VPN on laptop or home pc (EduVPN)


eduVPN protects you on insecure networks, for example, against nearby prying eyes while on the train. The service also offers secure access to protected services when accessing from outside your institution's network.

At Nikhef we offer two 'variants' of eduVPN:

Secure Internet
helps you to surf safely on the general internet. This service is a courtesy of SURF and Nikhef, and allows you to 'escape' from restrictive environments (hotel networks, cafes) that only allow web browsing, and at the same time protects your network traffic via encryption.
Institute Access
connects you safely to all internal, local, Nikhef services directly. You can login to Stoomboot, view internal web pages, and mount your home directory via CIFS from anywhere in the world. It is like being connected to our local wireless and wired network with your laptop ("DHCPnet"). However: it only takes your traffic to Nikhef, and you cannot use Institute Access to access non-Nikhef resources, as the name already suggests. The list of accessible networks is on the eduVPN IA web site.

eduVPN is available for Windows, Linux, MacOS, Android, and iOS devices.

Secure Internet

Secure Internet is a private tunnel to a trusted end-point from which you can connect to the rest of the public internet. Your traffic will be carried in private to one of the participating national research and educational networks (NRENs), and they will 'inject' your traffic back into the internet. You can make it appear as if you are in any of these countries, not only the Netherlands but also Germany, Australia, Denmark, Uganda, &c. The eduVPN client program will give you the complete list.

If you use only Secure Internet, you will access Nikhef services as if you were 'outside', i.e. as if from home.

Privacy considerations

While your traffic will be encrypted up to the end-point of the tunnel (so up to the NREN), from that point onward it depends on you and the protocol you choose. For privacy, always use "https" and other secure protocols (like "imaps" and "smtps") to send sensitive data like passwords. Your traffic cannot be intercepted until you get to the NREN endpoint, but the endpoint itself can see where you are going although they won't inspect your traffic. But all normal rules and acceptable use apply, and you are not anonymous. In that sense it is a bit like eduroam: the network is secure, but you are responsible for what you do and you can be found.

Institute Access

Nikhef Institute Access provides a direct tunnel into our local network, as if you connected to our local WiFi or like having your laptop plugged into the wall. You can login directly to things like the Stoomboot interactive nodes, you can mount your home directory (or roaming profile) via CIFS ("samba" or "windows shares"), and you can view intranet web pages.

The Institute Access configuration will set your computer to only send Nikhef traffic over this tunnel - all other traffic will not be affected. If you send non-Nikhef traffic over this VPN tunnel, we will drop it: this means that you cannot get to the 'rest of the internet' via Institute Access. However, you can connect to both Institute Access and Secure Internet in parallel, to keep you safe.

Privacy considerations

Your traffic will be encrypted up to the end-point of the tunnel at SURFnet, and SURFnet will send that traffic directly to Nikhef via a dedicated private link. Within Nikhef, the traffic is no longer super-encrypted, but is 'just like any local link'.

Why don't we allow general traffic on Institute Access? Simple: we want to preserve your privacy, and really don't want to see your personal browsing behaviour. Traffic sent through Nikhef is all subject to our Acceptable Use Policy, and we carry responsibility for what we would send on towards the public internet. To do that, we perform incident response and keep logs on network connections. If you were to use Institute Access for personal browsing, we could inadvertently capture your other traffic, and we don't want to. SURFnet, as our NREN, offers Secure Internet that does offer you 'generic' access, and - although you are and remain subject to our Nikhef Acceptable Use Policy - your personal traffic will be part of 'just a whole bunch of student and dorm traffic'. And we at Nikhef don't get to see it, so our security team feels better as well.

Install EduVPN to get institute access from home

If you want to connect to your Nikhef desktop after installing EduVPN, follow these instructions.

Windows 10 installation and instructions

To install EduVPN on Windows 10 follow the steps below.

  1. Visit the EduVPN website to download the software: https://www.eduvpn.org/apps.html.
  2. Once the software is downloaded, start the installer and click 'Install'.
  3. In the provider list, select the institute to connect to. Search for 'Nikhef' in the list and click on it.
  4. You can use the EduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, in this example we want to connect to our computer at Nikhef, so we choose the option "Institute Access Nikhef".
  5. Your browser will open and you will be asked to grant authorization for the EduVPN application. Click 'Approve' to continue.
  6. Back in the EduVPN application, make sure 'Nikhef' is selected and choose 'Institute access' to start the connection with the institute.
  7. This is the status page. The status icon will be colored orange for a short time and then turn green. You are connected!

macOS installation and instructions

To install EduVPN on your Mac follow the steps below. The instructions are written using macOS 12.0.1 (Monterey).

  1. Visit the EduVPN website to download the software: https://www.eduvpn.org/apps.html.
  2. You will then be directed to the App Store on your Mac to download the EduVPN client. Do this and wait for the software to be installed on your Mac.
  3. Start the EduVPN application. Search for 'Nikhef' in the list and click on it.
  4. You can use the EduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, in this example we want to connect to our computer at Nikhef, so we choose the option "Institute Access Nikhef".
  5. Your browser will open and you will be asked to grant authorization for the EduVPN application. Click 'Approve application' to continue.
  6. Back in the EduVPN application, click on 'Nikhef' to start the connection with the institute.
  7. macOS will ask if you allow a change to the system's VPN configuration. To continue, click on 'allow' here.
  8. This is the status page. The status icon will be colored orange for a short time and then turn green. You are connected!

Linux (Ubuntu/Mint) installation and instructions

To install EduVPN on your Linux machine follow the steps below. These instructions are written using Mint but the application is available for various distros. If you scroll further down you will find more instructions on how to use EduVPN under Linux. This does require more technical knowledge of the OS you are using.

  1. Visit the EduVPN website to download the software for Linux: https://www.eduvpn.org/apps.html.
  2. You will then be directed to the documentation website at https://python-eduvpn-client.readthedocs.io/en/master/
  3. Pick the Linux flavour you are using and follow the instructions written there.
  4. After this is finished, start the EduVPN application. Search for Nikhef and click on Nikhef at Institute access. You can use the EduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, if you want to connect to your computer at Nikhef, choose the option "Institute Access Nikhef".
  5. Your browser will open and you will be asked to grant authorization for the EduVPN application. Click 'Approve' to continue.
  6. You can close the browser and start using EduVPN on your Linux machine.

Linux installation without installing apps

It is also possible to use EduVPN under Linux without any applications. To do this, follow the steps below.

nmcli connection import type openvpn file <name of the file>.ovpn

  • Now open your Network manager and there should be a Nikhef EduVPN connection available to connect to.

Linux (Gentoo) installation and instructions

To install EduVPN on your Ubuntu machine follow the steps on this page: https://python-eduvpn-client.readthedocs.io/en/master/

Note, instructions are only available for Debian and Fedora(-like) flavours. For other systems, you may have to dig through the Makefile (since manual-installation instructions are also only for Debian/Fedora(!)). On my Gentoo system, what worked is (for secure internet):

  1. pip install eduvpn-client # As user or root, or use your package manager
  2. eduvpn-cli interactive | grep Nikhef # Nikhef = 39 or 878 - Ctrl-C
  3. eduvpn-cli interactive
  4. > 878 # Choose Nikhef
  5. Do you want to select a secure internet location? y
  6. Server: 13 (Nl) # This is the country you will appear to be browsing from
  7. What do do? 0 # Write .ovpn file to current directory, as ~/eduVPN.ovpn
  8. As root: openvpn /path/to/eduVPN.ovpn
  9. Last output: Initialization Sequence Completed # Good sign!
  10. You can check the result e.g. here.

I think you should be redirected to your browser during this process (after selecting 878/Nikhef?), but it doesn't happen anymore while I'm writing this. Note that most steps above are needed to create the eduVPN.ovpn once, after that the openvpn command suffices. Note also that openvpn must be running, either in the foreground like in the example above, or in the background using e.g. openvpn /path/to/eduVPN.ovpn &> /dev/null & (but you won't see any output). In the first case, kill with Ctrl-C, in the second case with the kill command. The VPN connection is active until you kill openvpn.
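
The .ovpn file from the steps above is either run by openvpn as root or imported with nmcli, so it is worth inspecting before use. The script below is an added example, not part of this wiki page or of the eduVPN client: it flags directives that make openvpn execute programs, a missing server-certificate check, and an embedded private key in a file that others can read. The function names, the sample profile and vpn.example.org are constructed for illustration.

```shell
# Added example: audit an exported OpenVPN profile before openvpn runs it as root.

# Print directives only: no comments, blank lines or inline <ca>/<key> bodies.
ovpn_directives() {
    awk '
        /^[ \t]*<\/[a-z-]+>/ { inblock = 0; next }
        /^[ \t]*<[a-z-]+>/   { inblock = 1; next }
        inblock              { next }
        /^[ \t]*([#;]|$)/    { next }
        { sub(/^[ \t]+/, ""); print }' "$1"
}

# Print findings for profile $1; return 1 if any finding needs attention.
ovpn_audit() {
    profile=$1; rc=0
    dirs=$(ovpn_directives "$profile")
    # 1. Directives that make openvpn execute external programs or plugins.
    hooks=$(printf '%s\n' "$dirs" | awk '
        $1 ~ /^(up|down|route-up|route-pre-down|ipchange|tls-verify|plugin)$/ { print; next }
        $1 == "script-security" && $2 + 0 >= 2 { print }')
    if [ -n "$hooks" ]; then
        printf '%s\n' "$hooks" | sed 's/^/HOOK: /'; rc=1
    fi
    # 2. The peer certificate must be verified as a server certificate.
    if ! printf '%s\n' "$dirs" | grep -Eq '^(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])'; then
        echo "NOVERIFY: no remote-cert-tls server or verify-x509-name"; rc=1
    fi
    # 3. A profile that embeds a private key should be readable by its owner only.
    if grep -q '^<key>' "$profile" && [ "$(ls -ld "$profile" | cut -c5-10)" != "------" ]; then
        echo "KEYPERM: embedded private key, file accessible to group/others"; rc=1
    fi
    # List the endpoints so they can be compared with the expected VPN server.
    printf '%s\n' "$dirs" | awk '$1 == "remote" { print "REMOTE: " $2 " port " $3 " " $4 }'
    return $rc
}

# Constructed sample profile (hostname and key body are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
remote vpn.example.org 1194 udp
remote-cert-tls server
# script-security 2   (commented out, must be ignored)
<key>
(constructed placeholder, not a real key)
</key>
EOF
}

if [ $# -gt 0 ]; then ovpn_audit "$1"; fi
```

Save it as a script and pass the profile path as the first argument; a KEYPERM finding is resolved with chmod 600 on the file.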