VPN service
1. About
A virtual private network (VPN) is a mechanism for creating a secure connection to extend access to a private network (one that disallows or restricts public access) to users who do not have direct access to it, such as an office network allowing secure access using an insecure communication medium such as the public Internet.
2. Systems
2.1 Frontend
FQDN | IPv6 | IPv4 | Notes |
---|---|---|---|
connect.vpn.bfh.info | High-available entry-point for all VPN connections | ||
config.vpn.bfh.info | Setup URL for VPN configuration |
2.2 Backend
Always use the frontend DNS record
Never use the backend nodes directly:
- backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
- backend has no legacy support or grace periods, changes are implemented instantly
- backend can be rebootet without notice at any time
- backend access will soon be restricted
FQDN | IPv6 | IPv4 |
---|---|---|
node1.vpn.bfh.info | 2a07:6b44:115:11::21 | 10.4.123.21 |
node2.vpn.bfh.info | 2a07:6b44:115:11::22 | 10.4.123.22 |
node3.vpn.bfh.info | 2a07:6b44:115:11::23 | 10.4.123.23 |
node4.vpn.bfh.info | 2a07:6b44:115:11::24 | 10.4.123.24 |
FQDN | IPv6 | IPv4 |
---|---|---|
proxy.vpn.bfh.info | 2a07:6b44:115:11::10 | 147.87.28.2 |
node1.proxy.vpn.bfh.info | 2a07:6b44:115:11::11 | 147.87.28.3 |
node2.proxy.vpn.bfh.info | 2a07:6b44:115:11::12 | 147.87.28.4 |
node3.proxy.vpn.bfh.info | 2a07:6b44:115:11::13 | 147.87.28.5 |
node4.proxy.vpn.bfh.info | 2a07:6b44:115:11::14 | 147.87.28.6 |
FQDN | IPv6 | IPv4 |
---|---|---|
web.vpn.bfh.info | 2a07:6b40::82 | 147.87.0.82 |
3. Features
3.1 Access
all staff and student accounts are automatically granted the permission to use VPN.
all other accounts can be manually granted permission if needed (such as guest and ext accounts) by making them a member of the
IDM.infra.infrastructure.vpn.access
group in LDAP.
3.2 Sessions
there is no session limit, multiple devices can be connect with one account at the same time.
there is session timeout of 3d after which clients are automatically disconnected.
there is no bandwith limit, however individual client connections currently top-out at around 1GB/s.
VPN connections from BFH internal network is blocked.
3.3 Client addresses
each client recieves both a public IPv4 (147.87.80.0/20) and a public IPv6 address (2a07:6b44:209::/48) managed by the VPN server (not via DHCP), detailed subnet to node mappings are defined in the subnet list.
there is no subnet propagation,the VPN service is for connecting single clients to the BFH network, no subnets (site-to-site).
there is no client isolation, VPN clients are part of
fabric-clients
and can reach each other as well as any network addresses just as LAN and WLAN clients.
3.4 Client routing
VPN is a Layer 3 Tunnel (tun) via UDP on the default port 1194.
Fallback is TCP port 443.
50% of the backend daemons listen on UDP, 50% on TCP.
in general only BFH IPv6 subnets and IPv4 subnets go through VPN, everything else goes through the local internet uplink.
exceptions are maintained for e.g. book publishers that have allowed BFH subnets for their services, these are also going through VPN.
DNS queries for bfh.ch are tunneled through VPN when using a windows client, all other DNS queries do not go through the tunnel but the to the local resolver.
users can send all traffic through the tunnel if they choose to.
3.5 Client configuration
only openvpn3 clients are supported.
the setup URL is
https://config.vpn.bfh.info
the connection host is
connect.vpn.bfh.info
the configuration is only downloaded once during the setup of the client, there is no automatic configuration update (needs to be triggered manually on the client by re-running the setup).
users authenticate with their BFH account and password as present in LDAP.
client uses nobind to have the tun interface move on top the active interface (LAN vs. WLAN)
client verifies endpoint client certificate (with embedded root ca certificate)
client uses decreased poll timeout to 5s
client notifies server on exit
data cipher is
CHACHA20-POLY1305
6. Backlog
Setup
config: shared secret for TLS-AUTH
logging?
nft proxy in HA
upgrade to trixie
harmonize linux and windows/macos config files wrt/ ca-certificates
documentation: vpn.bfh.info
documentation for end-users (FSS)
client deployment for end-users (MWS)
management port aggregation via e.g. vpn.bfh.info for sysadmin?
loadbalancer exclusion in config, one 1 or just the whole /29?
vpn always-on, even when inside BFH net?
enduseranleitung
vpn formular
ddns?
fail2ban?
geht auch user@bfh.ch?
link zu clients auf vpn.bfh.info
graphivz
Features
MFA
Data Channel Offload (DCO) with Linux >= 6.14
replace nft loadbalancer with udp aware proxy
authentication via certificates
Known issues
OpenVPN Client bug on IPv6-only systems (#351)
openvpn3-client doesn’t support connection profiesl (#15)
proto: udp6
keeps ipv4 enabled?windows and macos clients do not support using system certificates
there’s no possibility to push config changes to the client
windows client on ipv4 only uplink doesn’t do ipv6 dns requests eventhough ipv6 is available through the tunnel.