This page is machine-translated to make it more accessible to English-speaking readers.

Faculty VPN

Motivation

For security reasons, we provide some faculty services only to machines on the MU network, or only on the FI network. You may also find that some electronic resources available to the university are only accessible from the university's network. A secure connection can also be useful to eliminate the risk of eavesdropping on or modification of your traffic on an untrusted local network. For these cases, you can use the faculty VPN, which is based on OpenVPN.

How to connect

The configuration for connecting can be found in the Faculty Administration:

Download VPN configuration

Log in with faculty credentials.

Remember that once connected, you are subject to the FI MU computer network usage policy.

Windows

Use the OpenVPN client. When connecting, you must allow the program access to both the internal and external network in the security center alert.

Linux

We recommend using NetworkManager for configuration. You will need the openvpn package installed and VPN support in NetworkManager via the network-manager-openvpn-gnome package or similar depending on your desktop environment.

Import the downloaded VPN configuration via NetworkManager. In the dialog, fill in at least the user name with your faculty login (otherwise your local account name would be used). If you have problems under KDE, see the FAQ.

For experienced users, it may be useful to connect manually with the command openvpn VPN_FI_MU.ovpn (superuser rights are required). Please note, however, that in this case the DNS servers will probably not be set up automatically, so your DNS queries will not be protected by the VPN.

Android

Use the OpenVPN for Android client. Please note that the OpenVPN Connect app cannot be used for this purpose. After downloading the configuration, import it via the arrow icon in the top right corner of the app. Then click on the name of the newly created profile and connect.

macOS

Use the Tunnelblick client.

iOS

Use the OpenVPN Connect app. Then copy the downloaded VPN connection configuration to the OpenVPN Connect app using the share function.

Verify functionality

Once connected, you will get internal addresses from the ranges 172.27.0.0/20 and 2001:718:801:207::/64.

The external addresses will be 147.251.58.69 and 2001:718:801:23a::45. You can verify this by using, for example, our website https://wifi.fi.muni.cz/ or the external service https://www.whatismyip.com/.
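The check described above can be scripted. The following is an added example, not part of the original page or the faculty's own tooling: it looks for addresses from the VPN's internal ranges in `ip -o addr show` output and compares the addresses an IP-echo page reports with the VPN's external ones, so a family that still leaves through your ISP (for example IPv6 only) shows up as a leak. The sample input, the interface names and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Ranges and addresses quoted on this page.
INTERNAL_NETS = [ipaddress.ip_network("172.27.0.0/20"),
                 ipaddress.ip_network("2001:718:801:207::/64")]
EXTERNAL_ADDRS = {4: ipaddress.ip_address("147.251.58.69"),
                  6: ipaddress.ip_address("2001:718:801:23a::45")}

# Constructed sample of `ip -o addr show` output (interface names and
# non-VPN addresses are made up for the example).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlan0
2: wlan0    inet6 2001:db8:1::23/64 scope global dynamic
2: wlan0    inet6 fe80::1c2d:3eff:fe4f:5a6b/64 scope link
7: tun0    inet 172.27.3.14/20 scope global tun0
7: tun0    inet6 2001:718:801:207::1a2b/64 scope global
"""

def vpn_addresses(ip_output):
    """Return {interface: [addresses]} for addresses inside the VPN's internal ranges."""
    found = {}
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet6?\s+(\S+?)/\d+", ip_output, re.M):
        iface, addr = m.group(1), ipaddress.ip_address(m.group(2))
        if any(addr in net for net in INTERNAL_NETS if net.version == addr.version):
            found.setdefault(iface, []).append(str(addr))
    return found

def check_external(observed):
    """observed: addresses reported by an IP-echo page, one per family tested.
    Returns {4: status, 6: status}; status is 'vpn', 'leak' or 'untested'."""
    status = {4: "untested", 6: "untested"}
    for text in observed:
        addr = ipaddress.ip_address(text.strip())
        status[addr.version] = "vpn" if addr == EXTERNAL_ADDRS[addr.version] else "leak"
    return status

if __name__ == "__main__":
    print(vpn_addresses(SAMPLE_IP_OUTPUT))
    # IPv4 leaves through the VPN, IPv6 still leaves through the local ISP.
    print(check_external(["147.251.58.69", "2001:db8:1::23"]))
```

An empty result from `vpn_addresses` means the tunnel interface never received an address; a `leak` status means traffic of that address family bypasses the VPN.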

FAQ

  • My login is not working
    Unlike the university VPN, faculty logins are used, i.e. faculty login and faculty password. Can you use them to log in to another FI service?
  • I am using a Linux distribution (Debian/Ubuntu/...) and my DNS is not working
    Your method of connection to the VPN probably does not set up the DNS sent by the VPN server (e.g. when using openvpn directly) and at the same time your ISP does not allow you to use its DNS servers from outside its network (e.g. at UPC/Vodafone). It also means, of course, that your DNS queries travel outside the VPN. You can try adjusting your ovpn configuration as per the instructions.
  • Sending mail from the client stopped working for me
    In the FI network, or rather the MU network, you must use either a faculty (relay.fi.muni.cz) or university (relay.muni.cz) SMTP server in the mail client to prevent the spread of junk mail.
  • Split tunneling does not work for some services on FI/MU
    The configuration for split tunneling must list all FI or MU networks. This list may change over the years, so your configuration may no longer be up-to-date. Try using a full VPN and if accessing the service from it works, update the split tunneling configuration by downloading a new version.
  • The VPN always disconnects me after a day or displays a disturbing reconnection message
    You probably don't have a password saved in the client. The TLS keys are renegotiated every 24 hours, which requires reauthentication. The solution is either to save the password in your client, or to add (or edit the existing) line reneg-sec N in your VPN configuration file, where N is a sufficiently long interval in seconds between TLS key renegotiations.
  • My connection is not working under KDE
    Unfortunately, KDE does not use the standard implementation for working with VPN files, but a custom one. The solution is to import the configuration directly via the nmcli tool under your account (not under root): nmcli connection import type openvpn file /path/to/file.ovpn
    Then the login and password can be added in the GUI.
  • The VPN is not applied to (video) calls
    This is a known problem. Video calls in browsers use WebRTC, which uses ICE (which sees all network interfaces on the system) and STUN to find the best way to communicate with the other party. ICE can therefore explicitly select a (non-VPN) interface, bypassing the routing table that the VPN relies on and modifies so that it pulls all of the machine's traffic through itself. If you want to make sure that you are not affected by this problem, you must disable WebRTC in your browser.
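To see whether the WebRTC behaviour described in the last FAQ item affects a particular machine, the ICE candidates shown by the browser's WebRTC diagnostics can be compared with the VPN's addresses. This is an added example, not part of the original page; the candidate lines are constructed and the function name is an assumption.

```python
import ipaddress

# Addresses a client has while on the faculty VPN (values from this page).
VPN_NETS = [ipaddress.ip_network(n)
            for n in ("172.27.0.0/20", "2001:718:801:207::/64")]
VPN_EXTERNAL = {ipaddress.ip_address(a)
                for a in ("147.251.58.69", "2001:718:801:23a::45")}

# Constructed ICE candidate lines in the SDP "candidate:" format.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 172.27.3.14 50112 typ host",
    "candidate:2 1 udp 2122194687 192.168.1.23 50113 typ host",
    "candidate:3 1 udp 2113937151 9b36eaac-bb2e-49bb-bb78-21c41c499900.local 50114 typ host",
    "candidate:4 1 udp 1686052607 147.251.58.69 50112 typ srflx raddr 172.27.3.14 rport 50112",
    "a=candidate:5 1 udp 1685987071 198.51.100.77 50113 typ srflx raddr 192.168.1.23 rport 50113",
]

def non_vpn_candidates(lines):
    """Return (type, address) for every candidate that exposes an address
    outside the VPN, i.e. a path ICE could pick instead of the tunnel."""
    exposed = []
    for line in lines:
        fields = line.strip().removeprefix("a=").split()
        # foundation component transport priority address port "typ" type ...
        if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
            continue
        try:
            addr = ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # mDNS name (*.local): the browser hides the real address
        on_vpn = addr in VPN_EXTERNAL or any(
            addr in net for net in VPN_NETS if net.version == addr.version)
        if not on_vpn:
            exposed.append((fields[7], str(addr)))
    return exposed

if __name__ == "__main__":
    for kind, addr in non_vpn_candidates(SAMPLE_CANDIDATES):
        print(f"{kind} candidate outside the VPN: {addr}")
```

A `host` entry in the result is a local non-VPN interface offered to the peer; a `srflx` entry is the public address a STUN server saw on a path that did not go through the tunnel.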

Something missing here? Write to us.

Alternatives

Because a VPN fundamentally changes your Internet connection, you may also want to consider alternative ways to appear to faculty, university or other external services as if you were connecting from the FI network.

University VPNs can also be used, although they may not give you access to some services (available only from the FI network).

Or see also the Wikipedia password.