VPN (Virtual Private Network) – FASRC DOCS https://docs.rc.fas.harvard.edu Thu, 05 Dec 2024 15:33:05 +0000

T-Mobile Home Internet VPN Issues https://docs.rc.fas.harvard.edu/kb/t-mobile-home-internet-vpn-issues/ Thu, 25 Jan 2024 21:41:03 +0000

Users of T-Mobile’s 5G home broadband Internet plan have issues connecting to and staying connected to VPNs. This is not an issue with Harvard’s VPNs or with Cisco AnyConnect, but with the T-Mobile Home Internet service. Unfortunately, FASRC cannot help you resolve this issue as it lies with T-Mobile’s service.

According to posts found on the Internet, T-Mobile is aware of this and has responded to customers that:

The issue is that while 5G can provide broadband level speeds and bandwidth wireless solutions, such as 5G, have a higher tolerance [NOTE: they mean ‘higher incidence’] for “packet loss.”  Packet loss is when individual pieces of data are dropped/lost during transmission.  For most applications this is a minimal issue that 5G speeds may render unnoticeable, but a live connection, such as the AnyConnect VPN or Voice Over IP phone services, will experience connection degradation or be completely disconnected forcing you to reconnect.

This is not an issue MTS can mitigate.  For this reason the only recommended Internet service types are fully wired based connections including DSL, Broadband, Cable, and Fiber Optic services.

This information is current as of the time of this posting: Jan 25, 2024

Updating VPN Client https://docs.rc.fas.harvard.edu/kb/vpn-client-update/ Thu, 28 May 2020 15:10:07 +0000

The Cisco AnyConnect VPN client used for the FASRC VPN is the same one used university-wide. If your VPN client is out of date or stops working due to an OS update (for example, MacOS X Catalina), there are three methods for updating:

If none of the above works for you, please see the HUIT VPN Help Page

VPN Proxy Settings instructions https://docs.rc.fas.harvard.edu/kb/vpn-proxy/ Thu, 01 Jun 2017 15:17:01 +0000

CEPRProxySettings

Manual OpenAuth Token Setup (advanced) https://docs.rc.fas.harvard.edu/kb/manual-openauth/ Thu, 08 Oct 2015 18:24:33 +0000

NOTE: These Are Advanced Instructions.
The instructions here do not generally apply to most users. See the OpenAuth page for normal setup. Please do not use the manual setup unless you truly need to or are sure this is what you desire.


If you prefer not to install our pre-configured client or you have a class account not tied to your email address, you can set up your OpenAuth token manually. This requires an OpenAuth token code, which you can get in one of two ways:

  1. Your TA or instructor if you have been given a class account that is not tied to your email address.
  2. Logging into the OA page with your RC username and password, receiving an email with a link to the OA, and copying the code shown at the bottom of that page.

Download the non-configured client for your OS (Mac, Windows, Linux) here

Jauth on Github (Harvard Informatics)

Remember, you have to enter your secret token manually during installation when prompted for the Authentication Secret String. There is no token code embedded in these clients.

Troubleshooting

OSX Error Message
With the GUI installer, Mac OSX 10.8 and above users may receive one of two error messages. In those cases you will need to open the app differently the first time you run it:

  • “JAuth OpenAuth Desktop Client Installer” is damaged and can’t be opened. You should eject the disk image.”
    • Go to System Preferences and click Security & Privacy
    • If “Allow apps to be downloaded from” is grayed out, click the lock at bottom to unlock this pane.
    • Note what it’s currently set to and then change the option to ‘Anywhere’ and confirm the change when prompted.
    • Run the installer now (and click Open or OK when dialogue pops up).
    • Once complete, go back to the Security & Privacy pane and change the setting back to its previous setting.
OpenAuth Troubleshooting https://docs.rc.fas.harvard.edu/kb/troubleshooting/ Mon, 21 Apr 2014 14:51:33 +0000
  • OpenAuth setup and revoking token
    If you have a new computer or phone and need to re-download the OpenAuth java applet or re-add your token to Google Authenticator/Duo Mobile, the steps are the same. See the OpenAuth Setup page to re-request your token download/QR code.
  • Synchronizing Clocks
  • New phone/computer? Re-downloading or re-adding your token on a new device.
  • Manual Token Setup (Advanced, Not Recommended)

    OSX Error Message
    With the GUI installer, Mac OSX 10.8 and above users may receive one of two error messages. In those cases you will need to open the app differently the first time you run it:

    • “JAuth OpenAuth Desktop Client Installer” is damaged and can’t be opened. You should eject the disk image.”
      • Go to System Preferences and click Security & Privacy
      • If “Allow apps to be downloaded from” is grayed out, click the lock at bottom to unlock this pane.
      • Note what it’s currently set to and then change the option to ‘Anywhere’ and confirm the change when prompted.
      • Run the installer now (and click Open or OK when dialogue pops up).
      • Once complete, go back to the Security & Privacy pane and change the setting back to its previous setting.
    VPN Setup https://docs.rc.fas.harvard.edu/kb/vpn-setup/ Wed, 02 Apr 2014 11:42:58 +0000

    Preface

    Many of the resources available through the FASRC cluster must be accessed through VPN (virtual private network – a sort of tunnel into the Harvard network) to protect sensitive data and prevent unauthorized access. When working outside the Harvard network, a VPN connection is generally necessary. This page describes the process for installing software and connecting to the RC VPN.

    If you are just SSH’ing in to our login nodes, VPN is not required. But it is needed for many other services. Some (but not all) examples are:

    Requirements

    VPN Software Installation

    IMPORTANT NOTE: You need to add a VPN realm, typically @fasrc, after your username in order to login to the FASRC VPN. The FASRC VPN (the client or web page) is the only place you do this. You will not use the username@fasrc format for login anywhere else but the FASRC VPN.
    See example below.

    Install

    The Cisco AnyConnect client can be installed from our VPN portal: https://vpn.rc.fas.harvard.edu
    NOTE: If you already have a current Cisco AnyConnect client installed for Harvard VPN access, you do not need to install it again. Skip to ‘Logging In’

    If the automatic installation fails, you should then be offered an option to download an installer. After downloading the software, click on the executable to run the AnyConnect installation wizard.

    If you are unable to install the client from this page, we recommend following instructions here: Connecting to Harvard VPN tunnels – IT Help

    Logging in

    Start Cisco AnyConnect and enter the FASRC VPN server name: vpn.rc.fas.harvard.edu

    Cisco AnyConnect prompt for server name: vpn.rc.fas.harvard.edu

    Enter your credentials and click OK to connect:

    • USERNAME: When connecting to the VPN you will use your username + @ + VPN realm name. For most people, this will be @fasrc (example: jharvard@fasrc ). If you are in the NCF or another FASSE group, this will be @fasse or a realm provided to you by your PI/lab group.
    • PASSWORD: The password you will enter is your FASRC account password as noted above
    • TWO-STEP VERIFICATION CODE: You enter your OpenAuth token code here

    Box showing prompts for Username, password, and two-factor code

    Once connected, you will have normal Internet and Harvard network access as well as access into the FASRC environment.

     

    Connecting to the FAS RC VPN from Linux clients https://docs.rc.fas.harvard.edu/kb/linux-vpn/ Fri, 07 Sep 2012 14:01:00 +0000

    We recommend using openconnect to connect to the Research Computing VPN from Linux.

    First, install OpenConnect on Ubuntu/Debian or Fedora/CentOS, respectively:

    • Ubuntu/Debian: sudo apt-get install network-manager-openconnect-gnome
    • Fedora/CentOS: sudo yum install NetworkManager-openconnect

     

    Option 1: The NetworkManager GUI

    • NOTE: If you prefer to connect using the command line, see “Using OpenConnect from command line” at the bottom of this page after installing OpenConnect.

    Under your network settings, add a VPN connection and specify vpn.rc.fas.harvard.edu as your gateway:

    Turn on your VPN connection to bring up the connect dialog:

    In the “Username” field, be sure to append “@fasrc” (the VPN realm).
    Enter your password and 6 digit verification code:

    You should now be connected to the RC VPN.

    Option 2: CLI and Build from Source

    If you don’t use NetworkManager, need a different version of the software, or otherwise don’t have success with the above, you can try building oath-toolkit and openconnect from source and using them from the command line. The following scriptlets build each under its own prefix in /opt/src and install each under its own prefix in /opt; adjust accordingly if you want to use other locations.

    Build oath-toolkit

    You will need the distro version of xmlsec, xmlcatalog, etc. On Ubuntu, make sure you have installed (at least) xmlsec1, libxmlsec1, libxmlsec1-dev, and libxml2-utils.
    The installation is a very straightforward GNU-toolchain-style build; the following just embellishes it with some automation. Version 2.4.1 is the latest at the time of writing; newer may work better.
    SW=/opt
    SRC=$SW/src
    cd $SRC
    umask 022
    wget --no-clobber http://download.savannah.gnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz
    # $_ is bash's "last argument of the previous command": first the URL, then the tarball name
    tar xvf "$(basename "$_")"
    APP=$(basename "$_" .tar.gz)
    cd $APP
    ./configure --prefix=$SW/$APP
    make
    sudo make install

    Create /opt/oath-toolkit-2.4.1/setup.sh with the following content:

    # Paths match the --prefix used in the build above (/opt/oath-toolkit-2.4.1)
    export PATH="/opt/oath-toolkit-2.4.1/bin:$PATH"
    export CPATH="/opt/oath-toolkit-2.4.1/include:$CPATH"
    export LD_LIBRARY_PATH="/opt/oath-toolkit-2.4.1/lib:$LD_LIBRARY_PATH"
    export LIBRARY_PATH="/opt/oath-toolkit-2.4.1/lib:$LIBRARY_PATH"
    export MANPATH="/opt/oath-toolkit-2.4.1/share/man:$MANPATH"
    export PKG_CONFIG_PATH="/opt/oath-toolkit-2.4.1/lib/pkgconfig:$PKG_CONFIG_PATH"

    Build openconnect

    On Ubuntu, make sure you have installed (at least) vpnc and gettext.
    The installation is a very straightforward GNU-toolchain-style build; the following just embellishes it with some automation. Note that we found that version 5.99 does not compile easily on Ubuntu 14.04. Version 5.03 is the next-to-latest at the time of writing.
    source /opt/oath-toolkit-2.4.1/setup.sh
    SW=/opt
    SRC=$SW/src
    cd $SRC
    umask 022
    wget --no-clobber ftp://ftp.infradead.org/pub/openconnect/openconnect-5.03.tar.gz
    # $_ is bash's "last argument of the previous command": first the URL, then the tarball name
    tar xvf "$(basename "$_")"
    APP=$(basename "$_" .tar.gz)
    cd $APP
    ./configure --prefix=$SW/$APP --with-vpnc-script=/etc/vpnc/vpnc-script
    make
    sudo make install

    Create /opt/openconnect-5.03/setup.sh with the following content:

    # Paths match the --prefix used in the build above (/opt/openconnect-5.03)
    export CPATH="/opt/openconnect-5.03/include:$CPATH"
    export FPATH="/opt/openconnect-5.03/include:$FPATH"
    export LD_LIBRARY_PATH="/opt/openconnect-5.03/lib:$LD_LIBRARY_PATH"
    export LIBRARY_PATH="/opt/openconnect-5.03/lib:$LIBRARY_PATH"
    export MANPATH="/opt/openconnect-5.03/share/man:$MANPATH"
    export PKG_CONFIG_PATH="/opt/openconnect-5.03/lib/pkgconfig:$PKG_CONFIG_PATH"
    export PATH="/opt/openconnect-5.03/sbin:$PATH"

    Using OpenConnect from command line

    After installing OpenConnect, you can connect to the VPN via the command line using:
    sudo openconnect -s /usr/share/vpnc-scripts/vpnc-script vpn.rc.fas.harvard.edu

    Then provide:

    [sudo] password for xxxxx: <password for your computer>
    Username: <rcusername>@fasrc
    Password: <rcpassword>
    Password: <six-digit authorization token>

    Using OpenConnect from command line with auto token generation

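    Put your OpenAuth secret (the 15-character alphanumeric string shown on your personalized OpenAuth download page) in a file such as ~/.s and make sure only you can read it (e.g. chmod 600 ~/.s). Because $(cat ~/.s) is expanded by your shell, the secret is passed to openconnect as a command-line argument and can be seen in the process list by other users of the same machine, so use this method only on a computer you do not share. Run the following, replacing USERNAME appropriately: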

    source /opt/oath-toolkit-2.4.1/setup.sh
    source /opt/openconnect-5.03/setup.sh
    openconnect --user USERNAME@fasrc --token-mode=totp --token-secret=base32:$(cat ~/.s) --background vpn.rc.fas.harvard.edu

    • NOTE: If you get a Permission Denied error, you need to use sudo:
      sudo openconnect --user USERNAME@fasrc --token-mode=totp --token-secret=base32:$(cat ~/.s) --background vpn.rc.fas.harvard.edu
      You will then need to type your computer password (not your RC password) at the [sudo] password for xxxxxx: prompt.

    You should then see the connection being negotiated and will be prompted for your RC password:

     
    (answer yes if you receive a certificate warning)
    Connected to HTTPS on vpn.rc.fas.harvard.edu
    Please enter your username and password.
    Password: [enter your RC password]
    Generating OATH TOTP token code
    Got CONNECT response: HTTP/1.1 200 OK
    CSTP connected. DPD 30, Keepalive 30
    Connected tun0 as 10.255.12.49, using SSL
    Established DTLS connection (using OpenSSL)

    After that you should be connected to the VPN. Leave the window open. You can terminate the session at any time by going back to the window and pressing Ctrl+C.

    OpenAuth https://docs.rc.fas.harvard.edu/kb/openauth/ Thu, 19 Apr 2012 09:21:23 +0000

    Most Research Computing services, such as the FASRC high performance computing cluster or VPN, are protected by two-factor authentication: access requires providing a normal password and a time-dependent “verification code.” We use a package, built on open standards, that we call OpenAuth to provide the two-factor authentication.

    REQUESTING YOUR TOKEN

    Please visit the following link, using your RC account username and password, to setup your account to work with OpenAuth: https://two-factor.rc.fas.harvard.edu

    Note: Clicking this link will cause an email to be sent to you. That email will contain a link to the OpenAuth install page with instructions, download links and your personalized token. The download link is valid for 24 hours.

    • This site will prompt you for your Harvard FAS Research Computing username and password. If you don’t yet have an account, you can request one here.
    • Since the site uses email verification to authenticate you, you must also have a valid email address on record with us.
    • All OpenAuth tokens are software-based, and you will choose whether to
      – use a smart phone app (the page will display a QR code for use in Google Authenticator [Android or iOS] or to allow display of the code in Duo Mobile [in addition to your Harvard Key code – these are two separate tokens])
      – or use 1Password on your phone or desktop to generate your verification codes. HUIT provides 1Password to members of Harvard.
      – or the java desktop app to generate your verification codes. (A Java runtime is required for the desktop app to function – Java install help page.) For most operating systems you will simply double-click the Jauth.jar file to start the java applet. There are also scripts for Windows (.bat) and Linux (.sh) if needed.

    Once you complete the quick steps in the above site, you’ll be all set to use OpenAuth. You may also revisit that site in order to setup your token on an additional device (you’ll still be able to use your original device, too).

    Having Trouble after setting up your token?

    NOTE: If you need to set up on a new phone or computer, you do not need to revoke your token. Just re-do the steps at the top of this page for Requesting Your Token. You only need to revoke a token if your device is lost or stolen or your token stops working.

    REVOKING/RESETTING

    Please keep in mind that you can revoke your token if you ever lose the device with your token or otherwise insecurely handle your token and need to start over with a new one. This is also useful if your token has time drift or otherwise stops working.
    To revoke your token visit two-factor.rc.fas.harvard.edu/oa/revoke

    After revoking the token, remove your token from any existing device: If using the java applet, delete that folder from your computer. If using a phone app, remove that token entry from the app. You will then need to re-do the process at the top of the page to install a new token.

    TROUBLESHOOTING

    For additional OpenAuth troubleshooting, including time synchronization, please see here.
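The six-digit code that openconnect's --token-mode=totp generates from the base32 secret, and the time drift mentioned under revoking and troubleshooting, can be reproduced with a short TOTP implementation. This is an added example, not FASRC or OpenAuth code; the 30-second step, HMAC-SHA1, the one-step acceptance window and the sample secret are assumptions (RFC 6238 defaults and a constructed value), not settings published on this page.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code: RFC 6238 default, assumed for OpenAuth
DIGITS = 6   # the page describes a six-digit verification code


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret that may be lower case, spaced or unpadded."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)   # b32decode only accepts whole 8-character groups
    return base64.b32decode(s)


def totp(key: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code: HMAC-SHA1 over the step counter, then RFC 4226 truncation."""
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(key: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Model a verifier that tolerates `window` steps of clock drift either way."""
    return any(
        hmac.compare_digest(totp(key, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed 15-character secret (not a real token); it decodes to 9 key bytes.
    key = decode_secret("JBSWY3DPEHPK3PX")
    now = time.time()
    for drift in (0, 25, 120):   # seconds the client clock runs slow
        code = totp(key, now - drift)
        print(f"client {drift:>3}s slow -> {code} accepted: {server_accepts(key, code, now)}")
```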
