eduVPN
Remote Access to University Networks
Why Use eduVPN?
eduVPN allows you to connect to the university network from any location, whether you're at home, abroad, or at another university. It functions as a secure tunnel between users and the university network, ensuring a safe and encrypted connection that protects sensitive data from unauthorized access.
eduVPN Installation Instructions
The reccommended way to connect to the eduVPN service is by using the official application.
Manual Connection to eduVPN via a Configuration File
If, for example, your home or work network is divided into multiple subnets, or you need to use multiple VPNs simultaneously, you can take advantage of the Manual Connection to eduVPN using a configuration file. This allows you to connect to eduVPN through programs like Wireguard or OpenVPN.
Additional information and instructions are on the Manual Connection to eduVPN Using a Configuration File page.
eduVPN Connection Rules
By connecting via eduVPN, users gain access to the university network. It is essential to follow the IT usage rules and maintain basic computer security
What are the advantages of connecting via eduVPN?
Anonymity and Privacy
eduVPN ensures the encryption of all internet traffic between your device and the VPN server. At the same time, your IP address is hidden and replaced by the server's IP address. This protects your online activity from your internet provider or any third party and strengthens your anonymity.
Secure Remote Connection
eduVPN allows MU employees and students to securely access university systems, data, or services that are only available from the university network. Such services include access to paid information resources of MU or access to specialized equipment and instruments or university licenses.
Security on Public Networks
eduVPN also protects you when connecting to public Wi-Fi networks, such as those in cafes or airports. It safeguards your data from eavesdropping or attacks, such as credential theft, providing a higher level of security.
eduVPN Profiles
eduVPN is built on the concept of profiles, which allow network-level access control. Each member of MUNI will have access to a certain set of profiles determined by their affiliation with faculties and worksites.
For example, a student of the Faculty of Informatics who is also an employee at the Institute of Computer Science will have at least the profiles Student - FI and Employee - ICS, as well as possibly other custom profiles for different departments and work groups on request.
Connection issues after several months
V základním nastavení vyprší přihlášení k organizaci po 5 měsících. Poté je nutné se přihlásit znovu. Aplikace eduVPN vás před vypršením upozorní. Přihlášení můžete obnovit v aplikaci pomocí možnosti Renew Session.
Pokud pro připojení využíváte manuální konfiguraci v nástrojích WireGuard nebo OpenVPN, je nutné se znovu přihlásit na eduVPN portál a prodloužit si platnost dané konfigurace pomocí tlačítka Extend. Případně si můžete vygenerovat konfiguraci novou
In the default settings, the login to the organization expires after 5 months. After that, you will need to log in again. The eduVPN app will notify you before it expires. You can renew the session in the app by selecting the Renew Session option.
If you use a manual configuration in tools like WireGuard or OpenVPN, you need to log in again on the eduVPN portal and extend the validity of the configuration using the Extend button. Alternatively, you can generate a new configuration.
Communication with other eduVPN clients does not work
Clients are isolated from each other within eduVPN using a firewall. If it is desirable for a client to communicate with another eduVPN client, please contact it@muni.cz with your request.
Newly created profile is not showing up
Newly created profiles are automatically synced to users' options in the eduVPN app or on the eduVPN portal within a few minutes of the profile being created by administrators. In case of the eduVPN app, you can force an immediate update of the offerings by logging out and back into the app.
New profiles are introduced into the active configuration no earlier than the following morning.
If the above troubleshooting solutions did not help, please contact our IT support.
What is eduVPN?
eduVPN is a type of VPN (Virtual Private Network) service developed by GÉANT. The entire solution is built on top of the VPN protocols WireGuard and OpenVPN.
eduVPN allows employees and students to connect to the university network from any location, whether they are at home, abroad, or even at another university. Once successfully connected to eduVPN, the device behaves as if it were physically connected to the university network..
Would you like to learn more about the functioning of virtual private networks (wiki)?
How does VPN work?
VPN (Virtual Private Network) works by havingthe user's device (the client) request the server to create an encrypted connection (tunnel). Once the server verifies the client's public key, both parties (client and server) create special network interfaces connected by this tunnel. All data that passes through the tunnel is encrypted.
This means that potential attackers only have access to encrypted data that they are unable to read. At the destination server, the data is decrypted and sent on to the network. From the outside world's perspective, it looks as if the user's device is directly connected to the network where the VPN server is located.
What is a SPLIT tunnel?
For some profiles, a version with the SPLIT suffix may be available, indicating a SPLIT tunnel. By default, the SPLIT tunnel directs only the data intended for the MUNI network through eduVPN.
This feature is a significant advantage for advanced users with home or work networks divided into multiple subnets or who need to use multiple VPNs simultaneously.
If your profile does not have an available SPLIT version, consider generating your own configuration file according to this guide.
Which credentials to use when logging in?
Users log into eduVPN exclusively through MUNI Unfied Login. To successfully sign in, you must enter your UČO and primary password. Other credentials will not work.
Can enabling eduVPN affect my connection?
When a VPN connection is established, the network identity of the client machine changes. This situation can cause certain complications. For example, downloading (or uploading) data, listening to internet radio, streaming videos, or downloading files from FTP servers may result in the interruption of the connection with the server you are receiving (or sending) data to. After establishing a connection with the eduVPN server, you need to re-establish the connection. The same situation may occur after ending the connection.
What is Reconnect with TCP used for?
eduVPN operates in the background using two protocols – WireGuard and OpenVPN. WireGuard is preferred due to its superior functionality for both end users and eduVPN administrators. Both protocols use port 443, which is generally allowed in networks. The key difference is that WireGuard currently operates exclusively on the UDP transport protocol, whereas OpenVPN is set to use TCP.
In some non-standard networks, only communication via TCP is permitted. In such networks, the connection to MUNI via WireGuard is interrupted, and it is necessary to enable TCP enforcement in the application to switch to OpenVPN. On some platforms, the eduVPN application will handle this automatically once it detects issues with communication with eduVPN servers. On Linux and Windows platforms, this should occur automatically, whereas on mobile platforms, you need to enforce this behavior with the Reconnect with TCP button found in the application.
An example of a network that blocks WireGuard (UDP) traffic is the Czech Railways trains. If you are travelling by train, it is recommended to use OpenVPN.
Which IP adresses are assigned to devices connected to eduVPN?
When connecting via eduVPN, IP addresses are assigned from the following network ranges depending on the profile type:
IPv4
100.65.0.0/16 (students)
100.67.0.0/16 (employees)
100.72.0.0/16 (external users)
IPv6
2001:718:801:900:100::/72 (students)
2001:718:801:900:200::/72 (employees)
2001:718:801:900:300::/72 (external users)
When communicating outside the MUNI network using an IPv4 address, the traffic is translated to IPv4 addresses from the range 147.251.60.0/23. Within the MUNI network, the user communicates using the assigned address.
When communicating using IPv6, the user always communicates using their assigned IPv6 address (even outside the MUNI network).
Can MUNI eduVPN work on IPv6 only networks?
Not currently.
The eduVPN service generally allows you to connect to the eduVPN server using IPv4 or IPv6. This option is implemented by specifying the eduVPN server as a DNS name. The client then tries to resolve this DNS record on connection and connects to the correct IPv4 or IPv6 address based on the information received from the DNS server.
However, while testing how this setup works, we have encountered issues with DNS name resolution on some platforms. The problem was caused by the client first configuring a tunnel for the VPN connection and then trying to resolve the DNS record to the eduVPN server. The translation failed, however, because he was trying to do so through an unconfigured eduVPN tunnel.
We are addressing this behavior with the developers and will try to implement IPv6 connections in the future.
Which platforms are supported to connect via eduVPN?
Connection to eduVPN is possible with the following operating systems:
- Windows,
- Linux,
- macOS,
- Android,
- iOS.