skip to content
Home

IT Help and Support

University Information Services
 

Ubuntu 20.04 Desktop

Configuring the UIS VPN on Ubuntu 20.04 LTS Desktop

Caution! Due to the wide variations in Linux, these instructions are likely to be incompatible, or require adaptation to work, with other versions of Ubuntu.

Generic instructions for configuring the VPN service are provided, which may be helpful when setting up alternative systems.

Important note: The following are best-efforts instructions provided by the UIS Servers and Storage team and will allow the VPN service be used from Ubuntu 20.04.

Unfortunately, due to some limitations in Ubuntu, the setup and control of the VPN must be performed using the command line (Terminal); if you are unsure about this process, please seek assistance from someone familiar with Linux. 

StrongSwan is available for other distributions, and this document may help you with the setup of StrongSwan once you have obtained suitable packages for your distribution.

You'll need root access to your machine. All the steps below assume you are using a root shell (or know how to use "sudo" to execute commands as root) and have a reasonable familiarity with Linux (utilities, filesystem, editors, etc.)

For general information on configuration, see our generic instructions and information on our managed VPN service.

Periodically, the certificate used by the VPN server will need to be updated.  When this happens, you'll need to download and install the new server certificate and restart the ipsec service to reconnect. In this case, follow the instructions from the certificate section onwards.
 

Install the StrongSwan packages

Various packages are required to support the VPN, from the StrongSwan family.  They should be installed using "apt-get":

sudo apt-get install -y strongswan libstrongswan-extra-plugins libstrongswan-standard-plugins libcharon-extra-plugins resolvconf

 

VPN configuration file — ipsec.conf

The contents of ubuntu2020-ipsec should be inserted into /etc/ipsec.conf, just underneath the section starting "config setup".  Substitute "username" with that of the Network Access Token you created for this device in the format CRSid+device@cam.ac.uk – for example "abc123+myhomelaptop@cam.ac.uk":

 

VPN password file — ipsec.secrets

The file /etc/ipsec.secrets needs to have the following two lines appended.  Replace "username" with the Network Access Token username (as above) and "token" with the password, for this device:

# ipsec.secrets - strongSwan IPsec secrets file
username@cam.ac.uk : EAP "token"

 

Certificate

A copy of the server's certificate is required so that the client can authenticate the identity of the server, before supplying your username and password (token).

Download links for the certificates for the UIS VPN and the managed VPNs are available on the generic instructions page and the managed VPN page, respectively. You must put your certificates in /etc/ipsec.d/certs – this is the only place that charon (part of the strongSwan VPN software) can read.

You can download the certificate using a browser and move it into place, or use a utility such as wget:

sudo wget -O /etc/ipsec.d/certs/vpn-server-cert.crt https://help.uis.cam.ac.uk/system/files/documents/vpn.crt

If you're using a managed VPN connection, you will need to adapt the above line as required (changing the download filename to match the one you entered into the configuration above, plus using the appropriate download link for the certificate).

Note that this will need to done in the event of the server certificate changing.  The client changeover must be done in coordination with the certificate changing on the server: it cannot be done in advance, nor later — if the certificates mismatch, the VPN will not connect.
 

Connecting and disconnecting

To connect and disconnect from the VPN, you must use a command line (in a Terminal window).

You only need to do a 'restart' after changing configuration files (e.g. during the setup above, or updating the certificate).  You then use the 'up' or 'down' commands to start or stop the VPN connection itself, as required.  For example:

sudo ipsec restart
sudo ipsec up CAM
sudo ipsec down CAM

Replace "CAM" with "BOTOLPHS" (or other) to use an institutional Managed VPN.
 

Debugging

  • Check /var/log/syslog for messages.
  • Put charondebug="all" in the ipsec.conf configuration file.
  • Periodically, the certificate used by the VPN server will need to be updated. When this happens, you will need to download and install the new server certificate and restart the ipsec service to reconnect. In this case, follow the instructions from the certificate section onwards.
  • If you see intermittent hangs, you may have an MTU mismatch. You can sometimes solve this by setting the MTU of your network device – that is, change enp4s0 as required in the following statement:

ip link set dev enp4s0 mtu 1422

 

Last updated: 22 February 2021

UIS Service Desk

MFA support team  MFA support team
Website  Self-service portal
  
Phone padded  01223 332999

UIS Service Status

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

Beware fake NHS 'Covid vaccine passport' emails

3 August 2021

We’re aware that University email accounts are currently receiving phishing emails that appear to be from the NHS encouraging people to apply for a ‘Covid vaccine passport’ or mentioning other Covid-related issues. What to do if you are suspicious of an email Don’t click on the email or any of the links. Follow the advice...

New digital certificate service launched

30 July 2021

We've launched a new digital certificate service, and are now onboarding institutions and IT staff. The new Jisc-based service enables IT staff to create and manage a broader range of certificates (TLS, client and code signing) in minutes and at no cost to their institution. Comparing the old and new certificate services...

Moodle maintenance Tuesday 3 August 07:00-09:00

28 July 2021

The Moodle service will be subject to interruption on Tuesday 3 August 07:00–09:00 due to essential maintenance. While Moodle is unavailable, users will not be able to log in to the Panopto cloud service. Panopto recordings can still be made offline for later upload. If you have any questions, please contact the Moodle...

View all news

Contact us

UIS facilities

Resources

UIS websites

Study at Cambridge

About the University

Research at Cambridge