As a solution for a "Virtual Private Network," IBR employees and students can use OpenVPN (version 2.3 or newer). Unlike PPTP and IPsec, OpenVPN combines great flexibility, relatively simple configuration, and availability for all major platforms.
Routed tunnels are provided for both IPv4 and IPv6; bridging is not offered. Clients receive private IPv4 addresses, for which the IBR router performs NAT towards external networks. IPv6 is provided through a separate public subnet, so IPv6 clients are reachable without NAT.
The client configurations provided can reach the server on several ports, so a tunnel can be established even from very restrictively filtered networks:
Currently, we provide the following general client configurations for user-based (username/password) authentication of IBR users, each supporting all three of the aforementioned ports. Those who wish can of course adapt their configuration to their needs. The provided configurations differ only in the scope of the address space routed through the tunnel. The examples have been tested with Tunnelblick on macOS and the OpenVPN iOS app. The configurations already embed the server certificate chain, so the client can verify the authenticity of the IBR OpenVPN server.
Additionally, all of these configurations route IPv4 traffic to the ACM Digital Library (104.18.0.0/16), IEEE Xplore (140.98.193.0/24), and Elsevier (198.185.19.18) through the tunnel, so that their services, which grant access based on the client's source IP address, see a TU Braunschweig address. If you know of updated address ranges or additional services whose routes should be added here, please contact Frank so that the provided configurations can be updated.
Setting up on Linux using the profiles linked above is very straightforward. First, the package openvpn must be installed. Then the VPN connection can be started with the command sudo openvpn IBR-TUonly.ovpn (or with another profile).
Integrating OpenVPN into Gnome via the network settings is somewhat involved, but works after a few adjustments using the NetworkManager CLI's import function.
Required Packages:
networkmanager openvpn networkmanager-openvpn (Arch Linux)
network-manager network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome (Debian/Ubuntu)
Adjust Configuration:
<connection> tags of the remaining connection
Importing the Profile:
nmcli connection import type openvpn file <profile.ovpn>
The route entries of the imported profile are flagged as invalid by the Gnome Settings dialog (because the gateway field is empty). As a result, further changes cannot be saved from the dialog and must be made via "nmcli".
Setting the Username:
nmcli connection edit <configname>
set vpn.user-name <username>
save
quit
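As an added example (not the IBR page's own script), the following POSIX shell snippet automates the NetworkManager import procedure above and also shows what the publisher routes described earlier look like as OpenVPN "route" directives. It assumes that the "Adjust Configuration" step means reducing the multi-port profile to a single <connection> block and dropping that block's <connection>/</connection> tags, since the NetworkManager OpenVPN importer does not handle multiple <connection> blocks; the profile content, hostname and ports are constructed placeholders, not real IBR values, and nmcli's non-interactive "connection modify" is used instead of the interactive "connection edit" session.

```shell
#!/bin/sh
# Added example, not code from the IBR page. Prepares an OpenVPN client
# profile for "nmcli connection import" and sets the VPN username.

# Constructed sample profile (NOT a real IBR profile): two <connection>
# blocks for two server ports, the publisher routes the page describes,
# and an embedded CA placeholder.
SAMPLE_PROFILE='client
dev tun
auth-user-pass
<connection>
remote vpn.example.invalid 1194 udp
</connection>
<connection>
remote vpn.example.invalid 443 tcp
</connection>
# Publisher ranges routed through the tunnel (ranges taken from the page)
route 104.18.0.0 255.255.0.0
route 140.98.193.0 255.255.255.0
route 198.185.19.18 255.255.255.255
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
'

# Assumption: NetworkManager cannot import profiles with several
# <connection> blocks, so keep the contents of the first block only
# (its "remote" line) and strip the <connection>/</connection> tags.
flatten_profile() {
  awk '
    /^<connection>/  { seen++; inblock = 1; next }   # start of a block
    /^<\/connection>/ { inblock = 0; next }          # end of a block
    inblock && seen > 1 { next }                     # drop later blocks
    { print }                                        # first block + rest
  '
}

# Returns 0 when a profile (read from stdin) has no <connection> blocks
# left and exactly one "remote" line, i.e. it is ready for nmcli import.
profile_is_nm_ready() {
  content=$(cat)
  if printf '%s\n' "$content" | grep -q '^<connection>'; then
    return 1
  fi
  remotes=$(printf '%s\n' "$content" | grep -c '^remote ' || true)
  [ "$remotes" -eq 1 ]
}

# usage: import_profile IBR-TUonly.ovpn <username>
# Flattens the profile, imports it, and sets the username without the
# interactive "nmcli connection edit" session. Not run by the checks
# below because it needs a live NetworkManager.
import_profile() {
  profile=$1
  user=$2
  name=$(basename "$profile" .ovpn)-nm
  flat="${TMPDIR:-/tmp}/$name.ovpn"
  flatten_profile <"$profile" >"$flat"
  profile_is_nm_ready <"$flat" || {
    echo "profile still has multiple connections or remotes" >&2
    return 1
  }
  # NetworkManager names the imported connection after the file (minus .ovpn)
  nmcli connection import type openvpn file "$flat"
  nmcli connection modify "$name" vpn.user-name "$user"
  rm -f "$flat"
}

# Stand-alone demo: show the flattened sample profile.
printf '%s' "$SAMPLE_PROFILE" | flatten_profile
```

After import_profile has run, the connection can be brought up with nmcli connection up <name>, and the route directives survive the import as the "invalid" route entries the settings dialog complains about.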
Done. To debug, you can follow OpenVPN's output with sudo journalctl -f.
It is also possible to provide customized OpenVPN tunnel configurations for employees and projects, allowing certificate-based authentication, static client addresses, explicit routing, and other specific adjustments. (@Admin: see openvpn:/etc/openvpn/README.IBR)
Employees can check the current status of active tunnels using ibr-vpn-status.