Version as of 6 July 2024, 23:25
VPN (Virtual Private Network) is needed if you want to use services from outside the University of Paderborn that are only accessible within the university network. VPN guarantees secure access to the University network through other networks (dial-in via other providers, external company or university networks).
You need VPN if you
- want to access licensed databases of the University Library,
- want to access a network drive / group storage,
- use the green sockets within the university (these are only available via VPN for security reasons)
- use a license server of the university,
- want to access secured pages of the university,
- would like to work with the CMS TYPO3 from home.
You do not need VPN if you
- want to read your e-mails on webmail,
- want to send e-mails via the ZIM mail server (see Mail).
- want to use BigBlueButton or other services for conferences.
What needs to be done?
- Install personal network certificate
- Install OpenVPN.
- Start OpenVPN
- Download configuration file:
Note: You can click on "Download" here and download your configuration file. This is not a screenshot ;-)
- Import configuration file
- Establish a VPN connection
Step-by-step instructions
Install network certificate
In order to use OpenVPN, a personal network certificate must be installed on your PC.
Are you already using the Eduroam WiFi network on this PC?
- Then you already have a personal network certificate. Skip this step.
Are you not using the Eduroam WiFi network on this PC yet?
Then click here for help with certificate installation.
Using a browser such as Firefox or Edge, go to the service portal and log in with the user name and password of your university account.
- Go to Benutzerverwaltung and then Netzwerkeinstellungen.
- Click Neues Zertifikat erstellen.
- Give the certificate a unique name (e.g.: cell phone)
- For Windows 11, select Version 2 as the file format.
- For older versions such as Windows 10 please use version 1.
- Then click on Neues Zertifikat zusenden.
- A new network certificate has been created for you.
- First copy the Import Password to the clipboard.
- Now click on Download Network Certificate.
After saving it on the computer, the network certificate must be installed under the account that is to be used with Eduroam. Open the certificate with a double click. The certificate import wizard then starts automatically.
- Click on Continue.
- Paste the import password that we just copied.
- Leave the default settings intact.
- Note: Do not tick "Activate high security for the private key". The Windows WLAN client currently does not support this function, so no connection to eduroam would be possible.
- Then click Next
- In the following window, if necessary, click on Next and finally on Finish.
- If a security warning appears, click Yes.
- Now click on "OK".
Note: Now open the same certificate again and install it a second time. This allows us to work around an error in the Windows certificate manager. Do not create a new certificate for this!
Note: Only one network certificate from the University of Paderborn may be installed. Multiple certificates can cause problems. More about this here.
Download OpenVPN
Now download the OpenVPN program from the manufacturer's website.
https://openvpn.net/community-downloads/
- ATTENTION: DO NOT install the BETA version!
Install OpenVPN
Now let's install the program.
After successful installation, the new “OpenVPN GUI” icon will appear on the desktop.
Step 8: The OpenVPN client is started using this symbol.
Download configuration file
To download the configuration file, select the VPN you want to connect to in the box below and click on Download.
Normally "Uni-VPN (Standard)" should be the right choice, but if you have problems with the connection, try "Uni-VPN-TCP" instead.
Note: You can click "Download" here and download your configuration file. This is not a screenshot ;-)
Direct all internet traffic through the tunnel?
- Accessing online resources may require that you route all network traffic through the tunnel.
- You do not need this option to simply access the network drives.
Start OpenVPN
If OpenVPN is not already started (see tray icon), start it using the "OpenVPN GUI" icon on your desktop.
- The OpenVPN client is started via this symbol.
- An icon with a small lock will now appear at the bottom of the taskbar.
- Do not confuse it with the Windows network icon.
Load configuration
Open the configuration file with a double click. Alternatively, you can also do the following:
- Right-click on the OpenVPN icon at the bottom right of the task bar.
- Then click Import File.
- Now open the file "OpenVPN-UPB-NG_*.ovpn" that we have just downloaded.
Establish connection
Now we set up a VPN connection.
You can see the status of the VPN by the color of the symbol:
- No VPN connection active
- VPN connection is being established
- VPN connection active
As soon as a green status is displayed, you are connected to the internal university network.
Disconnect
Disconnect the VPN connection when you no longer need it.
- Click on the OpenVPN icon.
- Click Disconnect.
Check VPN
You can check the functionality of the VPN by visiting:
Your IP will be displayed there and it will show whether you are in the university network.
Troubleshooting
Red status messages
There are some red status messages when connecting, but these are completely normal and do not represent a real problem. See:
VPN Declaration of Messages (Log)
Error messages
Cannot load certificate
Error message:
Cannot load certificate "SUBJ:@uni-paderborn.de" from Microsoft Certificate Store
This can have two reasons:
- You do not have a certificate installed
  - Install a network certificate (see above)
- You have installed too many network certificates
  - Press "Win" + "R" to bring up the "Run" dialog.
  - Type the following:
    certmgr.msc
  - Then click OK.
  - Go to the My Certificates folder and then the Certificates folder.
  - There should only be one certificate with the identifier "username@uni-paderborn.de" in this folder.
  - Further certificates with the identifier "username@uni-paderborn.de" should be deleted.
  - If there are several, you can identify the active one by the serial number.
    - Double-click the certificate, then open Details and look at the serial number.
    - You can find the active certificates with the corresponding serial number in the service portal.
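The same check can be done from PowerShell. The following is an added example, not part of the original instructions: it only reads the current user's certificate store (nothing is deleted) and assumes that a substring match on the certificate subject approximates what the "SUBJ:@uni-paderborn.de" selector from the error message matches.

```powershell
# Added example: read-only inventory of the certificates that the selector
# "SUBJ:@uni-paderborn.de" from the error message can match.
# Cert:\CurrentUser\My is the per-user store that certmgr.msc displays.
$selector = '@uni-paderborn.de'   # substring taken from the error message
$now      = Get-Date

# Assumption: matching on the Subject string approximates OpenVPN's SUBJ: lookup.
$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$selector*" })

$candidates |
    Sort-Object NotAfter -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            SerialNumber  = $_.SerialNumber     # compare with the service portal
            NotAfter      = $_.NotAfter
            Expired       = $_.NotAfter -lt $now
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-Table -AutoSize

# The two causes named above: no certificate, or more than one.
switch ($candidates.Count) {
    0       { Write-Warning 'No matching certificate found: install the network certificate.' }
    1       { Write-Host 'Exactly one matching certificate is installed.' }
    default { Write-Warning "$($candidates.Count) matching certificates found: keep the one whose serial number is active in the service portal." }
}

# A certificate without its private key cannot authenticate the tunnel.
$noKey = @($candidates | Where-Object { -not $_.HasPrivateKey })
if ($noKey.Count -gt 0) {
    Write-Warning "$($noKey.Count) matching certificate(s) have no private key."
}
```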
Private Key in legacy Store
On some systems, the personal user certificate must be installed twice. If you find the following error message in the log:
"WARNING: cryptoapicert: private key is in a legacy store. Restricting TLS version to 1.1"
Install your personal network certificate a second time. The error message should then disappear.
Group VPN ports are blocked - TLS Handshake failed after a timeout (60 sec)
Group VPN connections are established over specific UDP ports. Normally these ports cause no problems because they do not overlap with other protocols. However, if your Internet access is restrictive and only allows certain ports, a connection problem may arise. This affects some university institutions or company networks. Home networks are generally not affected.
Solution:
- Change your location or network
- Open the required port, or ask the IT department whether this is possible
- You can find the port used for your group network within the config file.
- If it is the hpc-pc2 network, contact the PC2 for alternative SSH access
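To read the server, port and protocol out of a configuration file before talking to the IT department, a small parser is enough. This is an added example, not part of the original instructions; the function name Get-OvpnEndpoint is made up for illustration, the sample profile is constructed with placeholder values, and the folder is the per-user one described under "Configuration file".

```powershell
# Added example: list the endpoints an OpenVPN profile connects to.
function Get-OvpnEndpoint {
    param([string[]]$Lines)
    $proto = 'udp'; $port = '1194'   # OpenVPN defaults when the profile sets neither
    $remotes = @()
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -match '^[#;]') { continue }   # blank or comment
        $tok = $line -split '\s+'
        switch ($tok[0]) {
            'proto'  { $proto = $tok[1] }
            'port'   { $port  = $tok[1] }
            'remote' { $remotes += , $tok }   # remote <host> [port] [proto]
        }
    }
    # Resolve after the loop: global proto/port may follow the remote lines.
    foreach ($r in $remotes) {
        [pscustomobject]@{
            Server = $r[1]
            Port   = if ($r.Count -gt 2) { $r[2] } else { $port }
            Proto  = if ($r.Count -gt 3) { $r[3] } else { $proto }
        }
    }
}

# Constructed sample profile; host and port are placeholders, not the real values.
$sample = @'
client
dev tun
proto udp
remote vpn.example.org 1194
cryptoapicert "SUBJ:@uni-paderborn.de"
'@ -split "`r?`n"
Get-OvpnEndpoint -Lines $sample | Format-Table -AutoSize

# The imported profiles of the current user (path as given under "Configuration file").
$configRoot = Join-Path $env:USERPROFILE 'OpenVPN\config'
foreach ($file in Get-ChildItem -Path $configRoot -Filter 'OpenVPN-UPB-NG_*.ovpn' -Recurse -ErrorAction SilentlyContinue) {
    Get-OvpnEndpoint -Lines (Get-Content -LiteralPath $file.FullName) |
        Select-Object @{ n = 'Profile'; e = { $file.Name } }, Server, Port, Proto
}
```

Test-NetConnection only probes TCP, so it cannot confirm that a UDP port is open; for a UDP profile the listed port is what the firewall administrator needs to know.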
Configuration file
Add configuration file manually
As an alternative to the "Import file" function, you can also place the configuration file "OpenVPN-UPB-NG_*.ovpn" directly into the folder
C:/Users/<username>/OpenVPN/config/
You can also delete old configuration files there.
This directory may not exist until OpenVPN has been started for the first time.
Files in this folder are only available to the current user account.
Note: Drive C: represents the drive with the Windows installation.
Alternatively, configuration files can also be stored in the program folder
C:\Program Files\OpenVPN\config
Here they are available to all users of the computer.