With the growth of working from home and distance learning, the need for secure access to institutional services is increasing across the community. Commercial VPN services providing remote access are expensive and don’t necessarily scale to the thousands or tens of thousands of users required in a university setting. Therefore GÉANT, with support from RIPE NCC, the NLnet Foundation and the Vietsch Foundation, has developed eduVPN.
Words: Tangui Coulouarn, DeiC
eduVPN is about accessing your institute’s network or the Internet using an encrypted connection. eduVPN aims to replace traditional closed-source VPN concentrators with an open-source, audited alternative that integrates smoothly with your federated identity environment.
The number of eduVPN instances grew considerably during the COVID-19 pandemic as people were sent home and had to access resources at their university remotely. Many universities were confronted with license, software and hardware limitations of their existing VPN solution. Some bought extra licenses, others turned to eduVPN. New instances of eduVPN used as corporate VPNs were deployed in Cyprus, France, Indonesia, Kenya, Malaysia, New Zealand, Norway, Portugal and Uganda. These added to the existing deployments in Finland, Germany, the Netherlands, Pakistan, Poland and South Africa. As the software is fully open source and freely accessible, the eduVPN team often becomes aware of new deployments only when organisations ask to be added to the applications.
eduVPN Success Stories
Marco Teixeira from the University of Minho in Portugal explains: “Amid the COVID-19 first-wave pandemic, and the increasing necessity of teleworking that derived from the confinement period, the Information and Communications Systems Services Unit of the University of Minho was tasked with the development of a contingency plan in several areas, regarding this new scenario. Remote Access service (VPN) was one of the areas for which there was the need to increase the service capacity to support an exponential growth in remote workforce. After some research, we preselected the eduVPN, a community project supported by GÉANT. This community project has the features that meet our requirements and is based on well-known and tested open source technologies. After a brief assessment we decided to adopt it. The main points in favour are:
- the absence of licensing and financial costs;
- simplicity of use for our end-users especially those with mobile clients;
- has applications for all the major platforms;
- an architecture capable of horizontal scalability that allowed us to repurpose some servers for the project.”
Another example of a new deployment is CNOUS in France. CNOUS manages services for the 2.6 million students in France (for example by allocating grants and managing student restaurants and dormitories). It consists of 27 entities (the national CNOUS and 26 regional CROUS) at different locations in France. As the COVID crisis started, CNOUS heard about eduVPN from RENATER. This caught their interest, as the VPN solutions in use at CNOUS could not scale up to the potential 15,000 users. In less than two weeks, they put a full eduVPN solution covering all 27 organisations into production. CNOUS also developed a specific web interface which allows the IT department at each CROUS to monitor their own users (number of concurrent connections, list of current users, throughput, etc.). They configured different profiles for eduVPN. The “generic” profile offers an encrypted connection between the client device and the central infrastructure of CNOUS for users authorised by their regional organisation (using SAML). End-users can then access the intranet of CNOUS. But they also created specific profiles where a regional organisation can choose to customise which servers an end-user has access to, as well as routing and private and public IP ranges. There are typically several hundred simultaneous connections on the eduVPN server at CNOUS, which is relatively light (4 vCPUs, 8 GB memory). But how does eduVPN scale for larger organisations?
This increase in the number of deployments was particularly significant in countries where the NRENs communicated about eduVPN to their member institutions, created guides explaining how to deploy eduVPN, and set out how the NREN would support institutions deploying the service (support, documentation, etc.). In France, for example, with the support of RENATER, universities were able to configure their newly deployed instances of eduVPN so that they could use SAML and become SPs in their federation. RENATER advertised the service on its website, through Twitter and mailing lists, and produced guides in French for both operators and end-users. As a result, today there are at least 8 universities using eduVPN in France and others working on it, while there weren’t any before the COVID-19 crisis.
Flexible Delivery Models
In the Netherlands, eduVPN is offered as a managed cloud service. This means the eduVPN servers are maintained by SURF. Melvin Koelewijn (Technical Product Manager SURF) is responsible for the Dutch eduVPN servers. When asked about his experience with eduVPN server scaling aspects, he says: “Our largest university handles 750 concurrent users effectively with 2 CPU cores. Based on this I expect a 16 CPU core VM would be capable of handling up to 5k concurrent users. The eduVPN software also supports multi-server scaling and we are now deploying an eduVPN cluster with 4 VMs in order to handle 10k+ concurrent users.”
Most institutions start with a single server, but it is also possible to deploy multiple servers with OpenVPN processes in order to allow for a higher number of concurrent users or to distribute over different locations. Typically, a server (with 16 cores and >= 10 Gbit) can allow up to 1,000 clients to connect (depending on firewall and connectivity capacity).
To find out more about eduVPN visit: https://www.eduvpn.org