The VPN service enables AMRES end users to access network resources and services within the AMRES network in a protected and safe way. Users can use the VPN if the institution where they study or work has enabled this service. More details about the VPN from the end users' point of view can be found under VPN service in the end users section.
How VPN Service Works
The AMRES VPN service is implemented with OpenVPN software, which creates an SSL VPN tunnel from the user's device to the AMRES VPN server. End users are authenticated while the VPN tunnel is being established. User credentials are sent encrypted over the Internet to the AMRES VPN server. The authentication request is sent to the AMRES VPN RADIUS server, which then proxies the request to the RADIUS server of the user's home institution, based on the realm part of the user name. The home institution's server authenticates the end user and sends the reply back to the AMRES VPN RADIUS server. If the user has been successfully authenticated, the user's device is assigned an IP address from the IP range allocated to the user's home institution. From that moment on, all traffic towards the AMRES address space is sent encrypted through the SSL tunnel. The rest of the traffic is carried through the network of the user's Internet provider.
Every institution that uses the AMRES VPN service is assigned one class C block of IP addresses from the range 10.8.0.0/16. End users connecting to the AMRES VPN are assigned an address from their institution's block. AMRES institutions may filter traffic towards the assigned IP addresses as needed.
An institution's private IP range can be divided into sub-ranges for employees and students, so that each user is assigned an IP address from the appropriate sub-range. In that case the institution's RADIUS server has to be configured so that, after successful authentication, the reply includes the attribute eduPersonAffiliation with a value of "student" or "employee", depending on the end user's role.
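The pool selection described in the paragraphs above, written out as an added sketch (this is not AMRES configuration or code). It reads "class C block" as a /24; the realm names, the per-institution blocks, the split of a block into two /25 halves, and the choice to reject a missing or unexpected affiliation are all assumptions made for the example.

```python
import ipaddress

VPN_RANGE = ipaddress.ip_network("10.8.0.0/16")   # range stated on the page

# Constructed sample data: realm -> (institution /24, split by affiliation?)
INSTITUTIONS = {
    "faculty-a.example": (ipaddress.ip_network("10.8.1.0/24"), True),
    "institute-b.example": (ipaddress.ip_network("10.8.2.0/24"), False),
}

def realm_of(username):
    """Return the realm part of user@realm, the key used for RADIUS proxying."""
    user, sep, realm = username.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("user name must have the form user@realm")
    return realm.lower()

def pool_for(username, affiliation=None):
    """Pick the address pool for a user the home institution has authenticated."""
    realm = realm_of(username)
    if realm not in INSTITUTIONS:
        raise LookupError("realm is not registered for the VPN service")
    net, split = INSTITUTIONS[realm]
    if net.prefixlen != 24 or not net.subnet_of(VPN_RANGE):
        raise ValueError("institution range must be a /24 inside 10.8.0.0/16")
    if not split:
        return net
    # Assumed layout: lower /25 for employees, upper /25 for students.
    employee_net, student_net = net.subnets(prefixlen_diff=1)
    pools = {"employee": employee_net, "student": student_net}
    if affiliation not in pools:
        # Fail closed: no fallback pool for a missing or unexpected value.
        raise PermissionError("eduPersonAffiliation missing or not recognised")
    return pools[affiliation]

def allocate(pool, in_use):
    """Return the first free host address in the pool, or None if exhausted."""
    for host in pool.hosts():
        if host not in in_use:
            return host
    return None
```

Because each role maps to a fixed sub-range, an institution that filters traffic by source address can write separate rules for students and employees.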
How to Enable Use of VPN Service?
Every AMRES institution that already participates in eduroam as an Identity Provider can also use the AMRES VPN service. In that case, the technical implementation consists only of configuring the existing RADIUS server used for eduroam.
The configuration changes that need to be applied are defined in the document "Setting of RADIUS server for AMRES VPN service" (Serbian version only). To start using the service, the institution's technical contact has to inform AMRES that the institution wants to use the AMRES VPN service by sending an email to firstname.lastname@example.org with the subject “AMRES VPN service” and a brief explanation of the configuration changes that have been made.
After successfully registering for the VPN service and configuring the RADIUS server, institution administrators have to inform their end users about the availability of the VPN service, assist them with installing the VPN software, and help them if problems arise when connecting to the AMRES VPN service.