Virtual private network (VPN)

For Windows and Mac, please go to the ICT Services pages:

  • The public page includes some of the VPN manuals for Windows and Mac.
  • The intranet pages include more VPN manuals for Windows and Mac.

VPN on Linux

We are gradually discovering how to use VPN on Linux. As usual, a lot of different methods are available, and details depend on the Linux distribution and desktop environment used.

Prerequisites

Before you can set up a VPN connection, you need

  • a working network connection (fixed or Wi-Fi)
  • suitable VPN client software installed

Enabling and disabling VPN on the command line

At least on Ubuntu and Fedora, installing the package named openconnect provides the openconnect command, which can be used to connect to the TU/e VPN server vpn2.tue.nl. It must run with root permissions, because it creates the tunnel interface and changes the routing table.

Setting up a VPN connection is a matter of running that command with the right permissions:

  sudo openconnect \
    --authgroup '2: Tunnel TU/e traffic' \
    --servercert A1C058FAB9A7650BF26CB50385EEE31E623F5C0F \
    --background --pid-file /var/run/tuevpn.pid \
    vpn2.tue.nl

This will ask you for your TU/e (Windows) account name and password.

It's easier if you can just type vpn2 start to make the VPN connection and vpn2 stop to end it. That is what this script does: vpn2.

To use it:

  1. download the script
  2. inspect its contents (in case it has been tampered with): the server name and the --servercert fingerprint should be the ones shown above
  3. make it executable
  4. to create a VPN connection:
    vpn2 start
  5. to break the existing VPN connection:
    vpn2 stop

Or just read the script and execute the relevant commands yourself.

The command-line method creates a network interface called tun0 rather than the vpn0 that the graphical method below creates; openconnect's --interface option lets you choose another name. Other than that, the effect appears to be the same as with the graphical desktop method described below.
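A wrapper with the same start/stop behaviour, as an added example; this is not the vpn2 script linked above. It uses the server, group and fingerprint from the command above. The PIDFILE, SUDO and OPENCONNECT variables and the function names are this example's own choices, taken from the environment so that the script can be exercised with a stub in place of the real openconnect.

```sh
#!/bin/sh
# Added example: a vpn2-style wrapper around openconnect. Not the script linked
# from this page. Server, authgroup and fingerprint are the ones used above;
# everything else is this example's own choice and can be overridden.
set -u

VPN_SERVER=${VPN_SERVER:-vpn2.tue.nl}
VPN_GROUP=${VPN_GROUP:-'2: Tunnel TU/e traffic'}
VPN_SERVERCERT=${VPN_SERVERCERT:-A1C058FAB9A7650BF26CB50385EEE31E623F5C0F}
PIDFILE=${PIDFILE:-/var/run/tuevpn.pid}  # openconnect --background writes its pid here
SUDO=${SUDO-sudo}                          # set SUDO= when already root (or when testing)
OPENCONNECT=${OPENCONNECT:-openconnect}    # tests point this at a stub

# Print the pid recorded in PIDFILE if that process is still alive.
# A missing, malformed or stale pid file is cleaned up and yields exit status 1.
vpn_pid() {
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    case "$pid" in
        ''|*[!0-9]*) $SUDO rm -f "$PIDFILE"; return 1 ;;
    esac
    # kill -0 only probes; it needs the same privileges as openconnect (root)
    if $SUDO kill -0 "$pid" 2>/dev/null; then
        echo "$pid"
        return 0
    fi
    $SUDO rm -f "$PIDFILE"
    return 1
}

vpn_start() {
    if pid=$(vpn_pid); then
        echo "VPN already running (pid $pid)" >&2
        return 0
    fi
    # --servercert pins the server certificate: openconnect refuses to connect
    # if the server presents a certificate with a different fingerprint, so a
    # new fingerprint here must come from a trusted source, not from the server.
    $SUDO "$OPENCONNECT" \
        --authgroup "$VPN_GROUP" \
        --servercert "$VPN_SERVERCERT" \
        --background --pid-file "$PIDFILE" \
        "$VPN_SERVER"
}

vpn_stop() {
    if pid=$(vpn_pid); then
        $SUDO kill "$pid"     # SIGTERM: openconnect tears the tunnel down and exits
        $SUDO rm -f "$PIDFILE"
        echo "VPN stopped (pid $pid)"
    else
        echo "VPN not running" >&2
        return 1
    fi
}

vpn_status() {
    if pid=$(vpn_pid); then
        echo "VPN running (pid $pid)"
    else
        echo "VPN not running"
        return 1
    fi
}

main() {
    case "${1:-}" in
        start)  vpn_start ;;
        stop)   vpn_stop ;;
        status) vpn_status ;;
        *)      echo "usage: $0 {start|stop|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Save it as vpn2, make it executable, and run vpn2 start, vpn2 status or vpn2 stop; the pid file is the only state, so a stale file left behind by a crash is detected and removed instead of blocking the next start.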

Certificate updates

The server certificate is replaced from time to time, and with it the fingerprint that the --servercert option pins.
If the fingerprint no longer matches, the command reports that the certificate does not match, for example:

Server SSL certificate didn't match: sha1:7fa3c15489661673ed1a3e56f00e1ce28839f0f7

This says that the SHA-1 digest does not match, but with openconnect version 7.06-2 the message is misleading. The digest 7f... is derived from the certificate sent by the server, yet passing it to --servercert in place of the old value will not help, because it is the SHA-1 digest of the server public key (in DER form), not the certificate fingerprint. In any case, take the new fingerprint from a trusted source such as the ICT Services pages rather than from the connection itself: pinning whatever the server happens to present gives no protection against a server that is not vpn2.tue.nl.
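To see which of the two digests a message is showing, the following added example (not from this page) computes both for one certificate with openssl: the SHA-1 fingerprint of the whole DER-encoded certificate, and the SHA-1 of the DER-encoded public key (SubjectPublicKeyInfo), which is what the page says openconnect 7.06-2 prints. It assumes openssl is installed; the function names are this example's own, and fetch_server_cert assumes the VPN server speaks TLS on port 443 and needs network access. A certificate fetched that way is fine for identifying a digest, but the value you pin should still be checked against a trusted source.

```sh
#!/bin/sh
# Added example (not from the page): the two SHA-1 digests of one certificate.
#   cert_sha1 - fingerprint of the DER-encoded certificate (the --servercert form)
#   spki_sha1 - SHA-1 of the DER-encoded public key (SubjectPublicKeyInfo)
# Assumes openssl is installed; only fetch_server_cert touches the network.
set -u

# Print the server's leaf certificate as PEM. $1 = HOST:PORT, e.g. vpn2.tue.nl:443
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509
}

# Uppercase hex without colons, the form used for --servercert on this page.
normalise_hex() {
    tr -d ':' | tr 'a-f' 'A-F'
}

# SHA-1 fingerprint of the certificate. $1 = PEM file
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | normalise_hex
}

# SHA-1 of the DER-encoded SubjectPublicKeyInfo. $1 = PEM file
spki_sha1() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -r | cut -d' ' -f1 | normalise_hex
}

# Tell which digest a reported value is. $1 = PEM file, $2 = digest,
# with or without the "sha1:" prefix openconnect prints. Exit 1 if neither.
identify_digest() {
    want=$(printf '%s' "${2#sha1:}" | normalise_hex)
    if [ "$want" = "$(cert_sha1 "$1")" ]; then
        echo "certificate fingerprint"
    elif [ "$want" = "$(spki_sha1 "$1")" ]; then
        echo "public-key (SubjectPublicKeyInfo) digest"
    else
        echo "matches neither digest of $1" >&2
        return 1
    fi
}
```

Typical use: fetch_server_cert vpn2.tue.nl:443 > server.pem, then identify_digest server.pem sha1:7fa3c15489661673ed1a3e56f00e1ce28839f0f7 to check whether the value in the error is the public-key digest, and cert_sha1 server.pem to see the fingerprint form that --servercert expects.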

Enabling and disabling VPN in the graphical desktop environment

It is hard for us to give specific instructions, due to the wide variety of Linux distributions and graphical desktop environments.

If you prefer screenshots, we have this guide for Ubuntu 14.04 and its default graphical desktop environment.

A more general guide follows now. Always be aware that details may vary on your Linux system.

Starting VPN includes the following steps:

  • Have a regular network running, either wired or wireless
    This is needed as a base for VPN and is not discussed here.
  • Add a connection of type VPN
  • Start the VPN connection, which will include the following
    • Login
    • Select a Group, which determines which traffic is routed through the VPN and which stays on the regular network.

The dialogues to add and start VPN (and other network) connections

On your Linux system, you may find separate dialogues to add and start network connections, or a single dialogue that includes both tasks.

Instead of a big table of Linux distributions, desktop session types and network property editors, followed by many pages of screenshots for their appearance, here is a short list of pointers from which you should find the necessary dialogues:

  • the network menu at one of:
    • the network icon which usually appears permanently on your desktop session
    • on gnome as part of the System Status Area menu
    • on xfce in the notification area:
      • the notification area must be added as a panel item
      • the Network Manager applet must be running:
        • start once manually as nm-applet
        • enable it in Settings → Session and Startup → Application Autostart
          (or start xfce4-session-settings)
  • the network dialogue which is available as one of the System Settings, from one of:
    • the gnome or unity GUI
    • the commandline, one of:
      • gnome-control-center
      • unity-control-center
  • nm-connection-editor.
    This is the bare configuration editor, without options to start or stop (disconnect) the VPN or other network-connections.
  • the desktop session search option, search for network

In case you cannot find an option to "Add" a connection, some designers have decided to represent this as a "+" button, in a corner of the dialogue.

Obviously, the days of the upper-left File menu are over.

Add a connection of type VPN

You may find several VPN subtypes on your system.
We could only get the openconnect subtype working.

Add a connection of type VPN - openconnect

The openconnect option may require a network manager plugin:

  • Debian, Ubuntu etc.: network-manager-openconnect
  • RedHat, Fedora etc.: NetworkManager-openconnect

Here are the settings for the connection VPN openconnect:

  • General
    • Gateway: vpn2.tue.nl
    • CA Certificate: None
      You can accept the certificate later, when the first connection is made. Before accepting, compare its fingerprint with the one given in the command-line section above (or on the ICT Services pages); accepting it blindly trusts whatever server answers first.
  • IPv4
    • IPv4 (presence depending on openconnect version): ON
    • Addresses: Automatic (DHCP)
  • IPv6
    • IPv6 (presence depending on openconnect version): OFF

Start the VPN connection

The VPN is not connected yet. It can be started in several ways:

  • from the network menu:
    • select the VPN connection, it has a name such as "VPN 1"
    • Click on the name area, this is also the button to connect.
      It may be confusing to see "Disconnect" buttons for all active connections,
      while no "Connect" buttons exist for inactive connections.
  • from the network dialogue:
    • Click the network icon
    • Select the VPN connection
    • Switch it on.
  • from the command line:
    • First, find the VPN connection's NAME or UUID in the list printed by one of (the first form is the older nmcli syntax):
        nmcli -p con list
        nmcli c show
    • Start the VPN connection by its NAME or UUID:
        nmcli con up id NAME
        nmcli con up uuid UUID

A dialog "Connect to VPN" should appear.

In this dialog:

  • at VPN host:
    • select vpn2.tue.nl, from a menu with only one choice
    • click the "plug" button next to it, else nothing happens
  • at GROUP choose one of:
    • Tunnel all traffic
      if you need to use external tue-related services such as www.sciencedirect.com
    • Tunnel TU/e traffic
      if you need to use services on the campus network such as https://mytue.tue.nl/mytue
    • Corporate Systems
      if you need them, but it will be hard to use them from other systems than Windows
    This affects the routing tables, as shown by netstat -r -n (or ip route)
  • Enter Username and Password
  • Click Login

A virtual network interface vpn0 should appear in the output of netstat -r -n (or ip route and ip link)

History until July 2015, mostly outdated

A number of services, such as some library information sources, are reserved for employees and students of the TU/e and therefore restricted to the TU/e network, the IP addresses starting with 131.155.

You can still access those services from outside the TU/e network if you set up a VPN (Virtual Private Networking) connection which is restricted to owners of TUE-accounts.

If you want to set up a VPN connection, you can ask us to help or apply the instructions for the simplest setup for Windows XP or Windows 7 after choosing one of

Your TUE network drives

The last part of the VPN guide above talks about accessing your G:\ and S:\ drives. Instead of typing in the commands, you can download this file (right click on it and choose to save it somewhere accessible). Execute it after you have set up the VPN connection. You need to run this every time you have reconnected the VPN.

In case you prefer to do this by hand (for example, because the G: or S: drives are in use on your local machine), it is also possible to do this using Windows Explorer:

  1. Start Windows Explorer and choose Tools, Map Network Drive...
  2. Choose a drive letter (for example G:) and then enter \\winfiler\username into the text box below, substituting your TUE username.
  3. Click Finish. You will now have a G:\ drive for this session.
  4. In order to map your S:\ drive, repeat the steps above but enter \\winfiler\common in the textbox.

Alternate setup

The setup described above works in 99% of the cases. There is no need to read on if everything you want to do is working. However, there are some technical peculiarities that might prevent this setup from working, or from being the best choice.

The following are features of this setup, along with reasons why you might want to consider another one:

  • You can use either VPN or your usual internet connection but not both. You can use both at once with "split tunneling", but you will have to set up your own routing tables, which is hard and generally not very useful.
  • You can only check the data-encryption setting but not use it, because encryption is disabled on the VPN server. Anything the application does not encrypt itself therefore travels in the clear over the tunnel; note that many network services are already encrypted, and that your password is never sent in the clear during login.
  • You have set up a Point-to-Point Tunneling Protocol (PPTP) connection, which might be firewalled from your location: PPTP needs GRE (IP protocol 47) in addition to TCP port 1723, and GRE is often blocked.

If these features do not cater for your needs, refer to the more elaborate VPN-pages in Dutch or English.


Questions? Mail to helpdesk.win@tue.nl