Introduction

This document describes a number of VPN clients that can be used to connect to the VPN service.

Official Applications

Official applications are available on most platforms. These are optimized for working with the VPN software. The official applications are made available with two brand names:

  • eduVPN: if you are part of the research and education community and your institution is running the eduVPN service;
  • Let's Connect!: for everyone else outside this community, or when you run your own server, or someone else runs it for you.

The eduVPN applications only allow you to choose your organization from a curated list. The Let's Connect! applications allow you to specify a domain of the VPN server to connect to.

The benefit of the official applications is that they will make it much easier for the end user to configure the VPN, and will make sure the VPN keeps working in case configuration updates are required for connecting to the VPN. The other applications may require manual configuration downloads through the user portal to be able to keep using the VPN.

Windows

Android

macOS

iOS

  • eduVPN
  • Let's Connect! (not yet available)

On iOS we do not currently have a "full" application. You will also need to download OpenVPN Connect to be able to connect to the VPN. The eduVPN/Let's Connect! application will handle configuration downloads and then offer to import the configuration in the OpenVPN Connect application. We are currently working on improving the situation!

Linux

  • eduVPN
  • Let's Connect! (not yet available)

NOTE: see below for Linux support. The eduVPN/Let's Connect! application will only work properly if NetworkManager works properly with tls-crypt on your system! If not, you can use the manual instructions further down.

Other Applications

In addition to the official applications, you can also use any OpenVPN compatible client on the platform of your choice. Some of the more popular ones will be discussed below.

As long as the VPN client is based on OpenVPN >= 2.4 or OpenVPN 3, it should be possible to make it work.

Windows

  • OpenVPN Community client
    • Choose "Installer, Windows Vista and later";
    • Make sure you have the installer from the 2.4 release, e.g. openvpn-install-2.4.6-I602.exe;
    • Keep your version updated; there may be (security) releases from time to time!
  1. Install the OpenVPN Community client;
  2. (Optionally) read the documentation here;
  3. Start OpenVPN (a Desktop icon is created automatically);
  4. Import the downloaded configuration by right clicking on OpenVPN's tray icon and choosing "Import".

NOTE: OpenVPN will automatically start on Windows start-up, but it will not automatically connect!

macOS

Download Tunnelblick. Make sure you use OpenVPN 2.4 in Tunnelblick! You can modify this in the settings if required. Read the Quick Start Guide.

Android

Install OpenVPN for Android, also available via F-Droid.

The proprietary OpenVPN Connect can also be used. See the OpenVPN Connect FAQ.

iOS

Install OpenVPN Connect. A FAQ is available.

You may want to enable Seamless tunnel (iOS8+) in the OpenVPN Settings. It will try to keep the VPN tunnel active as much as possible. See the FAQ for more details.

Linux

The following table lists Linux distribution support when using NetworkManager's OpenVPN plugin and manual configuration.

On Fedora/Red Hat Enterprise Linux/CentOS you need to install the package NetworkManager-openvpn-gnome. On Red Hat Enterprise Linux/CentOS you MUST first enable the EPEL repository!

On Debian/Ubuntu you need to install the network-manager-openvpn-gnome package.

See the instructions below on how to get the VPN working manually.

| Distribution            | NetworkManager | Manual | Remarks |
|-------------------------|----------------|--------|---------|
| Debian 8                | no             | no     | Uses OpenVPN 2.3 |
| Debian 9                | yes*           | yes    | network-manager-openvpn >= 1.2.10 required for tls-crypt support. A backport MUST be installed, see below |
| Debian Testing (buster) | yes            | yes    | - |
| Ubuntu 16.04 LTS        | no             | no     | Uses OpenVPN 2.3 |
| Ubuntu 18.04 LTS        | yes*           | yes    | DNS leak |
| Ubuntu 18.10            | yes            | yes    | - |
| CentOS 7                | yes            | yes    | - |
| Fedora 28, 29           | yes            | yes    | - |

For Debian 8 and Ubuntu 16.04 LTS, an OpenVPN repository is available with a more up to date version of OpenVPN. This may be sufficient to make the VPN work manually as described below, however, this was NOT tested.

On Debian 9, a backport of network-manager-openvpn exists to make tls-crypt work. In order to install this, add the following line to /etc/apt/sources.list:

deb http://deb.debian.org/debian stretch-backports main contrib non-free

Then install/update the relevant package:

$ sudo apt-get update
$ sudo apt-get -t stretch-backports install network-manager-openvpn-gnome

This will upgrade all required packages as well. You may need to reboot or restart NetworkManager.

Split Tunnel

If you do not want to route all traffic over the VPN, you need to manually specify this in NetworkManager. By default, NetworkManager will try to send all traffic over the VPN, whether or not the server indicates the VPN should not be used as a default gateway.

When editing the VPN configuration, under the IPv4 and IPv6 tabs you can select "Use this connection only for resources on its network". With this option set, NetworkManager will honor the pushed routes.

Manual

To start OpenVPN manually, we assume below that you downloaded an OpenVPN configuration file through the user portal, e.g. https://vpn.example.org/vpn-user-portal/.

$ sudo openvpn --config vpn.example.org_internet_20180101.ovpn

NOTE: The DNS servers will NOT be updated by running OpenVPN like this! See instructions below for dealing with this automatically.

Debian 9

Install the OpenVPN package:

$ sudo apt-get install openvpn resolvconf

Copy your configuration file to /etc/openvpn/client. Make sure you give it the extension .conf!

$ sudo cp vpn.example.org_internet_20180101.ovpn \
    /etc/openvpn/client/vpn.example.org_internet_20180101.conf

Modify the configuration file, and add the following lines to it:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now start the OpenVPN service:

$ sudo systemctl start openvpn-client@vpn.example.org_internet_20180101

CentOS 7 / Red Hat Enterprise Linux 7

Install the OpenVPN package; make sure EPEL is enabled:

$ sudo yum -y install openvpn

Copy your configuration file to /etc/openvpn/client. Make sure you give it the extension .conf!

$ sudo cp vpn.example.org_internet_20180101.ovpn \
    /etc/openvpn/client/vpn.example.org_internet_20180101.conf

Copy DNS update scripts to /etc/openvpn and modify the permissions:

$ sudo cp /usr/share/doc/openvpn-*/contrib/pull-resolv-conf/client.* /etc/openvpn/
$ sudo chmod 0755 /etc/openvpn/client.*

Modify the configuration file, and add the following lines to it:

script-security 2
up /etc/openvpn/client.up
down /etc/openvpn/client.down

Now start the OpenVPN service:

$ sudo systemctl start openvpn-client@vpn.example.org_internet_20180101
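
The Debian 9 and CentOS 7 steps above, combined into one repeatable helper. This is an added example, not part of the original document or the project's tooling; the function names are hypothetical. It goes beyond the steps on the page in two ways: it assumes the downloaded profile embeds the client key and therefore stores it owner-only, and it refuses a profile that already names a different up/down script, because script-security 2 lets OpenVPN execute whatever those directives point at.

```shell
#!/bin/sh
# Added example; function names are hypothetical, hook paths are passed in.

# has_directive FILE NAME: succeeds if FILE has an uncommented directive NAME.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# directive_arg FILE NAME: prints the first argument of directive NAME.
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# hook_is_safe SCRIPT: succeeds if SCRIPT is executable and not writable by
# group or others (OpenVPN runs it with its own privileges).
hook_is_safe() {
    [ -x "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \))" ]
}

# prepare_client_conf SRC DESTDIR UP DOWN
# Prints the systemd instance name and returns 0; returns 1 on I/O or hook
# permission problems, 2 if the profile already names another up/down script.
prepare_client_conf() {
    src=$1; destdir=$2; up=$3; down=$4
    [ -r "$src" ] || return 1
    hook_is_safe "$up" && hook_is_safe "$down" || return 1
    for pair in "up $up" "down $down"; do
        name=${pair%% *}; want=${pair#* }
        if has_directive "$src" "$name" &&
           [ "$(directive_arg "$src" "$name")" != "$want" ]; then
            echo "refusing: profile sets its own '$name' script" >&2
            return 2
        fi
    done
    base=$(basename "$src" .ovpn)
    dest="$destdir/$base.conf"
    # Assumption: the profile embeds the client key, so keep it owner-only.
    ( umask 077; cp "$src" "$dest" ) && chmod 0600 "$dest" || return 1
    # An existing script-security line is left untouched.
    has_directive "$dest" script-security || echo "script-security 2" >> "$dest"
    has_directive "$dest" up   || echo "up $up" >> "$dest"
    has_directive "$dest" down || echo "down $down" >> "$dest"
    echo "openvpn-client@$base"
}
```

On Debian 9 both hook arguments are /etc/openvpn/update-resolv-conf; on CentOS 7 they are /etc/openvpn/client.up and /etc/openvpn/client.down. The printed name is the unit to pass to systemctl start.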