EduVPN

From CT Wiki

eduVPN protects you on unsecure networks, for example, against nearby prying eyes while on the train. The service also offers secure access to protected services when accessing from outside your institution's network.

At Nikhef we offer two 'variants' of eduVPN:

Secure Internet 
helps you to surf safely on the general internet. This service is a courtesy of SURF and Nikhef, and allows you to 'escape' from restrictive environments (hotels networks, cafes) that only allow web browsing, and at the same time protects your network traffic via encryption.
Institute Access 
connects you safely to all internal, local Nikhef services directly. You can log in to Stoomboot, view internal web pages, and mount your home directory via CIFS from anywhere in the world. It is like being connected to our local wireless and wired network with your laptop ("DHCPnet"). However: it only takes your traffic to Nikhef, and you cannot use Institute Access to access non-Nikhef resources, as the name already suggests.

eduVPN is available for Windows, Linux, MacOS, Android, and iOS devices.


Getting eduVPN

On your laptop, download the eduVPN client or use your existing OpenVPN or Tunnelblick installation. SURF has provided an excellent guide and tutorial for installing eduVPN.

If you cannot use the special eduVPN client or would prefer your existing OpenVPN installation, you can download personalised "ovpn" configurations directly:

Note: you can use Secure Internet and Institute Access simultaneously if you want both access to Nikhef resources and safely 'escape' a public or hotel wifi.

Secure Internet

Secure Internet is a private tunnel to a trusted end-point from which you can connect to the rest of the public internet. Your traffic will be carried in private to one of the participating national research and educational networks (NRENs), and they will 'inject' your traffic back into the internet. You can make it appear as if you are in any of these countries, not only the Netherlands but also Germany, Australia, Denmark, Uganda, &c. The eduVPN client program will give you the complete list.

If you use only Secure Internet, you will access Nikhef services as if you were 'outside', i.e. as if from home.

Privacy considerations

While your traffic will be encrypted up to the end-point of the tunnel (so up to the NREN), from that point onward it depends on you and the protocol you chose. For privacy, always use "https" (and other secure protocols like "imaps" and "smtps") to send sensitive data like passwords. Your traffic cannot be intercepted until you get to the NREN endpoint, but the endpoint itself can see where you are going, although they won't inspect your traffic. All normal rules and acceptable use apply, and you are not anonymous. In that sense it is a bit like eduroam: the network is secure, but you are responsible for what you do and you can be found.

Institute Access

Nikhef Institute Access provides a direct tunnel into our local network, as if you connected to our local WiFi or like having your laptop plugged into the wall. You can login directly to things like the Stoomboot interactive nodes, you can mount your home directory (or roaming profile) via CIFS ("samba" or "windows shares"), and you can view intranet web pages.

The Institute Access configuration will set your computer to only send Nikhef traffic over this tunnel - all other traffic will not be affected. If you send non-Nikhef traffic over this VPN tunnel, we will drop it: this means that you cannot get to the 'rest of the internet' via Institute Access. However, you can connect to both Institute Access and Secure Internet in parallel, to keep you safe.

Privacy considerations

Your traffic will be encrypted up to the end-point of the tunnel at SURFnet, and SURFnet will send that traffic directly to Nikhef via a dedicated private link. Within Nikhef, the traffic is no longer additionally encrypted by the tunnel, but is 'just like any local link'.

Why don't we allow general traffic on Institute Access? Simple: we want to preserve your privacy, and really don't want to see your personal browsing behaviour. Traffic sent through Nikhef is all subject to our Acceptable Use Policy, and we carry responsibility for what we would send on towards the public internet. To do that, we perform incident response and keep logs on network connections. If you were to use Institute Access for personal browsing, we could inadvertently capture your other traffic, and we don't want to. SURFnet, as our NREN, offers Secure Internet that does offer you 'generic' access, and - although you are and remain subject to our Nikhef Acceptable Use Policy - your personal traffic will be part of 'just a whole bunch of student and dorm traffic'. And we at Nikhef don't get to see it, so our security team feels better as well.

Installation hints

Linux

The Network Manager import of the VPN configuration will (erroneously) try to redirect all your traffic even over the Institute Access link, although the configuration file you get from eduVPN does not state that. To get the proper behaviour, make sure to set the checkbox in the IPv4 settings to Use this connection only for resources on its network. Like this:

(Screenshot: check the box in the Network Manager dialog when importing the ovpn file)

To import the ovpn file in the first place, use the Network Manager nmcli command:

nmcli conn import type openvpn file eduVPN_institute.ovpn
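The steps above, as an added example that is not part of the original wiki page: a small POSIX shell script that first checks whether an .ovpn file itself asks for full-tunnel redirection (a redirect-gateway directive), then imports it with nmcli and, for a split-tunnel profile such as Institute Access, pins the NetworkManager property behind the "Use this connection only for resources on its network" checkbox (ipv4.never-default / ipv6.never-default). The two sample profiles are constructed for the demonstration and are not real eduVPN configurations; the assumption that nmcli names the imported connection after the file's basename is marked in the comments.

```shell
#!/bin/sh
# Added example (not from the Nikhef wiki): inspect an .ovpn file for
# full-tunnel redirection, then import it into NetworkManager and make sure
# no default route is installed over a split-tunnel profile.

# Return 0 if the file contains a redirect-gateway directive (full tunnel),
# 1 otherwise (split tunnel: only the routes defined for the remote network).
ovpn_is_full_tunnel() {
    grep -Eq '^[[:space:]]*redirect-gateway' "$1"
}

# Print the routing mode of an .ovpn file as a single word.
ovpn_routing_mode() {
    if ovpn_is_full_tunnel "$1"; then
        echo full-tunnel
    else
        echo split-tunnel
    fi
}

# Import the profile with nmcli and, for a split-tunnel profile, disable the
# default route over it (what the GUI checkbox "Use this connection only for
# resources on its network" sets). Assumption: nmcli names the imported
# connection after the file's basename without the .ovpn extension; pass a
# second argument to override that name.
import_split_tunnel() {
    file="$1"
    conn="${2:-$(basename "$file" .ovpn)}"
    nmcli connection import type openvpn file "$file"
    if [ "$(ovpn_routing_mode "$file")" = split-tunnel ]; then
        nmcli connection modify "$conn" ipv4.never-default yes ipv6.never-default yes
    fi
    # Print the resulting setting so the user can verify it reads "yes".
    nmcli -g ipv4.never-default connection show "$conn"
}

# Constructed sample profiles (hypothetical host, not real eduVPN configs).
# Prints the directory that holds them.
make_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/institute.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
EOF
    cat > "$tmp/secure-internet.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
redirect-gateway def1
EOF
    echo "$tmp"
}

# Usage on a real profile (requires nmcli):
#   import_split_tunnel eduVPN_institute.ovpn
```

Run the routing-mode check before importing any profile: if a file you expected to be split-tunnel reports full-tunnel, the redirection comes from the file rather than from the Network Manager importer, and the checkbox alone is not the right fix.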

Windows

The Windows eduVPN client (but not the generic OpenVPN Community client) at the moment is unable to connect to Institute Access and Secure Internet simultaneously. Until this is fixed, we recommend you (also) download the generic client and download an OVPN file for Secure Internet and/or for Institute Access. Adding secondary TAP devices (the virtual network adapters that OpenVPN uses), which you may need to set up in order for the generic client to work (you only get one by default), is simple as well:

  • Open a command prompt ("cmd") with administrative rights and change to the TAP install folder:
        C:\> cd "C:\Program Files\TAP-Windows\bin"
  • Create an additional "TAP" virtual network device:
        C:\Program Files\TAP-Windows\bin\> addtap.bat
  • You can now use it from OpenVPN. Check that it is listed with:
        C:\Program Files\OpenVPN\bin> openvpn --show-adapters
        Available TAP-WIN32 adapters [name, GUID]:
        'TAPV9a' {BBE3146C-ACDB-4D83-A895-920706C333CB}
        'TAPV9b' {328A3D7E-ED84-49DD-99C4-C2F9B103BA9B}

If you want, you can rename the adapters from the "View Network Connections" control panel screen (type it explicitly, the new Network Centre in Windows 10 hides that one)
