Connecting a Linux Computer to SU Network

Since I am working with Linux, which is considered to be “insecure” by Syracuse University’s ITS, there is no official approach to connect to SU’s network with VPN. Fortunately, if you have an OSX or Windows machine around, which are capable of using SU’s VPN, we can set up a NAT rule to allow Linux computers in the same LAN to access SU hosts.


If the other machine is OSX

  1. Enable Firewall in OSX

    System Prerefences -> Security & Privacy -> Firewawll -> Turn On Firewall

  2. Turn on IP forwarding

     sudo systemctl -w net.inet.ip.forwarding=1
  3. Connect to SU’s VPN
  4. Use netstat -nr command to find out VPN’s tunnel interface

    For example, running netstat -nr on my computer yields the following output. The highlighted line indicates that the tunnel interface is ppp0, because all SU traffic is redirected there.

     Alans-MacBook-Pro:~ xiang$ netstat -nr
     Routing tables
     Destination        Gateway            Flags        Netif Expire
     default          UGSc           en0
     default            link#20            UCSI          ppp0
     127                UCS            lo0          UH             lo0
     128.230            ppp0               USc           ppp0        UGHS           en0    UH            ppp0
     169.254            link#6             UCS            en0      !
     192.168.0          link#6             UCS            en0      !     link#6             UCS            en0      !        d8:d:17:b3:8f:6d   UHLWIir        en0   1165        link#6             UHRLWI         en0      !      5c:ea:1d:56:6d:af  UHLWI          en0    496      9c:f4:8e:4f:ad:c4  UHLWIi         en0   1115      54:62:e2:59:d6:9a  UHLWIi         en0    668      bc:54:36:37:93:fd  UHLWI          en0    890   link#6             UCS            en0      !      f0:18:98:32:cf:3a  UHLWI          lo0
     224.0.0/4          link#6             UmCS           en0      !
     224.0.0/4          link#20            UmCSI         ppp0        1:0:5e:0:0:fb      UHmLWI         en0    1:0:5e:7f:ff:fa    UHmLWI         en0 link#6             UCS            en0      ! link#20            UCSI          ppp0
  5. Add NAT rules to OSX’s firewall

    Open /etc/pf.conf with root privilege and add NAT rule below nat-anchor. Here, is the IP address of my Linux machine (I want to allow this machine only since I don’t want to get into trouble by abusing my VPN account. You can use CIDR notation to allow more computers in the subnet.); ppp0 is the VPN tunnel interface. Note: this line must be added to the correct position, otherwise pfctl will complain syntax error!

     # anchor point
     scrub-anchor "*"
     nat-anchor "*"
     nat on ppp0 from to -> (ppp0)
     rdr-anchor "*"
     dummynet-anchor "*"
     anchor "*"
     load anchor "" from "/etc/pf.anchors/"

    After updating the config file, run the following commands:

     sudo pfctl -d #disables pfctl
     sudo pfctl -F all #flushes all pfctl rules
     sudo pfctl -f /etc/pf.conf -e #starts pfctl and loads the rules

    We can use pfctl -s nat to see if the rule is set up correctly.

     Alans-MacBook-Pro:~ xiang$ sudo pfctl -s nat
     No ALTQ support in kernel
     ALTQ related functions disabled
     nat-anchor "*" all
     nat on ppp0 inet from to -> (ppp0) round-robin
     rdr-anchor "*" all
  6. Add rules in Linux computer’s routing table

    We need to route SU’s traffic towards the OSX computer. To do so, we use the following command:

    (base) user@machine:~$ sudo ip route add via

    We can use route -n to see if the routing table is updated correctly.

    (base) user@machine:~$ route -n
     Kernel IP routing table
     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    100    0        0 enp0s31f6     UG    0      0        0 enp0s31f6     U     1000   0        0 anbox0   U     100    0        0 enp0s31f6   U     0      0        0 anbox0

Now everything should be done! We can use ping utility to see if we can access SU’s internal hosts.

(base) user@machine:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=252 time=62.6 ms
64 bytes from icmp_seq=2 ttl=252 time=83.6 ms
64 bytes from icmp_seq=3 ttl=252 time=104 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 62.607/83.503/104.299/17.020 ms

The traceroute results shows that our packets will go through our OSX machine and eventually reach SU’s network.

(base) user@machine:~$ sudo traceroute -I
[sudo] password for user:
traceroute to (, 30 hops max, 60 byte packets
 1 (  128.133 ms  128.145 ms  128.151 ms
 2 (  311.626 ms  311.632 ms  311.915 ms
 3 (  311.043 ms  311.053 ms  311.329 ms
 4 (  311.333 ms  311.333 ms  311.334 ms
 5 (  311.315 ms  311.315 ms  311.314 ms
 6 (  313.140 ms  298.395 ms  298.412 ms

If the other machine is Windows…

The steps should be similar. I do not have a Windows computer at hand, so this part is temporarily empty.