OpenVPN

Installation and setup of OpenVPN

  1. Install OpenVPN client
  2. Include the appropriate configuration file for the desired VPN access

If you encounter any problems, please also read our FAQ and troubleshooting page.

Installation instructions

Configuration files

All VPN configuration files can be found on KIT VPN configuration files.

VPN access options

  1. Standard VPN access (configuration file kit.ovpn) - suitable for most users
    • Username: <KIT account>
    • Password: <KIT password>
       
  2. VPN2VLAN (configuration file kit-vpn2vlan.ovpn)
    • Username:  <KIT account>@<Realm> (<Realm> is the name of the target VLAN)
    • Password: <KIT password>
      or, if two-factor authentication is enabled for access:
      <KIT password><comma><token>
  3. VPN2VLAN with second factor (configuration file kit-vpn2vlan-2fa.ovpn)
    • Username:  <KIT account>@<Realm> (<Realm> is the name of the target VLAN)
    • Password: <KIT password>
    • 2FA token/one-time password (OTP): <Token>
    • Note: The file is not supported by Linux NetworkManager. Instead, use the comma method (see above).


Standard VPN access at KIT


Configuration file

You need the default configuration file kit.ovpn.

User name

Log in with the KIT account (ab1234 for employees or uxxxx for students).

Employees: Please use your KIT login name, which you can look up in the Self-Service Portal of the SCC. It consists of two characters and four numbers (e.g. ab1234). You can log in to the portal with your KIT mail address.

Students: Your login name consists of one u and four characters (e.g. uxxxx).

Using Split VPN tunneling


Configuration file

You need the default configuration file kit-split.ovpn.

As the VPN is heavily used at the moment, you should consider using the split tunneling configuration, but only if you are in a secure environment, for example when you work from home.

Please download the configuration file kit-split.ovpn from KIT VPN configuration files.

Advantage: Only traffic destined for KIT goes through the VPN tunnel. With split VPN, your connection to the internet performs better and you reduce the load on the KIT VPN infrastructure.

Disadvantage: You won't be able to directly reach publishers that do not support user authentication, because you won't be recognized as a KIT user.

Hint for Linux: When using split tunneling with NetworkManager on Linux, make sure that "Use this connection only for resources on its network" is checked in NetworkManager under IPv4 and IPv6 settings → Routes.


VPN2VLAN (access to organization unit subnet)

A separate BCD is required for setup. The desired firewall rules can be activated for the BCD.
VPN2VLAN access can be requested by the IT representative using the NETVS form Application for new BCD/new network with VPN2VLAN access.

If you as a user need VPN access for a specific BCD, please contact your IT representative. Once you have been authorized, you only need to append @realm to your KIT username. If the access is also available with split tunneling (must be requested additionally), the realm is <vlan-name>-split.

Configuration file

For the VPN2VLAN tunnels you have to use the configuration file kit-vpn2vlan.ovpn.

For BCDs with the second factor activated, you can use the configuration file kit-vpn2vlan-2fa.ovpn, which allows you to enter the token separately.
Hint for Linux: The file is not supported by Linux NetworkManager. Instead, enter the password as <KIT password><comma><token>. Here the password is a combination of your KIT password and your token, separated by a comma.


User name

You need to log in with: <kit-account>@vlan-name

VPN access to SAP with Token (*not* ESS)

Configuration file

For the tunnel to SAP you have to use the configuration file for VPN2VLAN kit-vpn2vlan.ovpn.

User name

You need to log in:

  • within the KIT: @sap with two-factor authentication
  • outside the KIT: @sap-von-aussen with two-factor authentication

The password is a combination of your KIT password and your token, separated by a comma.

Alternatively, you can use the configuration file kit-vpn2vlan-2fa.ovpn, which allows you to enter the token separately.
Hint for Linux: The file is not supported by Linux NetworkManager.

Custom configuration files

Normally, you only need the default configuration file. For special requirements, however, there are further VPN tunnels. These require custom configuration files, which you can find on KIT VPN configuration files.


Establish a VPN connection from multiple computers simultaneously

To establish multiple connections to the OpenVPN server simultaneously, you have to add a unique identifier to the user name to distinguish the clients. The identifier (e.g. the computer name) has to be added after the original user name, separated by a /, and before any @.

Example: You can simultaneously log in with user/computer1 or user/computer1@vpn-split and user/computer2@vpn-split. You can choose any identifier.
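The login-name layout described above (account, optional /identifier, optional @realm), as an added example that is not part of the original page or of KIT's own tooling. It can be used to normalise user names in VPN authentication logs so that sessions from several devices map back to one account. The names parse_login and VpnLogin, the character classes in ACCOUNT and the rule that an identifier contains no further "/" are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Account shapes as described on this page: employees "ab1234", students "uxxxx".
# Restricting the characters to lowercase ASCII letters and digits is an
# assumption of this example.
ACCOUNT = re.compile(r"[a-z]{2}[0-9]{4}|u[a-z0-9]{4}")


class VpnLogin(NamedTuple):
    account: str              # KIT account
    client_id: Optional[str]  # identifier after "/", e.g. the computer name
    realm: Optional[str]      # target VLAN after "@"
    split: bool               # realm of the form <vlan-name>-split


def parse_login(name: str) -> VpnLogin:
    """Split <account>[/<identifier>][@<realm>] and reject malformed names."""
    local, at, realm = name.partition("@")
    if at and (not realm or "@" in realm or "/" in realm):
        # An empty realm, a second "@", or an identifier placed after the "@".
        raise ValueError(f"bad realm part in {name!r}")
    account, slash, client_id = local.partition("/")
    # Assumption: an identifier is non-empty and contains no further "/".
    if slash and (not client_id or "/" in client_id):
        raise ValueError(f"bad client identifier in {name!r}")
    if not ACCOUNT.fullmatch(account):
        raise ValueError(f"not a KIT account name: {account!r}")
    return VpnLogin(account, client_id or None, realm or None,
                    realm.endswith("-split"))


if __name__ == "__main__":
    # Constructed sample names, not real accounts.
    for sample in ("ab1234", "ab1234/computer1@vpn-split",
                   "uabcd/laptop@sap", "ab1234@vpn-split/computer1"):
        try:
            print(sample, "->", parse_login(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```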

Establish multiple VPN connections on one computer simultaneously

It is possible to have multiple VPN connections active simultaneously on a computer using OpenVPN. On Windows, you need to install a second TAP adapter for this. To do this, run the following command (batch file) as an administrator: C:\"Program Files"\TAP-Windows\bin\addtap.bat . Newer OpenVPN installations provide a shortcut in the Windows Start menu for this. You can find it under "Start" -> "OpenVPN" -> "Add a new TAP-Windows6 virtual network adapter" (internally, this triggers the command "C:\Program Files\OpenVPN\bin\tapctl.exe" create --hwid root\tap0901).

Combining two VPN2VLAN connections works without any issues. However, combining the standard KIT VPN connection with a VPN2VLAN connection is unfortunately not possible without problems.