VPN - Frequently Asked Questions

FAQ KIT VPN access

If the FAQ doesn’t help you solve your problem, please see our troubleshooting page.

Which VPN-Clients can I use to establish a VPN connection to the KIT?

The SCC offers OpenVPN as its VPN service. PPTP, L2TP and native or Cisco IPSec are not supported.

OpenVPN General

1.) I can’t log in to OpenVPN. Username/password aren’t accepted (error message “AUTH: Received control message: AUTH_FAILED”)

Please make sure that you log in with your KIT account. Students and employees are automatically activated for VPN.
If you don’t know your KIT account or your KIT password, please contact the SCC Service Desk.
In case you are an external employee and you have a guest and partner account, please get in touch with your IT representative (IT-Beauftragter, ITB) and have your account activated for VPN.
If you need VPN access to an institute network, your KIT account has to be activated by the IT representative of the institute. You need the configuration file kit-vpn2vlan.ovpn. Your username is then: kit-account@realm. You can get the realm from the IT representative.
Please make sure that you are using the correct configuration file. For VPN2VLAN (access to the institute network – username kit-account@vlan-name) and the access to SAP (username kit-account@sap or kit-account@sap-von-aussen) you need the file kit-vpn2vlan. You can find this in the instructions for your operating system.
If you are sure everything is correct, but it’s still not working: You have to set a new password on https://my.scc.kit.edu . Probably your password isn’t synchronized in all systems. This can happen when you have changed your password not via my.scc.kit.edu but, for example, in Windows via Ctrl+Alt+Del.

2.) The VPN connection is established, but the VPN connection doesn’t work. The tunnel is established, but it seems like there is no traffic going through. With VPN I have no access to KIT Intranet and also not to the internet. Everything or a lot of things are not loading or are loading very slowly.

This is most likely due to PMTUD issues with your provider. This requires that you download a configuration file for MTU problems from the special configurations page - kit-v4-lower-mtu or for VPN2VLAN kit-vpn2vlan-v4-lower-mtu (all configuration files are available in the package for the OpenVPN client Viscosity).

4.) The OpenVPN-connection is not established. There's a timeout when establishing the connection or there's the error message “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”.

If your Internet connection is established, the VPN connection is either blocked by a local firewall on your computer (switch this off as a test) or you are in a network that does not allow the connection to the VPN server to be established. Various connection options are configured in the standard configuration files. However, these cannot be used in Viscosity under macOS and Linux Network Manager. Try the configuration file kit-v4-tcp-443 or kit-vpn2vlan-v4-tcp-443 for VPN2VLAN. A possible solution for bypassing the OpenVPN ban in Egypt: https://www.addictivetips.com/vpn/bypass-egypt-openvpn-ban/ .

5.) I get the error message “Unrecognized option or missing parameter(s)”.

The version of your OpenVPN client is too old for the required security parameters. Windows, macOS: download the current version of the OpenVPN client. Under Linux you should consider a distribution upgrade or install a more recent version from here: OpenVPN Software Repositories

7.) I have disabled IPv6 on my computer and cannot establish a fully functional VPN connection.

In order to be able to establish a VPN connection to KIT, IPv6 must be activated on your system (regardless of whether your internet provider offers IPv6 or not). At least it must not be deactivated globally. Furthermore, it must be activated on the tun/tap interface via which the VPN connection is running. For details, see the corresponding error messages in the sections for the specific operating systems.

8.) I can’t establish the VPN connection for the access to SAP.

For VPN access to SAP you need the configuration file kit-vpn2vlan.ovpn. The username for the login is kit-account@sap or kit-account@sap-von-aussen. As the password, enter your KIT password, the comma character and the current token code.

OpenVPN Windows

1.) I get the error message “There are no TAP-Windows adapters on this system”.

Normally, the TAP adapter is installed directly with OpenVPN. You can re-install OpenVPN. Alternatively, you can install the TAP adapter manually. For this, type “cmd” in the Windows search field, right-click on the top entry “Command Prompt” in the list and select “Run as administrator” in the context menu. In the window that opens, please type (or copy) the following command (batch file) to create a TAP interface; the quotation marks are required because the path contains a space:
"C:\Program Files\TAP-Windows\bin\addtap.bat"

2.) I get the error message “All TAP-Windows adapters on this system are currently in use.”

Re-activate the TAP adapter. A detailed instruction can be found here: https://vpn.ac/knowledgebase/64/OpenVPN-Error-All-TAP-Windows-adapters-on-this-system-are-currently-in-use.html

3.) I get the error message “ERROR: route addition failed using service”

If this error occurs after a line "add_route_ipv6 ...", you have generally deactivated IPv6 on the TUN adapter or in Windows. This means that our OpenVPN setup (IPv6 in the tunnel) does not work. IPv6 must at least be activated on the tunnel interface.
You can find information on this here (including how to re-enable IPv6):
https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows

4.) I get the error message “ERROR: netsh command failed: returned error code 1”.

This error message can have several reasons:

IPv6 is deactivated on the tunnel adapter or globally in Windows. Without IPv6 our OpenVPN setup (IPv6 in the tunnel) doesn’t work. IPv6 must be activated at least on the tunnel adapter. You can find more information on this here (including how to re-enable IPv6): https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows

Another reason could be that Microsoft Teredo/6to4 is installed/activated. This can probably also be identified on the page http://wieistmeineip.scc.kit.edu
The service Microsoft Teredo interferes with the configuration of the IPv6-address when establishing a connection. You can easily deactivate the Teredo service by using the commands:
netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state disabled
(Details and example: http://lonesysadmin.net/2011/04/25/how-to-disable-teredo-ipv6-tunneling-in-microsoft-windows/)

In some cases uninstalling and reinstalling will also solve this problem.

5.) At the end of establishing the VPN connection I get the message: “Initialization Sequence Completed With Errors (see http://openvpn.net/faq.html#dhcpclientserv)”. Before that, the messages “TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down” and “Route: Waiting for TUN/TAP interface to come up” appear a few times.

The following actions could help:

6.) How can I delete a configuration file from OpenVPN?

A configuration file imported in OpenVPN can be deleted in the following way: for each imported file there exists a folder C:\Users\<username>\OpenVPN\config. To delete the configuration file you have to delete the corresponding folder.

OpenVPN Mac OS X

With an established VPN connection with the VPN client Tunnelblick a few internal pages can be reached, but there are problems with the access to the fileserver. The name resolution (DNS) doesn’t work correctly.

Make sure that “Allow changes to manually set network settings” is activated, as explained in the setup instructions for Tunnelblick.

OpenVPN Linux

1.) In Linux with Network Manager, the OpenVPN connection seems to be established (IP address is assigned), but the KIT intranet can’t be accessed.

Please check in the Network Manager settings whether the check mark for IPv4 settings > Routes > “Use this connection only for resources on its network” is set. If it is set, remove it. With the standard VPN connection, in which everything should go via the tunnel, the check mark must not be set, so that the default route is set.

2.) In Linux I have problems starting OpenVPN via the Network Manager.

Please read the notes on Network Manager in the instructions for Linux. You can also start the OpenVPN client on the command line: sudo openvpn --config <configuration file> (e.g. sudo openvpn --config kit.ovpn)

3.) When starting the OpenVPN client on the command line, it stops with an error message.

If the error message in the penultimate line is: “ERROR: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)”, then the problem is that you did not start your client with admin rights.
You can e.g. use sudo to start the client as root: sudo openvpn --config kit.ovpn

4.) I get the error message “ip -6 addr add failed: external program exited with error status 2”

IPv6 is deactivated on your system, at least for the tun or tap interface. You can use the command “sysctl net.ipv6.conf | grep disable_ipv6” to check whether IPv6 is activated.
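
The sysctl output above lists every interface; the following added example (not part of the original FAQ or an SCC tool) narrows it to what this FAQ requires: IPv6 must not be disabled globally and must be enabled on the tun/tap interface. The function name check_vpn_ipv6 and the optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report where IPv6 is disabled for the VPN tunnel.
# Reads the same values that "sysctl net.ipv6.conf | grep disable_ipv6" prints.

# ipv6_state DIR NAME -> prints 0 (enabled), 1 (disabled) or "missing"
ipv6_state() {
    f="$1/$2/disable_ipv6"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# check_vpn_ipv6 [DIR]
# DIR defaults to the kernel's sysctl tree; pass another directory to test.
# Prints one line per problem and returns 1 if any was found, 0 otherwise.
check_vpn_ipv6() {
    dir="${1:-/proc/sys/net/ipv6/conf}"
    rc=0
    if [ ! -d "$dir" ]; then
        # Happens when IPv6 is switched off in the kernel (e.g. ipv6.disable=1)
        echo "IPv6 not available: $dir is missing"
        return 1
    fi
    # "all" is the global switch; "default" is inherited by interfaces
    # created later, such as a new tun/tap device.
    for name in all default; do
        if [ "$(ipv6_state "$dir" "$name")" != "0" ]; then
            echo "disabled: $name"
            rc=1
        fi
    done
    # Existing tunnel interfaces; other interfaces (eth0, wlan0) are ignored.
    for path in "$dir"/tun* "$dir"/tap*; do
        [ -d "$path" ] || continue   # glob did not match anything
        name=${path##*/}
        if [ "$(ipv6_state "$dir" "$name")" != "0" ]; then
            echo "disabled: $name"
            rc=1
        fi
    done
    return $rc
}
```

Call check_vpn_ipv6 without arguments while the OpenVPN client is running; no output and exit status 0 mean IPv6 is enabled where the tunnel needs it.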

5.) With an established VPN connection under Linux, several internal pages can be reached, but there are problems with accessing the fileserver. The name resolution (DNS) doesn’t work for all names.

Please read the Linux manual, section “Using KIT resolvers for DNS resolution”.

Other questions about VPN

1.) I can’t print via VPN or reach the service xyz in KIT.

Make sure that the VPN connection is established. To do this, go to the page http://wieistmeineip.scc.kit.edu. If the tunnel was established correctly, the displayed IPv4 address should have the format 141.52.x.y or 129.13.x.y and the displayed IPv6 address the format 2a00:1398:300:x::y. If you experience problems although the VPN connection is established, contact the supervisor of the printing service or the relevant service. Regarding printing, please also see the page Printing from outside the KIT network.

2.) How do I get to my home drive via VPN?

Make sure that the VPN connection is established. Then enter the appropriate path in Windows Explorer (or at the appropriate place in your operating system):
Employees: Information can be found at KIT data storage (personal directory)
Students: Information can be found at KIT data storage (for students)

When asked for your username and password, please enter your KIT account with the associated password.

3.) When I am signed in to the VPN, I can’t send e-mails via an external e-mail provider.

Within the KIT network (also while using VPN) you can only connect to the KIT mail server on port 25 (smtp) for security reasons. However, you can contact other mail servers on port 465 or port 587. Otherwise you can also use split-VPN: then only the traffic that has the KIT as its destination goes through the tunnel. For that you have to use the configuration kit-split.

4.) I am a student from another university and would like to set up a VPN-connection to my university.

You can sign in via SSID eduroam if your university participates in eduroam. After that you can establish a connection to your university.

My question isn’t answered here.

Please read our page for troubleshooting.