eduVPN
Remote Connection to the University Network
Why Use eduVPN?
eduVPN allows you to connect to the university network from anywhere, whether they are at home, abroad or even at another university. It acts as a secure tunnel between users and the university network, providing a secure and encrypted connection to protect sensitive data from unauthorized access.
eduVPN Installation Guides
The recommended way to connect to eduVPN is using the official application.
Manual Connection to eduVPN Using a Configuration FIle
if you have your home or work network divided into multiple subnets, or need to use multiple VPNs at the same time, you can take advantage of Manually connecting to eduVPN using a configuration file. This allows you to connect to eduVPN via Wireguard or OpenVPN.
More information and instructions are available on the dedicated Manual Connection to eduVPN Using a Configuration File page.
Rules for Connecting Via eduVPN
By connecting via eduVPN, the user gains access to the university network. It is therefore necessary to follow the University rules for the use of IT and to observe basic computer security.
What are the Advantages of Connecting via eduVPN?
Anonymity and Privacy
eduVPN encrypts all internet traffic between your device and the VPN server. At the same time, your IP address is hidden and replaced with the IP address of the server. This protects your online activity from, for example, your ISP or other third parties and strengthens your anonymity.
Secure Remote Connection
eduVPN allows MU students and employees to securely access university systems, data or services that are only accessible from the university network. Such services include, access to MU's paid information resources or access to specialized devices or licenses.
Safety on Public Networks
eduVPN also protects you when connecting to public Wi-Fi networks, for example in cafes or airports. It protects your data from eavesdropping or attacks such as login theft, providing a higher level of security.
eduVPN Profiles
eduVPN is built on the concept of profiles that allow access control at the network level. Each MUNI member will have a set of profiles, which is determined by their faculty and department affiliation.
For example, a student of the Faculty of Informatics who is also an employee of the Institute of Computer Science will have at least the profiles Student - FI and Employee - ICS, or other custom (on request) profiles for different departments and work groups.
The connections stopped working after a few months
In the default setting, the subscription to any organisation expires after 5 months. After that you have to log in again. The eduVPN app will notify you before it expires. You can renew your login in the app using the Renew Session option.
If you are using a manual configuration in WireGuard or OpenVPN to connect, you must log back into the eduVPN portal and extend the validity of that configuration using the Extend button. Alternatively, you can generate a new configuration.
Communication with other eduVPN clients does not work
The client is isolated from all other clients within eduVPN by a firewall. If it is desired for the client to be able to communicate with another eduVPN client, please contact it@muni.cz with your request.
Newly created profile does not appear in the profile selection
Newly created profiles are automatically added to users' menus in the eduVPN app or on the eduVPN portal within minutes of profile creation by administrators. In the case of the eduVPN application, immediate menu updates can be forced by logging out and back into the application.
New profiles are introduced into the active configuration in the morning of the following day at the earliest.
If the above troubleshooting did not help, please contact our IT support.
What is eduVPN?
eduVPN is a VPN (Virtual Private Network) service developed by GÉANT. The entire solution is built on top of the WireGuard and OpenVPN VPN protocols.
eduVPN allows students and employees to connect to the university network from any location, whether they are at home, abroad or even at another university. Once successfully connected to eduVPN, the device behaves as if it were physically connected to the university network.
How does VPN work?
A VPN (Virtual Private Network) works by having the user's device (the client) request the server to create an encrypted connection (tunnel). Once the server verifies the client's public key, both parties (client and server) create special network interfaces connected by this tunnel. All data that passes through the tunnel is encrypted.
This means that potential attackers only have access to encrypted data that they are unable to read. At the destination server, the data is decrypted and sent on to the network. From the outside world's perspective, it looks as if the user's device is directly connected to the network where the VPN server is located.
What is a SPLIT tunnel?
For some profiles, a version of the profile with the SPLIT extension may be available, indicating that it is a so-called SPLIT tunnel. The SPLIT tunnel routes only data destined primarily to the MUNI network via eduVPN by default.
This feature is a great advantage for experienced users who have a home or even work network divided into multiple subnets, or need to use multiple different VPNs at the same time.
If your profile does not have an available SPLIT version, consider generating your own configuration file following this guide.
Which user credentials are you when logging in?
Users can access eduVPN only via the MUNI Unified Login. To successfully log in, you must enter your UČO and primary password. Other credentials will not work.
Can turning on eduVPN affect my connection?
After the VPN connection is established, the network identity of the client machine changes. This situation can cause some complications. For example, when downloading (or uploading) data, listening to Internet radio, watching streaming video, or downloading files from FTP servers, the connection to the server from which you are receiving (or to which you are uploading) data may be interrupted. Once the connection to the eduVPN server is re-established, you need to re-establish the connection. The same situation can occur after the connection is terminated.
What is Reconnect with TCP used for?
The eduVPN service works in the background with two protocols – WireGuard and OpenVPN. Wireguard is preferred because of its better features for both end users and eduVPN administrators. Both use port 443, which is usually enabled in networks. The difference is that WireGuard currently runs exclusively on the UDP transport protocol, while OpenVPN is set to TCP.
In some non-standard networks, only TCP communication is allowed. In such networks, the connection to MUNI via WireGuard is broken, so you need to enable TCP enforcement in the application to switch to OpenVPN. On some platforms, the eduVPN app will take care of this itself if it detects problems with broken communication with eduVPN servers. On Linux and Windows platforms this should happen automatically, while on mobile platforms this behavior needs to be forced with the Reconnect with TCP button, which is available in the app.
An example of a network that blocks WireGuard (UDP) traffic is the Czech Railways trains. If you are travelling by train, we recommend using OpenVPN.
Which adresses are assigned to devices connected to eduVPN?
When connecting via eduVPN, IP addresses are assigned from the following network ranges depending on the profile type:
IPv4
100.65.0.0/16 (students)
100.67.0.0/16 (employees)
100.72.0.0/16 (external users)
IPv6
2001:718:801:900:100::/72 (students)
2001:718:801:900:200::/72 (employees)
2001:718:801:900:300::/72 (external users)
When communicating outside the MUNI network using an IPv4 address, traffic is translated to IPv4 addresses in the range 147.251.60.0/23. When communicating within the MUNI network, the user communicates using the address that has been assigned.
When communicating using IPv6, the user always communicates using their assigned IPv6 address (even outside the MUNI network).
Can eduVPN function on IPv6 only networks?
Not currently.
The eduVPN service generally allows you to connect to the eduVPN server using IPv4 or IPv6. This option is implemented by specifying the eduVPN server as a DNS name. The client then tries to resolve this DNS record on connection and connects to the correct IPv4 or IPv6 address based on the information received from the DNS server.
However, while testing how this setup works, we encountered issues with DNS name resolution on some platforms. The problem was caused by the client first configuring a tunnel for the VPN connection and then trying to resolve the DNS record to the eduVPN server. However, the translation failed because he tried to do it through an unconfigured eduVPN tunnel.
We are addressing this behavior with the developers and will try to implement IPv6 connections in the future.
Which platforms are supported to connect via eduVPN?
Connection to eduVPN is possible on the following operation systems:
- Windows,
- Linux,
- macOS,
- Android,
- iOS.