Virtual private network (VPN)

Installing VPN

For the manuals about installing VPN on all of:

  • Windows
  • Mac
  • Linux Ubuntu GUI

please go to the ICT services page.

These manuals are now available without VPN but still only with your TUE account
(which you need anyway to use the VPN connection).

And the Linux manual is included there as well.

For more details about Linux, you may want to read the sections below.

Using the VPN connection

A working VPN connection does not necessarily imply that you can find systems on the campus easily from a system outside the campus.

In particular, if you try to connect

  • from a system outside the campus that is not in the campus domain,
    usually but not exclusively a Linux system
  • to a Windows system inside the campus

you may be surprised that you cannot connect to a short name such as:

mywindowspc

which may be a well-known hostname on the campus network.
But since you are not on the campus network, that short name is no longer well known.

In that case, you can try:

mywindowspc.campus.tue.nl

instead.

If you are using the Linux network manager, you can also add the search domain:

campus.tue.nl

to the search domains:

Network Connections / VPN / your_tue_vpn /
Edit / IPv4Settings / Additional search domains

Installing VPN on Linux

For VPN on Linux, various methods are available, and details depend on the Linux distribution and desktop environment used.

Prerequisites

Before you can set up a VPN connection, you need

  • a working network connection (fixed or Wi-Fi)
  • suitable VPN client software installed

Enabling and disabling VPN on the command line

At least on Ubuntu and Fedora, installing the package named openconnect provides the openconnect command that can be used to connect to the TU/e VPN server vpn2.tue.nl. It must run with root permissions.

The most basic command to start the VPN is:

  sudo openconnect https://vpn2.tue.nl

This will:

  • Check the server certificate, even without any certificate option
    and even if you include --no-cert-check .
    The required root certificate should be present on Linux systems,
    available to openssl, which is used by openconnect .
    It is no longer necessary to include a --servercert option for the certificate check.
  • Prompt for a reply to:
    GROUP: [1: Tunnel all traffic|2: Tunnel TU/e traffic|3: Corporate Systems]:
  • Ask for your TU/e (Windows) account name and password
  • Start a VPN connection
  • Wait in the foreground
  • Finish the VPN connection if you type ^C

Typing ^C will:

  • clean up most of the network route entries
  • not clean up nameserver entries in /etc/resolv.conf

To avoid the GROUP question and to start in the background, you may prefer to start:

  sudo openconnect \
    --authgroup '2: Tunnel TU/e traffic' \
    --background --pid-file /var/run/tuevpn.pid \
    https://vpn2.tue.nl

This will ask you for your TU/e (Windows) account name and password.

It would be easier if you could just type

  vpn2 start
  vpn2 stop

to start and stop the VPN connection. That is what you can do with this script: vpn2.

To use it:

  1. download the script
  2. make it executable: chmod 755 vpn2
  3. inspect its contents (in case it has been tampered with)
  4. to create a VPN connection:
    vpn2 start
    
  5. to break the existing VPN connection:
    vpn2 stop
    

Or read the script and execute the relevant commands yourself.
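
As an added illustration of what a start/stop wrapper around the commands above can look like (this is not the TU/e vpn2 script; the function names and the SUDO, PIDFILE, RESOLV and SNAPSHOT variables are assumptions), the sketch below also reports when /etc/resolv.conf still differs from its pre-VPN state after stopping:

```shell
#!/bin/sh
# Added sketch, not the TU/e vpn2 script. Server, group and pid file are the
# ones shown on this page; the variables below are assumptions and overridable.
VPN_URL='https://vpn2.tue.nl'
VPN_GROUP='2: Tunnel TU/e traffic'
SUDO=${SUDO-sudo}
PIDFILE=${PIDFILE:-/var/run/tuevpn.pid}
RESOLV=${RESOLV:-/etc/resolv.conf}
# Keep the snapshot in a per-user directory, not a predictable /tmp name.
SNAPSHOT=${SNAPSHOT:-${XDG_RUNTIME_DIR:-$HOME}/tuevpn.resolv}

# Succeeds only if the pid file holds the numeric pid of a live process.
vpn_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    $SUDO kill -0 "$pid" 2>/dev/null
}

vpn_start() {
    if vpn_running; then echo "VPN already running" >&2; return 1; fi
    cp "$RESOLV" "$SNAPSHOT"              # remember the pre-VPN resolver config
    $SUDO openconnect --authgroup "$VPN_GROUP" \
        --background --pid-file "$PIDFILE" "$VPN_URL"
}

# Succeeds if resolv.conf matches the snapshot; otherwise prints the difference.
resolv_restored() {
    [ -f "$SNAPSHOT" ] || return 0
    diff "$SNAPSHOT" "$RESOLV"
}

vpn_stop() {
    if ! vpn_running; then echo "VPN not running" >&2; return 1; fi
    $SUDO kill -INT "$(cat "$PIDFILE")"   # SIGINT: same clean shutdown as ^C
    i=0
    while vpn_running && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    resolv_restored || echo "warning: $RESOLV differs from its pre-VPN state" >&2
}

case "${1:-}" in
    start)  vpn_start ;;
    stop)   vpn_stop ;;
    status) vpn_running && echo running || echo stopped ;;
    '')     : ;;   # no argument: only define the functions
    *)      echo "usage: $0 start|stop|status" >&2; exit 2 ;;
esac
```

The script only reports leftover resolver entries; it does not overwrite /etc/resolv.conf, because that file may be managed by NetworkManager or systemd-resolved.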

This creates a networking interface called tun0 rather than vpn. Other than that, the effect appears to be the same as through the method described below for the graphical desktop environment.

Enabling and disabling VPN in the graphical desktop environment

It is hard for us to give specific instructions, due to the wide variety of Linux distributions and graphical desktop environments.

If you prefer screenshots, we have this guide for Ubuntu 14.04 and its default graphical desktop environment.

A more general guide follows now. Always be aware that details may vary on your Linux system.

Starting VPN includes the following steps:

  • Have a regular network running, either wired or wireless
    This is needed as a base for VPN and is not discussed here.
  • Add a connection of type VPN
  • Start the VPN connection, which will include the following
    • Login
    • Select Group, that is, the routing details for the separation, if any, between the regular network and the VPN.

The dialogues to add and start VPN (and other network) connections

On your Linux system, you may find separate dialogues to add and start network connections, or a single dialogue that includes both tasks.

Instead of a big table of Linux distributions, desktop session types and network property editors, followed by many pages of screenshots for their appearance, here is a short list of pointers from which you should find the necessary dialogues:

  • the network menu at one of:
    • the network icon which usually appears permanently on your desktop session
    • on gnome as part of the System Status Area menu
    • on xfce in the notification area:
      • the notification area must be added as a panel item
      • the Network Manager applet must be running:
        • start once manually as nm-applet
        • enable it in Settings → Session and Startup → Application Autostart
          (or start xfce4-session-settings)
  • the network dialogue which is available as one of the System Settings, from one of:
    • the gnome or unity GUI
    • the commandline, one of:
      • gnome-control-center
      • unity-control-center
  • nm-connection-editor.
    This is the bare configuration editor, without options to start or stop (disconnect) the VPN or other network-connections.
  • the desktop session search option, search for network

In case you cannot find an option to "Add" a connection, some designers have decided to represent this as a "+" button, in a corner of the dialogue.

Obviously, the days of the upper-left File menu are over.

Add a connection of type VPN

You may find several VPN subtypes on your system.
We could only get the openconnect subtype working.

Add a connection of type VPN - openconnect

The openconnect option may require a network manager plugin:

  • Debian, Ubuntu etc.: network-manager-openconnect-gnome
  • RedHat, Fedora etc.: NetworkManager-openconnect

Here are the settings for the connection VPN openconnect:

  • Connection name: TUE
    The default name such as "VPN 1" is not very expressive,
    so please change this to a name that you can recognize.
  • General
    • Gateway: vpn2.tue.nl
    • CA Certificate, one of:
      • DigiCert_Assured_ID_Root_CA
        On Ubuntu at: /etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem
      • None, if your system does not have this certificate.
        You can accept the certificate later
  • IPv4
    • IPv4 (presence depending on openconnect version): ON
    • Addresses: Automatic (DHCP)
  • IPv6
    • IPv6 (presence depending on openconnect version): OFF

Start the VPN connection

The VPN is not connected yet. It can be started in several ways:

  • from the network menu:
    • select the VPN connection, with name TUE in our example
    • Click on the name area; this is also the button to connect.
      It may be confusing to see "Disconnect" buttons for all active connections,
      while no "Connect" buttons exist for inactive connections.
  • from the network dialogue:
    • Click the network icon
    • Select the VPN connection
    • Switch it on.
  • from the command line:
    • First, look up the VPN connection NAME or UUID in the list that appears after starting one of:
        nmcli -p con list
        nmcli c show
    • Start the VPN connection by its NAME or UUID:
      • nmcli con up id   name
      • nmcli con up uuid uuid

A dialog "Connect to VPN" should appear.

In this dialog:

  • at VPN host:
    • select vpn2.tue.nl, from a menu with only one choice
    • click the "plug" button next to it, else nothing happens
  • at GROUP choose one of:
    • Tunnel all traffic
      if you need to use external tue-related services such as www.sciencedirect.com
    • Tunnel TU/e traffic
      if you need to use services on the campus network such as https://mytue.tue.nl/mytue
    • Corporate Systems
      if you need them, but it will be hard to use them from other systems than Windows
    This will affect the routing tables as shown by netstat -r -n
  • Enter Username and Password
  • Click Login

A virtual network-interface vpn0 should appear in the output of netstat -r -n.



Questions? Mail to helpdesk.win@tue.nl