VPN and Eduroam in St Andrews

It appears that, according to the information on the website, the University generally recognises two computer (eco)systems:

This means that although Linux is mentioned in several places on the website, the occurrences usually do not lead to very useful information and, generally, Linux users are on their own when it comes to configuring their systems to interoperate with the University ones.

Hence this short memo.

VPN

The official guide recommends a client by Cisco. The official Cisco client:

After some searching, I found vpnc, which is an open source, free software alternative to the Cisco client. Apart from the GitHub sources, it is also available in the Debian repositories as vpnc and I guess it might be available in other major distributions' repositories as well.

Installation is easy but the somewhat harder thing is to put together a suitable configuration file from the information on the University website. After some experimentation and searching, I found the iDevice configuration info most informative.

This yields the following vpnc configuration:

# St Andrews VPN config
Interface name tun-sta
IPSec gateway vpn.st-andrews.ac.uk
IPSec ID remote
IPSec secret <ipsec-secret>
IKE Authmode psk
Xauth username <your-st-andrews-username>
#Xauth password <your-st-andrews-password>

The ipsec-secret is the secret found in the iDevice configuration info; the username and password are your standard St Andrews credentials.

I commented out the password clause so that I needn't store my St Andrews password in plain text somewhere in /etc -- I prefer to enter the password in the console whenever I start the VPN (which is not often).

Finally, I like to name my VPN interfaces mnemonically but your preferences might differ. The interface name can of course be changed to the more standard tun0 or something else.

When you start up the VPN, it will automatically set up a route for the corresponding subnet, which you can use to access the HTTP proxy servers or anything else within the internal network.

Eduroam

Eduroam connection configuration info is provided via the uos-connect access points. Unfortunately, the only connection method described for Linux is network-manager; nothing else is covered.

Below is a configuration block for wpa_supplicant, which is what I use:

network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="<your-st-andrews-username>@st-andrews.ac.uk"
    password="<your-st-andrews-password>"
    phase2="auth=PAP"
    ca_cert="/etc/wpa_supplicant/st-andrews.crt"
    priority=0
}

You can get the certificate (originally named uos.crt) via the uos-connect connection.
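
An added example (not the author's or the University's code): a small Python check for a wpa_supplicant network block like the one above. TTLS with PAP hands the password itself to whichever server terminates the TLS tunnel, so the check flags a block that sets ca_cert but no server name constraint; the finding codes and `<radius-server-domain>` are assumptions made for illustration.

```python
import re

# Options that tie the RADIUS server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return every network={...} block as a dict of option -> unquoted value."""
    blocks = []
    for body in re.findall(r"^\s*network\s*=\s*\{(.*?)^\s*\}", text, re.S | re.M):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks

def audit(opts):
    """Return finding codes for one network block (empty list: nothing flagged)."""
    if "EAP" not in opts.get("key_mgmt", ""):
        return []                      # not an 802.1X network, out of scope
    findings = []
    if "ca_cert" not in opts:
        findings.append("no-ca-cert")  # server certificate is not validated at all
    if not any(name in opts for name in NAME_CHECKS):
        findings.append("no-server-name-check")  # any cert under the CA passes
    if "PAP" in opts.get("phase2", "").upper() and "password" in opts:
        findings.append("pap-password-in-file")  # keep the file root-only (0600)
    return findings

# Constructed samples; "<radius-server-domain>" is a placeholder, not a real value.
PAGE_BLOCK = '''
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="<your-st-andrews-username>@st-andrews.ac.uk"
    password="<your-st-andrews-password>"
    phase2="auth=PAP"
    ca_cert="/etc/wpa_supplicant/st-andrews.crt"
    priority=0
}
'''
PINNED_BLOCK = PAGE_BLOCK.replace(
    "    priority=0", '    domain_suffix_match="<radius-server-domain>"\n    priority=0')

if __name__ == "__main__":
    for label, text in (("page", PAGE_BLOCK), ("pinned", PINNED_BLOCK)):
        print(label, audit(parse_networks(text)[0]))
```

With only ca_cert set, wpa_supplicant accepts any server certificate that chains to that CA, so the name check matters most when the CA is not dedicated to the RADIUS server.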