Previous post

Check out the previous post.

Introduction

APS has two types of account. An APS member account is associated with aps.org, and a separate journal account is associated with journal.aps.org. This confuses a lot of researchers and maybe editors. This time, I guess that it also confused the IT department of APS.

The APS go mobile subscription is always associated with the journal account. This time, APS seems to have stripped all the powers the journal account had possessed for years.

If you are rich, please stop here and just pay APS. You could subscribe to Physical Review Letters/A/B/C/D/E for about $70 per year each. It is very likely, however, that you will pay a bit more in the first year because the subscription lasts until the end of your membership. Don't worry: you should go back to the $70 annual charge in the following year.

Timeline

August 2019: According to APS

Starting August 1, 2019 APS member subscribers will need to log in using your member credentials instead of your APS Journal Account.

This introduced a bug in the APS go mobile subscription, but one that was fixable by end users. Meanwhile, APS is still advocating the use of APS go mobile during COVID-19.

Feb 1, 2021: APS killed go mobile subscription. I am no longer able to utilize go mobile subscription on any browser including Safari, Chrome, and Firefox.

Workarounds

Official method

The official method is to use a VPN to connect to the campus. It is, however, clumsy. It may require a password, two-factor authentication, etc. It may route all your Internet traffic through the campus, which could be inefficient. Traffic could be slow and tracked. You might even face Google's infamous robot-detection check, which repeatedly asks you to verify that you are a human using difficult-to-identify pictures.

Lightweight alternative

Some universities provide public IP addresses to research groups, which allows SSH connections into a server at the university. If so, running ssh -D PORTNUMBER USER@SERVER (USER and SERVER are placeholders for your account and the server's address) would establish a SOCKS proxy that routes traffic to the remote server through local port PORTNUMBER. If you enable passwordless authentication such as key-based authentication, you do not need to type the password. However, you have to issue this command over and over because it requires an active SSH tunnel. It could be a pain if you are disconnected or resume work the next day.

Lighterweight alternative

There is an even lighter-weight alternative to the SOCKS proxy through SSH: set up a server that only listens for incoming encrypted proxy connections. There are numerous variants of such proxy-focused servers, used by millions of users. Please search for one and install the one you prefer. You could password-protect your proxy server so that only you are able to use it.

Once you have set up a server that listens for encrypted proxy connections, you could use the corresponding client to connect to the server and open a local SOCKS5 proxy.

You could then use a PAC file to route only the traffic to the domains below through the local proxy.

ip.me
aps.org
ieee.org
osapublishing.org
sciencemag.org
nature.org
rsc.org
iop.org
iopscience.com
sciencedirect.com
elsevier.com
webofknowledge.com
clarivate.com
akamaiedge.net
go-mpulse.net
sciencedirectassets.com
adobedtm.com
els-cdn.com
plu.mx
googletagservices.com
ams.org
scitation.org
springer.com

This means that traffic to *.aps.org, etc., but not to general websites, is routed through the proxy. The list above could be expanded to suit your needs if you find that a journal website is missing.
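
A PAC file implementing this routing, as an added example rather than the author's own configuration. It assumes the local SOCKS5 client listens on 127.0.0.1:1080 and carries only part of the list above. Hosts are matched on a label boundary so that a look-alike such as notaps.org is not sent through the campus proxy.

```javascript
// Added example PAC file. 127.0.0.1:1080 is an assumed local SOCKS5 listener.
// No "DIRECT" fallback is listed for journal hosts: if the proxy is down the
// request fails visibly instead of silently leaving from your home address.
var PROXY = "SOCKS5 127.0.0.1:1080";

// Subset of the domain list from the post; extend it with the remaining entries.
var PROXIED_DOMAINS = [
  "ip.me", "aps.org", "ieee.org", "iop.org",
  "sciencedirect.com", "elsevier.com", "springer.com"
];

// Lower-case the host and drop a trailing root dot ("aps.org." -> "aps.org").
function normalizeHost(host) {
  host = String(host).toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.slice(0, -1);
  }
  return host;
}

// True when host is the domain itself or a subdomain of it.
// The leading "." in the suffix prevents "notaps.org" from matching "aps.org".
function hostInDomain(host, domain) {
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = normalizeHost(host);
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (hostInDomain(host, PROXIED_DOMAINS[i])) {
      return PROXY;
    }
  }
  return "DIRECT"; // everything else bypasses the proxy
}
```

Visiting ip.me, which is in the list, shows the campus address when the proxy is in use, while any unlisted IP-echo site still shows your home address.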

Server behind a NAT

The number of IP addresses might not be an issue in many universities. However, you might encounter a case where only private IP addresses such as 192.168/16, 10/8, 172.16/12 are allocated.

In this case, an outsider cannot initiate a connection to your server without UDP hole punching or STUN.

In this case you need an external server, such as your router at home or a VPS, to expose the service to you. You could use reverse-proxy software such as FRP to expose your proxy.

Oracle provides a free VPS. Many old Internet providers such as Xfinity/Comcast provide public IP addresses to customers. But if your Internet provider is a new fiber company such as MetroNet, or you are in a developing country, you are likely to be behind a NAT.

Zerotier

If your router has a public IP and you run the frp server at home, your proxy traffic is routed towards the server on campus. However, if you put the frp server at Oracle, your traffic to the campus must be routed to Oracle first, which adds delay and jitter.

An alternative is to host a Zerotier service. The Zerotier server could serve as a middleman to help you establish a direct connection between your home and campus. However, the caveat is that, typically, only UDP connections are supported due to security limitations of typical router/NAT devices.

Even though TCP traffic could be relayed over UDP, to the router/NAT you are sending UDP packets. UDP packets might suffer from QoS congestion control much worse than TCP packets. That is, the priority of UDP packets is typically lower than that of TCP packets. This means that Zerotier should be used as a last resort.