VPN

Prerequisites

  1. A login to the HNI must be available.
  2. The login must be activated for VPN access at the HNI computer centre (by mail to rb@hni.uni-paderborn.de or in person at the computer centre).
  3. You need a personal network certificate. (If you use the WLAN "eduroam", you have already created and installed a valid certificate, which you can also use for VPN access).
  4. The HNI uses OpenVPN for the VPN connection. OpenVPN client software must be installed for this.
  5. To connect network drives through the VPN, a password must be set for the Windows domain of the HNI. This can be done with a password manager on a terminal server (described in the instructions) or in person at the computer centre.

Configuration guide

Configure HNI VPN on an external / private computer

Step 1: Have the VPN activated by the HNI computer centre

Access to the HNI network via the VPN is regulated by an authorisation group. Only members of this group can establish a VPN connection. There are two ways to be included in this group:

  1. by informal e-mail to the computer centre
  2. in person, at the HNI computer centre

 

Step 2: Create a network certificate

Attention! The university VPN and the WLAN "eduroam" use the same authentication procedure. If you already use a certificate for one of the two networks, you do not need a new certificate!

Only if you do not yet have an eduroam or VPN certificate:

  • Log in to the IMT service portal
  • Select the menu item Network settings under User administration
  • Now click on the button Create new certificate.
  • Enter a name for the certificate, e.g. smartphone, notebook, tablet or similar. In the next step, you will be given a password for the certificate. You should make a note of this password or keep it safe so that you can continue to use the certificate later for other services or after reinstalling your computer.
  • You will receive an e-mail with a brief description of what the network certificate is. You will find the actual certificate with the file extension .p12 attached to the e-mail.
  • Please note that a certificate cannot be used on different devices at the same time, nor can two different certificates of the same user be used at the same time. Doing so causes the VPN connection to be dropped.

 

Step 3: Install the network certificate

OpenVPN is based on SSL encryption and certificates. For a private computer to be able to connect to the HNI network via OpenVPN, the previously generated certificate and the root certificate of the certification authority (CA) must be installed on the private computer.

  • If you are already using the eduroam WLAN or the university VPN, then you have already installed the certificates. → Continue to the next step.
  • The installation of the certificates for the VPN is identical to the certificate installation for the eduroam WLAN. We therefore refer at this point to the IMT instructions for setting up eduroam.

 

Step 4: Install and configure the client software

OpenVPN requires its own client software. The HNI uses the same procedure as the IMT. We therefore also refer to the IMT installation instructions here.

Attention! Although the HNI basically uses the same technology as Paderborn University, the network addresses are different! Therefore, the HNI OpenVPN requires a different configuration file from the one mentioned in the IMT instructions.

 

Step 5: Set the password for the HNI domain (only necessary if no domain password has been entered yet).

In principle, a connection to the HNI network can now be established. In most cases, you want to use this connection to connect network drives to access data in the HNI. There are a few things to bear in mind here:

Private or external computers do not usually belong to the Windows domain of the HNI. However, authentication in the HNI is (for many reasons) designed precisely for computers that are domain members. So that users on external computers can also connect to network drives, their password must be explicitly set in the Windows domain. This is only necessary once (or again later if the password is to be deliberately changed).

You can either set the domain password when entering the VPN password at the computer centre, or you can enter it yourself via the VPN connection you have just created. This is how it works:

  • Prerequisite: Computer is running, a network is connected, the VPN connection is established.
  • Click Start → Run, enter mstsc and click OK
    (mstsc stands for Microsoft Terminal Server Client and allows you to log on to a remote Microsoft server and run programs there).
  • The window for the remote desktop connection opens.
  • Enter hni-pwm.hni.uni-paderborn.de as the server and click on Connect.
  • The login screen of the computer appears.
  • Enter UNI-PADERBORN.DE\[IMT login name] as the login. It is important that "UNI-PADERBORN.DE\" is capitalised before the login name!
  • Enter the normal HNI/IMT password.
  • The desktop of the computer appears.
  • There is a blue symbol for the HNI Password Manager V3 on the desktop. Double-click on it and follow the instructions to enter the password for the Windows domain. I recommend using the same password that is used as the IMT password at this point (to avoid confusion).
  • Start → Log off to exit the terminal server and return to your own desktop.

 

Step 6: Connect network drives through the VPN.

A VPN connection can now be established and the password for authenticating external computers has been entered. All that remains is to connect the network drive(s):

  • Prerequisite: Computer is running, a network is connected, the VPN connection is established.
  • Open Windows Explorer (either click Start → My Computer, double-click My Computer on the desktop, or press Windows-E).
  • Click on Connect network drive in the menu bar under Tools.
  • Select a drive letter (e.g. P: like pro_studi).
  • For Folder, enter the share in the form: \\[server name]\[share name].
    The server name could be e.g. hni-fs1.hni.uni-paderborn.de. The share name could be e.g. pro_studi. To stay with the example, the Folder field should then contain \\hni-fs1.hni.uni-paderborn.de\pro_studi.
  • If desired, tick the Restore connection on login box. This allows you to quickly re-establish the connection if the computer was switched off and/or the VPN connection was disconnected.
  • Important! Now click on Establish connection under a different user name.
  • The window for Connect as... opens.
  • Enter HNIRB\[IMT/HNI login name] for user name. Again, it is important that HNIRB\ is capitalised before the login name.
  • As password, enter the password that you previously entered with mstsc on the computer hni-pwm. (If you have followed my recommendation, it is the same as the normal IMT password).
  • Once you have successfully entered the login data, you are back in the Connect network drive window and can click Finish.

Settings and parameters in brief

Settings in brief

  • Activate login for VPN
    In order to be able to connect to the HNI VPN, a corresponding authorisation must be entered. This can be done in person at the computer centre or by sending an informal email to the computer centre.
  • Create a WLAN certificate (for eduroam WLAN)
    If you already have a certificate for the eduroam WLAN, you can also use the same certificate for VPN access. If you do not yet have a certificate, you can create one in the IMT user administration.
  • Install WLAN certificate
    Is described in the IMT instructions.
  • Install OpenVPN client software
    Is described in the IMT instructions. However, a different configuration file is required for the HNI. The HNI configuration file is available here (right-click → Save target as...) for Windows, MacOS-X or Linux or for iOS.
  • Network drives - domain password
    To connect to network drives in the HNI, a password must be set for the Windows domain of the HNI. This password can be entered using the password manager on the computer hni-pwm.hni.uni-paderborn.de or in person at the computer centre.
  • Network drives - authentication
    To connect to network drives in the HNI, the login must be entered in the following form:
    HNIRB\[login name] or HNI.UNI-PADERBORN.DE\[login name]
    It is important that the domain name is capitalised and separated by a backslash before the login name.
  • Network drives - share names
    When connecting network drives, make sure that the server name is specified as a Fully Qualified Domain Name (FQDN). So for example \\hni-fs1.hni.uni-paderborn.de\pro_studi
    (\\hni-fs1\pro_studi does not work with a VPN connection, as an external computer cannot recognise that a server in the HNI is meant).
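
The drive mapping from Step 6, together with the FQDN and login rules summarised above, scripted in PowerShell. This is an added example and not part of the HNI instructions: the function and parameter names are hypothetical, while the server, share and HNIRB\ prefix are the examples the page gives. It prompts for the domain password instead of taking it on the command line.

```powershell
# Added example (not HNI tooling). Function and parameter names are assumptions.

function Test-HniUncPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expect \\server\share; the server part must be an FQDN (contains a dot),
    # because a short name such as \\hni-fs1 cannot be resolved by an external computer.
    if ($Path -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)\\?$') {
        throw "Not a UNC share path: $Path"
    }
    $server = $Matches.server   # save before the next regex test overwrites $Matches
    if ($server -notmatch '\.') {
        throw "Server '$server' is a short name; use the FQDN, e.g. $server.hni.uni-paderborn.de"
    }
    return $server
}

function Connect-HniShare {
    param(
        [Parameter(Mandatory)][string]$Login,                        # IMT/HNI login name
        [string]$DriveLetter = 'P',                                  # page example: P: like pro_studi
        [string]$Path = '\\hni-fs1.hni.uni-paderborn.de\pro_studi'   # page example share
    )
    $server = Test-HniUncPath -Path $Path

    # The page lists an established VPN connection as a prerequisite.
    # File shares use SMB on TCP 445, so check that port before prompting for a password.
    if (-not (Test-NetConnection -ComputerName $server -Port 445 -InformationLevel Quiet)) {
        throw "Cannot reach $server on TCP 445. Is the VPN connection established?"
    }

    # Domain prefix in capitals, then a backslash, then the login name.
    $cred = Get-Credential -UserName "HNIRB\$Login" -Message 'Password set with the HNI Password Manager'

    # -Persist corresponds to ticking "Restore connection on login";
    # -Scope Global keeps the drive after this function returns.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Path `
                -Credential $cred -Persist -Scope Global
}

# Usage ('jdoe' is a placeholder login name):
# Connect-HniShare -Login 'jdoe'
```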