VPN


Requirements

     

  1. A login to the HNI must be available.
  2. The login must be activated for VPN access by the Network and System Administration of the HNI (by mail to rb@hni.uni-paderborn.de or in person at the Network and System Administration).
  3. You need a personal network certificate. (If you use the "eduroam" WLAN, you have already created and installed a valid certificate, which you can also use for VPN access).
  4. The HNI uses OpenVPN for the VPN connection. To do this, OpenVPN client software must be installed.
  5. In order to connect network drives through the VPN, a password for the Windows domain of the HNI must be set. This can be done with a password manager on a terminal server (described in the instructions) or in person at the Network and System Administration.


Configuration instructions

Configure HNI-VPN on an external / private computer

 

Step 1: Have the VPN activated by the HNI Network and Systems Administration

Access to the HNI network through the VPN is regulated by an authorization group.

Only members of this group can establish a VPN connection.

There are two ways to be included in this group:

  1. by informal mail to the Network and System Administration
  2. in person, at the Network and System Administration

 

Step 2: Create a network certificate

Attention! The university VPN and the WLAN "eduroam" use the same authentication method. If you already use a certificate for one of the two networks, you do not need a new certificate!

Only if you do not have an eduroam or VPN certificate:

  • Log on to IMT user management under Manage user data yourself.
  • Click on the WLAN button.
  • If there is the line "Serial number network certificate" and there is a certificate ID in the second column, you already have a valid network certificate that you can use. → Continue with step 3
  • If you do not have a network certificate yet, click on "Create network certificate" in the line "Create new network certificate".
  • After clicking on "Create network certificate" you will be asked to assign a password for the certificate. You should enter a password according to the usual criteria and click on "Send certificate by email now". You should definitely remember the password (or write it down and keep it safe) so that you can continue to use the certificate for other services or after reinstalling your computer.
  • You will receive an email with a brief description of what a network certificate is. In the attachment to the mail you will find the actual certificate with the file extension .p12.

 

Step 3: Install the network certificate

OpenVPN is based on SSL encryption and certificates. So that a private computer can connect to the HNI network via OpenVPN, the previously generated certificate and the root certificate of the certification authority (CA = Certification Authority) must be installed on the private computer.

  • If you already use the eduroam WLAN or the university VPN, then you have already installed the certificates. → continue with the next step.
  • The installation of the certificates for the VPN is identical to the certificate installation for the eduroam WLAN. Therefore, we refer to the instructions of the IMT for setting up eduroam.

 

Step 4: Install and configure client software

OpenVPN requires its own client software. The HNI uses the same procedure as the IMT. Therefore, we also refer to the IMT installation instructions.

Attention! The HNI uses the same technology as the University of Paderborn, but the network addresses are different! Therefore, the HNI OpenVPN requires a different configuration file than the one mentioned in the IMT instructions.

 

Step 5: Set password for the HNI domain (only necessary if no domain password has been entered yet)

In principle, a connection to the HNI network can now be established. Most of the time you want to use this connection to connect network drives to access data in the HNI. There are a few things to consider:

Private or external computers usually do not belong to the Windows domain of the HNI. However, authentication in the HNI is designed for computers that do belong to the domain (for a variety of reasons). So that users on external computers can also connect to network drives, their password must be explicitly set in the Windows domain. This is only necessary once (or later if the password is to be changed deliberately).

You can either set the domain password when entering the VPN password when operating the computer, or you can also enter it yourself using the VPN connection you just created. And this is how it works:

  • Prerequisite: Computer is running, a network is connected, the VPN connection is established.
  • Click Start → Run, enter mstsc and click OK (mstsc stands for Microsoft Terminal Server Client and allows you to log on to a remote Microsoft server and run programs there).
  • The Remote Desktop Connection window opens.
  • Enter hni-ts.hni.uni-paderborn.de as the server and click connect.
  • The login screen of the HNI terminal server shows up.
  • Enter UNI-PADERBORN.DE\[IMT-Login name] as login. It is important that "UNI-PADERBORN.DE\" is capitalized before the login name!
  • Enter the normal HNI / IMT password as the password.
  • The desktop from the HNI-terminal server shows up.
  • There is a blue icon for the HNIPasswortManager V2 on the desktop. Double-click on it and enter the password for the Windows domain according to the instructions. I recommend using the same password that is used as the IMT password (to avoid confusion).
  • Start → Log off to leave the terminal server and return to your own desktop.

 

Step 6: Connect network drives with VPN.

Now a VPN connection can be established and the password for the authentication of external computers is entered. The only thing missing is connecting the network drive(s):

  • Prerequisite: Computer is running, a network is connected, the VPN connection is established.
  • Open Windows Explorer (either click Start → My Computer, double-click My Computer on the desktop, or press Windows Key-E).
  • In the menu bar under Extras click on Map Network drive.
  • Select a drive letter (for example P: for pro_studi)
  • For folders, enter the share in the form: \\[server name]\[share name].
    A server name as example could be hni-fs1.hni.uni-paderborn.de. Share name could be pro_studi. To stay with the example \\hni-fs1.hni.uni-paderborn.de\pro_studi should then be in the folder field.
  • If desired, check Restore connection when logging in. This allows you to quickly reestablish the connection after the computer has been switched off and / or the VPN connection has been disconnected.
  • Important! Now click on Connect under different user name.
  • The window for Connect as ... opens.
  • Enter username HNIRB\[IMT/HNI-Loginname]. It is important here again that HNIRB\ is capitalized before the login name.
  • As a password, enter the password that you previously entered on the hni-ts server with mstsc. (If you followed my recommendation, it is the same as the normal IMT password).
  • After successfully entering the login data, you are back in the Connect Network Drive window and can click on Finish.

Settings and parameters in short form

Settings in short form

  • Allow login for VPN
    In order to be able to connect to the HNI-VPN, an appropriate authorization must be entered. You can have this done in person at the Network and System Administration or via informal mail to the Network and System Administration.
  • Create a WLAN certificate (for eduroam WLAN)
    If you already have a certificate for eduroam WLAN, you can also use the same certificate for VPN access. If you do not have a certificate yet, you can create it in the user management of the IMT.
  • Install WLAN certificate
    This is described in the instructions of the IMT.
  • Install OpenVPN client software
    This is described in an IMT manual. A different configuration file is required for the HNI. The HNI configuration file is available here (right click → save target as ...) for Windows, MacOS-X or Linux or for iOS.
  • Network drives - domain password
    To connect to network drives in the HNI, a password for the Windows domain of the HNI must be set. This password can be entered with the password manager on the terminal server hni-ts.hni.uni-paderborn.de or in person at the computer.
  • Network drives - authentication
    To connect network drives in the HNI, the login must be specified in the following form:
    HNIRB\[login name]  or  HNI.UNI-PADERBORN.DE\[login name]
    It is important that the domain name is capitalized and separated from the login name with a backslash.
  • Network drives - share names
    When connecting network drives, make sure that the server name is specified as a Fully Qualified Domain Name (FQDN). So for example: \\hni-fs1.hni.uni-paderborn.de\pro_studi
    (\\hni-fs1\pro_studi does not work with a VPN connection because an external computer cannot recognize that a server in the HNI is meant.)
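
The drive mapping from Step 6 and the FQDN rule above, as an added PowerShell example (not part of the HNI instructions): it rejects short server names, checks that the file server is reachable through the VPN, and prompts for the domain password instead of storing it. The function name Connect-HniShare and the login jdoe are assumptions; the server and share are the example values used on this page.

```powershell
# Added example, not HNI-provided code. Function name and defaults are assumptions.
function Connect-HniShare {
    param(
        [Parameter(Mandatory)] [string] $Login,   # IMT/HNI login name, without domain
        [string] $Share  = '\\hni-fs1.hni.uni-paderborn.de\pro_studi',  # example from the page
        [string] $Letter = 'P'
    )

    # The share must have the form \\[server name]\[share name].
    if ($Share -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)$') {
        throw "Share must have the form \\[server name]\[share name]: $Share"
    }
    $server = $Matches['server']

    # Short names such as \\hni-fs1\pro_studi do not resolve from an external
    # computer over the VPN, so insist on a fully qualified domain name.
    if ($server -notmatch '\.') {
        throw "Server '$server' is a short name; use the FQDN, e.g. $server.hni.uni-paderborn.de"
    }

    # Fail early if the VPN tunnel is down or SMB (TCP 445) is unreachable.
    if (-not (Test-NetConnection -ComputerName $server -Port 445 -InformationLevel Quiet)) {
        throw "Cannot reach $server on TCP 445. Is the VPN connection established?"
    }

    # Prefix the login with the upper-case domain name unless one was given.
    $user = if ($Login -match '\\') { $Login } else { "HNIRB\$Login" }

    # Get-Credential prompts interactively, so the domain password never ends
    # up in the script, on the command line or in the shell history.
    $cred = Get-Credential -UserName $user -Message 'HNI Windows domain password'

    # -Persist creates a real Windows mapped drive (visible in Explorer)
    # instead of a drive that exists only in this PowerShell session.
    New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Share `
                -Credential $cred -Persist -Scope Global
}

Connect-HniShare -Login 'jdoe'   # 'jdoe' is a constructed login name
```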