This is an old revision of the document!


Remote access using VPN

Sterrewacht

There is a new OpenVPN server that allows you to connect your personal computer/device to the internet as if it were part of the Observatory computer network. The server is a standalone server with the sole purpose of providing VPN connections, and to which you can connect using an OpenVPN client.

For OpenVPN you will need a special .ovpn file to get access to our VPN service. Please request one via helpdesk@strw.leidenuniv.nl

There are OpenVPN clients for the major operating systems:

Sterrewacht

DNS problem work-around

Recently, some people working from home have reported problems when trying to connect to Sterrewacht (or even all Leiden University) computers, especially people renting apartments with DUWO. There is likely a problem with the DNS (domain name server) of the local internet provider. To bypass this problem, Sterrewacht users can activate the STRW VPN. For this to work, users with an existing VPN client (.ovpn) file need to make a small change. From the OpenVPN program or app, choose to edit the configuration file. In the editor that appears, replace the text vpn.strw.leidenuniv.nl with 132.229.224.4, then save the changes, so that the client no longer needs the local provider's DNS to find the VPN server. From that point onwards, when connecting to the STRW VPN, the internet connection uses the STRW DNS instead of the local provider's DNS. Note that all internet traffic then goes via the Sterrewacht networks, unless you set up split VPN as described below.

Split VPN connections

The provided VPN client file redirects all internet traffic over the Observatory VPN. There are however situations in which it is unnecessary or even discouraged to tunnel a connection via our VPN. Imagine, for instance, how inefficient it is to tunnel a videoconference through a VPN tunnel.

In these cases, you can tweak your .ovpn config file to choose which connections bypass the VPN. Here is an example.

Example: Only Leiden University IPs via VPN

Add the following lines somewhere in the .ovpn client file we provided:

# Only UL IPs via VPN
# With the exception of the Sterrewacht VPN IP address 
pull-filter ignore "redirect-gateway"
route 132.229.0.0 255.255.0.0 vpn_gateway
route 132.229.224.4 255.255.255.255 net_gateway

Lorentz Institute

NEW: Since the end of October 2021, besides your IL username and password, you will also have to enter your TOTP to initiate a connection.
If you requested your .ovpn file before 29/10/2021, please add the following line somewhere in this file:
static-challenge "One-time password" 0

The Lorentz Institute offers its staff members an OpenVPN service for remote connections to the IL intranet. Apart from preserving users' privacy, the IL OpenVPN lets you access services that would otherwise be unavailable when working remotely. One use case is accessing scientific journal content through the Institute's subscription.

Request your IL OpenVPN access via support@lorentz.leidenuniv.nl and you will receive your personal 1) .ovpn file.

Launch your .ovpn with your favorite OpenVPN client 2) to initiate a connection. There are OpenVPN clients for the following major platforms:

Unfortunately, at the moment we are not aware of any smartphone that supports 2FA-protected VPN connections.

Split VPN connections

The provided VPN client file redirects all internet traffic over the Lorentz Institute VPN. There are however situations in which it is unnecessary or even discouraged to tunnel a connection via our VPN. Imagine, for instance, how inefficient it is to tunnel a videoconference through a VPN tunnel.

In these cases, you can tweak your .ovpn config file to choose which connections bypass the VPN. Here are some examples.

Example 1: Only Leiden University IPs via VPN

Add the following lines somewhere in the .ovpn client file we provided:

# Only UL IPs via VPN
# With the exception of the IL VPN server's own IP address
pull-filter ignore "redirect-gateway"
route 132.229.0.0 255.255.0.0 vpn_gateway
route 132.229.227.248 255.255.255.255 net_gateway

Example 2: VPN-bypass IPs in range

Add the lines in the following code snippet somewhere in your .ovpn file if you want to:

  • Tunnel through the VPN only those connections to the IL/STRW servers that have an IP in the range 132.229.214.0/24
  • Leave all other connections unaffected by the VPN (including those to the most common videoconferencing systems)

pull-filter ignore "redirect-gateway"
route 132.229.214.0 255.255.255.0 vpn_gateway

Example 3: VPN-bypass multiple IPs

Add the lines in the following code snippet somewhere in your .ovpn file if you want to:

  • Tunnel through the VPN the connections to the IL/STRW servers that have an IP in the range 132.229.214.0/24
  • Tunnel through the VPN the connections to the IL web server 132.229.227.253
  • Leave all other connections unaffected by the VPN (including those to the most common videoconferencing systems)

pull-filter ignore "redirect-gateway"
route 132.229.214.0 255.255.255.0 vpn_gateway
route 132.229.227.253 255.255.255.255 vpn_gateway

Example 4: Exclude IP from VPN tunnel

Add the lines in the following code snippet somewhere in your .ovpn file if you want to

  • Tunnel through the VPN all connections but those to the IL web server 132.229.227.253
route 132.229.227.253 255.255.255.255 net_gateway
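
To check which path a destination takes under one of the split-tunnel snippets above, the following added example (not part of the original page or the institutes' tooling) parses the route and pull-filter lines and applies longest-prefix matching, the rule the operating system's routing table uses. It assumes the server pushes redirect-gateway, as the page's use of pull-filter implies; the function names and the test address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample inputs: the snippets from Example 1 and Example 4 above.
EXAMPLE_1 = '''
# Only UL IPs via VPN
pull-filter ignore "redirect-gateway"
route 132.229.0.0 255.255.0.0 vpn_gateway
route 132.229.227.248 255.255.255.255 net_gateway
'''
EXAMPLE_4 = "route 132.229.227.253 255.255.255.255 net_gateway\n"


def parse_split_config(ovpn_text):
    """Return (routes, ignores_redirect) for the directives modelled here."""
    routes, ignores_redirect = [], False
    for raw in ovpn_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)  # strips '#' comments
            if tokens[:2] == ["pull-filter", "ignore"] and len(tokens) > 2:
                # Simplification: only a filter on redirect-gateway is tracked.
                ignores_redirect |= tokens[2].startswith("redirect-gateway")
            elif tokens[:1] == ["route"] and len(tokens) > 1:
                # OpenVPN defaults: host (/32) netmask, VPN gateway.
                mask = tokens[2] if len(tokens) > 2 else "255.255.255.255"
                gateway = tokens[3] if len(tokens) > 3 else "vpn_gateway"
                net = ipaddress.ip_network(f"{tokens[1]}/{mask}", strict=False)
                routes.append((net, gateway))
        except ValueError:
            continue  # unbalanced quote, or a route given as a hostname
    return routes, ignores_redirect


def path_for(dest, ovpn_text, server_pushes_redirect=True):
    """Gateway a destination uses: longest-prefix match, then the default."""
    routes, ignores_redirect = parse_split_config(ovpn_text)
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, gw) for net, gw in routes if addr in net]
    if matches:
        return max(matches, key=lambda m: m[0])[1]
    # No explicit route: full tunnel only if the pushed redirect is honoured.
    full_tunnel = server_pushes_redirect and not ignores_redirect
    return "vpn_gateway" if full_tunnel else "net_gateway"


if __name__ == "__main__":
    for ip in ("132.229.214.10", "132.229.227.248", "192.0.2.10"):
        print("Example 1", ip, path_for(ip, EXAMPLE_1))
    for ip in ("132.229.227.253", "192.0.2.10"):
        print("Example 4", ip, path_for(ip, EXAMPLE_4))
```

In Example 1 the /32 route for the VPN server wins over the /16 route, which keeps the tunnel's own packets off the tunnel; in Example 4 everything except the one excluded host still goes through the VPN.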

LION Physics

For the PHYSICS domain there is a separate Windows-based VPN server that provides the same functionality as the OpenVPN example above, but is better geared to the Windows environment.

Before you can set up a VPN connection you need to contact helpdesk@physics.leidenuniv.nl to obtain a Secret Key and have your PHYSICS account enabled for VPN use.

You can connect from:

Once you have a VPN connection you can use:

1)
This file contains confidential information and should be treated/protected like a password.
2)
Make sure that you are using a client compatible with OpenVPN v2.4+
vpn.1638536784.txt.gz · Last modified: 2021/12/03 13:06 by deul