VPN service

1. About

TL;DR

A virtual private network (VPN) is a mechanism for creating a secure connection to extend access to a private network (one that disallows or restricts public access) to users who do not have direct access to it, such as an office network allowing secure access using an insecure communication medium such as the public Internet.

2. Systems

2.1 Frontend

FQDN IPv6 IPv4 Notes
connect.vpn.bfh.info High-available entry-point for all VPN connections
config.vpn.bfh.info Setup URL for VPN configuration

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods, changes are implemented instantly
  • backend can be rebootet without notice at any time
  • backend access will soon be restricted

FQDN IPv6 IPv4
node1.vpn.bfh.info 2a07:6b44:115:11::21 10.4.123.21
node2.vpn.bfh.info 2a07:6b44:115:11::22 10.4.123.22
node3.vpn.bfh.info 2a07:6b44:115:11::23 10.4.123.23
node4.vpn.bfh.info 2a07:6b44:115:11::24 10.4.123.24
FQDN IPv6 IPv4
proxy.vpn.bfh.info 2a07:6b44:115:11::10 147.87.28.2
node1.proxy.vpn.bfh.info 2a07:6b44:115:11::11 147.87.28.3
node2.proxy.vpn.bfh.info 2a07:6b44:115:11::12 147.87.28.4
node3.proxy.vpn.bfh.info 2a07:6b44:115:11::13 147.87.28.5
node4.proxy.vpn.bfh.info 2a07:6b44:115:11::14 147.87.28.6
FQDN IPv6 IPv4
web.vpn.bfh.info 2a07:6b40::82 147.87.0.82

2.3 Legacy (Cisco ASA/AnyConnect)

FQDN BFH non-BFH IPv6 IPv4
vpn.bfh.ch
vpnext.bfh.ch
FQDN IPv6 IPv4
vc41.bfh.ch 147.87.19.66
vc42.bfh.ch 147.87.19.67
vc43.bfh.ch 147.87.19.68
vc39.bfh.ch 147.87.19.74

3. Features

3.1 Access

  • all staff and student accounts are automatically granted the permission to use VPN.

  • all other accounts can be manually granted permission if needed (such as guest and ext accounts) by making them a member of the IDM.perm.infrastructure.vpn.access group in LDAP.

  • client uses TLS-CRYPT as shared secret

3.2 Sessions

  • there is no session limit, multiple devices can be connect with one account at the same time.

  • there is session timeout of 3d after which clients are automatically disconnected.

  • there is no bandwith limit, however individual client connections currently top-out at around 1GB/s.

  • VPN connections from BFH internal network is blocked.

3.3 Client addresses

  • each client recieves both a public IPv4 (147.87.80.0/20) and a public IPv6 address (2a07:6b44:209::/48) managed by the VPN server (not via DHCP), detailed subnet to node mappings are defined in the subnet list.

  • there is no subnet propagation, the VPN service is for connecting single clients to the BFH network, not entire subnets (site-to-site).

  • there is no client isolation, VPN clients are part of fabric-clients and can reach each other as well as any network addresses just as LAN and WLAN clients.

  • no DDNS for clients for the moment

3.4 Client routing

  • VPN is a Layer 3 Tunnel (tun) via UDP on the default port 1194.

  • Fallback is TCP port 443.

  • General connection preference is: udp6 -> udp4 -> tcp6 -> tcp4

  • failover indiscriminatly, regardless of connectivity or daemon load.

  • 75% of the backend daemons listen on UDP, 25% on TCP.

  • in general only BFH IPv6 subnets and IPv4 subnets go through VPN, everything else goes through the local internet uplink.

  • exceptions are maintained (TODO bad9) for e.g. book publishers that have allowed BFH subnets for their services, these are also going through VPN.

  • DNS queries for bfh.ch are tunneled through VPN when using a windows client, all other DNS queries do not go through the tunnel but the to the local resolver. => see client matrix

  • users can send all traffic through the tunnel if they choose to.

3.5 Client configuration

  • only openvpn3 clients are supported.

  • the setup URL is https://vpn.bfh.info

  • the connection host is connect.vpn.bfh.info

  • the configuration is only downloaded once during the setup of the client, there is no automatic configuration update (needs to be triggered manually on the client by re-running the setup).

  • users authenticate with their BFH account and password as present in LDAP (with and without @bfh.ch suffix).

  • client uses nobind to have the tun interface move on top the active interface (LAN vs. WLAN)

  • client verifies endpoint client certificate (with embedded root ca certificate)

  • client uses decreased poll timeout to 5s

  • client notifies server on exit

  • data cipher is CHACHA20-POLY1305

  • TODO bad9: remaining ciphers

3.6 Server load-balancing

  • 2 nodes with nft as loadbalancer (active/passive)

  • nft loadbalancer does round-robin on both backends and instances

  • traffic to the loadbalancers (/29) are excluded from the tunnel

3.7 Server connections

  • each backend has multiple daemons to handle many sessions in parallel for maximizing bandwith

  • each daemon has its own subnet (openvpn is setup in subnet topology)

  • management port per daemon on socket (/run/openvpn/management_$id.socket)

4. Operations

  • TODO gbs4: discontinue vpn formular fuer ext accounts

  • TODO bad9: management port aggregation on vpn.bfh.info for sysadmin

  • TODO bad9: nerdlog on vpn.bfh.info

  • TODO: logging all required information, persistent

4.1 Client features

  • TODO bad9: add row for openvpn linux client

Feature Linux macOS Windows Android iOS
Client version (as of 2025-06-03) 24.1+dfsg-1 3.7.1 3.7.2 3.7.1 3.7.1
Config download works? yes yes yes yes yes
IPv6 routes set? yes yes yes yes yes
IPv4 routes set? yes yes yes yes yes
DNS internal view for bfh.ch? yes yes yes yes no
IPv6 precedence over IPv4? yes yes yes yes yes
Fail-over-duration when daemon full? TODO TODO 43s TODO TODO
Access to hotspots VPN? TODO no
Uses system TLS certificates? yes no no TODO no

6. Backlog

Legacy

  • Cisco ASA Abschaltung Ende 2025

  • Redirect vpn.bfh.ch zu vpn.bfh.info

Setup

  • TODO juli: client update empfehlung (MWS)

  • TODO juli: documentation for end-users (FSS)

  • TODO juli: client deployment for end-users (MWS)

  • TODO juli: enduseranleitung und links auf vpn.bfh.info

  • graphivz im servicebeschrieb

  • TODO juli/august: upgrade to trixie

  • TODO juli/august: replace nft loadbalancer with udp aware proxy

  • TODO juli/august: rate-limiting auf proxy

  • TODO august: vpn desastery recovery documentation/exercise

Features

  • MFA

  • Data Channel Offload (DCO) with Linux >= 6.14

  • DDNS via client-connect/client-disconnect hooks auf openvpn-server

  • Authentication with certificates

Known issues

  • configuration inconsistency: OpenVPN Client bug on IPv6-only systems (#351)

  • configuration inconsistency: OpenVPN Server ‘proto: udp6’ is needed to have udp4 too (dualstack)

  • android: “always on” vpn warnings

  • openvpn3-client doesn’t support connection profiles (#15)

  • there’s no possibility to push config changes or an updated config to the client