Connecting to VPN (Linux)

Using the VPN client (graphical)

Michigan Technological University enforces DUO authentication on its network. Below are the instructions for how to get properly authenticated and connected. 

Note: The web dashboard provides an .rpm and a .deb file for the VPN client, and MTU IT only supports those packages on some versions of Red Hat Enterprise Linux (RHEL) and Ubuntu, although other rpm/deb based Linux distributions may also work. Some third party VPN clients exist that may be compatible with MTU's VPN infrastructure and could possibly work on non rpm/deb based Linux distributions.  However, MTU IT is unable to provide support for any third party VPN clients.  

Using the VPN client (graphical)

1. Open the Michigan Tech VPN login page (https://vpn.mtu.edu) in a web browser (e.g., Firefox, Chrome) and log in with your Michigan Tech username and password. You will need to authenticate using DUO.
   
2. Download the VPN Client for your operating system:
   • The deb file for Ubuntu, Debian, or other Debian derivatives
   • The rpm file for Fedora, Red Hat Enterprise Linux, or other rpm based Linux distributions.
     

3. In the File Explorer, locate the downloaded package and double-click the icon to open. Alternatively, in a terminal you can use 'apt' and 'dnf' respectively to install the .deb or .rpm packages. This will put an application in your applications list. 
   
   Note: This client is not a stand-alone client and still requires users to initiate the VPN connection through an authenticated web browser session.
   

4. On the VPN Web Dashboard, in the Network Access section, click on the network you wish to access. The example below shows Access MTU Network 111.
   

5. In the pop-up window, select Start to launch the connection.
   

6. Validate the installation request.
   

7. Once connected, you can verify the connection by checking the VPN window. It should display a successful connection message.
   

Disconnecting from the VPN

You can disconnect from the VPN by either:

• Selecting the Disconnect button in the VPN window, or
• Logging off the machine, which will automatically disconnect your session.

Troubleshooting and common considerations

VPN stands for Virtual Private Network, allowing you to create a secure connection to another network over the Internet. MTU requires the BigIP VPN Client from F5. When attempting to print on an off-campus network, the BigIP VPN is required to start a print job. With all things Linux, the client is dependent on what OS you are currently running. Additionally, users off campus will be able to connect to campus computers.

DNS Manual Setup

In some cases, when connecting to the VPN from a non-Michigan Tech or personal machine, you may have issues accessing resources in your Multidrive or other places on campus. For example, you may have problems listing out files in your Multidrive. To fix these issues, you will need administrator (sudo) access on your machine. If your machine uses systemd-resolved, you can use the following commands to add the DNS servers when you are connected to the campus VPN:

sudo resolvectl domain tun0 mtu.edu
sudo resolvectl dns tun0 141.219.70.130

If your machine does not use systemd-resolved to configure its DNS servers, you may need to manually add the campus DNS servers based on your Linux distribution. You should review the documentation for your distribution. 

DNS Conflicts

While connected to the VPN, your routes and DNS configurations have been adjusted by the VPN. If you experience DNS issues after connecting to the VPN, you may be experiencing a conflict. This is likely related to how the VPN makes those adjustments on your local device. To resolve this, ensure all connections are closed, change your DNS configuration to any DNS server other than 1.1.1.1, and attempt to reconnect.

File Interactions

A number of files may be modified when the VPN client begins its initialization process. This list is subject to change by the upstream provider with no warning:

• /etc/nsswitch.conf
• /etc/host.conf
• /etc/resolv.conf
• /etc/hosts
• /tmp/f5Standalone.lock
• $HOME/.F5Networks/f5networks.conf
• $HOME/.F5Networks/standalone.log

Discontinued CLI Client

Previously, connecting to the MTU VPN had a F5 VPN Command-Line Interface (CLI) client (f5fpc).  This client no longer meets Michigan Tech’s security standards and policies, and thus will not be able to initiate the VPN connection. 

Please ensure you are using a web browser connected to https://vpn.mtu.edu to authenticate and launch the VPN connection.

Third Party VPN Clients

Alternatively, some have reported that they are able to use third-party command-line clients, such as:

• OpenConnect
• gof5

These clients do require first logging into vpn.mtu.edu in a web browser, on the same machine as the CLI VPN client, and using the browser's session authentication cookie when launching the client.

Use the steps below as a guide, but reference upstream documentation for details.  Note that MTU IT is unable to provide support nor any troubleshooting help for third party VPN clients.
Login with a browser to vpn.mtu.edu and complete Duo verification.

1. Open your browser's developer tools, and navigate to the JavaScript console. Issue the following command in the console, to retrieve the session ID:
   document.cookie.match(/MRHSession=(.*?); /)[1]

2. Stay logged in to the browser, and use that session ID when using either gof5 or openconnect:

• gof5 --server vpn.mtu.edu --session 0123456789abcdef0123456789abcdef or
• echo MRHSession=0123456789abcdef0123456789abcdef | openconnect --protocol=f5 --cookie-on-stdin vpn.mtu.edu