Linux and Rice VPN

What it is/What it Does

Installing and Using

Install Script:
The install script assumes that init files are in /etc/rc.d/init.d. This is not the case in Debian or recent releases of Red Hat. In these cases, you should search and replace all occurrences of /etc/rc.d/init.d with /etc/init.d.

Compiling:
The install script (which also compiles the kernel module) assumes a complete kernel hierarchy. Note that on Debian systems when a default kernel is used, you should install the kernel headers package for that kernel version, and point the install script to this directory.

Configuration:
The init file copied to /etc/init.d/vpn or /etc/rc.d/init.d/vpn assumes a Red Hat 6.x setup. In particular, it sources /etc/rc.d/init.d/functions. On later Red Hat systems, this should be changed to /etc/init.d/functions. On Debian systems, this line should be commented out.
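As an added example (it is not part of the package's install script or init file), a POSIX shell function that makes the two edits just described: rewrite every /etc/rc.d/init.d path to /etc/init.d in a given file and, on Debian, comment out the line that sources the Red Hat functions library. The sample init script it works on is a constructed stand-in, not the real /etc/init.d/vpn.

```shell
#!/bin/sh
# Added example; not part of the Rice VPN package or its install script.
# Rewrites an init script written for the Red Hat 6.x layout so that it
# works on Debian or later Red Hat releases: every /etc/rc.d/init.d path
# becomes /etc/init.d, and on Debian the line sourcing
# /etc/rc.d/init.d/functions (which Debian does not ship) is commented out.
#
# usage: adapt_init_script FILE redhat|debian

adapt_init_script() {
    file="$1"
    distro="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case "$distro" in
        redhat|debian) ;;
        *) echo "distro must be redhat or debian" >&2; return 1 ;;
    esac
    # Keep the original so the edit can be reviewed or reverted.
    cp "$file" "$file.orig"
    # Replace every occurrence of the old path. A temp file is used
    # instead of sed -i, whose syntax differs between GNU and BSD sed.
    sed 's#/etc/rc\.d/init\.d#/etc/init.d#g' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    if [ "$distro" = debian ]; then
        # Comment out '. /etc/init.d/functions' (already rewritten above),
        # keeping whatever indentation the line had.
        sed 's|^\([[:space:]]*\)\(\.[[:space:]]*/etc/init\.d/functions\)|\1# \2|' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# Constructed sample resembling a Red Hat 6.x style init script; it is not
# the real vpn init script. Prints the path of the file it wrote.
make_sample_init_script() {
    dir=$(mktemp -d)
    cat > "$dir/vpn" <<'EOF'
#!/bin/sh
# vpn: load the VPN kernel module (constructed sample)
. /etc/rc.d/init.d/functions
case "$1" in
    start) insmod vpn ;;
    stop)  rmmod vpn ;;
    *) echo "Usage: /etc/rc.d/init.d/vpn {start|stop}" ;;
esac
EOF
    echo "$dir/vpn"
}

# Helpers for checking the result of a rewrite.
count_old_paths() { grep -c '/etc/rc\.d/init\.d' "$1" || true; }
functions_line_commented() { grep -q '^# \. /etc/init\.d/functions$' "$1"; }
functions_line_active() { grep -q '^\. /etc/init\.d/functions$' "$1"; }

# Demonstration when run directly: adapt the sample for Debian.
f=$(make_sample_init_script)
adapt_init_script "$f" debian
echo "rewrote $f: $(count_old_paths "$f") old path(s) remain"
```

Run the function against the real file only after checking the .orig copy it leaves behind; on a newer Red Hat system pass redhat so the functions line stays active.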

The default configuration file (/etc/vpn_config) should be modified with Rice-appropriate settings. The following is an example of such a configuration file:

[VPN Partner Aliases]
Rice = 128.42.83.17

[VPN User]
UserName = username
IPPrimary = 128.42.83.17
IPEnabled = True
ExcludeLocalLAN = False
ExcludeDHCP = True
UseFTCP = False
FTCPDestinationPort = 80
LoginMethod = Shared Key

The given configuration file appears to work fine behind a network address translation (NAT, aka IP masquerading) gateway. If you have any problems, though, set UseFTCP to True. Also, don't forget to replace username with your username.
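As an added example (not part of the VPN package), a POSIX shell check that reads a vpn_config file in the format above and flags the usual mistakes before open_tunnel is run: UserName still set to the username placeholder, a partner alias that is not defined in [VPN Partner Aliases], and values that are not well formed. The key names come from the sample file; the value rules (dotted-quad IP, True/False, port range 1-65535) are assumptions, and the configuration the helper writes is a constructed copy of the sample.

```shell
#!/bin/sh
# Added example; not part of the Rice VPN package. Sanity-checks an
# INI-style vpn_config file before open_tunnel is run. Key names are those
# of the sample configuration; the value rules are assumptions.

# Print the value of KEY in [SECTION] of FILE; print nothing if absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]/ { insec = ($0 == "[" sec "]"); next }
        insec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k)
            if (k == key) {
                v = $0
                sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# usage: check_vpn_config FILE ALIAS
# ALIAS is the partner name handed to open_tunnel (e.g. Rice). Prints one
# line per problem found and returns non-zero if there were any.
check_vpn_config() {
    cfg="$1"; partner_alias="$2"; problems=0

    user=$(ini_get "$cfg" "VPN User" UserName)
    if [ -z "$user" ] || [ "$user" = username ]; then
        echo "UserName is missing or still the placeholder 'username'"
        problems=$((problems + 1))
    fi

    ip=$(ini_get "$cfg" "VPN User" IPPrimary)
    if ! echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "IPPrimary '$ip' is not a dotted-quad address"
        problems=$((problems + 1))
    fi

    ftcp=$(ini_get "$cfg" "VPN User" UseFTCP)
    case "$ftcp" in
        True|False) ;;
        *) echo "UseFTCP must be True or False, got '$ftcp'"
           problems=$((problems + 1)) ;;
    esac

    port=$(ini_get "$cfg" "VPN User" FTCPDestinationPort)
    if echo "$port" | grep -Eq '^[0-9]+$' && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        :
    else
        echo "FTCPDestinationPort '$port' is not a valid TCP port"
        problems=$((problems + 1))
    fi

    # The alias given to open_tunnel must be defined with an address.
    partner=$(ini_get "$cfg" "VPN Partner Aliases" "$partner_alias")
    if [ -z "$partner" ]; then
        echo "partner alias '$partner_alias' is not defined in [VPN Partner Aliases]"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed copy of the sample configuration with UserName set to the
# argument; prints the path of the file written.
make_sample_vpn_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[VPN Partner Aliases]
Rice = 128.42.83.17

[VPN User]
UserName = $1
IPPrimary = 128.42.83.17
IPEnabled = True
ExcludeLocalLAN = False
ExcludeDHCP = True
UseFTCP = False
FTCPDestinationPort = 80
LoginMethod = Shared Key
EOF
    echo "$cfg"
}

# Demonstration when run directly: the unedited sample fails the check.
cfg=$(make_sample_vpn_config username)
check_vpn_config "$cfg" Rice || echo "fix $cfg before running open_tunnel"
```

Point check_vpn_config at /etc/vpn_config with the alias you intend to pass to open_tunnel; a clean run prints nothing and exits 0.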

Running:
Starting vpn happens in two parts. First, the vpn module must be loaded. This is done by running the init script (/etc/init.d/vpn or /etc/rc.d/init.d/vpn).

Then, a VPN tunnel must be opened. This is done using the open_tunnel script. Assuming the configuration file above, the command line to use is open_tunnel Rice username.

Limitations

SMP
The VPN client software does not support SMP. Whether this includes only multiprocessor machines or uniprocessor machines with SMP compiled in is unclear.
Binary-Only
Note that the VPN module is a binary-only library linked in with a source wrapper. This means that if it causes problems with your kernel, the source is not available to debug it. The VPN system is based on IPSec, so in principle, open-source IPSec software should work. I have not verified this, however.
Gateways
The VPN client software only affects packets originating on the local machine. If the machine is a gateway, packets in transit will not be rerouted by the VPN software.
Kernel Version
The VPN client software supports kernel 2.2.x, but using kernel 2.4.x is highly recommended.
Host Access
There are two sorts of VPN accounts. In the normal account, all traffic from your computer is routed through the VPN. In the Rice-only account, only traffic to 128.42.x.y or other zzz.rice.edu IP addresses is routed through the VPN. The problem is that some sites, notably online references available through the Fondren Library website, require that the connection come from Rice University.

It is not possible to change from one mode to the other without effectively deleting your VPN account and getting a new one. With a normal account, even traffic that doesn't need to be is routed through the VPN. If the VPN is shut off (for instance, to allow for more efficient access to outside websites), all connections will be terminated.

For More Information


Page maintained by Algis Rudys.
Suggestions, constructive criticism, and commentary always welcome!
Last modified: Tue Mar 12 17:06:48 CST 2002