Uni-ID

about Uni-ID (EST/ENG)

Uni-ID is required to use TalTech VPN.

eduVPN

NB!

• Since June 30, 2024 eduVPN will be closed and replaced with FortiClient VPN
• Since July 2021 has been old OpenVPN service replaced by eduVPN, used for library.

More information:

• eduVPN portal in TalTech - OpenVPN settings generation and download
• how to configure (EST, ENG)
• about eduVPN

Usually generated OpenVPN settings are enough. Still there is a separate eduvpn-client possible to use:

• Ubuntu and Debian client installation, configuration (also Fedora, CentOS and manual installation via pip available)

sudo apt install apt-transport-https curl
curl -L https://app.eduvpn.org/linux/deb/eduvpn.key | sudo apt-key add -
echo "deb https://app.eduvpn.org/linux/deb/ stable main" | sudo tee -a /etc/apt/sources.list.d/eduvpn.list
sudo apt update
sudo apt install eduvpn-client
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

For OpenVPN installation, please see here

For smart devices, there are an eduVPN clients available: Android | iOS, that makes connection via TAAT authentication.

Forticlient VPN

• FortiClient guidance in Estonian and English

Packages

OpenFortiVPN packages

• command-line client for GNU/Linux, macOS, BSD
  • https://github.com/adrienverge/openfortivpn - readme contains instructions for different Linux distros
  • for Arch Linux based distros there is openfortivpn-git which is same package as in Git. Also there is openfortivpn which might be older. Since v1.23 came the SAML authentication support (see CHANGELOG and search with CTRL+F text: 1.23.0). SAML authentication is required to use TalTech VPN.

FortiClient packages

• clean client https://www.fortinet.com/support/product-downloads#vpn - download the Forticlient VPN-only package
• for MS Windows, TalTech preconfigured software available here, there are also other packages and links for other operating systems
• FortiClient GUI app for GNU/Linux
  • Ubuntu, Debian, Mint - since SAML authentication this might work or might not, depends on desktop environment. E.g. in KDE it might not work but in XFCE it might work.
  • for Arch Linux and its based distros there is forticlient-vpn package, which is VPN-only package. Don't install forticlient, which is ZTNA edition and not used in TalTech. Before installing, it is worth to investigate package descriptions in AUR to ensure it is proper package (VPN-only).

OpenFortiGUI packages

Does not (yet) support SAML authentication:

• DEB repository for Debian, Ubuntu and its based distros https://apt.iteas.at
• Debian, Ubuntu related information https://hadler.me/linux/openfortigui/
• GitHub repository https://github.com/theinvisible/openfortigui

Installation

OpenFortiVPN installation

Arch and its based

Arch Linux and its based distros can be installed openfortivpn-git (often newer) or openfortivpn. Before installing it is worth to ensure, which one is newer version. Since version 1.23 there is also SAML authentication support (see CHANGELOG and search with CTRL+F text: 1.23.0). SAML authentication is required to use TalTech VPN.

yay -Sy openfortivpn-git --needed && yay -Scc --noconfirm && yay -Yc

Instead of yay there can be used any other AUR helper

In Ubuntu

sudo apt update && sudo apt install gcc automake autoconf libssl-dev make pkg-config && sudo apt-get clean
git clone https://github.com/adrienverge/openfortivpn
cd openfortivpn
# If any doubts that newer version does not work:
git checkout v1.23.1 # replace version number with actual version in future
./autogen.sh
./configure --prefix=/usr/local --sysconfdir=/etc
make
# To install into system:
# sudo make install

Other distros

Also in openfortivpn README are described usage and compilation in other Linux distros.

FortiClient installation

GUI app installation (VPN-only package)

• different operating systems, including smart devices
• installation at Ubuntu, Debian, Mint
• Arch Linux and its based distros:

yay -Sy forticlient-vpn --needed && yay -Scc --noconfirm && yay -Yc

Instead of yay there can be used any other AUR helper

OpenFortiGUI installation

Does not (yet) support SAML connection.

• in Debian and Ubuntu based distros there is a repository, which is suggested to use - https://apt.iteas.at/ For detailed information, please see https://hadler.me/linux/openfortigui/
• in Arch Linux and its based distros, there is a package openfortigui and also its Git version openfortigui-git. You need to check, which one is newer.
• in other Linux distribution, please search its software repository for openfortigui package. Also there are some general package websites for many Linux distros e.g.
  • https://linux-packages.com/
  • https://pkgs.org/download/openfortigui

OpenFortiGUI configuration

• please use SUDO -E parameter in OpenfortiGUI settings! (File→Settings). Might be necessary (not usually) to disable temporarily for certificate retrieval in first time.
• also it might be necessary to turn off the Set DNS parameter (see this report). Choose Edit connection and under Options tab uncheck Options > Advanced > Set DNS so that openfortivpn does not handle DNS or overwrite /etc/resolv.conf. Otherwise after disconnecting is Internet connectivity lost with error message Temporary failure in name resolution.

Also whenever needed, uncheck Options > PPPD > PPPD no peerdns so that pppd does handle DNS - and hopefully does the right thing.

• on first connection attempt, the certificate must be accepted
• next connection attempt can be actually connect via VPN
• at file /etc/sudoers.d/openfortigui there is a line (will be created automatically during OpenFortiGUI setup):

 %sudo  ALL=NOPASSWD:SETENV: /usr/bin/openfortigui --start-vpn *

This means, that all users in group sudo can use it without password with superuser rights. Although running the app is regular (as user in group sudo) without actual sudo command.

• When you got an error Peer refused to agree to his IP address in log then you need to enable ipcp-accept-remote (or possibly ipcp-accept-local - choose one at a time) in /etc/ppp/options - this will work immediately on next connection, no services need restart. More details at this issue

Connecting

TalTech guide for VPN

guide in Estonian and English

External IP

Before and after connecting you can check your external IP-address (will be changed after connecting with VPN):

• https://whatismyipaddress.com/
• https://www.whatismypublicip.com/
• https://www.whatismyip.com/
• https://www.whatsmyip.org/
• https://dnschecker.org/whats-my-ip-address.php
• http://www.icanhazip.com/
• http://checkip.dyndns.org/

...and also at command line, e.g. creating appropriate aliases in ~/.bash_aliases:

alias ipinfo='curl ipinfo.io'
alias ipinfo-ip='curl ipinfo.io/ip ; echo'
alias ipinfo-hostname='curl ipinfo.io/hostname ; echo'
alias ipinfo-city='curl ipinfo.io/city ; echo'
alias ipinfo-region='curl ipinfo.io/region ; echo'
alias ipinfo-country='curl ipinfo.io/country ; echo'
alias ipinfo-loc='curl ipinfo.io/loc ; echo'
alias ipinfo-org='curl ipinfo.io/org ; echo'

Also

curl ifconfig.me/ip ; echo
curl https://ipecho.net/plain ; echo
wget -qO- icanhazip.com

See also

• https://linuxnightly.com/check-external-ip-from-linux-command-line/
• https://myexternalip.com/

OpenFortiVPN connecting

if installed or make install is done, then:

sudo openfortivpn vpn.taltech.ee:443 --saml-login

if just compiled but not installed:

cd openfortivpn # if not in folder
sudo ./openfortivpn vpn.taltech.ee:443 --saml-login

There will be opened SAML auth web page

https://vpn.taltech.ee:443/remote/saml/start?redirect=1

which will redirect to

http://127.0.0.1:8020/?id=<ID>

Usually users have TalTech Uni-ID already authenticated in default web browser, then this will work immediately and VPN will be authenticated and start working. Be aware to avoid any other organization Microsoft account authentication in same (default) web browser to avoid authentication conflict.

Possible DNS issue

If there is an issue with DNS:

INFO:   Adding VPN nameservers...
Dropped protocol specifier '.openfortivpn' from 'ppp0.openfortivpn'. Using 'ppp0' (ifindex=8).
Failed to set DNS configuration: Could not activate remote peer 'org.freedesktop.resolve1': activation request failed: unknown unit

... then use following parameters (see also this issue):

sudo openfortivpn vpn.taltech.ee:443 --saml-login --set-dns=0 --pppd-use-peerdns=1

Although this error does not affect name resolving. There could be tried also to enable certain service

sudo systemctl enable --now systemd-resolved

To cancel VPN connection, press CTRL+C in terminal, where VPN is connected.

alias

For convenient usage in GNU/Linux you can use bash alias in ~/.bash_aliases file (or whatever shell you use - its alias):

alias vpn='sudo openfortivpn vpn.taltech.ee:443 --saml-login'

or in case of DNS issue

alias vpn='sudo openfortivpn vpn.taltech.ee:443 --saml-login --set-dns=0 --pppd-use-peerdns=1'

Here the vpn is the alias name, which can be typed into terminal to run following command(s). Before choosing alias name, test desired alias name in terminal to see whether it does not interfere with existing commands or aliases.

To empower created aliases, either run

source ~/.bash_aliases

... or reopen terminal window or if server, relogin user.

sudoers

To allow regular user use openfortivpn as superuser without entering password, there can be used sudoers and create a file e.g. with name /etc/sudoers.d/permissions

sudo visudo -f /etc/sudoers.d/permissions

...containing (among others):

Cmnd_Alias VPN = /usr/bin/openfortivpn, /usr/bin/sshuttle
username ALL=(ALL) NOPASSWD:VPN

Here is also sshuttle added for its convenient use. Instead of username write actual username or use group name, e.g. %sudo to allow all sudo group members.

config file

Using openfortivpn config file with SAML authentication might not work as described in this issue.

Open default web browser

To open default web browser automatically there is yet not know working parameter (see this issue).

There seems to be openfortivpn-webview, also Arch packages openfortivpn-webview-qt, openfortivpn-webview-electron are available but none of them worked.

pinentry is not meant to open default web browser but for authentication:

--pinentry=<name>
The pinentry program to use. Allows supplying the password in a secure manner.  For example: pinentry-gnome3 on Linux, or pinentry-mac on macOS.

Available pinentry values can be read from pinentry README.

FortiClient VPN connecting

• Connection name - e.g. TalTech VPN, cannot be empty, use whatever you want to name the connection
• Description - can be empty, use whatever you want to describe the connection
• Remote gateway (VPN-server): vpn.taltech.ee
• Customize port: 443
• Enable Single Sign On (SSO) for VPN Tunnel - check to enable SAML authentication (required)
• Use external browser as user-agent for SAML authentication - use if authentication in-app does not work but avoid any other organization authentication of Microsoft 365 authentication in default browser
• Client Certificate leave empty
• Enable Dual-stack IPv4/IPv6 address leave unchecked
• Enable auto-login with Azure Active Directory leave unchecked

Web access: https://vpn.taltech.ee:443/

To connect, choose created profile in GUI app and press SAML connection button.

To cancel connection, disconnect with appropriate button.

For sudoers to allow user(s) run FortiClient as root without password:

Cmnd_Alias VPN = /opt/forticlient/gui/FortiClient-linux-x64/FortiClient
user ALL=(ALL) NOPASSWD:VPN

Instead of user write real username. Also you can use e.g. %sudo to allow all in sudo group.

For desktop icon, after sudoers is configured, the target should be:

sudo /opt/forticlient/gui/FortiClient-linux-x64/FortiClient --no-sandbox

IT College VPN is deprecated (does not support SAML authentication) and at some point will not work as TalTech VPN has same capabilities and newer software

• use your Uni-ID credentials to login (NB! without @taltech.ee)
• Web: https://portal.itcollege.ee:10443/
• Remote gateway (VPN-server): portal.itcollege.ee
• Customize port: 10443

Then you can use remote access:

• Mesh Central to switch operating systems remotely
• RDP for remote usage <-- suggested as on screen is nothing then visible

In IT College there is an option to use SSH tunnel using http://enos.itcollege.ee/ server using your Uni-ID credentials. For convenient usage there is a Sshuttle (article in Estonian) available. This SSH tunnel is available also for students. MS Windows users can use puTTY. Also macOS users can use SSH tunnel.

OpenVPN

NB! Since July 2021 OpenVPN has been replaced by eduVPN, which in turn will be since June 30, 2024 replaced by Forticlient VPN.

Allows to access the TalTech library outside university. Additionally you will get a secure VPN connection. Uni-ID account is required.

OpenVPN client software

• for MS Windows and macOS clients, please login https://eduvpn.taltech.ee/ and download university-customized version directly from there
  • official OpenVPN client for MS Windows | documentation
  • official OpenVPN client for macOS | documentation
• GNU/Linux https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/
• Android https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-android/
• iOS https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-apple-ios/

OpenVPN installation in Debian/Ubuntu

• open the terminal, e.g. CTRL+ALT+T and copy-paste the following line and press Enter

copy-paste in terminal: SHIFT+CTRL+C, SHIFT+CTRL+V

sudo apt-get update && sudo apt-get install openvpn
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

You may want to search also openvpn-blacklist package, but it might be also deprecated and not available.

• for GUI Network Manager:

sudo apt-get update && sudo apt-get install network-manager-openvpn-gnome
sudo ldconfig && sudo dpkg --configure -a && sudo apt-get clean

You may want to search the package openvpn-systemd-resolved and also install it to integrate OpenVPN with systemd. ^[1]

OpenVPN configuration

• download the preconfigured client.ovpn from https://eduvpn.taltech.ee/
• use your Uni-ID credentials to login and also later to authenticate in OpenVPN
• for GNU/Linux in file client.ovpn after setenv PUSH_PEER_INFO please add the following lines and then save the file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

OpenVPN connecting in Debian/Ubuntu

• use your Uni-ID credentials
• open the terminal, e.g. using CTRL+ALT+T
• navigate to folder where the client.ovpn is saved or provide the full path
• sudo openvpn --config client.ovpn or use more convenient way - the alias created below

Usually there is possible to import *.ovpn files into graphical network manager^[2]. In Ubuntu 16.04 LTS cannot be imported current but in Ubuntu 18.04 LTS already can.

OpenVPN convenient login in GNU/Linux

• open the terminal, e.g. using CTRL+ALT+T
• create an alias:
  • nano ~/.bash_aliases #open CLI text editor
  • alias vpn-taltech-openvpn='sudo openvpn --config /path/client.ovpn' #add appropriate alias and path to client.ovpn, then save the file
• source ~/.bash_aliases (or reopen terminal or relogin)
• add permissions to run OpenVPN without entering a password
  • sudo nano /etc/sudoers.d/permissions #the file name permissions could be replaced whatever else you like
  • username ALL=(ALL) NOPASSWD: /usr/sbin/openvpn #replace username with your real one and then save the file
• type your new alias vpn-taltech-openvpn in terminal to start a VPN session

in nano text editor

• save the file:
  • CTRL+O and Enter if you agree the proposed file name (or enter a new one if needed)
  • or F3
• quit the file:
  • CTRL+X
  • or F2

More information about...

• sudoers at https://help.ubuntu.com/community/Sudoers
• alias
  • https://askubuntu.com/questions/1414/how-to-create-a-permanent-alias
  • EST Alias bash shellis
  • EST https://viki.pingviin.org/Alias

Benefits of TalTech VPN

• you have a secure tunnel over insecure network, e.g. public WiFi, mobile internet or similar
• you can access internal network resources in TalTech, which are outside not accessible, e.g. shared network drives, internal websites, etc.
• TalTech VPN can be used for TalTech library and its paid databases outside TalTech:
  • EST https://www.taltech.ee/koik-andmebaasid
  • ENG https://www.taltech.ee/en/all-databases

TalTech helpdesk

• in case of questions, issues - please contact TalTech helpdesk
  • https://taltech.atlassian.net/wiki/spaces/ITI/overview
  • https://it.taltech.ee/ (choose website language if needed)
  • self-service: http://helpdesk.taltech.ee/ (to visit self-service you must own Uni-ID account)

References