TCD VPN Connection Instructions (Linux/Debian)

This document outlines how to securely connect to the Trinity College Dublin (TCD) network from a Linux (Debian/Ubuntu) machine without giving Cisco root access to your machine.

1. Avoid the Proprietary Cisco Client

IT may provide a link to download the proprietary Cisco Secure Client (AnyConnect), such as an .rpm or .sh file. The proprietary client runs as root, collects telemetry, and often enforces invasive posture scanning. Instead, we use OpenConnect, an open-source Linux client designed to be fully compatible with Cisco AnyConnect servers.

2. Installation

Install the necessary OpenConnect packages and NetworkManager integration tools via standard repositories:

sudo apt update
sudo apt install openconnect network-manager-openconnect network-manager-openconnect-gnome

3. The VPN Gateway

The target server address for TCD is: anyconnect.tcd.ie

4. How to Connect

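Because TCD uses Microsoft Multi-Factor Authentication (MFA), the GUI can sometimes fail to render the secondary MFA challenge prompt. The terminal is the most reliable way to handle both prompts.

Method A: Terminal

  1. Open a terminal and run:

    sudo openconnect anyconnect.tcd.ie

  2. Accept the server certificate if prompted. OpenConnect only asks when the certificate fails validation against your system trust store, so check the fingerprint it displays before accepting.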

  3. Enter your TCD short username and password.

  4. When prompted with Enter your Microsoft verification code:, enter the 6-digit code from your authenticator app (or type push if using app notifications).

  5. Leave the terminal open to maintain the connection. Press Ctrl+C to disconnect.

Method B: GUI (Network Manager)

  1. Open Debian/GNOME Settings -> Network (or Wi-Fi).
  2. Under VPN, click + to add a connection.
  3. Select Cisco AnyConnect Compatible VPN (openconnect).
  4. Name it "TCD VPN" and enter the Gateway: anyconnect.tcd.ie.
  5. Connect via the system tray. Note: If the login immediately fails without asking for an MFA code, refer to the Troubleshooting section below.

5. Troubleshooting Microsoft MFA Login Failures

A known bug exists where OpenConnect immediately fails the POST request during the Microsoft 365 login challenge before giving you a chance to type the code.

Fix 1: Change User Agent (Quick Fix)

Trick the server into thinking you are the official Windows client:

sudo openconnect --useragent="AnyConnect" anyconnect.tcd.ie

Fix 2: Use OpenConnect-SSO (Most Reliable)

For modern SAML/SSO authentication, install the openconnect-sso wrapper. It opens a browser window for normal Microsoft 365 authentication, then passes the secure token back to OpenConnect.

sudo apt install openconnect-sso
openconnect-sso --server anyconnect.tcd.ie

6. How Split Tunneling Works

When connected to the TCD VPN, you will notice that checking your public IP address (via curl ifconfig.me) still returns your home ISP's IP address.

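This is expected behavior called Split Tunneling. It also means the VPN does not protect your general internet traffic: only traffic to TCD networks goes through the tunnel.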

  • Internal TCD Traffic (e.g., library journals, internal 134.226.x.x addresses) is routed securely through the virtual VPN interface (tun0).
  • General Internet Traffic (e.g., YouTube, Google, ifconfig.me) is routed directly out of your standard home Wi-Fi connection to save TCD server bandwidth.

To verify the VPN is active and routing correctly, run:

ip route

You will see the TCD IP subnets (e.g., 134.226.0.0/16) pointing to dev tun0 alongside your default local network paths.
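
To see which interface a particular destination would use, the following added example (not part of the original instructions) applies longest-prefix matching to ip route output. The sample route table is constructed: only 134.226.0.0/16 and tun0 come from this page, while wlan0, the 192.168.1.x addresses and the function names are assumptions.

```shell
# Added example: which interface would carry a given destination, judged from
# `ip route` text by longest-prefix match (main table only, metrics ignored).

# Constructed sample of `ip route` during a split-tunnel session. Only
# 134.226.0.0/16 and tun0 come from the page; the wlan0 lines are made up.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
134.226.0.0/16 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_dev ROUTES IP: print the device of the most specific matching route,
# or "none" if nothing matches (for example, no default route).
route_dev() {
    target=$(ip_to_int "$2")
    best_len=-1; best_dev=none
    while read -r dest rest; do
        case $dest in
            default) net=0.0.0.0; len=0 ;;
            */*)     net=${dest%/*}; len=${dest#*/} ;;
            *.*.*.*) net=$dest; len=32 ;;   # host route without a prefix
            *)       continue ;;            # unreachable, blackhole, ...
        esac
        case $rest in *"dev "*) ;; *) continue ;; esac
        dev=${rest#*dev }; dev=${dev%% *}   # word following "dev"
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        if [ $(( target & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] &&
           [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=$dev
        fi
    done <<EOF
$1
EOF
    echo "$best_dev"
}

# is_tunnelled ROUTES IP: succeed only if IP would leave through tun0.
is_tunnelled() { [ "$(route_dev "$1" "$2")" = tun0 ]; }

# Constructed test addresses: one inside the TCD range, two outside it.
for ip in 134.226.10.5 203.0.113.10 192.168.1.20; do
    printf '%s -> %s\n' "$ip" "$(route_dev "$SAMPLE_ROUTES" "$ip")"
done
```

On a live system, pass "$(ip -4 route)" as the first argument instead of the sample; ip route get followed by an address asks the kernel the same question directly.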