You are here
OpenVPN - How and Why
There are a couple of problems which VPN (Virtual Private Network) systems can help solve. The first is where you're working at a remote site but you need to appear as though you were a local network user in order to access some resources. The second is where there are restrictions on your network access, often for audit-trail reasons. A "VPN tunnel" is, essentially, a way to make your machine appear as though it's attached to the network somewhere other than where it really is. An additional benefit is that the tunnel is encrypted end-to-end, thus protecting the traffic going over it.
The system we have adopted is OpenVPN. "OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls." We have OpenVPN configured in "road-warrior" mode, suitable for users who would like to tunnel to inside Informatics from outside sites.
Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.
There are two Informatics OpenVPN endpoint machines, one located in the Forum and one in Appleton Tower, each managing its own address ranges, with a separate client-configuration file for each. We suggest that you download and install both of these, and then select the appropriate endpoint when you bring a tunnel up. (It would be possible to create a unified configuration which would try both endponts and connect to whichever one answered first. In practice this is likely to lead to surprising-to-the-user behaviour, so we haven't provided such a configuration here; but it is easy to adapt these files.)
Note that OpenVPN uses its own transport protocol. OpenVPN clients cannot connect to IPsec endpoints or PPTP endpoints, such as IS's, nor can their clients connect to an OpenVPN endpoint. (We did consider setting up such endpoints, but overall OpenVPN seems a better solution. IPsec is generally regarded as "complicated", while even the authors of poptop, the Linux PPTP implementation, recommend using something else where possible!)