Allows access to the internal network from anywhere trough Internet. When connected to the VPN you hay an internal IP address that allows secure access to all the CITIUS services. However Internet access is filtered so that only the internal network and a few chosen external sites are accessible. You can check which sites in the VPN white list
Check in Xici permissions whether the service Acceso ext. VPN is listed. If the service is listed, you don't need to register.
If needed, you have to register filling the requests and problem reporting form. This form is only available to CITIUS users.
The necessary configuration files are located in the VPN folder in Nextcloud.
The installation guides tell you when and how to use those files.
Specially in Ubuntu, when using SSH to connect to CiTIUS servers it fails with a DNS error : “ SSH: Could not resolve hostname ….” . The solution is to use the correspondent IP address to connect instead of the hostname.
In the configuration, check that the VPN server address is 193.144.83.110
(or vpn.citius.usc.es
). When using the name check if it matches the ip address.
To do so, open a terminal window and enter ping vpn.citius.usc.es
and check that the answers are from that ip address. If it is not, then use the address instead of the name in the configuration.
To change the configuration in Windows, right click the systray icon and choose “Edit configuration…”. In the text editor, change remote vpn.citius.usc.es
to remote 193.144.83.110
. Remove the whole line verify-x509-name “vpn.citius.usc.es” name
. Save and close the editor.
Check that you can open a session in the CiTIUS web with your username and password. If you can, then double check the password in the VPN configuration. Once you are sure the problem is not your username/password if it isn't working yet then it may be an outdated certificate's fault. Get in touch with the admins to make them check it.
After this service was launched the list of ports that an EDUROAM network has to have open has been standardized. We use port 22 UDP
for the VPN service and sadly that port was not in the list. The same thing happens when connecting from other networks like the SERGAS, which have that port filtered.
To work around that problem we redirect port 1194 UDP
(which is open in EDUROAM) to 22 UDP
. So if you are having trouble change the connection port to 1194 and try again.
To change the configuration in Windows, right click the systray icon and choose “Edit configuration…”. In the text editor, change 22 udp
to 1194 udp
(all lowecase). Save and close the editor.
Certain combinations of SSH clients and servers can have traffic between them blocked by Internet providers when negotiating the connection encryption. To check if the problem applies to your case, try to connect with the -v
parameter. You should see messages like these:
$ ssh -v jorge.suarez@172.16.54.31 OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to 172.16.54.31 [172.16.54.31] port 22. debug1: Connection established. debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7 debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
and then keeps waiting for one minute until the server closes the connection. You can avoid this problem forcing the preferred encryption methods in the SSH client configuration file. For example:
$ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes128-cbc,3des-cbc" > ~/.ssh/config
If this doesn't resolve the issue then you mast configure other encryption methods. Try shortening the list o changing the its order.
It is necessary to run OpenVPN GUI as administrator. If not, everything seems ok but routes are not correctly established an connections fail.
It's a file compressed with 7-zip, that is also protected with password citius
. We use to send the configuration files by email in that format to avoid them being rejected by mail servers. Usually mail servers don't allow .exe
files attached.