Information Systems & Technology (IST) provides a Virtual Private Network (VPN) service to the campus community to facilitate telecommuting and other access to campus-based network resources.
The VPN uses the public Internet to connect a remote computer, such as a home computer or a laptop, securely to the UWaterloo network. The underlying principle is to make the remote computer seem as if it were physically connected to the campus network.
Users will need to install the VPN software in order to get access to all campus network resources. In this case, you would run the Cisco AnyConnect client software, then do what you need to do to access the resource. For example, you would start the VPN client before running site-licensed software on your laptop that needs to connect to our license server, before mapping a network drive, or before starting your Remote Desktop client
Table of contents
- Installation Video
- Installation VPN in Windows
- Using VPN in Windows
- Installation VPN in MacOS
- Using VPN in MacOS
- Installation and using VPN in Ubuntu
- How to connect with the two factor authentication
Here is a video on how to install Cisco VPN
Install the VPN client on Windows OS (applies to IE, Edge, Firefox, and Chrome)
- To begin, log into the VPN website with your WatIAM credentials. Go to: https://cn-vpn.uwaterloo.ca/ (this link only works off campus)
- From the VPN download page shown below, click Download for Windows to download the installation file.
- Select Save.
- Go to your Downloads folder (via File Explorer) and double-click on the installation file.
- Click Next to start AnyConnect Secure Mobility Client Wizard.
- Click Install on the Ready to Install window.
- Accept End User License Agreement and click Next.
- Click the Finish button.
Using the VPN client after installation
The installation process only needs to be done once. After the client is installed, you can use the "Start Menu" item to launch the client connection window.
- Search for Cisco AnyConnect in the Windows start menu and launch the application.
- Enter in the server address (cn-vpn.uwaterloo.ca) and click Connect.
- Type in your WatIAM credentials and click OK. Wait for the connection to establish. This may take a few seconds if there are pending updates.
If you are having issues connecting, please confirm the AnyConnect client settings, including location and log in details.
When the VPN client is running, you will see an icon in the taskbar notification area (lower right corner of Windows). This can be used to control the VPN connection:
- Double-click to open the Cisco AnyConnect client
- Right click to close the Cisco AnyConnect client
Settings at a glance
If you already have the Cisco VPN client installed, you can use the following settings to connect:
- Server/connect to address: cn-vpn.uwaterloo.ca
- Username: WatIAM ID
- Password: WatIAM password
Install the VPN client on Mac OS
If you already have the Cisco VPN client installed, you can use the following settings to connect:
- Server/connect to address: cn-vpn.uwaterloo.ca
- Username: WatIAM ID
- Password: WatIAM password
Installation steps
-
To begin, log in to the VPN website with your WatIAM credentials.
Go to: https://cn-vpn.uwaterloo.ca (only off campus)
- From the VPN download page shown below, click Download for macOS to download the installer disk image.
- Go to your downloads folder and double-click on the installer image, which will have a name such as anyconnect-macos-4.6.01103-core-vpn-webdeploy-k9.dmg. This will mount and open the image and you should see the following window:
- Double-click on the .pkg installer file and you will be taken through the installation process. Click Continue to move through the steps.
- If you are running OS 10.14 (Mojave) you will get the following warning. Click OK to continue.
- At some point in the installation you may get the below dialogue window. If so, click Open Security Preferences and enable Cisco software. Note: you may also get the "Cisco AnyConnect Secure Mobility Client Notification" shown below. In which case, click on the Allow button, which will also take you to the Security & Privacy settings dialogue.
- To authorize Cisco's apps, you will need to authorize them in the Security & Privacy settings shown below.
- Click on the lock icon on the bottom left and enter your admin credentials to unlock so you can make changes.
-
Click on the Allow button to allow software from Cisco. After which you can close this preference window.
-
You should eventually get to the final screen shown below. Click Close.
-
Depending on your OS version you might get the following dialogue after closing the installer. Clicking on Move to Trash will delete the installer disk after closing. If you don't get the above option, you will have to eject the installer volume and delete the installer disk manually.
Running the Mac VPN client
You do not need to repeat the installation process each time you want to use the VPN. The installation process installs the Cisco VPN client into the Applications folder. You can run it from there or add it to your Dock.
If you haven't connected before, you will need to specify the VPN server cn-vpn.uwaterloo.ca as shown below.
- Select "cn-vpn.uwaterloo.ca" and click Connect. This brings you to a login window where you can authenticate with your UWaterloo credentials (i.e. your 8-character UWaterloo username and password). Under the Group drop-down menu, select UW-General-Campus.
Note: 'UW-General-Campus' is the recommended profile. 'UW-Campus' should be used as an alternative profile.
- Enter your 8-character UWaterloo username into the username field--without the @uwaterloo.ca.
- Enter the Second Password:
-
Type push for Duo Mobile push; enter ‘push2’ to receive the prompt on a secondary device, ‘push3’ to receive the prompt on a tertiary device, etc. To avoid multiple prompts on your phone, accept the push within 10 seconds.
-
Type sms for text codes (
this option is for students only ); you will get a text message with 10 codes. Re-enter your password, and type the first code in the second password field. -
Type phone to get a phone call (
this option is for students only ); enter ‘phone2’ to receive the prompt on a secondary device, ‘phone3’ to receive the prompt on a tertiary device, etc. -
For Duo hardware token or Duo app, enter the 6-digit code from the token or app
-
For a Yubikey, touch the YubiKey with your cursor in the text box
- Click OK in the bottom right.
- Accept the Duo 2FA prompt on your device to continue.
-
- Successful authentication to the VPN client will result in the following dialogue appearing for a short time in the top-right corner of the screen.
- When the client is active, the VPN connection can be controlled from the Menu Bar icon:
Connecting to VPN on Linux (Ubuntu)
- First you will need to login to the webpage using the appropriate link: https://cn-vpn.uwaterloo.ca (only off campus)
- After logging in, download the “Cisco AnyConnect Secure Mobility Client” by clicking “Download for Linux” and download the script file “anyconnect-linux64-4.6.01103-core-vpn-webdeploy-k9.sh”
- Another window will pop up and it will prompt to save the installer.
- Open up the command terminal (crtl+alt+t) and input these commands:
~$ cd Downloads/ (makes it so that the directory is downloads and allow interaction with the installer file)
Ls – l (looks through the downloads folder to look for the script file)
Chmod o+x anyconnect-linux64-4.6.01103-core-vpn-webdeploy-k9.sh (marks the script as an executable file)
Sudo ./anyconnect-linux64.4.6.01103-core-vpn-webdeploy-k9.sh (this runs the script)
- Input the computer password when prompted (it will prompt you to do this after you run the script).
- After you enter the password, the program should be fully installed on your computer. You can then open the client by selecting “Show applications” on the bottom right of your screen. Then click on Cisco AnyConnect.
- After Cisco AnyConnect opens, you can then type in cn-vpn.uwaterloo.ca to connect to the UWaterloo server.
-
Enter your 8-character username (e.g. j25rober)
-
Two-factor authentication (2FA) will be required in order to connect to the VPN. In the 'Second Password' field, enter one of the following, then click Connect.
-
For Duo Mobile push (app):
-For Duo hardware token: enter your 6-digit code
-For Duo Bypass code: enter your bypass code
-For SMS codes (
this option is for students only ): enter ‘sms’; you will get a text message with 10 codes. Re-enter your password, and type the first code in the second password field.-For Yubikey: enter the code generated by touching the Yubikey
-For Phone Call (
this option is for students only ): enter 'phone'-
To avoid multiple prompts on your phone, accept the push within 10 seconds.
-
Open your Duo app, select University of Waterloo, enter the code in the second password field [Recommended option], or
-
Enter ‘push' or 'push1’ to send the prompt to your primary device, or
-
Enter ‘push2’ to receive the prompt on a secondary device, ‘push3’ to receive the prompt on a tertiary device, etc.
-
Enter ‘phone2’ to receive the prompt on a secondary device, ‘phone3’ to receive the prompt on a tertiary device, etc.
-
If you are not receiving Duo phone calls, you may have a setting that is blocking the phone calls. Some possible solutions include adding the Duo phone number, (306) 900-4884, to your device whitelist, or if the service is blocking unknown callers, add the Duo phone number as a contact on the device.
-
iPhone: 'Silence Unknown Callers'
-
Telus/Koodo: 'Call Control'
-
Android: 'Block Unknown Callers'
-
Call Control or Call Blocker app
-
Any anti-spam service
-
-
-
-
You should now be connected! If you want to make sure you are connected, then you can click on Cisco AnyConnect, which should show you it as “Connected”.
Alternative Method to install VPN in Ubuntu
- First run the command below to activate the TUN module
sudo /sbin/modprobe tun Note: Some users may receive an error stating that TUN cannot be found, however it can be disregarded if steps 2 and 3 below- Install and Connect --Open Connect successfully.
If the installation fails, the most likely error that will be received is
modprobe: FATAL: Module tun not found in directory /lib/modules/...
To resolve this error, switch to a stable release. If you are already running a stable release, the following steps can be taken to resolve the issue:
-
Reboot your device
-
Remove any network-related kernel packages you have installed and update/upgrade your operating system
-
Install Open connect
sudo apt-get install network-manager-pptp network-manager-vpnc network-manager-openvpn - Connect to VPN, run:
sudo openconnect -v cn-vpn.uwaterloo.ca
When prompted to choose a group, type the appropriate VPN group name (UW-Campus, UW-General-Campus, UW-PART) and press enter.
It prompts you to type in your 8-character UWaterloo username (e.g. myuserna) and password and a second password. Once these are authenticated, the VPN connection is established. You will also be presented with the time and date your VPN session will expire.
Keep the terminal window open while the VPN session is active.
Network resources such as shared folders, NAS drives, servers, and workstations should now be available.
To close the VPN session, press Ctrl+Z in the terminal window. Abruptly killing the terminal window without properly closing out of the VPN session can lead to issues when attempting to reconnect in the future. These issues can typically be resolved by restarting the machine.
--------------------------------------------------------------------------------------------------------------------------
Optional – Install VPN plug-ins for Network Manager
-
Install some VPN plug-ins for Network Manager:
sudo apt-get install network-manager-pptp network-manager-vpnc network-manager-openvpn
-
If prompted for your password, type it, and press Enter.
-
If you are told that a package “is already the newest version,” ignore it and continue with the next command.
-
If asked to “continue [Y/n],” press Y, followed by Enter.
-
Open the connections settings dialogue, go to the VPN tab and add a new connection.
-
Select “Cisco AnyConnect”
How to connect with two factor authentication (2FA)
The installation process only needs to be done once. After the client is installed, you can use the "Start Menu" item to launch the client connection window.
-
If you haven't connected before, you will need to specify the VPN server:
-
cn-vpn.uwaterloo.ca : Accessed from off-campus and from wireless when on-campus
-
vpn-inside.private.uwaterloo.ca : Accessed from on-campus, wired connections only
-
-
Click Connect.
-
This brings you to a login window where you can authenticate with your credentials. Under the 'Group' drop-down menu, select 'UW-General-Campus'. Note: 'UW-General-Campus' is the recommended profile. 'UW-Campus' should be used as an alternative profile.
-
Enter your 8-character username into the username field
-
Two-factor authentication (2FA) will be required in order to connect to the VPN starting November 17, 2020. In the 'Second Password' field, enter one of the following, then click OK.
-
For Duo Mobile push: type in the second password field the word 'push' (without quotation marks) and it will send you the approved/denied access to your phone
-
For Duo hardware token or Duo app: type your 6-digit code in the second password field
-
For Duo Bypass code: type your bypass code in the second password field
-
For Yubikey: enter the code generated by touching the Yubikey
-
For Phone Call: type in the second password field the word 'phone' (without quotation marks)
-
If you are having issues connecting, please confirm the AnyConnect client settings, including location and log in details.
When the VPN client is running, you will see an icon in the taskbar notification area (lower right corner of Windows). This can be used to control the VPN connection:
-
Right click to close the Cisco AnyConnect client
- Double-click to open the Cisco AnyConnect client
