VPN HELP

www.nordita.org/vpn

Use VPN to Access Resources on a Private Network

Access to some of the resources and services offered by Stockholm University (to which Nordita administratively belongs) is restricted to users sitting at computers which are directly connected to the internet via the Stockholm University network. This is the case for all computers connected via network cables in offices at Nordita, for instance.

Now what if you sit at your home computer, connected to the internet via your own internet provider, and you want access to these restricted resources? Or what if you have connected to the wireless network at Nordita, which is run by KTH and does not give access to SU resources?

This is where VPN ("Virtual Private Network") can help you.

Using the techniques described below, you can establish a VPN connection (often called a "tunnel") from a computer that is connected to any network to the Stockholm University network. The effect of this connection is to make it look as if your computer were physically connected to the Stockholm University network. All servers with restricted Stockholm University resources will therefore accept you, just as if you had been working from your office!

Read more about VPN at Stockholm University.



(Preamble) Is your computer already on the SU network?

The VPN service is only needed if your computer is connected to a non-SU network, like the KTH wireless network at Nordita or your home internet connection. You can easily check whether you are on the SU net by going to ip.su.se. This page displays the IP number currently assigned to your computer, a sequence of four dot-separated integers. Stockholm University uses several IP number sequences, but the IP numbers used by Nordita, e.g. in the fixed connections in Nordita offices, start with:

130.237.164.

followed by a number between 129 and 255, as in 130.237.164.141.

1. Make sure that your device is up to date

VPN is a well-tested and secure service for connecting your device (computer, tablet or mobile phone) to resources over the network, but no chain is stronger than its weakest link. And that weakest link might be your device. SU therefore requires that for any device on which VPN is installed:

  • the operating system (Windows, Mac, Linux) must be updated
  • there should be an updated antivirus program installed, where appropriate

Mac and Windows computers installed by Hans will have the SU-licensed antivirus program Sophos installed. Keeping your operating system up to date is, however, your responsibility.

2. Create and download a VPN configuration file for the SU VPN service

A VPN client like FortiClient or WireGuard can be used to connect to several different private networks. What you need to do now is to tell the client how to connect specifically to the SU network. This configuration could be done manually, but it is much more convenient to download and apply a ready-made configuration file from SU.

  • Go to vpn-beta.su.se
  • At this point you might be prompted to log in to your SU computer account. Use your SU username and password:

  • Read the terms of service carefully and accept:

  • Now you can create configuration files for WireGuard on any of your devices, such as a laptop, a tablet or a mobile phone. Each device should have its own configuration file. Let's create one for a laptop. Click the blue [+] button at the bottom of the page:

  • You should enter an understandable "Client name" to distinguish between the configurations for your various devices.

  • If you happen to know the domain name of your device, if any, you could enter that in the "Client Name" field. If you are on a Linux computer, avoid using blank spaces or non-alphanumeric characters in the client name, since this name will be used later in the command for starting a VPN tunnel. If you don't enter anything in the client name field, the configuration will be named "Unnamed Client". The "Label" field is optional. Press "Create" to confirm:

  • A colourful box displays the basic facts about this configuration. If you intend to install WireGuard on several different devices, like your laptop and your mobile phone, you should create different configurations for each device:

  • Click "Download Config" to download the file to your device:

  • Depending on your operating system you will get some kind of dialogue window to confirm the download and select the target folder. This is what it might look like on a Mac:

and this is what it might look like on an Android tablet or mobile, in the left-hand image:

  • Check in your filesystem that you did get a file, with a file name like the "Client Name" that you entered, with any spaces replaced by underscores, and with the extension ".conf". On an Android device it might look like in the right-hand image above, and this is what the download folder might look like on a Mac:

The VPN configuration file you have just downloaded is just a text file. If you open it in an editor it will list the basic configuration parameters that WireGuard needs to create a VPN tunnel for you later. Don't edit the file! You can just check that it has the following general structure (the various values will of course be different in your file):

[Interface]
PrivateKey = 93vt4VWxletQDMB8ZDmJqtmNEm4Xht9AXe23fLg69S2=
Address = 10.123.123.123/32
DNS = 193.456.456.456
[Peer]
PublicKey = P5wnl0XCiitqxJU7HWWLXBXgTaOvjl2hJjdEf6ShJjwA=
Endpoint = 193.123.123.123:51820
AllowedIPs = 0.0.0.0/0

Again: don't change anything in the file!

3. Install the VPN client WireGuard on your device

The SU IT department distinguishes between two types of computer, and recommends different VPN clients for each of them.

  1. SU Workstation (in Swedish "Arbetsplatsdator", often called "SUA"). This is a service where the computer is installed and maintained remotely by the IT department; only a limited set of approved software can be installed; the user does not have administrator rights. At Nordita, only the administrative staff, and not all of them, have SUA computers. The recommended VPN client for SUA computers is FortiClient. Installation instructions are here: Connect to VPN from SU Workstation computers (FortiClient).

  2. All other computers, i.e. locally maintained computers. The rest of these instructions are about installing and configuring the recommended VPN client WireGuard, which is available for Linux, Mac and Windows, as well as for Android and iOS.

The installation of WireGuard is fairly straightforward. On Linux the installation is made from the command line, and for all other operating systems you download and run an installer.

3.1 Install WireGuard for Mac, Windows, iOS and Android

  • As you can see, WireGuard for macOS and iOS is installed from the Apple App Store, and for Android from the Google Play Store. For Windows, download and run an installer.
  • The desktop icon of WireGuard looks as follows (here on a Mac):

You can now continue with configuring WireGuard for the SU VPN service for Mac or Windows, or for iOS and Android.

3.2 Install WireGuard for Linux

On Linux, WireGuard is installed with a package manager from the command line. The exact command will depend on your Linux distribution and the package manager used. For details have a look on

For Ubuntu and other Debian-like distributions you would use apt, or yum for RHEL or CentOS distributions, etc.

  • Open a terminal window.
  • Type in the installation command for wireguard. Here is the command for apt (or apt-get):

sudo apt-get install wireguard

On proceeding you might find that some supporting applications required by wireguard are missing, like resolvconf for DNS lookup resolution. In that case just install them too:

sudo apt-get install wireguard resolvconf

The actual WireGuard executable is called wg, so you can check your installation with any of the following commands:

which wg
wg -v
wg -V

Unless you are an expert, you would not use wg directly to create VPN tunnels, but instead use a handy script called wg-quick which does most of the technical magic for you. Check that you got this script installed:

which wg-quick

The script makes use of a WireGuard configuration file directory. Check that it has been created for you:

ls -l /etc/wireguard

You can now continue with configuring WireGuard for the SU VPN service.

4. Configure WireGuard for the SU VPN service

Now we have to tell WireGuard about our newly created configuration. The details look a little different depending on whether you use the desktop client of WireGuard (on Mac, Windows, Linux), or the mobile client (on tablets or mobiles with iOS or Android).

4.1 Configure WireGuard for Mac or Windows

  • Start WireGuard.
  • You should see a rather empty window with a button "Import tunnel(s) from file". Press that button! The same action can be found if you press the [+] sign in the lower left corner:

  • A dialogue window opens so that you can locate the downloaded configuration file, and import the file with the "Import" button. The window will look different depending on your operating system. This is what it might look like on a Mac:

  • Depending on your operating system you might be prompted to allow that this configuration file is added to the system. Press whichever confirmation button is presented:

  • You should now see a new line in the window to the left with the name of your configuration (or "VPN tunnel"). To the right we again see some basic facts about the settings:

You can now continue with establishing a VPN tunnel to the SU private network.

4.2 Configure WireGuard for Linux

As mentioned earlier, you will use a script called wg-quick to open and close VPN tunnels. To make running this script even easier you should now move the configuration file you just downloaded to the special WireGuard configuration file directory /etc/wireguard. As an example, if you downloaded the configuration file nordita255lm.conf to your Downloads directory, use the following command to move it to the special config directory.

sudo mv ~/Downloads/nordita255lm.conf /etc/wireguard/nordita255lm.conf
ls -l /etc/wireguard

A tip: You can of course call the file whatever you want. But since this configuration file helps open a VPN tunnel to the Stockholm University private network, it might make more sense to call the configuration file su.conf, especially if you need to keep VPN files for different target networks.

sudo mv /etc/wireguard/nordita255lm.conf /etc/wireguard/su.conf
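The downloaded file holds the tunnel's private key in plain text, and on Linux its file name becomes the interface name that wg-quick uses. The shell functions below are an added example, not part of the SU or Nordita instructions: they check the structure shown in step 2 and install the file so that only its owner can read it. The function names and all sample values are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of the SU/Nordita instructions.

# has_key FILE SECTION KEY: succeeds if "KEY = value" appears under [SECTION].
has_key() {
    awk -v s="[$2]" -v k="$3" '
        { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }
        /^\[/ { cur = $0; next }
        cur == s { split($0, kv, /[ \t]*=[ \t]*/)
                   if (kv[1] == k && kv[2] != "") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_wg_conf FILE: prints one line per problem (never the key material)
# and returns 0 only if the file is complete, well named and owner-only.
check_wg_conf() {
    conf=$1; bad=0
    [ -f "$conf" ] || { echo "not a file: $conf"; return 2; }
    for want in Interface:PrivateKey Interface:Address \
                Peer:PublicKey Peer:Endpoint Peer:AllowedIPs; do
        has_key "$conf" "${want%%:*}" "${want##*:}" ||
            { echo "missing ${want##*:} in [${want%%:*}]"; bad=1; }
    done
    # wg-quick takes the interface name from the file name: 1 to 15
    # characters out of letters, digits and _ = + . -
    name=$(basename "$conf" .conf)
    case $name in
        ''|*[!A-Za-z0-9_=+.-]*) echo "invalid tunnel name: $name"; bad=1 ;;
    esac
    [ "${#name}" -le 15 ] || { echo "tunnel name over 15 characters"; bad=1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$conf" | cut -c5-10)" = "------" ] ||
        { echo "readable by group or others: chmod 600 $conf"; bad=1; }
    return "$bad"
}

# install_wg_conf FILE [DIR]: copy with mode 600, then re-check the copy.
# DIR defaults to /etc/wireguard, which needs root.
install_wg_conf() {
    dest=${2:-/etc/wireguard}/$(basename "$1")
    install -m 600 "$1" "$dest" && check_wg_conf "$dest"
}

# Constructed demo: made-up values in a scratch directory.
demo=$(mktemp -d); mkdir "$demo/etc"
printf '%s\n' '[Interface]' 'PrivateKey = CONSTRUCTED-NOT-A-KEY=' \
    'Address = 10.0.0.2/32' '[Peer]' 'PublicKey = CONSTRUCTED-NOT-A-KEY=' \
    'Endpoint = 192.0.2.1:51820' 'AllowedIPs = 0.0.0.0/0' > "$demo/su.conf"
chmod 644 "$demo/su.conf"      # what a browser download typically leaves
check_wg_conf "$demo/su.conf" || echo "fix this before running wg-quick up su"
install_wg_conf "$demo/su.conf" "$demo/etc" && echo "installed copy is owner-only"
```

For the real file, `sudo install -m 600 ~/Downloads/nordita255lm.conf /etc/wireguard/su.conf` does the move and the permission change in one step; delete the copy left in Downloads afterwards.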

You can now continue with establishing a VPN tunnel to the SU private network.

4.3 Configure WireGuard for iOS or Android

  • Start WireGuard.
  • You should see a rather empty window with a round blue (+) button in the lower left corner, as in the image to the left:

  • When you click the button you first get several choices for entering the configuration, see the right-hand image above. You could for instance select "Import from file or archive".
  • A dialogue window opens so that you can locate and select the downloaded configuration file. It will most probably be in the Downloads folder, either on the device or on a separate memory card that your device might have.
  • After finding and selecting the configuration file you now see a line in the window with the name of your configuration (or "VPN tunnel"), and a greyed-out toggle button at the end of the line, as in the image to the left:

  • Optional: If you created the WireGuard configurations on a computer and now want to import one of them to your mobile device, you could select the option "Scan from QR code", as in the image to the right above. You might need to allow WireGuard to use the camera of your device, and then you direct it to the QR code of the configuration shown on your computer screen. The end result should be the same if you download and import the configuration or if you scan it.

You can now continue with establishing a VPN tunnel to the SU private network.

5. Open a connection (VPN tunnel) to the SU network using WireGuard

When you want to establish a connection between your device and the SU network, proceed as follows.

5.1 Open a VPN tunnel on Mac or Windows

  • First make sure that your device has an internet connection (VPN can only run over an already established network connection). This can be a fixed line or wireless connection, from whichever provider you use.
  • Optional: You could check with ip.su.se that your device indeed has been assigned an IP number.
  • Start the WireGuard client on your computer.
  • Select the VPN tunnel you would like to activate in the list to the left. In our example it is the SU tunnel you created earlier.
  • Press the button "Activate":

  • If everything works as expected you should now see a green status lamp, and some information about traffic going across the tunnel:

  • Now try to access an SU service that you would normally not be allowed to access from an outside network. Did it work just as if you had been trying it from your Nordita office?
  • Optional: Check again with ip.su.se. Your device should now have been assigned one of the IP addresses 130.237.181.134 or 130.237.181.134, or possibly an IP address starting with 10 (like 10.206.132.223). This means that you're in!
  • Optional: if you are curious you can check the "networks" section in the system configuration of your operating system. You should now see that you have two active connections, the original one and now also the VPN tunnel. This will look different in different operating systems. Here is what it might look like in the System Preferences on a Mac:

  • To close the VPN tunnel you switch to WireGuard and press the "Deactivate" button.

  • Optional: If you again visit ip.su.se you will see that you have recovered the original IP number for your device.
  • You can now quit WireGuard.

5.2 Open a VPN tunnel on Linux

  • First make sure that your device has an internet connection (VPN can only run over an already established network connection). This can be a fixed line or wireless connection, from whichever provider you use.
  • Optional: You could check with ip.su.se that your device indeed has been assigned an IP number.
  • If you placed the configuration file you downloaded into the WireGuard config file directory, you open a VPN tunnel with the following command:

sudo wg-quick up nordita255lm

If you instead named your Stockholm University VPN configuration file su.conf you would use this command to open the tunnel:

sudo wg-quick up su

If you have placed the config file somewhere else than in the directory /etc/wireguard, you just call the same command but with the full path to the file:

sudo wg-quick up ~/Downloads/nordita255lm.conf

  • Now try to access an SU service that you would normally not be allowed to access from an outside network. Did it work just as if you had been trying it from your Nordita office?
  • Optional: Check again with ip.su.se. Your device should now have been assigned one of the IP addresses 130.237.181.134 or 130.237.181.134, or possibly an IP address starting with 10 (like 10.206.132.223). This means that you're in!
  • Optional: You can check that the tunnel has been activated from the command line with the command wg (actually wg show):

sudo wg

This will give you the details of the connection configuration, and two lines about the ongoing tunnel traffic:

interface: nordita255lm
  public key: 93vt4VWxletQDMB8ZDmJqtmNEm4Xht9AXe23fLg69S2=
  private key: (hidden)
  listening port: 51820
peer: P5wnl0XCiitqxJU7HWWLXBXgTaOvjl2hJjdEf6ShJjwA=
  endpoint: 193.123.123.123:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 17 seconds ago
  transfer: 98.86 KiB received, 43.08 KiB sent

  • To close the VPN tunnel you issue the following command:

sudo wg-quick down nordita255lm

  • Optional: If you again visit ip.su.se you will see that you have recovered the original IP number for your device.
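wg-quick up returns successfully as soon as the interface is configured, whether or not the SU endpoint has answered, so the "latest handshake" line is what confirms that the tunnel works. The following is an added example, not part of the original instructions, that reads the output of `wg show <interface> latest-handshakes` and flags peers without a recent handshake; the function names, the 180-second threshold and the sample keys are assumptions.

```sh
#!/bin/sh
# Added example, not part of the SU/Nordita instructions.

# stale_peers NOW MAX_AGE: reads `wg show IFACE latest-handshakes` output on
# stdin (one "public-key <TAB> unix-time" line per peer; 0 means never) and
# prints every peer without a recent handshake. Returns 0 only if all are fresh.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF == 2 {
            peers++
            if ($2 == 0) {
                print $1 ": no handshake yet"; bad = 1
            } else if (now - $2 > max) {
                print $1 ": last handshake " (now - $2) "s ago"; bad = 1
            }
        }
        END { if (!peers) { print "no peers listed"; bad = 1 }
              exit (bad ? 1 : 0) }'
}

# tunnel_alive IFACE: run the check against a live interface (needs root).
# 180 s is an assumed threshold; an idle tunnel can legitimately exceed it,
# so generate some traffic first (for example load ip.su.se).
tunnel_alive() {
    wg show "$1" latest-handshakes | stale_peers "$(date +%s)" 180
}

# Constructed sample: one peer with a fresh handshake, one that never answered.
sample=$(printf '%s\t%s\n' CONSTRUCTEDPEERKEYAAA= 1700000023 \
                           CONSTRUCTEDPEERKEYBBB= 0)
printf '%s\n' "$sample" | stale_peers 1700000100 180 ||
    echo "tunnel is up but not usable yet"
```

With the tunnel from this section open, `sudo sh -c '. ./check.sh; tunnel_alive su'` runs the check against the live interface, assuming the block was saved as check.sh.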

5.3 Open a VPN tunnel on iOS or Android

  • First make sure that your device has an internet connection (VPN can only run over an already established network connection). This can be a fixed line or wireless connection, from whichever provider you use.
  • Optional: You could check with ip.su.se that your device indeed has been assigned an IP number.
  • Start the WireGuard client on your device.
  • Locate the VPN tunnel you would like to activate in the list. In our example it is the SU tunnel you created earlier for your mobile device.
  • Click on the gray button at the end of the line to toggle it from "off" (gray button) to "on" (blue). This is what it looks like in the two different states in Android:

  • Now try to access an SU service that you would normally not be allowed to access from an outside network. Did it work just as if you had been trying it from your Nordita office?
  • Optional: Check again with ip.su.se. Your device should now have been assigned one of the IP addresses 130.237.181.134 or 130.237.181.134, or possibly an IP address starting with 10 (like 10.206.132.223). This means that you're in!
  • To close the VPN tunnel you switch to WireGuard and press the toggle button again to its "off" (gray) state.
  • Optional: If you again visit ip.su.se after closing the VPN tunnel you will see that you have recovered the original IP number for your device.
  • You can now quit WireGuard.

This page was printed on 2025-01-05 from old.nordita.org/handbook/computing/vpn