VPN - Frequently Asked Questions

FAQ on VPN access to KIT

If the FAQ doesn’t help solve your problem, please see our troubleshooting page.

Which VPN-Clients can I use to establish a VPN connection to the KIT?

The SCC offers OpenVPN as VPN-service. Not supported are: PPTP, L2TP and native or Cisco IPSec.

OpenVPN General

I can’t log in to OpenVPN. Username/password aren’t accepted (error message “AUTH: Received control message: AUTH_FAILED”)

Please make sure that you log in with your KIT account. Students and employees are automatically activated for VPN. If you don’t know your KIT account or your KIT password, please contact the SCC Service Desk.

If you are an external employee and have a guest and partner account, please get in touch with your IT representative (IT-Beauftragter, ITB) and have your account activated for VPN.

If you need VPN access to an institute network, your KIT account has to be activated by the IT representative of the institute. You need the configuration file kit-vpn2vlan.ovpn. Your username is then: kit-account@realm. You can get the realm from the IT representative.

Please make sure that you are using the correct configuration file. For VPN2VLAN (access to the institute network – username kit-account@vlan-name) and for access to SAP (username kit-account@sap or kit-account@sap-von-aussen) you need the file kit-vpn2vlan.ovpn. You can find it in the instructions for your operating system. Further configuration files, for example for split VPN, can be found on the page with the special configurations.

If you are sure everything is correct but it’s still not working: set a new password on https://my.scc.kit.edu . Your password is probably not synchronized in all systems. This can happen when you have changed your password not via my.scc.kit.edu but, for example, in Windows via Ctrl+Alt+Del.

The login fails with the error message "AUTH: Received control message: AUTH_FAILED, Data channel cipher negotiation failed (no shared cipher)."

Your OpenVPN client version is too old. Since December 11th 2020 only OpenVPN client versions 2.4.0 or higher are supported. Version 2.4.0 was released in December 2016. Recommendations for action for each operating system can be found on our website "Abkündigung älterer OpenVPN-Client-Versionen" (only in German).

My Internet Provider is Vodafone/Unitymedia/KabelBW/KabelDeutschland and the VPN connection does not work. The tunnel is established, but it seems like there is no traffic going through.

This requires that you download and use a configuration that is suitable for you from the special configurations page.
Before doing this, go to http://wieistmeineip.scc.kit.edu/index.html.en_US  and check whether you have IPv6.

If you have IPv6, download the configuration file #3 (IPv6, UDP). If you don’t have IPv6 or the IPv6 configuration file doesn’t bring any improvement, download the configuration file #6 (IPv4, UDP, LowerMTU).

I have a hybrid connection from Deutsche Telekom and the VPN-connection does not work. The tunnel is established, but it seems like there is no traffic going through the tunnel.

Download the configuration file #6 (IPv4, Lower MTU) from the page with the special configurations and use it.

The VPN connection is established, but the VPN connection doesn’t work. With VPN I have no access to KIT Intranet and also not to the internet. Everything or a lot of things are not loading or are loading very slowly.

This is most likely due to PMTUD issues with your provider. This requires that you download a configuration file which is right for you from the special configurations page.

Before doing that, go to the page http://wieistmeineip.scc.kit.edu/index.html.en_US and check which Internet Service Provider (ISP) you are using and whether you have IPv6.

KABELBW, KABELDEUTSCHLAND, VODAFONE, VODANET or LIBERTYGLOBAL: If you have IPv6, download the configuration file #3 (IPv6, UDP). If you don’t have IPv6 or the IPv6 configuration file doesn’t bring any improvement, download the configuration file #6 (IPv4, UDP, LowerMTU). In order not to disturb the connection to the rest of the internet (not KIT) you can also choose the split configuration.

DTAG: You are probably using a hybrid connection from Deutsche Telekom. Download the configuration file #6 (IPv4, UDP, Lower MTU).
Other ISP: Try the configuration files #3 (IPv6, UDP) and #6 (IPv4, UDP, Lower MTU).

The OpenVPN-connection is not established, so there is a timeout when establishing the connection


The connection is either blocked by a local firewall on the computer (switch it off as a test) or you are in a network where UDP port 1194 is blocked. You can bypass this by replacing port 1194 with port 443 in the OpenVPN configuration. You can download the configuration file with UDP port 443 on the page with the special configurations. If configuration #1 with port 443 doesn’t work either, download the IPv4 TCP configuration with port 443 (#5).

When establishing the connection there is the error message “TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”.

Your internet connection is not available or you are in a network where OpenVPN with the standard UDP port 1194 is blocked. In this case you can download an alternative configuration under special configurations. It is best to try the configuration #5 IPv4-Connect TCP (l3, tcp) port 443. A possible way to bypass the OpenVPN ban in Egypt: https://www.addictivetips.com/vpn/bypass-egypt-openvpn-ban/ .

I get the error message “Unrecognized option or missing parameter(s)”.

The version of your OpenVPN client is too old for the required security parameters. You need a version >= 2.3.3. Windows, Mac OS X: download the current version of the OpenVPN client. Under Linux you should consider a distribution upgrade or install a more recent version from here: OpenVPN Software Repositories

I have disabled IPv6 on my computer and cannot establish a VPN connection.

In order to be able to establish a VPN connection to KIT, IPv6 must be activated on your system (regardless of whether your internet provider offers IPv6 or not). At the very least it must not be deactivated globally. Furthermore, it must be activated on the tun/tap interface via which the VPN connection is running. For details, see the corresponding error messages in the sections on the individual operating systems.

I can’t establish the VPN connection for the access to SAP.

For VPN access to SAP you need the configuration file kit-vpn2vlan.ovpn. You can find it at the beginning of the instructions for your operating system. The username for the login is kit-account@sap or kit-account@sap-von-aussen. As password, enter your KIT password, the comma character and the current token code.

OpenVPN Windows

I get the error message “There are no TAP-Windows adapters on this system”.

Normally, the TAP adapter is installed directly with OpenVPN. You can re-install OpenVPN. Alternatively you can install the TAP adapter manually. To do this, type “cmd” in the Windows search field, right-click on the top entry “Command Prompt” in the list and select “Run as administrator” in the context menu. In the window that opens, type (or copy) the following command (batch file) to create a TAP interface. The quotation marks are needed because the path contains a space:
"C:\Program Files\TAP-Windows\bin\addtap.bat"

I get the error message “All TAP-Windows adapters on this system are currently in use.”

Re-activate the TAP adapter. A detailed instruction can be found here: https://vpn.ac/knowledgebase/64/OpenVPN-Error-All-TAP-Windows-adapters-on-this-system-are-currently-in-use.html

I get the error message “ERROR: netsh command failed: returned error code 1”.

This error message can have several reasons:

IPv6 is deactivated on the tunnel adapter or globally in Windows. Without IPv6 our OpenVPN setup (IPv6 in the tunnel) doesn’t work. IPv6 must be activated at least on the tunnel adapter. More information on this (also on how to re-enable IPv6) can be found here: https://support.microsoft.com/en-us/help/929852/how-to-disable-ipv6-or-its-components-in-windows

Another reason could be that Microsoft Teredo/6to4 is installed/activated. This can probably also be identified on the page http://wieistmeineip.scc.kit.edu
The service Microsoft Teredo interferes with the configuration of the IPv6-address when establishing a connection. You can easily deactivate the Teredo service by using the commands:
netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state disabled
(Details and example: http://lonesysadmin.net/2011/04/25/how-to-disable-teredo-ipv6-tunneling-in-microsoft-windows/)

In some cases uninstalling and reinstalling will also solve this problem.

At the end of establishing the VPN connection I get the message: “Initialization Sequence Completed With Errors (see http://openvpn.net/faq.html#dhcpclientserv)”. Before that, the messages “TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down” and “Route: Waiting for TUN/TAP interface to come up” appear a few times.

The following actions could help:

How can I delete a configuration file from OpenVPN?

A configuration file imported into OpenVPN can be deleted in the following way: for each imported file there is a folder in C:\Users\OpenVPN\config. To delete the configuration file, delete the corresponding folder.

OpenVPN Mac OS X

With an established VPN connection under Mac OS X a few internal pages can be reached, but there are problems with the access to the fileserver, printing server, license server or to https://team.kit.edu. The name resolution (DNS) doesn’t work correctly.

Make sure that “Allow changes to manually set network settings” is activated – like it is explained in the setup instructions.

OpenVPN Linux

In Linux with Network Manager, the OpenVPN connection seems to be established (IP address is assigned), but the KIT intranet can’t be accessed.

This problem can have several reasons:
The OpenVPN plugin for the Network Manager (network-manager-openvpn) is required in version >= 1.2.10. In Debian there is a patch in version 1.2.6 with which it also works (this version is included in Debian 9). This patch does not seem to be available on Ubuntu, so you need at least Ubuntu 17.10. Alternatively you can use the command line, which is explained in the Linux manual.
If your Network Manager is new enough: Please check in the Network Manager settings whether the check mark under IPv4 settings > Routes > “Use this connection only for resources on its network” is set. If it is set, remove it. With the standard VPN connection, in which everything should go via the tunnel, the check mark must not be set, so that the default route is set.

In Linux I have problems starting OpenVPN via the Network Manager.

Please read the notes on Network Manager in the instructions for Linux. You can also start the OpenVPN client on the command line: sudo openvpn --config <configuration file> (e.g. sudo openvpn --config kit.ovpn)

When starting the OpenVPN client on the command line, it stops with an error message.

If the error message in the penultimate line is: “ERROR: Cannot ioctl TUNSETIFF tap: Operation not permitted (errno=1)”, then the problem is that you did not start your client with admin rights.
You can e.g. use sudo to start the client as root: sudo openvpn --config kit.ovpn

I get the error message “ip -6 addr add failed: external program exited with error status 2”

IPv6 is deactivated on your system, at least for the tun or tap interface. You can use the command “sysctl net.ipv6.conf | grep disable_ipv6” to check whether IPv6 is activated.
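
The check above, extended into a small script (an added example, not part of the original FAQ): it parses the output of sysctl net.ipv6.conf and reports whether IPv6 is disabled globally or only for a tun/tap interface. The function names and the sample output are constructed for illustration; counting the "default" entry as a tunnel problem assumes the tun/tap device is created after that setting was made, because new interfaces inherit it.

```shell
#!/bin/sh
# Added example: find out where IPv6 is disabled, based on lines such as
#   net.ipv6.conf.tun0.disable_ipv6 = 1

# Reads sysctl output on stdin and prints the name of every interface
# entry that has disable_ipv6 set to 1, one per line.
ipv6_disabled_ifaces() {
    awk -F' *= *' '
        $1 ~ /^net\.ipv6\.conf\..+\.disable_ipv6$/ && $2 == 1 {
            name = $1
            sub(/^net\.ipv6\.conf\./, "", name)
            sub(/\.disable_ipv6$/, "", name)
            print name
        }'
}

# Reads sysctl output on stdin and prints one verdict:
#   global - disabled for all interfaces ("all" entry)
#   tunnel - disabled on a tun*/tap* interface or on "default"
#   ok     - nothing that affects the VPN tunnel is disabled
vpn_ipv6_verdict() {
    disabled=$(ipv6_disabled_ifaces)
    verdict=ok
    for iface in $disabled; do
        case $iface in
            all) echo global; return 0 ;;
            default|tun*|tap*) verdict=tunnel ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample output (not taken from a real system).
sample_sysctl() {
    cat <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.tun0.accept_ra = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
EOF
}

if [ "${1:-}" = "--live" ]; then
    sysctl net.ipv6.conf | vpn_ipv6_verdict    # check the running system
else
    sample_sysctl | vpn_ipv6_verdict           # demo on the constructed sample
fi
```

Run the script with --live to evaluate the running system; without an argument it evaluates the constructed sample.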

With an established VPN connection under Linux, several internal pages can be reached, but there are problems with accessing the fileserver, printing server, license server or https://team.kit.edu. The name resolution (DNS) doesn’t work for all names.

Please read the instructions in the Linux manual in the section “Usage of the KIT resolver for the DNS resolution”.

Other questions about VPN

I can’t print via VPN or reach the service xyz in KIT.

Make sure that the VPN connection is established. To do this, go to the page http://wieistmeineip.scc.kit.edu. If the tunnel was established correctly, the displayed IPv4 address should have the format 141.52.x.y or 129.13.x.y and the displayed IPv6 address the format 2a00:1398:300:x::y. If you experience problems although the VPN connection is established, contact the supervisor of the printing service or the relevant service. Regarding printing, please also see the page Printing from outside the KIT network.

How do I get to my home drive via VPN?

Make sure that the VPN connection is established. Then enter the appropriate path in Windows Explorer (or at the appropriate place in your operating system):
Employees: Information can be found at KIT data storage (personal directory)
Students: Information can be found at KIT data storage (for students)

When asked for your username and password, please enter your KIT account with the associated password.

When I am signed in to the VPN, I can’t send e-mails via an external e-mail provider.

Within the KIT network (also while using VPN) you can only connect to the KIT mail server on port 25 (SMTP) for security reasons. However, you can contact other mail servers on port 465 or port 587. Alternatively you can use split VPN: then only the traffic that has KIT as its destination goes through the tunnel. For that you have to use the corresponding special configuration.

I am a student from another university and would like to set up a VPN connection to my university.

You can sign in via SSID eduroam if your university participates in eduroam. After that you can establish a connection to your university.

My question isn’t answered here.

Please read our page for troubleshooting.