How to connect to UQ servers with VPN from Linux (Ubuntu)
Connecting to UQ servers
Once everything is set up (see below), these steps lead to ssh-ing into a UQ server:
$ /opt/cisco/anyconnect/bin/vpnui
- connect to vpn.uq.edu.au
- authenticate with UQ login in the browser
- verify 2FA with Duo
- connect to gpclient [1], connect to prn-pa-gp.inf.dc.uq.edu.au
- authenticate with UQ login in the browserish modal window
- verify 2FA with Duo
- ssh cmuq
Prerequisites
- A UQ login (with multi-factor authentication).
- Palo Alto Networks GlobalProtect Client (or GlobalProtect openconnect),
- Cisco AnyConnect Secure Mobility Client,
- A server with your SSH key enabled.
There is some useful info on the UQ VPN help page.
For MFA I am using Duo App.
~/.ssh/config
Host cmuq
    HostName <your-server-hostname>
    IdentityFile ~/.ssh/<your-ssh-key>
    User <your-username>
GlobalProtect
There is a GUI and a CLI version; here I am using the CLI version.
This gist is a bit outdated.
You need to download the tar.gz file with a deb package.
I downloaded PanGPLinux-6.0.1-c6.tgz and
picked the DEB package from the archive.
$ sudo dpkg -i GlobalProtect_deb-6.0.1.1-6.deb
[sudo] password for █████:
Selecting previously unselected package globalprotect.
(Reading database ... 443335 files and directories currently installed.)
Preparing to unpack GlobalProtect_deb-6.0.1.1-6.deb ...
Start installing gp...
Unpacking globalprotect (6.0.1-6) ...
Setting up globalprotect (6.0.1-6) ...
Enable gp service...
Starting gp service...
enable ping
net.ipv4.ping_group_range = 0 0
Create symlink for gp cli...
Starting gpa...
start GPA for sudo user ████
Processing triggers for man-db (2.10.2-1) ...
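The install above runs as root, and its log shows the package changing a sysctl, enabling a service and creating a symlink. The following is an added example (not from the original post or the vendor) that previews such changes by extracting a .deb's maintainer scripts with dpkg-deb -e before anything is installed. The pattern list and the sample postinst, including its service name and paths, are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: list what a .deb's maintainer scripts would change as root,
# without installing it. The pattern list is a reviewer's heuristic, not complete.
RISKY_RE='sysctl|systemctl[[:space:]]+(enable|start)|update-rc\.d|ln[[:space:]]+-s|setcap|/etc/sudoers'

# flag_script FILE: print "name:lineno:text" for each matching non-comment line.
flag_script() {
    grep -nE "$RISKY_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed "s|^|$(basename "$1"):|"
}

# review_control_dir DIR: flag every maintainer script found in DIR.
# Returns 0 when nothing was flagged, 1 otherwise.
review_control_dir() {
    local dir=$1 found=0 script out
    for script in preinst postinst prerm postrm; do
        [ -f "$dir/$script" ] || continue
        out=$(flag_script "$dir/$script")
        if [ -n "$out" ]; then printf '%s\n' "$out"; found=1; fi
    done
    return "$found"
}

# review_deb PACKAGE.deb: extract only the control area, then review it.
review_deb() {
    local tmp rc=0
    tmp=$(mktemp -d) || return 2
    dpkg-deb -e "$1" "$tmp/DEBIAN" || { rm -rf "$tmp"; return 2; }
    review_control_dir "$tmp/DEBIAN" || rc=1
    rm -rf "$tmp"
    return "$rc"
}

# make_sample_control_dir: temp dir with a CONSTRUCTED postinst, modelled on the
# install log above. Service name and paths are hypothetical, not the vendor's.
make_sample_control_dir() {
    local d
    d=$(mktemp -d) || return 2
    cat > "$d/postinst" <<'EOF'
#!/bin/sh
# sysctl tweak so that ping works
sysctl -w net.ipv4.ping_group_range="0 0"
systemctl enable example-gp.service
ln -s /opt/example/gp-cli /usr/local/bin/example-gp
echo "Starting gpa..."
EOF
    echo "$d"
}
```

On the real package, source the file and run `review_deb GlobalProtect_deb-6.0.1.1-6.deb` before `sudo dpkg -i`; a non-zero return means there are lines worth reading first.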
AnyConnect
You need to install the client which is available for download using the UQ login.
The client is not freely available.
Info about the installation under Linux.
- Log in here,
- download it from here (your OS is detected and the link is probably generated).
- Install the .sh script with sudo.
$ sudo bash anyconnect-linux64-4.10.05111-core-vpn-webdeploy-k9.sh
[sudo] password for █████:
Installing Cisco AnyConnect Secure Mobility Client...
Extracting installation files to /tmp/vpn.2ERvUI/vpninst421920656.tgz...
Unarchiving installation files to /tmp/vpn.2ERvUI...
Starting Cisco AnyConnect Secure Mobility Client Agent...
Done!
Exiting now.
- Run it: /opt/cisco/anyconnect/bin/vpnui
- Use the vpn.uq.edu.au address.
- Continue in the browser.
- Now you are in a VPN.
Connect to a server
After the previous step, continue with:
- Run globalprotect
globalprotect connect --portal prn-pa-gp.inf.dc.uq.edu.au
If you see
Retrieving configuration...
Retrieving configuration...
Failed to connect to prn-pa-gp.inf.dc.uq.edu.au.
Error: Default browser is not enabled.
To mitigate the error, you may need to set the default browser.
sudo update-alternatives --config x-www-browser
If this doesn’t help (which was my case), here they advise using an alternative client:
GlobalProtect openconnect
There is a clear description of how to install and run it.
Run the client gpclient and authenticate with the university login.
After the authentication, you will be able to ssh to a UQ server.
[1] On 2023-03-16 I found out that the gpclient is not needed. This is great as it is permanently using 100% of one CPU core and can’t be properly stopped.
last modified: 2023-03-16