Department of Computing Imperial College London
Q&A on using the VPN service

What is the point of VPN?
Can I connect to the internet?
What type of server is it?
What settings do I need?
How do I get an account?
Can't map my home directory?
Can I connect from Linux?
Fails connecting from a Mac?


What is the point of VPN?

Virtual Private Networks are a set of technologies that allow an organisation to construct a secure private network layered on top of the insecure Internet. In the DoC context, you might start with a home PC on a non-DoC Internet connection (for example, one provided by an external ISP), which DoC systems treat as part of the external world and therefore deny most services to, and layer a secure encrypted tunnel on top of it that gives you a new "semi-trusted" DoC IP address. This gives your home machine a higher level of trust, and hence access to more DoC services, than before; however, this trust is still limited.

The VPN is provided to access IP-restricted collegiate resources and is intended for academic use. Please do not use the VPN to route peer-to-peer traffic from applications such as WinMX, Gnutella, Bearshare etc. Abuse of this service will have the usual range of dire consequences...

The VPN system we have set up provides a VPN service to external Windows systems; for a Linux/Unix alternative, see Can I connect from Linux? Once using the VPN, most of the Windows services available within the department will be available to you: you will be able to access SMB shares, access web pages which are restricted to DoC IP addresses, and send your outgoing email via the SMTP server smtp.doc.ic.ac.uk without it being viewed as a relaying attempt and discarded.

If you don't need VPN then don't use it -- it will be significantly slower than not using it, due to the overheads of encrypting and encapsulating all your network traffic.

Note that students connecting to the VPN are only permitted to connect to Imperial and DoC via the VPN connection. You won't be able to view external web pages while connected.

Can I connect to the internet?

Not while using the VPN. The purpose of the DoC VPN is to enable you, from home, to access DoC resources - it does not provide Internet access via the VPN - you need to do that via your normal ISP connection (underneath the VPN). The obvious simple way to do this is to disconnect from the VPN - in other words, make the VPN connection whenever you want to copy something to/from DoC, copy the data, and then disconnect straightaway. Then use the rest of the Internet.

What type of server is it?

The server is a PPTP server. It actually runs on a Linux box, but from the point of view of a client it is a Windows NT VPN server. The hardware is very powerful, and any bottlenecks are in the network bandwidth between IC and the Internet.

What settings do I need?

Inform your OS that the server's name is vpn.doc.ic.ac.uk, that it is a PPTP server, that it wants MS-CHAPv2 authentication, and that it should use strong (128-bit) encryption.

How do I get an account?

Please Click Here - or, if that doesn't work, please mail us.

Can't map my home directory?

If, having made a successful VPN connection, you then can't map your files in DoC, it could be because you have a firewall on your machine; we often find that firewall software blocks this type of connection. If you do have a firewall enabled, you'll need to permit NetBIOS traffic (TCP and UDP ports 135, 137 and 139) through it to the DoC network while connected to the VPN. It is advisable to block NetBIOS on other connections to the Internet, though, so don't permit it on all interfaces.

Can I connect from Linux?

Not in a straightforward way. However it is possible to access services via a technique known as ssh port forwarding; the following is an example of using this to send email from a remote location.

You need to send SMTP traffic via an encrypted tunnel. This example uses command-line OpenSSH tools, but the principles should apply to other tools. Basically, ssh can be instructed to bind to a port on your local machine and forward any traffic sent to that port to a destination you specify via the ssh connection.

For example, I could instruct ssh to bind to port 1234 on my local machine when I ssh to a server in DoC, eg shell4.doc.ic.ac.uk. When I do this, I can specify that any traffic sent to port 1234 should be forwarded on to the departmental mail service, ie smtp.doc.ic.ac.uk:25.

The command to do this with OpenSSH is:

ssh -L 1234:smtp.doc.ic.ac.uk:25 shell4.doc.ic.ac.uk

Note: 'cpu1' has now been replaced by 'shell1'.

So, once you have issued this command, any program on your own machine can converse with the departmental SMTP server simply by connecting to port 1234 on localhost. By default ssh binds the forwarded port to the loopback interface only, so other hosts on your network cannot use the tunnel.
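As an added example (not from the original page), the forwarding spec from the command above built and checked in Python: it parses OpenSSH's -L syntax, refuses a spec whose listening side is not on loopback (otherwise any host that can reach your machine could relay through it to smtp.doc.ic.ac.uk), and submits a message through the local end of the tunnel. The host names and port 1234 are the page's; the function names and the mail addresses are assumptions of mine.

```python
import shlex
import smtplib
from email.message import EmailMessage

# Bind addresses that keep the forwarded port private to this machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def forward_arg(local_port, remote_host, remote_port, bind="127.0.0.1"):
    """Return the -L value in OpenSSH's [bind:]port:host:hostport form."""
    return f"{bind}:{local_port}:{remote_host}:{remote_port}"


def parse_forward(spec):
    """Split a -L spec into (bind, local_port, remote_host, remote_port).

    OpenSSH listens on loopback only when no bind address is given (unless
    -g / GatewayPorts is used), so a three-part spec maps to 127.0.0.1.
    """
    parts = spec.rsplit(":", 3)
    if len(parts) == 3:
        parts = ["127.0.0.1"] + parts
    if len(parts) != 4:
        raise ValueError(f"malformed forward spec: {spec}")
    bind, port, host, hport = parts
    return bind.strip("[]"), int(port), host, int(hport)


def exposed_beyond_loopback(spec):
    """True if other hosts could reach the forwarded port, and through it
    smtp.doc.ic.ac.uk, using your machine as a relay."""
    return parse_forward(spec)[0] not in LOOPBACK


def ssh_command(spec, gateway, user=None):
    """argv for a tunnel-only session (-N: forward ports, no remote shell)."""
    if exposed_beyond_loopback(spec):
        raise ValueError(f"refusing {spec}: forwarded port not on loopback")
    target = f"{user}@{gateway}" if user else gateway
    return ["ssh", "-N", "-L", spec, target]


def send_via_tunnel(local_port, sender, recipient, body):
    """Submit a message to the DoC relay through the local end of the tunnel."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "via DoC tunnel"
    msg.set_content(body)
    with smtplib.SMTP("127.0.0.1", local_port, timeout=30) as smtp:
        smtp.send_message(msg)
```

To use it, run `shlex.join(ssh_command(forward_arg(1234, "smtp.doc.ic.ac.uk", 25), "shell4.doc.ic.ac.uk"))` in one terminal to get the tunnel command, then call `send_via_tunnel(1234, ...)` with your own addresses once the tunnel is up.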

Fails connecting from a Mac?

Yes. Go into the options for the VPN session and turn off encryption. Mac's idea of MPPE and the rest of the world's don't seem to line up.

© CSG / 2008