Táboa de Contidos

VPN

Service description

Allows access to the internal network from anywhere trough Internet. When connected to the VPN you hay an internal IP address that allows secure access to all the CITIUS services. However Internet access is filtered so that only the internal network and a few chosen external sites are accessible. You can check which sites in the VPN white list

Activation

Check in Xici permissions whether the service Acceso ext. VPN is listed. If the service is listed, you don't need to register.

Depending on your user type, it can be possible that you're not allowed to access this page.

If needed, you have to register filling the requests and problem reporting form. This form is only available to CITIUS users.

The necessary configuration files are located in the VPN folder in Nextcloud.

The installation guides tell you when and how to use those files.

User guides

Frequent issues

DNS error when using SSH

Specially in Ubuntu, when using SSH to connect to CiTIUS servers it fails with a DNS error : “ SSH: Could not resolve hostname ….” . The solution is to use the correspondent IP address to connect instead of the hostname.

The VPN isn't working from anywhere (and never did)

In the configuration, check that the VPN server address is 193.144.83.110 (or vpn.citius.usc.es). When using the name check if it matches the ip address.

To do so, open a terminal window and enter ping vpn.citius.usc.es and check that the answers are from that ip address. If it is not, then use the address instead of the name in the configuration.

To change the configuration in Windows, right click the systray icon and choose “Edit configuration…”. In the text editor, change remote vpn.citius.usc.es to remote 193.144.83.110. Remove the whole line verify-x509-name “vpn.citius.usc.es” name. Save and close the editor.

The VPN worked until recently but not anymore

Check that you can open a session in the CiTIUS web with your username and password. If you can, then double check the password in the VPN configuration. Once you are sure the problem is not your username/password if it isn't working yet then it may be an outdated certificate's fault. Get in touch with the admins to make them check it.

VPN not working from EDUROAM or other networks

After this service was launched the list of ports that an EDUROAM network has to have open has been standardized. We use port 22 UDP for the VPN service and sadly that port was not in the list. The same thing happens when connecting from other networks like the SERGAS, which have that port filtered.

To work around that problem we redirect port 1194 UDP(which is open in EDUROAM) to 22 UDP. So if you are having trouble change the connection port to 1194 and try again.

To change the configuration in Windows, right click the systray icon and choose “Edit configuration…”. In the text editor, change 22 udp to 1194 udp (all lowecase). Save and close the editor.

Can't reach any computer using SSH

Certain combinations of SSH clients and servers can have traffic between them blocked by Internet providers when negotiating the connection encryption. To check if the problem applies to your case, try to connect with the -v parameter. You should see messages like these:

$ ssh -v jorge.suarez@172.16.54.31
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.16.54.31 [172.16.54.31] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

and then keeps waiting for one minute until the server closes the connection. You can avoid this problem forcing the preferred encryption methods in the SSH client configuration file. For example:

$ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc" > ~/.ssh/config

If this doesn't resolve the issue then you mast configure other encryption methods. Try shortening the list o changing the its order.

In Windows: Runs ok but connections fail

It is necessary to run OpenVPN GUI as administrator. If not, everything seems ok but routes are not correctly established an connections fail.

Windows installer is a 7z file and I don't know what is that

It's a file compressed with 7-zip, that is also protected with password citius. We use to send the configuration files by email in that format to avoid them being rejected by mail servers. Usually mail servers don't allow .exe files attached.