From Cncz
Revision as of 16:47, 30 July 2016 by Wim (talk | contribs) (VPN (Virtual Private Network) [verbinding][connection])

VPN (Virtual Private Network) connection

C&CZ manages a VPN server, which makes it possible for all users to gain secure access to the network with their Science username and password. The computer at home (or anywhere on the Internet) becomes part of the campus network. In this way users can get access to services that are normally only accessible from computers on campus. The most common of such services are connecting to disk shares or to special servers.

To use the University library you do not need VPN, because the library has a proxy website that can be used from anywhere on the Internet after logging in with your RU-account and RU-password.

As of November 2015, there is a new VPN, based on IPsec. We intend to have all users moved over to the new VPN before May 1, 2016 and then terminate the old VPN based on PPTP.

The instructions below to install the VPN will be expanded by C&CZ and probably also by employees/students.

  • General: VPN-server/gateway: vpnsec.science.ru.nl

Per device or Operating system:

  • Ubuntu 16.04: If you are currently using vpnsec.science.ru.nl, please do not upgrade to Ubuntu 16.04. There is a known bug people are trying to fix, see msg4923789.
    There is now a workaround, requiring some manual configuration. See: [1].
  • Windows 7/8/8.1/10: Just add a *new* VPN with server vpnsec.science.ru.nl, that's all. No special configuration needed.
  • Android: Install the strongSwan app with "IKEv2 EAP (Username/Password)".

The iOS and OS X profiles were updated on 2016-02-24; you might need to reinstall the updated VpnSec profile.

  • iOS (iPhone/iPad): Download and install vpnsec.mobileconfig to your iPhone/iPad. Tested on an iPad with iOS 9; according to the documentation iOS 8 should work too, but this is as yet untested.
  • OS X 10.11 El Capitan and higher: Download and install vpnsec-macosx.mobileconfig to your Apple computer.
    Adapt the "Authentication Settings..." in System Preferences - Network - VpnSec to match your Science account and password.
  • OS X 10.7 Lion and higher: install strongSwan with "IKEv2 EAP (Username/Password)". The strongSwan App has a known problem. The current solution is, however, not very easy. We are investigating a doable solution.
  • Linux: VPNsec Linux installation and configuration

SSH SOCKS-Proxy to access journals (linux)

There is a convenient alternative to VPN or the UB proxy website described above to access online journals from anywhere. With SSH one can start a so-called SOCKS proxy server, which can be used by web browsers.

  • Login to your Science account with ssh:
 ssh -D 8942 lilo.science.ru.nl       # (or any other login-server)
 (Enter password if required)

If your Science username (e.g. "peter") differs from your local username, use:

 ssh -D 8942 -l peter lilo.science.ru.nl

The -D flag starts "dynamic" application-level port forwarding. The port number (here 8942) can be any number above 1024 and below 65536. If a port is already in use by another process, try a different number.

  • Tell the web browser to use the server. In Firefox:
 * Edit - Preferences - Advanced - Settings
 * Select "Manual proxy configuration"
 * SOCKS Host: localhost      Port: 8942
 * Select SOCKS v5
 * OK

Chromium and Google Chrome can be started from the command line with the --proxy-server option:

 chromium-browser --proxy-server="socks5://localhost:8942"

If you now go to a journal website, e.g. J. Chem. Phys., you should see "Your access is provided by: Universiteitsbibliotheek" and you should have the same access as from within the Radboud University domain.

Run ssh in the background

With these flags:

 ssh -f -N -D 8942 lilo.science.ru.nl

ssh will run in the background (-f) and only set up the proxy server, without starting a remote login session (-N).


The "netstat" command may be used to troubleshoot problems:

 netstat -at

will show all active and non-active TCP sockets. In the above example you should see something like:

 MYPC:/home/peter $ netstat -at
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State      
 tcp        0      0 localhost:smtp          *:*                     LISTEN      
 tcp        0      0 localhost:8942          *:*                     LISTEN      
 tcp        0      0 *:ssh                   *:*                     LISTEN      
 tcp        0      0 localhost:ipp           *:*                     LISTEN      
 tcp        0      0 peter.home:36953        postvak.science.r:imaps ESTABLISHED
 tcp        0      0 peter.home:36808        lilo3.science.ru.nl:ssh ESTABLISHED
 tcp        0      0 localhost:smtp          *:*                     LISTEN      
 tcp        0      0 localhost:8942          *:*                     LISTEN
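
The netstat check above can be scripted to confirm that the -D listener is bound to the loopback address only, so that other hosts on your network cannot use the tunnel. This is an added example, not part of the original C&CZ page; the function name socks_bind_state and the sample lines are constructed for illustration, and it assumes numeric `netstat -ant` output.

```shell
#!/bin/sh
# Added example: classify how a SOCKS listener is bound, from `netstat -ant` lines.
# Port 8942 follows the page; function names and sample data are constructed.

# socks_bind_state PORT   (reads `netstat -ant` style lines on stdin)
# Prints one of: loopback | exposed | absent
socks_bind_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")              # local address; port is the last part
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
                loop = 1
            else
                exposed = 1                    # 0.0.0.0, :: or a LAN address
        }
        END {
            if (exposed)   print "exposed"
            else if (loop) print "loopback"
            else           print "absent"
        }'
}

# Constructed sample: what a plain `ssh -D 8942 host` normally produces.
sample_default() { cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8942          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8942                :::*                    LISTEN
EOF
}

# Constructed sample: listener on all interfaces (e.g. `-D '*:8942'` or GatewayPorts yes).
sample_wildcard() { cat <<'EOF'
tcp        0      0 0.0.0.0:8942            0.0.0.0:*               LISTEN
tcp6       0      0 :::8942                 :::*                    LISTEN
EOF
}

# Demo on the constructed samples. On a live system run:
#   netstat -ant | socks_bind_state 8942
echo "default binding : $(sample_default  | socks_bind_state 8942)"
echo "wildcard binding: $(sample_wildcard | socks_bind_state 8942)"
```

A result of "exposed" means anyone who can reach that port can browse through your Science login; restart ssh with an explicit `-D localhost:8942`.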

Old VPN based on PPTP

Examples of installation and configuration of the old VPN:

Note: users of F-Secure need to change the firewall configuration so that it no longer blocks GRE.

Note: If the VPN connection drops immediately when you start to use it, it may be that the MTU value for the Ethernet card is set too high, see for example optimizing MTU.