VPN unter Linux/en: Unterschied zwischen den Versionen

ZIM HilfeWiki - das Wiki
(Added warning for changing openSSL Version)
Zeile 11: Zeile 11:
  
 
<bootstrap_alert color=warning>
 
<bootstrap_alert color=warning>
&#9888; If you receive an error message like <code>Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption</code> or similar when connecting:<br>
+
&#9888; If you receive an error message such as <code>Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption</code> or similar when connecting:<br>
Do '''not''' change your OpenSSL configuration! Instead, create a new certificate in Version 2 (AES-256 container). Details below. Adjusting the OpenSSL configuration can lead to security risks.
+
Do not adjust your OpenSSL configuration! Instead, create a new certificate in version 2 (AES-256 container). Details below. Adjusting the OpenSSL configuration can create security risks.
 
</bootstrap_alert>
 
</bootstrap_alert>
  
VPN (Virtual Private Network) is needed if you want to use your computer from outside the university to access services that are only accessible within the university network. VPN guarantees secure access to the university network through other networks (dial-up via other providers, external company or university networks).
+
You need a VPN (Virtual Private Network) if you want to use services from your computer at home that are only accessible within the university network. VPN ensures secure access to the university network from external networks (dial-up via other providers, external company or university networks).
 
<br><br>
 
<br><br>
  
This guide is based on Ubuntu 22.04.2 LTS. Other distributions may work similarly. We cannot provide a guide for every distribution.
+
These instructions are based on Ubuntu 22.04.2 LTS. Other distributions may work in a similar way. We cannot offer instructions for every distribution.
  
== What needs to be done? ==
+
==Simultaneous connections==
 +
<bootstrap_alert color=info>
 +
<span style='font-size:30px;'>&#128712;</span>
 +
<br>
 +
Do you want to connect your laptop and cell phone to the VPN in addition to your PC? You can set up VPN connections on multiple devices. However, each person can only establish one connection per VPN at the same time.
 +
</bootstrap_alert>
 +
 
 +
<bootstrap_accordion>
 +
<bootstrap_panel heading="What does that mean exactly?" color="info">
 +
'''Uni-VPN'''
 +
* If you use the Uni-VPN, you can only establish one connection at a time.
 +
* You cannot establish a connection to the Uni-VPN on another device at the same time.
 +
* You must disconnect the existing connection first.
 +
 
 +
'''Group VPN'''
 +
* If you use a group VPN, you cannot establish a second VPN connection to this group VPN on another device at the same time.
 +
* You must disconnect the existing connection first.
 +
 
 +
* However, you can connect to the Uni VPN or another group VPN on another device at the same time.
 +
</bootstrap_panel>
 +
</bootstrap_accordion>
 +
 
 +
== What do I need to do? ==
 
* Download personal network certificate.
 
* Download personal network certificate.
 
* Download configuration file:
 
* Download configuration file:
 
<iframe key="infoboard" width="600" height="330" path="vpn-config/index.php?group=uni&os=lin&redirect_gateway=1" />
 
<iframe key="infoboard" width="600" height="330" path="vpn-config/index.php?group=uni&os=lin&redirect_gateway=1" />
* Store network certificate and configuration file in a folder. Don't change the path later.
+
* Save network certificate and configuration file in a fixed folder.
* Rename the certificate.
+
* Rename network certificate.
* Setup VPN
+
* Set up VPN.
  
 
== Step-by-step instructions ==
 
== Step-by-step instructions ==
 
+
=== Create certificate ===
===Create certificate ===
+
You need a network certificate for the VPN connection. If you already have a certificate for Eduroam, you can use that and skip this step.
You need a network certificate for the VPN connection. If you already have a certificate for Eduroam, you can use that too and skip this step.  
 
 
<br>
 
<br>
 
Open the service portal and log in with your university account.
 
Open the service portal and log in with your university account.
Zeile 37: Zeile 58:
 
<br>
 
<br>
  
* Go to '''User Management''' and then '''Network Settings'''.
+
* Go to '''User management''' and then to '''Network settings'''.
 
<br clear=all>
 
<br clear=all>
  
 
[[File:Eduroam-unter-android-4.png|links|mini|ohne|350px]]
 
[[File:Eduroam-unter-android-4.png|links|mini|ohne|350px]]
 
<br>
 
<br>
* Click '''Create New Certificate'''.
+
* Click on '''"Create new certificate"'''.
 
<br clear=all>
 
<br clear=all>
  
[[File:Netzwerkzertifikat-container-v2.png|links|mini|ohne|350px]]
+
[[Datei:Netzwerkzertifikat-container-v2.png|links|mini|ohne|350px]]
 
<br>
 
<br>
* Give the certificate a unique name (Ex: Laptop VPN)
+
* Give the certificate a unique name (e.g. Laptop VPN)
 
* Select '''Version 2''' as the file format.
 
* Select '''Version 2''' as the file format.
* Then click on '''Send new certificate'''.
+
* Then click on '''"Send new certificate"'''.
 
<br clear=all>
 
<br clear=all>
  
[[File:Netzwerkzertifikat-download.png|links|mini|ohne|350px]]
+
[[Datei:Netzwerkzertifikat-download.png|links|mini|ohne|350px]]
 
<br>
 
<br>
 
* A new network certificate has been created for you.
 
* A new network certificate has been created for you.
* First copy the '''Import Password''' to the clipboard.
+
* First copy the '''import password''' to the clipboard.
* Now click on '''Download Network Certificate'''.
+
* Now click on '''"Download network certificate"'''.
 
<br clear=all>
 
<br clear=all>
  
=== Configure VPN on Linux ===
+
=== Configuring VPN under Linux ===
Download the configuration file, select the VPN you want to connect to and click Download.
+
Download the configuration file, select the VPN you want to connect to and click on Download.
Normally "Uni-VPN (Standard)" should be the right choice, but if you have problems with the connection, try "Uni-VPN-TCP" again.
+
Normally, "Uni-VPN (Standard)" should be the right choice, but if you have problems with the connection, try "Uni-VPN-TCP" again.
 
<iframe key="infoboard" width="600" height="330" path="vpn-config/index.php?group=uni&os=lin&redirect_gateway=1" />
 
<iframe key="infoboard" width="600" height="330" path="vpn-config/index.php?group=uni&os=lin&redirect_gateway=1" />
 
<br clear=all>
 
<br clear=all>
Zeile 68: Zeile 89:
  
 
<bootstrap_accordion>
 
<bootstrap_accordion>
<bootstrap_panel heading="Direct all internet traffic through the tunnel?">
+
<bootstrap_panel heading="Route all Internet traffic through the tunnel?">
*Accessing online resources may require that you route all network traffic through the tunnel.
+
* Accessing online resources may require that you route all network traffic through the tunnel.
 
* You do not need this option for pure access to network drives.
 
* You do not need this option for pure access to network drives.
 
</bootstrap_panel>
 
</bootstrap_panel>
Zeile 75: Zeile 96:
  
 
===Create folder===
 
===Create folder===
* Create a folder and put the network certificate and configuration file there.
+
* Create a folder and place the network certificate and configuration file there.
* Choose the storage location carefully - you must not move or rename the folder later.
+
** On distributions that use SELinux (e.g. RedHad, Fedora, CentOS etc.) you need to make sure that the location has the correct labels
 +
** These can be checked with <code>ls -laZ PATH</code> and need a label in the form of <code>unconfined_u:object_r:home_cert_t:s0</code>
 +
** By default the directory <code>~/.cert/</code> should have the correct labels for the network certificate
 +
** Debian/Ubuntu based distributions normally '''do not''' use SELinux and should therefore not be affected by this
 +
* Choose the location carefully - you must not move or rename the folder later.
 
* Rename the network certificate to <code>Network_Certificate.p12</code>
 
* Rename the network certificate to <code>Network_Certificate.p12</code>
  
 
+
[[Datei:Vpn-unter-linux-01.png|links|mini|ohne|350px|Folder for VPN]]
[[File:Vpn-unter-linux-01.png|links|mini|ohne|350px|Folder for VPN]]
 
 
<br>
 
<br>
 
* This is what the contents of the folder should look like.
 
* This is what the contents of the folder should look like.
Zeile 86: Zeile 110:
  
 
===Set up VPN===
 
===Set up VPN===
[[File:Vpn-unter-linux-02.png|links|mini|ohne|350px|Network]]
+
[[Datei:Vpn-unter-linux-02.png|links|mini|ohne|350px|Network]]
 
<br>
 
<br>
* Click on the ''"network icon"''.
+
* Click on the '''"Network symbol"'''.
* Then click on '''Settings'''.
+
* Then click on '''"Settings"'''.
 
<br clear=all>
 
<br clear=all>
  
[[Datei:Vpn-unter-linux-03.png|links|mini|ohne|350px|Add VPN]]
+
[[File:Vpn-unter-linux-03.png|left|mini|without|350px|Add VPN]]
 
<br>
 
<br>
* In the VPN section, click the <code>+</code> to add.
+
* In the VPN area, click on the <code>+</code> to add.
 
<br clear=all>
 
<br clear=all>
  
[[File:Vpn-unter-linux-04.png|links|mini|ohne|350px|Import from file]]
+
[[Datei:Vpn-unter-linux-04.png|links|mini|ohne|350px|Import from file]]
 
<br>
 
<br>
 
* Select '''"Import from file..."'''.
 
* Select '''"Import from file..."'''.
 
<br clear=all>
 
<br clear=all>
  
[[File:Vpn-unter-linux-05.png|links|mini|ohne|350px|configuration file]]
+
[[Datei:Vpn-unter-linux-05.png|links|mini|ohne|350px|Configuration file]]
 
<br>
 
<br>
 
* Open the folder we just created.
 
* Open the folder we just created.
* Select the '''configuration file'''.
+
* Select the '''"Configuration file"'''.
 
* Then click '''"Open"'''.
 
* Then click '''"Open"'''.
 
<br clear=all>
 
<br clear=all>
Zeile 111: Zeile 135:
 
[[Datei:Vpn-unter-linux-06.png|links|mini|ohne|350px|VPN settings]]
 
[[Datei:Vpn-unter-linux-06.png|links|mini|ohne|350px|VPN settings]]
 
<br>
 
<br>
* The VPN settings were taken from the configuration file.
+
* The VPN settings have been imported from the configuration file.
* Enter the ''"import password"''' for the network certificate. (1)
+
* Enter the '''"Import password"''' for the network certificate. (1)
* Then click '''Add'''. (2)
+
* Then click on '''"Add"'''. (2)
 
<br clear=all>
 
<br clear=all>
  
 
[[Datei:Vpn-unter-linux-07.png|links|mini|ohne|350px|Connect VPN]]
 
[[Datei:Vpn-unter-linux-07.png|links|mini|ohne|350px|Connect VPN]]
 
<br>
 
<br>
* With one click on the switch you can connect to the VPN.
+
* You can connect to the VPN by clicking on the switch.
 
<br clear=all>
 
<br clear=all>
  
Zeile 124: Zeile 148:
 
[[Datei:Vpn-unter-linux-08.png|links|mini|ohne|350px|Connect VPN]]
 
[[Datei:Vpn-unter-linux-08.png|links|mini|ohne|350px|Connect VPN]]
 
<br>
 
<br>
* Or connect via the network menu.
+
* Or establish the connection via the network menu.
 
<br clear=all>
 
<br clear=all>
  
 
===Disconnect VPN===
 
===Disconnect VPN===
[[File:Vpn-unter-linux-09.png|links|mini|ohne|350px|Disconnect VPN]]
+
[[Datei:Vpn-unter-linux-09.png|links|mini|ohne|350px|Disconnect VPN]]
 
<br>
 
<br>
* You can disconnect the VPN connection from the network menu.
+
* You can disconnect the VPN connection via the network menu.
 
<br clear=all>
 
<br clear=all>
  
==Check VPN==
+
==Unpack container==
You can check the functionality of the VPN by calling:
+
If there are problems using the certificate in its container format with the export password provided, it may help to unpack the container into certificate and key.
: [https://go.upb.de/ip https://go.upb.de/ip]
+
<br>
Your IP will be displayed there and whether you are on the university network.
+
These problems occur, for example, with the old container format under distributions that use OpenSSL 3 or newer. Here you can either unpack the previous container (in order to reference the key and certificate directly) or request a new certificate with the new container format in the service portal.
 +
<br>
 +
 
 +
The OpenSSL version can be checked as follows:
 +
<pre>$ openssl version</pre>
 +
 
 +
The container can be unpacked as follows:
 +
<pre>
 +
$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_cert.pem -clcerts -nokeys
 +
$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_key.pem -nocerts -nodes
 +
</pre>
  
[[File:OpenVPN verbunden - go_ip.png|mitte|400px|mini|ohne|Example: Existing connection to the university network.]]
+
The two new files are copied to a safe location in the user directory with the network certificate.
<br clear=all>
+
When unpacking the old container format, an additional parameter <code>-legacy</code> is required under OpenSSL 3, otherwise this will be refused.
  
==For advanced users==
+
==Edit configuration==
* At least version '''OpenVPN 2.4''' is required.
+
If you do not select the certificates via the GUI, but use the configuration file via the command line, you must ensure that the files are named appropriately for the configuration file. If you have unpacked the container, you must adjust the configuration file accordingly.<br>
There is also the option to set up the connection via Ubuntu's network manager.
+
'''Unchanged configuration file:'''
 +
<pre>
 +
#### Operating system adjustments for Linux ####################
  
To use the network manager, the previously created network certificate must be unpacked:
+
pkcs12 Network_Certificate.p12
 +
resolv-retry 5
 +
auth-nocache
 +
# or separated:
 +
# cert Network_Certificate_cert.pem
 +
# key Network_Certificate_key.pem
 +
</pre>
  
: <code>$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_OPVPN.crt.pem -clcerts -nokeys </code>
+
'''If you have unpacked the container into certificate and key:'''
: <code>$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_OPVPN.key.pem -nocerts -nodes </code>
+
<pre>
 +
#### Operating system adjustments for Linux ####################
  
The two new files are copied to a safe location in the user directory with the network certificate.  
+
# pkcs12 Network_Certificate.p12
: According to user reports, an additional parameter <code>-legacy</code> may be necessary under OpenSSL 3.0.2.
+
resolv-retry 5
: If this doesn't work, it may be necessary (e.g. with Arch) to install the package "openssl-1.1" and call the top two commands with "openssl-1.1" instead of "openssl".
+
auth-nocache
 +
# or separated:
 +
# cert Network_Certificate_cert.pem
 +
key Network_Certificate_key.pem
 +
</pre>
  
To do this, you must first install the necessary packages using the terminal:
+
==Check VPN==
: <code># sudo apt-get install openvpn network-manager-openvpn network-manager-openvpn-gnome</code>
+
You can check the VPN function by calling:
 +
: [https://go.upb.de/ip https://go.upb.de/ip]
 +
Your IP is displayed there and whether you are on the university network.
  
 +
[[Datei:OpenVPN verbunden - go_ip.png|mitte|400px|mini|ohne|Example: Existing connection to the university network.]]
 +
<br clear=all>
  
 
==See also==
 
==See also==
 
* [[Netzwerk]]
 
* [[Netzwerk]]
 
* [[VPN Problembehandlung]]
 
* [[VPN Problembehandlung]]

Version vom 11. Dezember 2024, 17:00 Uhr

Die deutsche Version finden Sie auf der Seite VPN unter Linux

You need a VPN (Virtual Private Network) if you want to use services from your computer at home that are only accessible within the university network. VPN ensures secure access to the university network from external networks (dial-up via other providers, external company or university networks).

These instructions are based on Ubuntu 22.04.2 LTS. Other distributions may work in a similar way. We cannot offer instructions for every distribution.

Simultaneous connections[Bearbeiten | Quelltext bearbeiten]

Uni-VPN

  • If you use the Uni-VPN, you can only establish one connection at a time.
  • You cannot establish a connection to the Uni-VPN on another device at the same time.
  • You must disconnect the existing connection first.

Group VPN

  • If you use a group VPN, you cannot establish a second VPN connection to this group VPN on another device at the same time.
  • You must disconnect the existing connection first.
  • However, you can connect to the Uni VPN or another group VPN on another device at the same time.

What do I need to do?[Bearbeiten | Quelltext bearbeiten]

  • Download personal network certificate.
  • Download configuration file:

  • Save network certificate and configuration file in a fixed folder.
  • Rename network certificate.
  • Set up VPN.

Step-by-step instructions[Bearbeiten | Quelltext bearbeiten]

Create certificate[Bearbeiten | Quelltext bearbeiten]

You need a network certificate for the VPN connection. If you already have a certificate for Eduroam, you can use that and skip this step.
Open the service portal and log in with your university account.


  • Go to User management and then to Network settings.


Eduroam-unter-android-4.png


  • Click on "Create new certificate".


Netzwerkzertifikat-container-v2.png


  • Give the certificate a unique name (e.g. Laptop VPN)
  • Select Version 2 as the file format.
  • Then click on "Send new certificate".


Netzwerkzertifikat-download.png


  • A new network certificate has been created for you.
  • First copy the import password to the clipboard.
  • Now click on "Download network certificate".


Configuring VPN under Linux[Bearbeiten | Quelltext bearbeiten]

Download the configuration file, select the VPN you want to connect to and click on Download. Normally, "Uni-VPN (Standard)" should be the right choice, but if you have problems with the connection, try "Uni-VPN-TCP" again.
Note: You can click on "Download" here and download your configuration file. This is not a screenshot ;-)

  • Accessing online resources may require that you route all network traffic through the tunnel.
  • You do not need this option for pure access to network drives.

Create folder[Bearbeiten | Quelltext bearbeiten]

  • Create a folder and place the network certificate and configuration file there.
    • On distributions that use SELinux (e.g. RedHad, Fedora, CentOS etc.) you need to make sure that the location has the correct labels
    • These can be checked with ls -laZ PATH and need a label in the form of unconfined_u:object_r:home_cert_t:s0
    • By default the directory ~/.cert/ should have the correct labels for the network certificate
    • Debian/Ubuntu based distributions normally do not use SELinux and should therefore not be affected by this
  • Choose the location carefully - you must not move or rename the folder later.
  • Rename the network certificate to Network_Certificate.p12
Folder for VPN


  • This is what the contents of the folder should look like.


Set up VPN[Bearbeiten | Quelltext bearbeiten]

Network


  • Click on the "Network symbol".
  • Then click on "Settings".


Add VPN


  • In the VPN area, click on the + to add.


Import from file


  • Select "Import from file...".


Configuration file


  • Open the folder we just created.
  • Select the "Configuration file".
  • Then click "Open".


VPN settings


  • The VPN settings have been imported from the configuration file.
  • Enter the "Import password" for the network certificate. (1)
  • Then click on "Add". (2)


Connect VPN


  • You can connect to the VPN by clicking on the switch.


Connect VPN[Bearbeiten | Quelltext bearbeiten]

Connect VPN


  • Or establish the connection via the network menu.


Disconnect VPN[Bearbeiten | Quelltext bearbeiten]

Disconnect VPN


  • You can disconnect the VPN connection via the network menu.


Unpack container[Bearbeiten | Quelltext bearbeiten]

If there are problems using the certificate in its container format with the export password provided, it may help to unpack the container into certificate and key.
These problems occur, for example, with the old container format under distributions that use OpenSSL 3 or newer. Here you can either unpack the previous container (in order to reference the key and certificate directly) or request a new certificate with the new container format in the service portal.

The OpenSSL version can be checked as follows:

$ openssl version

The container can be unpacked as follows:

$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_cert.pem -clcerts -nokeys
$ openssl pkcs12 -in Network_Certificate.p12 -out Network_Certificate_key.pem -nocerts -nodes

The two new files are copied to a safe location in the user directory with the network certificate. When unpacking the old container format, an additional parameter -legacy is required under OpenSSL 3, otherwise this will be refused.

Edit configuration[Bearbeiten | Quelltext bearbeiten]

If you do not select the certificates via the GUI, but use the configuration file via the command line, you must ensure that the files are named appropriately for the configuration file. If you have unpacked the container, you must adjust the configuration file accordingly.
Unchanged configuration file:

#### Operating system adjustments for Linux ####################

pkcs12 Network_Certificate.p12
resolv-retry 5
auth-nocache
# or separated:
# cert Network_Certificate_cert.pem
# key Network_Certificate_key.pem

If you have unpacked the container into certificate and key:

#### Operating system adjustments for Linux ####################

# pkcs12 Network_Certificate.p12
resolv-retry 5
auth-nocache
# or separated:
# cert Network_Certificate_cert.pem
key Network_Certificate_key.pem

Check VPN[Bearbeiten | Quelltext bearbeiten]

You can check the VPN function by calling:

https://go.upb.de/ip

Your IP is displayed there and whether you are on the university network.

Example: Existing connection to the university network.


See also[Bearbeiten | Quelltext bearbeiten]


Bei Fragen oder Problemen wenden Sie sich bitte telefonisch oder per E-Mail an uns:

Tel. IT: +49 (5251) 60-5544 Tel. Medien: +49 (5251) 60-2821 E-Mail: zim@uni-paderborn.de

Das Notebook-Café ist die Benutzerberatung des ZIM - Sie finden uns in Raum I0.401

Wir sind zu folgenden Zeiten erreichbar:


Mo-Do Fr
Vor-Ort-Support 08:30 - 16:00 08:30 - 14:00
Telefonsupport 08:30 - 16:00 08:30 - 14:00


Das ZIM:Servicecenter Medien auf H1 hat aktuell zu folgenden Zeiten geöffnet:

Mo-Do Fr
08:00 - 16:00 08:00 - 14:30
Cookies helfen uns bei der Bereitstellung des ZIM HilfeWikis. Bei der Nutzung vom ZIM HilfeWiki werden die in der Datenschutzerklärung beschriebenen Cookies gespeichert.