Supported Operating Systems for the VPN

Our VPN provider, Palo Alto Networks, supports the following Linux distributions: https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app

Multi-factor authentication

In order to sign into the VPN you will now need to use multi-factor authentication (MFA) using a Time-based One Time Password (TOTP) each time you log in.  This involves being sent a code via a secure method to ensure that only you are able to sign in using your login details.  These passwords are only usable for a limited time and you will probably be familiar with this method when signing into your bank or other websites.

You will be prompted for a code when signing in, and by default your MFA code will be sent to the personal email address you provided when you registered. If you have any trouble with this, please contact the Service Desk.

Once your device is connected to the VPN you'll be able to access internal University resources via SSH, or access the intranet in the same way as though you were on campus.

Please note: It is assumed that you are familiar with using the command line in order to set up the VPN. If you are installing GlobalProtect VPN and you are not logged in as a superuser (root), you will need to prefix these commands with sudo. If you are using a University-issued Linux device and do not have sudo access, please log a request with the Service Desk for further assistance.

Prerequisite Packages

When installing you may notice your OS asks for additional packages to be installed.  Without these, your installation won’t work.

E.g. Ubuntu 20.04 asks to install libqt5webkit5.

Install the packages requested and try running the installation again:

apt install libqt5webkit5

 

Instructions

1. Download the GlobalProtect VPN archive 

PanGPLinux-5.3.0-c32.tgz

2. Open a terminal and untar the archive file.
tar -xzvf PanGPLinux-5.3.0-c32.tgz

This archive file supports both CentOS/RedHat and Ubuntu/Debian Linux operating systems (and some other platforms).  The archive file contains the following files:

./GlobalProtect_deb-5.3.0.0-32.deb
./GlobalProtect_deb_arm-5.3.0.0-32.deb
./GlobalProtect_rpm-5.3.0.0-32.rpm
./GlobalProtect_rpm_arm-5.3.0.0-32.rpm
./GlobalProtect_tar-5.3.0.0-32.tgz
./GlobalProtect_tar_arm-5.3.0.0-32.tgz
./GlobalProtect_UI_deb-5.3.0.0-32.deb
./GlobalProtect_UI_rpm-5.3.0.0-32.rpm
./GlobalProtect_UI_tar-5.3.0.0-32.tgz
./manifest
./PanGPLinux-5.3.0-c32.tgz
./relinfo

3. Select the file relevant to your Linux OS distribution and install.

 

Ubuntu Linux

apt-get install -f
dpkg -i GlobalProtect_UI_deb-5.3.0.0-32.deb

(The -f flag in the first command attempts to fix missing and/or broken packages, which we have found in testing may sometimes be necessary.)

NB: If you are on Ubuntu 22.04 you must also do the following:

Open a terminal window.

Edit the SSL config file by running this command:

nano /etc/ssl/openssl.cnf

Scroll down to the end of the file.

Add the following extra settings so it looks like this:

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Press Ctrl-O and then Enter to save the changes, then Ctrl-X to exit.

Reboot or restart the VPN service.
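
To confirm the edit took effect, the sections above can be followed as a chain from the top of the file. The script below is an added example, not part of the University's or Palo Alto's instructions. It assumes the stock file starts the chain with an openssl_conf = openssl_init line; the function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: walk the openssl.cnf section chain and report whether
# UnsafeLegacyRenegotiation is active. Function names are hypothetical.
# cnf_get FILE SECTION KEY -> last value of KEY inside [SECTION] ("" = top of file)
cnf_get() {
  awk -v want="$2" -v key="$3" '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^\[.*\]$/ { sec = $0; gsub(/^\[[ \t]*|[ \t]*\]$/, "", sec); next }
    {
      eq = index($0, "=")
      if (eq == 0 || sec != want) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) val = v
    }
    END { if (val != "") print val }' "$1"
}

# legacy_renegotiation_enabled [FILE] -> 0 if the option is reachable, 1 if not
legacy_renegotiation_enabled() {
  cnf=${1:-/etc/ssl/openssl.cnf}
  init=$(cnf_get "$cnf" "" openssl_conf)   # assumed entry point of the chain
  [ -n "$init" ] || { echo "no openssl_conf line at the top of the file"; return 1; }
  ssl=$(cnf_get "$cnf" "$init" ssl_conf)
  [ -n "$ssl" ] || { echo "[$init] has no ssl_conf"; return 1; }
  def=$(cnf_get "$cnf" "$ssl" system_default)
  [ -n "$def" ] || { echo "[$ssl] has no system_default"; return 1; }
  opts=$(cnf_get "$cnf" "$def" Options | tr -d ' \t')
  case ",$opts," in
    *,UnsafeLegacyRenegotiation,*|*,+UnsafeLegacyRenegotiation,*)
      echo "[$def] Options enables UnsafeLegacyRenegotiation"; return 0 ;;
  esac
  echo "[$def] Options does not enable UnsafeLegacyRenegotiation"; return 1
}

# Constructed sample (not a real system file) mirroring the settings above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2   # constructed line
Options = UnsafeLegacyRenegotiation
EOF
legacy_renegotiation_enabled "$sample"
rm -f "$sample"
```

Called with no argument, legacy_renegotiation_enabled reads /etc/ssl/openssl.cnf. Because that file is the system-wide OpenSSL default, the option applies to every program that loads it, not only GlobalProtect.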

 

 

Redhat/CentOS Linux

yum localinstall GlobalProtect_UI_rpm-5.3.0.0-32.rpm

 

4. Once installed, a small icon will appear in the top menu bar, and a ‘Welcome to GlobalProtect’ form will appear asking you to enter the Portal address for the connection.  Enter the relevant VPN address for your account:

Staff 

staff.vpn.port.ac.uk

Students

student.vpn.port.ac.uk

 

5. Click Connect

6. Enter your username in the browser window asking you to sign in, e.g. up1234567 / bloggsj

7. You will be asked to enter an OTP code. Type in this code and click Next.

 

Please note: For students your OTP code will be sent by default to the email address you provided when you registered with the University.

You can set up alternative authentication methods; see our MFA page.

 

Your device will now be connected to the VPN.  You can confirm that you have connected successfully from the globe icon in the menu bar.  (This does not appear by default in Ubuntu).  The next time you connect, the authentication screen will open with your default browser.  There may be additional checks to allow the browser to work with the VPN.  Please accept/allow these browser requests.  If the connection appears to be slow, select the 'click here' link in the 'Authentication Complete' browser notification.

Please note: There is a known error with the Firefox browser. See the notes section for further information on how to set up Google Chrome as an alternative default browser.

 

Making your default browser google-chrome (Firefox browser known error)

There is a known error with Firefox.  The workaround is to install and use an alternative browser, e.g. Google Chrome.

 

1. Install google-chrome according to the relevant Linux OS distribution

Ubuntu Linux:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb


Redhat/CentOS Linux:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
yum localinstall google-chrome-stable_current_x86_64.rpm

 

Please note: If you install google-chrome as a superuser (root), then to use the application you will need to add the following to its launcher script. This is not necessary if you are not a superuser.

gedit /opt/google/chrome/google-chrome

Find the line at the bottom of the file:

exec -a "$0" "$HERE/chrome" "$@"

Append the following to that line:

--no-sandbox

 

2. Select google-chrome as the default browser.

Ubuntu Linux:

Settings > Default Applications > Web > Google Chrome

Redhat/CentOS Linux:

Settings > Details > Default Applications > Web > Google Chrome

Once installed, and selected as the default browser, you will need to tell GlobalProtect to use it, otherwise it will continue to try to use Firefox.


3. Edit the XML file. You will need to use nano to do this, as gedit and vim may pick up errors in the syntax.
nano /opt/paloaltonetworks/globalprotect/pangps.xml


4. Add the line under the <Settings> section

 <default-browser>yes</default-browser>

 



5. Save the file

[CTRL+X], [y], [ENTER]


6. Reboot your PC


7. Relaunch GlobalProtect.  If this does not re-launch automatically, then you can type the following command into a terminal window.

/usr/bin/globalprotect launch-ui
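
Steps 3 to 5 above can also be applied as a single repeatable edit that keeps a backup and never leaves two default-browser elements in the file. This is an added example, not part of the University's or Palo Alto's instructions. The function name and the sample file contents are constructed for illustration; the real pangps.xml holds more settings than shown.

```bash
#!/usr/bin/env bash
# Added example: set <default-browser>yes</default-browser> under <Settings>
# exactly once, keeping a backup. Function name and sample are hypothetical.

ensure_default_browser() {
  xml=$1
  want='<default-browser>yes</default-browser>'
  grep -q '<Settings>' "$xml" || { echo "no <Settings> section" >&2; return 2; }
  grep -qF "$want" "$xml" && { echo "unchanged"; return 0; }
  cp -p "$xml" "$xml.bak" || return 1        # keep the original beside the edit
  tmp=$(mktemp) || return 1
  if grep -q '<default-browser>' "$xml"; then
    # An element with another value already exists: rewrite it in place.
    sed "s|<default-browser>[^<]*</default-browser>|$want|" "$xml" > "$tmp"
  else
    # Otherwise add the element once, directly after the first <Settings> line.
    awk -v add="$want" '{ print }
      !done && /<Settings>/ { print "    " add; done = 1 }' "$xml" > "$tmp"
  fi
  cat "$tmp" > "$xml"                        # cat preserves the file's owner and mode
  rm -f "$tmp"
  echo "updated"
}

# Constructed sample standing in for /opt/paloaltonetworks/globalprotect/pangps.xml
demo=$(mktemp)
cat > "$demo" <<'EOF'
<constructed-root>
  <Settings>
    <placeholder-setting>value</placeholder-setting>
  </Settings>
</constructed-root>
EOF
ensure_default_browser "$demo"    # first run inserts the element
ensure_default_browser "$demo"    # second run finds it and changes nothing
rm -f "$demo" "$demo.bak"
```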

 

Add a GlobalProtect shortcut icon to your desktop for quick access (Ubuntu users)

Ubuntu does not show the globe icon in the top right corner of your screen, and therefore you may wish to have a shortcut icon on your desktop to enable you to launch the VPN quickly.

1. Copy the icon to your desktop (in this case we are using up668466 user’s desktop, but substitute the path for your own desktop location).

cp /opt/paloaltonetworks/globalprotect/gp.desktop /home/up668466/Desktop

You may need to change the ownership and group to allow it to launch the application

chown up668466:up668466 /home/up668466/Desktop/gp.desktop

 

2. Edit the newly copied gp.desktop file

gedit /home/up668466/Desktop/gp.desktop

 

3. Make sure to change the Exec line to

Exec=/usr/bin/globalprotect launch-ui %usudo

 

4. Add in the following line to show the GP globe icon on the desktop 

Icon=gnome-globe


5. Save and close the file


6. Right-click on the desktop icon and select Allow Launching


7. Double-click the icon to launch GlobalProtect VPN

Please note: If the icon launches in a text editor when double clicking, you will need to associate it with the GlobalProtect application. Right-click and Open with another application and select GlobalProtect, or if this does not work Right click, Show in Files, Right click on the icon, Open with other application, select GlobalProtect.

If you have worked through these notes and are still unable to get GlobalProtect VPN to work, log a call with the Service Desk using the Linux form, including screenshots of any errors encountered.

You can watch a video demonstration of these instructions below

UoP Linux VPN manual install by David Lawes

Ubuntu Script install (Warning... Do not use for 22.04 or above, follow manual steps above!)

Ubuntu users can download this script to install automatically, as shown in the video below:

Ubuntu VPN script

You will need to make the script executable. Change directory to your downloads directory. 
cd ~/Downloads

Change permissions on the script
sudo chmod +x vpn-ubuntu-5.3.0-c32.sh

Run the script
sudo ./vpn-ubuntu-5.3.0-c32.sh

When the script has finished running, ensure you reboot your system before logging into the VPN.

Linux VPN script install - David Lawes

Contact Information Services

E: servicedesk@port.ac.uk

T: 023 9284 7777
