OpenVPN - How and Why

The University VPN

If you simply need a VPN, you should use the University VPN, and you can find out more here:

• ⇒ The University of Edinburgh VPN service.
  
• ⇒ Virtual Private Networks - what is a VPN?

Detailed instructions for Informatics OpenVPN

To get the Informatics OpenVPN up and running, see these detailed instructions:

• ⇒ OpenVPN for Ubuntu.
  
• ⇒ OpenVPN for macOS.
  
• ⇒ OpenVPN for Windows.
  
• ⇒ OpenVPN for iOS.
  
• ⇒ OpenVPN for Android.
  
• ⇒ OpenVPN for Linux and *BSD.
  
• ⇒ Configuration files for OpenVPN.
  
• ⇒ Authentication for OpenVPN.
  
• ⇒ OpenVPN FAQ.
  
• ⇒ OpenVPN.net

Why use OpenVPN?

There are a couple of problems which a VPN (Virtual Private Network) can help solve. The first is where you're working at a remote site but you need to appear as though you are a local network user in order to access some resources. The second is where there are restrictions on your network access, often for audit-trail reasons. A "VPN tunnel" is, essentially, a way to make your machine appear as though it's attached to the network somewhere other than where it really is. An additional benefit is that the tunnel is encrypted end-to-end, thus protecting the traffic going over it.

The system we have adopted is OpenVPN. We have it configured in "road-warrior" mode, suitable for users who would like to tunnel to inside Informatics from outside sites.

Using the Informatics OpenVPN service means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources.

Notes

There are four Informatics OpenVPN endpoint servers, two located in the Forum and two in Appleton Tower. Each manages its own address ranges and has separate client-configuration files. We suggest that you download and install all of these, and then select the appropriate endpoint when you bring a tunnel up. In particular, you should connect only one device to each endpoint at a time. If you try to connect two devices to one endpoint they will compete against each other, and throughput for both will suffer.

(It would be possible to create a unified configuration which would try both endponts and connect to whichever one answered first. In practice this is likely to lead to surprising-to-the-user behaviour, so we haven't provided such a configuration here; but it is easy to adapt these files.)

Note that OpenVPN uses its own transport protocol. OpenVPN clients cannot connect to IPsec endpoints or PPTP endpoints, such as the University's central VPN service, nor can their clients connect to an OpenVPN endpoint.