
eduVPN

Aim: Instructions for how to connect using the eduVPN service

Introduction

eduVPN is a "virtual private network" service for research and education, originally developed by SURF, that we offer to Nikhef users. eduVPN is available for Windows, Linux, macOS, Android, and iOS devices.

At Nikhef we offer two 'variants' of eduVPN:

  • The Secure Internet variant helps you to surf safely on the general Internet. This service is a courtesy of SURF and Nikhef, and allows you to 'escape' from restrictive environments (such as a hotel network, airport WiFi, internet cafe) that only allow web browsing, and at the same time protects your network traffic via encryption.
  • The Institute Access variant connects you safely to all internal (local) Nikhef services directly. You can, for example, login to Stoomboot, view internal web pages, etc. from anywhere in the world. It is like being connected to Nikhef's local wireless or wired network. However, it only takes your traffic to Nikhef, and you cannot use Institute Access to access non-Nikhef resources.

Instructions

If you want to connect to your Nikhef desktop after installing eduVPN, follow these instructions.

To install eduVPN on your Linux machine follow the steps below. These instructions are written using Mint but the application is available for various distributions. If you scroll further down you will find more instructions on how to use eduVPN under Linux. This does require more technical knowledge of the OS you are using.

Instructions Images
Visit the eduVPN website to download the software for Linux: https://www.eduvpn.org/client-apps/
You will then be directed to the documentation website on: https://python-eduvpn-client.readthedocs.io/en/master/
Pick the Linux flavor you are using and follow the instructions written there.
After this is finished, start the eduVPN application. Search for Nikhef and click on Nikhef at Institute Access. You can use the eduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, if you want to connect to your computer at Nikhef, choose the option "Institute Access Nikhef".
Your browser will open and you will be asked to grant authorization for the eduVPN application. Click 'Approve' to continue.
You can close the browser and start using eduVPN on your Linux machine.

It is also possible to use eduVPN under Linux without any special applications. The instructions below assume you are using NetworkManager, but expert users can also use the downloaded OpenVPN configuration files directly.

  • You will first need to download a configuration file. Where to get it depends on the variant:

      • For Institute Access: https://nikhef.eduvpn.nl/portal/configurations

      • For Secure Internet: https://nl.eduvpn.org/
        choose "Manual Configuration" / "Handmatige configuratie"

  • Then run the following command in a terminal, where <filename>.ovpn is the configuration file you downloaded: nmcli connection import type [openvpn | OpenVPN] file <filename>.ovpn

  • If you receive this kind of error message

    $ nmcli connection import type OpenVPN file /tmp/nikhef.eduvpn.nl_institute_20230421_EduVPN-IA.ovpn

    Error: failed to find VPN plugin for OpenVPN.

    it could be that the import type on your system uses a different capitalization: try openvpn, OpenVPN, or some variation of that.

  • Now open your network manager; there should be a Nikhef eduVPN connection available to connect to.
Instructions Images
Visit the eduVPN website to download the software: https://www.eduvpn.org/client-apps/
You will then be directed to the App Store on your Mac to download the eduVPN client. Do this and wait for the software to be installed on your Mac.
Start the eduVPN application. Search for 'Nikhef' in the list and click on it.
You can use the eduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, in this example we want to connect to our computer at Nikhef so we choose the option: "Institute Access Nikhef".
Your browser will open and you will be asked to grant authorization for the eduVPN application. Click 'Approve application' to continue.
Back in the eduVPN application, click on 'Nikhef' to start the connection with the institute.
macOS will ask if you allow a change to the system's VPN configuration. To continue click on 'allow' here.
This is the status page. The status icon will be colored orange for a short time and then turn green. You are connected!
Instructions Images
Visit the eduVPN website to download the software: https://www.eduvpn.org/client-apps/
Once the software is downloaded, start the installer and click 'Install'.
In the provider list you need to select the institute to connect to. Search for 'Nikhef' in the list and click on it.
You can use the eduVPN application to surf the internet safely, for example when you are connected to a public WiFi. However, in this example we want to connect to our computer at Nikhef so we choose the option: "Institute Access Nikhef".
Your browser will open and you will be asked to grant authorization for the eduVPN application. Click 'Approve' to continue.
Back in the eduVPN application, make sure 'Nikhef' is selected and choose 'Institute access' to start the connection with the institute.
This is the status page. The status icon will be colored orange for a short time and then turn green. You are connected!

Description

Secure Internet

Secure Internet is a direct, private tunnel to a trusted location.

Your network traffic will appear to originate from that trusted location. You can check where your connection is coming from by visiting http://myip.nikhef.nl/.

For example, let's say you are traveling. You have the eduVPN application on your phone. From the Secure Internet section, you can choose an eduVPN connection in another country, such as Germany. Selecting Germany results in a direct private tunnel from your phone to that VPN server, i.e. all data will be fully encrypted until it reaches the VPN server. The VPN server will make it appear as if you're locally at that location, so if you browse the internet from your phone, it appears you are physically located in Germany.

If you use only Secure Internet, you will access Nikhef services as if you were 'outside' of the Nikhef network.

Privacy considerations

Your network traffic cannot be intercepted until it gets to the VPN server you have chosen, but the administrators of the VPN server itself can see where you are going, although they will likely not inspect your traffic. All normal rules and acceptable use policies apply, and you are not anonymous.

For privacy, always use "HTTPS" and other secure protocols, like "IMAPS" and "SMTPS", to send sensitive data like passphrases or bank details, even when connecting to the Internet through an eduVPN server.

Institute Access

Nikhef Institute Access provides a direct tunnel into Nikhef's local network, as if you connected to Nikhef's local WiFi. You can login directly to things like the Stoomboot interactive nodes, you can mount your home directory (or roaming profile) via CIFS ("samba" or "windows shares"), and you can view intranet web pages.

The Institute Access configuration will set your computer to only send Nikhef traffic over this tunnel—all other traffic will not be affected. If you send non-Nikhef traffic over this VPN tunnel, we will drop it: this means that you cannot get to the 'rest of the internet' via Institute Access. However, you can connect to both Institute Access and Secure Internet in parallel, to keep you safe.

The eduVPN Institute Access grants you access (exclusively) to these networks:

  • 2001:610:120::/48 - Nikhef services and desktops
  • 2a07:8500:120::/48 - Nikhef services
  • 192.16.185.0/24, 192.16.199.0/24 - Nikhef central services
  • 192.16.194.0/24 - Nikhef central services and Facility networks
  • 192.16.195.0/24 - Nikhef central services
  • 145.107.4.0/22 - Stoomboot interactive, batch, and dCache systems
  • 192.16.186.0/24 - Nikhef web services and the 'lesnet' environment
  • 192.16.192.0/24 - DAQ systems and self-managed desktops
  • 145.116.48.0/20 - Nikhef desktops and workstations, also including special purpose networks
  • 185.153.60.0/22 - Nikhef experimental networks
  • 194.171.96.0/21 - Grid services, dCache, and tunnels
  • 2a07:8504:120::/48 - LHCOPN and LHCone Storage services (dCache)
  • 137.120.0.0/24 - ET Pathfinder at Maastricht University
  • 192.87.155.184/29 - NWO Bureau hosted services
  • 85.90.69.216/29 - NWO Bureau hosted services
  • 145.110.0.0/16 - Nikhef Customer Clouds
  • 2a07:8500:140::/48 - Nikhef Customer Clouds

Some networks are aggregated in the routes that are provided to you. This is intentional, to keep your routing table compact and more manageable. For the same reason, the list above is organized per network rather than per functional element.
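One way to check this split-tunnel behaviour on a Linux client, as an added example (not part of the original page and not Nikhef's or eduVPN's own tooling): it compares the routes on the tunnel interface with the networks listed above, accepts aggregated routes, and flags a default route or anything outside the list. The interface name `tun0` and every sample route line are assumptions constructed for illustration; on a real machine, pass in the lines printed by `ip -o route show` and `ip -o -6 route show`.

```python
import ipaddress
# Networks reachable through Institute Access, copied from the list on this page.
PUBLISHED = [ipaddress.ip_network(n) for n in """
    2001:610:120::/48 2a07:8500:120::/48 192.16.185.0/24 192.16.199.0/24
    192.16.194.0/24 192.16.195.0/24 145.107.4.0/22 192.16.186.0/24
    192.16.192.0/24 145.116.48.0/20 185.153.60.0/22 194.171.96.0/21
    2a07:8504:120::/48 137.120.0.0/24 192.87.155.184/29 85.90.69.216/29
    145.110.0.0/16 2a07:8500:140::/48""".split()]

def tunnel_routes(lines, iface):
    """Destinations routed via iface, parsed from `ip -o route show` style lines."""
    nets = []
    for line in lines:
        f = line.split()
        # Skip other interfaces and the tunnel's own connected subnet (proto kernel).
        if "dev" not in f[:-1] or f[f.index("dev") + 1] != iface or "kernel" in f:
            continue
        dest = f[0]
        if dest == "default":
            dest = "::/0" if ":" in line else "0.0.0.0/0"
        try:
            nets.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:  # typed routes such as 'unreachable' or 'blackhole'
            continue
    return nets

def audit(lines, iface):
    routes = tunnel_routes(lines, iface)
    same = lambda r, p: r.version == p.version  # never compare IPv4 with IPv6
    return {
        # Default route or a /1 half: general Internet traffic would enter the tunnel.
        "too_wide": [r for r in routes if r.prefixlen <= 1],
        # Published networks that no (possibly aggregated) route carries.
        "missing": [p for p in PUBLISHED
                    if not any(same(r, p) and p.subnet_of(r) for r in routes)],
        # Routes touching no published network: the page says such traffic is dropped.
        "unexpected": [r for r in routes if r.prefixlen > 1
                       and not any(same(r, p) and p.overlaps(r) for p in PUBLISHED)],
    }

# Constructed sample input (not real Nikhef output): tun0, the 10.61.0.0/24 tunnel
# subnet and the two aggregates 192.16.184.0/21 and 192.16.192.0/22 are assumptions.
SAMPLE = ["default via 192.168.1.1 dev wlan0 proto dhcp metric 600",
          "10.61.0.0/24 dev tun0 proto kernel scope link src 10.61.0.7",
          "192.16.184.0/21 dev tun0 proto static metric 50",
          "192.16.192.0/22 dev tun0 proto static metric 50"]
SAMPLE += [f"{p} dev tun0 proto static metric 50" for p in PUBLISHED if not
           str(p).startswith(("192.16.18", "192.16.192", "192.16.194", "192.16.195"))]
print(audit(SAMPLE, "tun0"))
```

Three empty lists mean the tunnel carries exactly the published networks; an entry under `missing` explains why a service such as Stoomboot is unreachable while connected.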

Privacy considerations

Your traffic will be encrypted up to the end-point of the tunnel at SURF (the Dutch research and education network), and SURF will send that traffic directly to Nikhef via a dedicated private link. Within Nikhef, the traffic is no longer super-encrypted, but is 'just like any local link'.

Why don't we allow general traffic on Institute Access? Simple: we want to preserve your privacy, and really do not want to see your personal browsing behavior. Traffic sent through Nikhef is all subject to our Acceptable Use Policy, and we carry responsibility for what we would send on towards the public internet. To do that, we perform incident response and keep logs on network connections. If you were to use Institute Access for personal browsing, we could inadvertently capture your other traffic, and we don't want to. SURF, as our NREN, offers Secure Internet that does offer you 'generic' access, and—although you are and remain subject to our Nikhef Acceptable Use Policy—your personal traffic will be part of 'just a whole bunch of student and dorm traffic'. And we at Nikhef don't get to see it, so our security team feels better as well.