Wilbert's website at SocSci

has a subtitle

computer/vpn.html 2014-09-23

VPN

There is a firewall that blocks internet traffic from outside of the campus to the campus. This firewall for instance stops you from mounting your home directory from home. Only a few computers on the campus can be reached from outside. The mail server is one of them. For all other computers you need a Virtual Private NetWork (VPN) tunnel. Here I describe how to configure this tunnel.

KDE

If you use the K Desktop Environment:

  • Click the network icon in your task bar. The program that you see now is called knetworkmanager.
  • Click Manage Connections on the bottom right.
  • There must be at least one connection shown in one of these tabs already, otherwise you do not have an internet connection. Click the VPN tab.
  • Click Add
  • Fill in all the values as above. The Group Password is not a joke, type it. Change the Username to your u-number and User Password to your own password.
  • If you now click OK and click the connection, your internet connection will be replaced by a connection via the campus VPN. You are ready now.
  • However, most likely this is not what you want. To improve speed and reliable, and for legal reasons, you only want to use the VPN for connections to the campus network, not for all other internet connections. Therefore go to the first window again, click the newly made VPN connection, click Edit and click the IPv4 address tab.
  • Change everything as above, The IP-address 131.174.117.46 is that of one of the computers that distributes home directories. Add a list of the computers on the campus network that you want to use the VPN for here. Use for instance nslookup to find the ip-addresses of computers that you use.
  • Stop and start the VPN connection to use the new settings.

KDE 4.13

In newer versions of KDE things may look slightly different. In KDE 4.13 (Ubuntu 14.04 Trusty) for instance the connection type is called vpnc. The package network-manager-vpnc must be installed for the connection to work. The following snapshot shows how to use the vpn for all connections to the campus network:

You may also need to explicitly set an extra dns server:

Linux and BSD

You can do everything above from the command line too. Use route -n to see the current routing tables. Use vpnc to make a connection. Use sudo route del 0.0.0.0 to remove the VPN as default and use sudo route add x.x.x.x tun0 to add addresses that have to use the vpn.

Windows

See this website (Dutch only). Note that if you use this method, all you internet traffic will go via the university network and that the university store data 'to trace abuse' ('worden geregistreerd om misbruik te kunnen traceren'). You are bound to the 'Reglement RU-netwerk en SURFnet' for all your internet traffic while you are connected.

FAQ

Does this firewall with VPN improve the security?
Hardly. Any user gets the same access to all computers, as if he were present on the campus. Since there are more than 20 000 users and the password of any of these users will do it does not improve the security a bit.
I do not like using the VPN, what is the alternative?
There are many tricks possible if you find the VPN too slow or unreliable. You can use a computer such as one of the web servers or mail servers that is not blocked by the firewall or you can set up a computer on the campus to initiate the connection. Any computer on the campus can do this. Just plug one in a wall outlet and it can initiate a connection for you. There is no need for ID or password.
Does this firewall with VPN harm the security?
Yes. Many people look for ways around it, adding many vulnerabilities to the network. Besides it requires you to store your username and password on your home computer or laptop, if you want to connect automatically, because it does not support some more intelligent means of authentication, such as the ssh public key authentication that I used before this system was introduced. Since you cannot use a different password for systems where you want better security (such as your e-mail or the financial administration system) the security of these systems is also weakened.