eduVPN

Get your secured connection

eduVPN protects you on unsecure networks, for example, against nearby prying eyes while on the train. The service also offers secure access to protected services when accessing from outside your institution's network.

About eduVPN

eduVPN enables employees, researchers and students to easily and securely connect to the Internet and gain access to their institution’s protected systems.

 

Many public Wi-Fi networks, for example, on the train, in the library or in restaurants, are unsecure, but your home network is not always well protected either. All the data you enter and receive on your phone, tablet or computer can be intercepted fairly easily. Malevolent people can also divert you to a phishing website in order to intercept your password. Not a comforting thought, especially if you are processing sensitive information.

The eduVPN service resolves this by setting up a so-called Virtual Private Network (VPN), an encrypted connection between your (private) computer or smartphone and the company network of your organisation. It acts as a bridge, offering you direct network access. This will allow you to connect securely to the Internet without the fear of prying eyes close by.

Read the eduVPN privacy statement

Getting started with eduVPN

On this page, you will find all the software and you can read exactly what you need to do in order to use eduVPN.

You can configure eduVPN for two different use cases: to use internet safely on public networks and to get access to your institution’s shielded services and applications, like grading software. Below, we only explain how you configure your device for the first situation. Do you want to use eduVPN for the second situation? Follow the instructions you got from your institution or contact the IT-helpdesk.

1. Downloading and installing the software

2. Creating an account

eduVPN screen: Find Your Institute

When you first open the program or app, you search for your own institution name. In the image below, the search was for ‘Radboud’. It is then shown that for Radboud University, two functions are available:

  • Institute Access, to securely connect to the institution’s network to access protected applications.
  • Secure Internet, for safe browsing on public networks

Choose the function for which you want to use eduVPN. You will automatically be transferred to your browser and log in with the details that you have received from your organisation (your institution account) and that you also use to log in to other services. Usually they have the form ‘yourname@yourinstitutionsname.nl’.

3. Giving permission

After logging in to your own organisation, you will be taken to the web page below. Click Toestaan (Allow) so that a secret private key is transferred to the eduVPN client that is on your computer.

eduVPN screen: allow application

4. Starting VPN connection

eduVPN screen: Secure Internet

Once the key is in the eduVPN client, you can start the VPN connection. In the example below, Secure Internet is available and you can connect to the Dutch secure internet server. After you click on Netherlands, the VPN connection is started.

5. VPN-connection active

eduVPN screen: connected

The green icon shows that the VPN is active. It also shows how long you can use the VPN before you have to log in again (via your own institution). For security reasons, institutions actually choose to limit the running time of the VPN.

Other platforms

We are currently not developing specific software for other platforms, but you can usually also use eduVPN on such platforms. Download the available OpenVPN client and install it.

There are two eduVPN versions: Securely surfing the Internet (Secure Internet) & access to the institute network (Institute Access).

  •  and log in using your institution account.
  • For Institute Access, you need to surf to a web address, such as http://<yourinstitution>.eduvpn.nl. Contact your helpdesk for the exact address.

Generate a configuration file via the eduVPN portal. This will enable you to start a connection in OpenVPN.

Please note that the configuration file expires and OpenVPN does not show this clearly, with the result that OpenVPN refuses to connect. In some organisations this configuration even expires within one day, so that a new configuration file has to be created and installed every day.
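The expiry described above can be checked before a connection attempt fails without explanation. The following is an added example, not part of eduVPN or of the original page: it reads the notAfter date of the client certificate from an OpenVPN configuration file, assuming the certificate is embedded inline in a <cert> block. The function names are illustrative.

```python
import base64
import re
from datetime import datetime, timedelta, timezone


def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_not_after(der):
    """Return the notAfter time (UTC) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)      # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)    # serialNumber
    for _skip in range(2):            # skip signature algorithm and issuer
        _, _, end = _tlv(der, end)
    _, start, _ = _tlv(der, end)      # validity SEQUENCE
    _, _, end = _tlv(der, start)      # notBefore
    tag, start, end = _tlv(der, end)  # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                   # UTCTime: two-digit year, RFC 5280 pivot
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ovpn_cert_expiry(ovpn_text):
    """Return the expiry of the certificate in the inline <cert> block."""
    block = re.search(r"<cert>(.*?)</cert>", ovpn_text, re.S)
    pem = block and re.search(r"-{5}BEGIN CERTIFICATE-{5}(.*?)-{5}END", block[1], re.S)
    if not pem:
        raise ValueError("no inline <cert> certificate found")
    return cert_not_after(base64.b64decode("".join(pem.group(1).split())))


def describe(expiry, now=None):
    """Classify the certificate as expired, expiring within a day, or valid."""
    left = expiry - (now or datetime.now(timezone.utc))
    if left <= timedelta(0):
        return "expired"
    return "expires within 24h" if left < timedelta(hours=24) else "valid"
```

Pass the text of a downloaded configuration file to ovpn_cert_expiry and the result to describe; an "expired" answer means a new configuration file has to be generated in the portal.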

FAQ eduVPN

If you have any questions or are encountering problems, check the list of frequently asked questions and see if you can find the answer. If your question is not covered there, please contact your organisation’s IT helpdesk.


This is the privacy statement of eduVPN that you agree with when you choose to use eduVPN.

This privacy statement applies to the service eduVPN that is being provided by SURFnet, the National Research and Education Network of the Netherlands. References to ‘we’, ‘our’ and ‘us’ refer to eduVPN, while ‘you’ and ‘your’ refer to the user of eduVPN. The most recent version of this privacy policy can always be found here.

1. Principles and values

We believe (the opportunity to have) privacy in a secure way is fundamental but unfortunately also increasingly scarce. eduVPN strengthens the user’s security by enabling institutions, students, teachers, employees and researchers to connect securely to the internet and their institution network wherever they are. eduVPN has been developed with privacy and security in mind since the very beginning of the project because we think privacy and security are inseparable within eduVPN.

That being said, eduVPN collects, stores and logs information. We use this information with the purpose of providing the service eduVPN, for auditing and analysis in order to maintain, protect and improve eduVPN. Our principles regarding data collection are:

  • We don’t collect personal information or data when it is not necessary.
  • We will never use personal data for other purposes than those for which the personal data were initially collected.
  • We will never sell or market the obtained personal data to third parties.
  • We will never store or view the content of the traffic on the VPN network.
  • We will be transparent about all aspects of processing personal data and logging.

The legal ground of processing personal information is legitimate interest to provide the service eduVPN and to prevent abuse on the SURFnet network. As a user you have the right to inspect all the user data we collect from you. In some cases you also have the right to rectify or delete the data and/or restrict the processing of the data. You may always object to the processing of your user data. Such requests may be sent to the email address below. SURFnet will give a response to the request within four weeks.

In order to be transparent, this Privacy Statement is quite comprehensive and thus a quite long read. Therefore we also included a shorter summary that is more easily readable.

Don’t hesitate to contact us via eduvpn@surfnet.nl if you have any questions or concerns.

2. Short summary

From a user’s perspective, eduVPN consists of a user portal (web server) where configuration files can be downloaded and a VPN server that can be used to establish a connection with eduVPN. These components log and store the following information for one month:

2.1 User portal

  • The unique user ID of the user.
  • A list of certificates created by the user.
  • When two factor authentication is used, the OTP secret.
  • If SURFconext Teams is being used, a VOOT token.

2.2 Connection

  • The unique user ID of the user.
  • The time the connection was established.
  • The time the connection was closed.
  • The IP addresses assigned to the user’s VPN client.
  • The amount of data that was transferred by the VPN client.

3. Elaborate version

3.1 The information you provide

When you start using eduVPN and log in for the first time, SURFconext will ask if you agree with the release of personal data. There are two profiles within eduVPN, each requiring different personal data (explained below). You will also be asked to read and accept the SURFnet Terms of Service and this eduVPN Privacy Statement.

Secure Internet

If you choose this profile, all traffic will be going through eduVPN. eduVPN only uses the attribute ‘persistent NameID’ (example: b466f1047193791ga9aop7224a98fd24a1ce4551) from the user. This identifier is randomly generated by SURFconext and pseudonymous. The mapping of the persistentID to the associated user can be made when SURFnet is required to do so pursuant to the law, a judicial decision or abuse.

Within the context of the Dutch Personal Data Protection Act and the European General Data Protection Regulation, SURFnet is the controller and Greenhost is the processor of personal data within this profile.

Secure Access

If you choose this profile, only traffic to the institution’s network will go through eduVPN. This is the profile you want when you need access to your institution’s network. The persistent NameID cannot be used for this profile since users need to be identifiable for authorization. This means that the chosen attribute for this profile can differ between institutions. There is a strong preference from the eduVPN team that institutions will use attributes that are not directly reducible to users’ identities, e.g. using student numbers.

Within the context of the Dutch Personal Data Protection Act and the European General Data Protection Regulation, your institution is the controller and SURFnet is the processor of personal data within this profile.

3.2 The information we collect

eduVPN collects more information and data than the aforementioned SURFconext attributes you provide. This is mostly because of error logging so we can troubleshoot more easily when something is not working as intended. We made a list of all the logging components within eduVPN.

Statistics

eduVPN servers provide us with general and anonymous statistics. The following is part of these statistics:

  • Total amount of bytes transferred per session
  • Total number of unique users
  • Highest number of concurrent connections

These statistics are being created daily and will also be available in consolidated form for other periods of time like weekly and monthly. These data are available to the institution’s application managers and the eduVPN team. There is no user data and / or personal data being processed in these statistics and there is no time limit applied.

Logging for application managers

An application manager can request specific logs from within the admin-portal. For the Secure Internet profile logs can only be accessed by the eduVPN team while only the institution’s application managers have access to the logs of the Secure Access profile. The application manager needs the point of time in combination with the issued IP address to request logging. When the combination is available in the logs, the following will be provided:

  • Used profile (e.g. ‘Secure Access’).
  • The UserID (e.g. ‘b466f1047193791ga9aop7224a98fd24a1ce4551’).
  • The name of the configuration file (e.g. ‘Android_1478521025’).
  • The issued IP addresses (VPN) (e.g. ‘145.101.113.74 and 2001:610:188:71::1008’).
  • Timestamp start of connection (e.g. ‘2016-11-07 13:17:19’).
  • Timestamp end of connection (e.g. ‘2016-11-07 13:23:40’).

These data are being stored for one month.

Server logging OpenVPN

eduVPN uses OpenVPN software for the underlying VPN server. All logging of OpenVPN has been disabled so nothing will be logged at this level.

Access log

The web server’s access log logs all requests from clients. This log is turned off but can be temporarily enabled when additional logging is needed to troubleshoot problems that cannot be fixed in other ways. When the access log is enabled, the following data is stored for one month:

  • The (real) IP address from the visitor.
  • The username as determined by HTTP authentication.
  • The time of the request.
  • The request line of the client (e.g. ‘GET / HTTP/1.0’).
  • The status code that the server sends to the client (e.g. 200, 404 etc.).
  • The size of the server’s answer to the client (in bytes).
  • The requested page / URL.

Error logging

Under normal circumstances, there will be no errors. But of course not everything is normal and things can go wrong in, for example, the user’s browser or the web server. The web server sends this diagnostic information and detected errors to the error log. This is the first place where we will look when there is something wrong with the web server. This logging is turned on, stored for one month and consists of the following information:

  • The timestamp of the error.
  • The category of the error (low – severe).
  • The IP address from the client.
  • The error code or the message with the error.

Example:

[Wed Nov 16 07:45:23.681239 2016] [:error] [pid 18283] [client 10.42.101.100:59892] No known parameters passed to the logout handler. Query string was “(null)”. To initiate a logout, you need to pass a “ReturnTo” parameter with a url to the web page the user should be redirected to after a successful logout.

Logging between nodes

The internal logging from communication between different eduVPN components is being tracked in a log file. Think of: “User creates a new certificate through the user-portal”. The logging is being stored for one month and consists of the following:

  • Timestamp of the action.
  • The request (e.g. GET /api.php/).
  • The UserID.
  • The request line from the client.
  • The status code.

Example:

[14/Nov/2016:10:51:27 +0000] “GET /api.php/is_disabled_user?user_id=b117d1efaadc006f243fefb722b28430754ka2dq HTTP/1.1” 200 35

php-fpm logging

php-fpm is a process manager for PHP and is being used to initiate and stop PHP scripts in the server. php-fpm only logs errors and contains no user data. This logging is turned on, is stored for one month and looks as follows:

[20-Oct-2016 14:00:45] NOTICE: fpm is running, pid 7692
[20-Oct-2016 14:00:45] NOTICE: ready to handle connections
[20-Oct-2016 14:00:45] NOTICE: systemd monitor interval set to 10000ms
[21-Oct-2016 16:23:19] NOTICE: Terminating …
[21-Oct-2016 16:23:19] NOTICE: exiting, bye-bye!

1. To use eduVPN, download and install the app for your device below!

2. To connect to UB’s VPN server, manually add eduvpn.ub.ac.id in the Institute field.

3. Log in with your UB account, and click Approve.

4. Select a profile, and click the connect button.

Note:

On the “Account” page you can block access to the VPN in case you lose a device, or no longer use the VPN.

If you do not want to, or cannot use the official eduVPN apps, you can also manually obtain a VPN configuration and import it in your existing VPN application.