This page contains some questions and answers specifically aimed at our Informatics OpenVPN setup. The Official FAQ and documents linked from it contain more general information which may help resolve problems.
Why is there more than one configuration file?
Our instructions link to two files so that you can connect to either of our two endpoints. We have two endpoints, called IF1 and AT1. One file connects you to IF1 and the other file connects you to AT1.
You can connect only once to each endpoint from a particular address (for instance your home internet connection), so if two people on the same network need to connect at the same time, they should use different endpoints.
The same goes for accounts: your account can only have one connection to each endpoint at a time. If you connect a second device, the first will be implicitly disconnected. If it then automatically reconnects it will disconnect the second, and so on. This is likely to be very disruptive for you, so if you do want to connect two devices simultaneously, you will need to use different endpoints for each.
What does the Informatics OpenVPN offer that the University's central VPN service doesn't?
Using the Informatics OpenVPN means that you appear inside the Informatics network. This is in contrast with the central University VPN service, which will tunnel you to inside EdLAN but outside Informatics. This distinction may be important when accessing internal Informatics resources, because some of them are not visible outside Informatics.
Why not have your endpoints masquerade as web servers?
This can be useful for working around heavily filtered network connections, where very little other than web traffic is permitted. It would certainly be nice to offer such a service, but there are a couple of reasons why we don't (yet). The first is that current versions of OpenVPN are not quite flexible enough to manage two different types of connection at the same time. The second is that tunnelling TCP protocols over a TCP-based transport can lead to performance issues which don't arise when tunnelling over a UDP-based transport, so it's better overall for us to support the latter. However, should later versions of OpenVPN allow us to implement something like this, we'll certainly consider doing so.
Can I connect to an endpoint more than once? When I connect a second tunnel it seems that my first tunnel is dropped.
You can only connect one tunnel at a time to our endpoints. This is actually the default behaviour, and we have left it as-is to protect our endpoints from misbehaving NAT gateways, which might otherwise use up all of an endpoint's client-IP addresses and so deny service to other users. We do have two endpoints, though, and you can bring up one tunnel to each independently.
I'm trying to access things like IEEExplore or the ACM digital library, but they're not letting me in. Why not?
This kind of thing can happen when the remote sites are using your IP address to authenticate. Our "EdLAN" configurations will send most EdLAN traffic through the tunnel, but will leave everything else to go by its normal route. As a result, the remote site sees you as coming from your usual ISP address rather than the University.
In this case the University's VPN service would suit you better, as it is set up so that all traffic goes through the VPN tunnel.
I can't see any menu entries on my Windows box. Help?
Some browsers seem to like to append things to the names of the configuration files as you download them. Check that this hasn't happened. You may have to toggle some folder view options in order to see the full filenames.
I can't get my VPN tunnel to work at all
When you download the configuration files you must be careful that the contents are not changed in the process. In particular, any embedded certificates and keys must match exactly what the endpoint is expecting, otherwise your connection will be denied.
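One way to check a downloaded file for the usual kinds of damage (converted line endings, a saved web page instead of the file, truncation, corrupted certificate or key text) is sketched below. This is an added example, not part of the Informatics configuration; it assumes the file embeds its material in inline `<ca>`, `<cert>` and `<key>` blocks, and the sample configuration is constructed. It checks structure only and cannot tell you whether the keys are the ones the endpoint expects.

```python
import base64
import re

# Inline blocks checked here; which of them a given file uses is an assumption.
INLINE_TAGS = ("ca", "cert", "key")
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed sample: placeholder host name and placeholder base64, not real key material.
SAMPLE = (
    "client\nremote vpn.example.org 1194 udp\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nQUJDREVGR0g=\n"
    "-----END CERTIFICATE-----\n</ca>\n"
)

def check_config(text):
    """Return a list of problems found in the text of a configuration file."""
    problems = []
    if "\r" in text:
        problems.append("carriage returns present (line endings were converted)")
    if re.search(r"<(html|!doctype)", text, re.I):
        problems.append("HTML markup present (a web page was saved, not the file)")
    for tag in INLINE_TAGS:
        opens = len(re.findall(rf"^<{tag}>\s*$", text, re.M))
        closes = len(re.findall(rf"^</{tag}>\s*$", text, re.M))
        if opens != closes:
            problems.append(f"<{tag}> block is not closed (file truncated?)")
            continue
        for body in re.findall(rf"^<{tag}>\s*$(.*?)^</{tag}>\s*$", text, re.M | re.S):
            pems = PEM_RE.findall(body.replace("\r", ""))
            if not pems:
                problems.append(f"<{tag}> has no complete BEGIN/END block")
            for label, b64 in pems:
                try:
                    # validate=True rejects stray characters and bad padding
                    base64.b64decode("".join(b64.split()), validate=True)
                except ValueError:
                    problems.append(f"<{tag}> {label}: base64 body is damaged")
    return problems

if __name__ == "__main__":
    for problem in check_config(SAMPLE) or ["no structural problems found"]:
        print(problem)
```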
Why can't I get to any of the University's RFC1918 subnets?
We deliberately don't add any routes for these to our base configurations. They are defined as being for use within sites only. We have no way of knowing whether they are in use at your home site, or whether we would break your use of some other functionality by adding these. Therefore we don't. If you do need these routes to be in place, and you have determined that you can do so safely, then simply edit the configuration file(s) and add appropriate "route" statements alongside the existing ones.
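The "can you do so safely" check can be made concrete by comparing the private subnets you want routed with the networks your own machine is already attached to. The following is an added example, not part of our configurations; the subnets and the home address are hypothetical placeholders, and it only knows about the local networks you give it.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_routes(wanted, local_networks):
    """Split wanted subnets into OpenVPN route lines and conflicts.

    wanted: private subnets you want sent through the tunnel.
    local_networks: address/prefix of each network your machine is on at home.
    """
    local = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    routes, conflicts = [], []
    for item in wanted:
        net = ipaddress.ip_network(item)
        if not any(net.subnet_of(block) for block in RFC1918):
            raise ValueError(f"{net} is not an RFC1918 subnet")
        clash = [str(l) for l in local if net.overlaps(l)]
        if clash:
            # Routing this through the tunnel would hide part of the home LAN.
            conflicts.append((str(net), clash))
        else:
            routes.append(f"route {net.network_address} {net.netmask}")
    return routes, conflicts

if __name__ == "__main__":
    # Hypothetical values: substitute the subnets you need and your own LAN.
    routes, conflicts = plan_routes(["10.20.0.0/16", "192.168.0.0/16"],
                                    ["192.168.1.23/24"])
    print("\n".join(routes))
    for net, clash in conflicts:
        print(f"# not added: {net} overlaps local {', '.join(clash)}")
```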
I'm getting DNS and address warnings from Tunnelblick
If these are of the form:
Tunnelblick: Warning: DNS server address AAA.BBB.CCC.DDD is not a public DNS server known to Tunnelblick and is not being routed through the VPN
or
Tunnelblick: This computer's apparent public IP address (AAA.BBB.CCC.DDD) was unchanged after the connection was made
then it's safe to ignore them if you're using one of our configurations.
Tunnelblick emits these warnings because it can't tell whether it's a deliberate configuration choice (as it is in our case) or an error which might compromise a user's privacy.
It is possible to tell Tunnelblick not to show these warnings, but we don't generally recommend doing so. It's a global setting, and it would mean that you wouldn't then be warned about potential issues when using non-Informatics configurations.