This guide provides basic information for users of the UMS OpenVPN service with the Viscosity VPN client software.
- Install the Viscosity VPN client available from the University Application Catalog.
- In a browser, go to the web portal (https://openvpn.net.maine.edu) and log in using your UMS credentials ([username]@maine.edu). Select the Profile Configuration option from the menu.
- If requested, a profile may have been preconfigured for you; if you see a message stating that you have no profiles, click the Add Profile button. Use one profile per client device; only one VPN connection per profile can be active at a time.
- Select the profile you wish to download the configuration for by clicking on the profile name.
- Viscosity users should use the Profile Download button to download a copy of the VPN client configuration and certificates. This file will be associated with the Viscosity client once it is installed, and double-clicking the file should import the connection into Viscosity.
- Once Viscosity is installed and a downloaded profile has been imported, you will find a Viscosity icon in your notification area (Windows) or in the menu bar near the Spotlight icon (Mac). Click this icon and select Connect under the name of your profile. Upon connection, you will be prompted to log in with your UMSID.
- To disconnect, click on the Viscosity icon once more and select Disconnect.
Access & Authorization
The OpenVPN service does not provide VPN access to resources until authorization has been requested and approved. Following the steps above, a user will be able to authenticate and connect to the VPN service but will not have VPN access to UMS resources until authorization has been granted.
There are three methods of obtaining authorization:
- Using the web portal to request VPN access and having it approved by a service administrator.
- Being added to an existing group by a group administrator.
- Having access preconfigured by a service administrator.
The majority of users have authorization managed through group membership or preconfigured access and generally need to take no action.
However, authorization for specific resources can be requested via the web portal by selecting a VPN profile and using the Request Access button.
Access requests are based on IP address.
When viewing a specific profile in the web portal, both individual authorizations and group memberships will be displayed. Note that authorizations are profile-based and not account-based and authorization must be granted for each profile.
Two-Factor Authentication (Optional)
The VPN service provides optional Two-Factor Authentication, or 2FA, using Google Authenticator.
Service administrators may flag some addresses or networks as requiring 2FA for access. If a resource is flagged as 2FA-required, a VPN client will not be able to reach it unless the current connection was established using 2FA, even if the profile holds an active authorization for that resource.
2FA support must be enabled in two places:
- At the account level (this restricts web portal access to 2FA)
- On each VPN profile
To enable 2FA, select the Account Configuration option from the menu in the web portal and click on the Enable 2FA button.
Select Google Authenticator as the type unless you have been issued a hardware authenticator (provided as an alternative for users without a device capable of running Google Authenticator).
Google Authenticator is a free app for Android or Apple iOS, available through their respective app stores. Make sure the download you select is published by Google, Inc. and not a third party. Once installed, Google Authenticator is a stand-alone application and stores the authentication key securely on your device. It does not require an active data connection to use, is not associated with a Google account, and does not upload your key to Google.
The Apple version of Google Authenticator allows QR code import. The Android version requires manual entry of the 32-character Authenticator Key.
To avoid being locked out due to a typo, 2FA will not be enabled on your account until you can provide a valid one-time password generated from the unique 2FA key issued for your account. The code will be a time-based 6-digit number generated by Google Authenticator.
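The following is an added example, not part of the UMS guide and not code from Google Authenticator or the OpenVPN service, showing how a time-based 6-digit code is derived from a 32-character Authenticator Key (RFC 6238 TOTP over HMAC-SHA1 with a 30-second step, which is what Google Authenticator uses by default). It also shows the check a server performs when the code is entered, including the small clock-drift window and a constant-time comparison. The sample key is the published RFC 6238 test key, not a real UMS key; the 30-second step and one-step drift window are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector key (ASCII "12345678901234567890" in base32).
# It is exactly 32 base32 characters, the same format as the Authenticator
# Key shown in the web portal. Constructed for illustration only.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # assumed Google Authenticator default
DIGITS = 6          # matches the 6-digit code described in the guide


def totp(key_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the TOTP code for the time step containing unix_time."""
    secret = base64.b32decode(key_b32.replace(" ", ""), casefold=True)
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def verify(key_b32: str, candidate: str, unix_time: int, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of drift.

    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    for drift in range(-window, window + 1):
        expected = totp(key_b32, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_KEY, now)
    print("current code:", code, "valid:", verify(SAMPLE_KEY, code, now))
```

The key never leaves the device and no network is needed: both sides only need the shared key and roughly synchronized clocks, which is why the guide can say the app works without a data connection and without a Google account.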
Upon successfully activating 2FA on your account, you will be prompted for your authentication code after providing your password to login to the web portal.
2FA will not be enabled on your VPN connection until it is enabled on the profile. To do this, select Enable Two-Factor from the Actions menu when viewing a profile.
Enabling or disabling 2FA on a VPN profile requires a separate profile configuration download. Upon enabling 2FA on a VPN profile, the profile will fail to connect until you have downloaded and imported the updated 2FA configuration using the Profile Download button. Upon import, this will add a new connection to your list with the label 2FA. You do not need to remove the non-2FA connection, but you must select the correct connection to establish based on whether 2FA is enabled or disabled for the profile in the web portal.
Because 2FA is enabled per-profile, users can make use of 2FA and non-2FA profiles, limiting 2FA profiles to devices that need to access a 2FA-required resource.
If you have been provided a Hardware Authenticator, then instead of configuring Google Authenticator you will be asked to provide the serial number of your authenticator to associate it to your account. The serial number should be entered exactly as shown, including any leading zeros. From there, you will be presented a challenge to prove that you are the owner of the token and if successful it will be enabled for your account.
Concurrent usage from multiple machines
In order to use an OpenVPN profile on multiple machines at the same time, you need to create multiple profiles. Multiple profiles can be members of the same groups.
Log in to https://openvpn.net.maine.edu/ and go to Profile Configuration. You should see a Clone button next to your existing profile. (Group memberships are preserved.) Click Clone, and a newly named profile will be created.
Configure your second machine to use the new profile and you should be all set. The machines will get different IP addresses.
The Viscosity client is available for Windows and Mac only; however, the OpenVPN service also supports the open source OpenVPN client, which can be used on Linux.
When viewing a profile, where you would select Profile Download, Linux users should instead select the Mobile Download option from the Actions drop-down menu; this will download a standard .ovpn configuration bundle which can be called from the CLI openvpn client.
To use the .ovpn configuration bundle, the CLI openvpn client package is required, generally named openvpn-client. The client must also be run as root in order to have the permissions needed to create a network tunnel interface and modify the network routing table for VPN traffic. To establish a connection, open a terminal window and run:
sudo openvpn --config <filename>
where <filename> is your .ovpn configuration file.
The VPN connection will terminate when you close the terminal window or send an interrupt signal with Ctrl+C.
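As an added example (not part of the UMS guide and not the OpenVPN project's own tooling), the following Python script does the pre-flight check a cautious Linux user would want before handing a downloaded bundle to openvpn as root: it parses the .ovpn directives and inline `<ca>`-style blocks, confirms the bundle is self-contained and names a server and a CA certificate to verify it against, flags any `auth-user-pass` that reads credentials from a file on disk, and only then builds the `sudo openvpn --config <filename>` command from the guide. The sample bundle and the `vpn.example.invalid` server name are constructed placeholders, and the directive set checked here is an assumption based on common .ovpn files, not on the UMS profile format.

```python
import os
import re
import subprocess
import sys

# Constructed sample bundle for illustration; not a real UMS profile.
SAMPLE_BUNDLE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
# constructed placeholder certificate, not a real CA
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Return (directives, inline_blocks) for an OpenVPN config.

    directives maps a directive name to the list of argument lists seen;
    inline_blocks is the set of <tag> ... </tag> sections (ca, cert, key, ...).
    """
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                           # inside an inline block: skip body
            if line == f"</{current}>":
                current = None
            continue
        if not line or line[0] in "#;":       # blank line or comment
            continue
        tag = re.fullmatch(r"<(\w[\w-]*)>", line)
        if tag:
            current = tag.group(1)
            blocks.add(current)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def check_bundle(text):
    """Return a list of problems; an empty list means the bundle looks usable."""
    directives, blocks = parse_ovpn(text)
    problems = []
    if "client" not in directives:
        problems.append("missing 'client' directive")
    if "remote" not in directives:
        problems.append("missing 'remote' directive (no server to connect to)")
    if "ca" not in blocks and "ca" not in directives:
        problems.append("no CA certificate: server identity cannot be verified")
    for name in ("ca", "cert", "key"):
        if name in directives:                # a bare directive points at an external file
            problems.append(f"'{name}' references an external file; a bundle should inline it")
    for args in directives.get("auth-user-pass", []):
        if args:                              # credentials stored on disk rather than prompted
            problems.append(f"auth-user-pass reads credentials from file {args[0]!r}")
    return problems


def build_command(path, euid=None):
    """Build the command from the guide, adding sudo only when not already root."""
    if not path.endswith(".ovpn"):
        raise ValueError("expected a .ovpn configuration bundle")
    if euid is None:
        euid = os.geteuid() if hasattr(os, "geteuid") else 0
    cmd = ["openvpn", "--config", path]
    return cmd if euid == 0 else ["sudo"] + cmd


if __name__ == "__main__":
    bundle_path = sys.argv[1]
    with open(bundle_path, encoding="utf-8") as fh:
        issues = check_bundle(fh.read())
    for issue in issues:
        print("problem:", issue)
    if issues:
        sys.exit(1)
    # Foreground run, exactly as in the guide: Ctrl+C ends the connection.
    subprocess.run(build_command(bundle_path), check=False)
```

Run it as `python3 check_and_connect.py profile.ovpn` (script name assumed). The checks run unprivileged; only the final openvpn invocation is elevated.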