing gp...
Unpacking globalprotect (6.0.1-6) ...
Setting up globalprotect (6.0.1-6) ...
Enable gp service...
Starting gp service...
enable ping
net.ipv4.ping_group_range = 0 0
Create symlink for gp cli...
Starting gpa...
start GPA for sudo user ████
Processing triggers for man-db (2.10.2-1) ...

AnyConnect

You need to install the client which is available for download using the UQ login.
The client is not freely available.

Info about the installation under Linux.

Login here,
download it from here (your OS is detected and the link is probably generated).
Install the .sh script with sudo.

$ sudo bash anyconnect-linux64-4.10.05111-core-vpn-webdeploy-k9.sh
[sudo] password for █████:
Installing Cisco AnyConnect Secure Mobility Client...
Extracting installation files to /tmp/vpn.2ERvUI/vpninst421920656.tgz...
Unarchiving installation files to /tmp/vpn.2ERvUI...
Starting Cisco AnyConnect Secure Mobility Client Agent...
Done!
Exiting now.

Run it /opt/cisco/anyconnect/bin/vpnui
Use vpn.uq.edu.au address.
Continue in the browser.
Now you are in a VPN.

Connect to a server

After the previous step, continue with:

Run globalprotect globalprotect connect --portal prn-pa-gp.inf.dc.uq.edu.au

If you see

Retrieving configuration...
Retrieving configuration...
Failed to connect to prn-pa-gp.inf.dc.uq.edu.au.
Error: Default browser is not enabled.

To mitigate the error, you may need to set the default browser. sudo update-alternatives --config x-www-browser

If this doesn’t help (which was my case) here they advise to use an alternative client:

GlobalProtect openconnect

There is a clear description how to install it and run it.

Run the client gpclient and
authenticate with the university login.
After the authentication,
you will be able to ssh to a UQ server.

On 2023-03-16 I found out that the gpclient is not needed. This is great as it is permanently using 100% of one CPU core and can’t be properly stopped. ↩︎

first published: 2023-01-15
last modified: 2023-03-16

#instruction #howto