Overview

    The SCS VPN service provides secure "first-hop" Internet communications for faculty, staff and students with CS-GENERAL credentials. The service uses the open-source OpenVPN TLS VPN, hosted on SCS servers, which lets users on a wide variety of platforms establish an encrypted tunnel to vpn.cs.uwaterloo.ca over which all their non-local Internet traffic is routed. The default configuration also replaces clients' existing name server (DNS) configuration with a secure link to University of Waterloo name servers. When off-campus, users can be confident that Internet communications from their laptop, phone, tablet or computer are as secure as from their campus devices.

    Detailed instructions are provided below for the most popular client options. If you cannot find instructions for your device or require a custom solution, be sure to contact the CSCF Help Desk (cscfhelp@uwaterloo.ca).



Please read: Notes on 2-Factor Authentication (2FA)

    The new (2022-11-18) SCS VPN service now requires 2FA for connections. The only change for most users is that they will now receive a push on their UW Duo 2FA device to accept a request from "CS VPN LDAP proxy". Accepting that push will enable your VPN connection for up to two weeks, or until your next reconnection.

    For Duo 2FA users who use passcodes, please generate a passcode and then append it to your (CS-GENERAL) password in the VPN client, separated by a comma, i.e.
    <password> --> <password>,<passcode>
    As with the push, this connection is good for two weeks, or until next reconnection.

    Currently, at the end of the two-week 2FA authentication period, you will need to negotiate a new connection. This is a known bug in the current implementation of the OpenVPN server and should be resolved in future versions of the service to allow seamless continuation of connections.



Downloads

The configuration file for SCS OpenVPN clients can be downloaded here. The same file gives the default configuration for all supported clients. Contact the CSCF Help Desk (cscfhelp@uwaterloo.ca) for guidance with other configurations.

scs-openvpn-20221125.ovpn


Connecting with Windows

  1. First, download scs-openvpn-20221125.ovpn. Save it to a place where you won't lose it.

  2. Next, download the OpenVPN GUI program.

    OpenVPN Gui
  3. Run the OpenVPN GUI installer. Windows will ask if you want to allow the installer to make changes. Click Yes. You should be greeted by the following window:

    OpenVPN Wizard Landing

    Click Next, and you will be greeted by the next screen, asking for you to accept the terms of agreement. Read through, then click I Agree.

    OpenVPN Wizard License Agreement

    Click Next to install all of the default components:

    OpenVPN Wizard Select Components

    Choose where you want to install the program and click Install. It will now install the OpenVPN GUI application onto your computer.

    OpenVPN Wizard Select Install Location

    During the installation, you will be prompted to install a device called TAP. Allow the installation by clicking Accept in the box that comes up.

    Once the installation is finished, uncheck the README box and click Finish

    OpenVPN Wizard Finish
  4. Run the shortcut for OpenVPN GUI that was put onto your desktop. A window will appear. Press Ok to close it. Click the up arrow on the taskbar and right click the OpenVPN GUI icon, which looks like this:

    OpenVPN Icon

    When you right click you are greeted with a menu like the one below. Select the Import file... to import the .ovpn file that you downloaded at the beginning.

    OpenVPN Import File Taskbar
  5. Navigate to where you saved the .ovpn file. Select it and click Open to load it into OpenVPN.

    OVPN File

    You will be prompted by a window like the one below that shows that the file was imported successfully.

    Successful Import
  6. Right click the OpenVPN icon in the taskbar again. You will notice that there are many more options to choose from. Select Connect to begin connecting to the VPN.

    Connect to VPN
  7. The window that pops up is the OpenVPN GUI. Another, smaller window pops up, asking for your credentials to log in. Enter your CS-GENERAL credentials into their respective fields. Make sure to use your CS-GENERAL login, NOT WatIam/Nexus/Quest login!

    Credential Prompt

    If you entered your credentials properly, the window will close and a Windows system notification will appear in the bottom right, saying that the VPN is now connected. It also shows the IP address assigned to you by the VPN.

    VPN Connected Assigned to IP

    If you entered your credentials incorrectly, the credentials prompt will appear again, this time with red text at the bottom, like below:

    Credentials Unaccepted
  8. In order to disconnect from the VPN, right click the OpenVPN icon in the taskbar and select Disconnect

    Disconnect


Connecting with Mac OS X

  1. First, download Tunnelblick

    Download Tunnelblick
  2. The system will prompt you with a warning that "Tunnelblick" is an application downloaded from the internet. Click Open in the bottom right corner of the window.

    Run Tunnelblick

    You will then be prompted for your password to allow Tunnelblick to be installed into Applications.

    Install Tunnelblick into Applications
  3. Another window will appear, welcoming you to Tunnelblick and asking if you have any configuration files. In the bottom right corner, select I have configuration files

    Configuration Files

    Yet another window will come up. Feel free to read through the text, and click Ok to continue.
  4. Next, download scs-openvpn-20221125.ovpn.
  5. Navigate to where Tunnelblick downloaded and double click it. When Tunnelblick launches, you will be greeted with the following screen:

    Tunnelblick Landing Page
  6. In Tunnelblick, open the VPN Details window. In Finder, navigate to where you downloaded the .ovpn file. Select it, then drag it to the Tunnelblick configurations pane.

    Drag And Drop OVPN

    A green circle with a white plus will appear and a window will pop up once the file is dropped asking if you want to install the configuration for all users or just yourself. Choose one to continue. You will be prompted for your password.

    Install Configuration
  7. Click on the Tunnelblick icon in the top right corner of the screen. A menu will drop down. Press the box named scs-vpn.cs.uwaterlo.ca to start connecting to the VPN.

    Connect to VPN
  8. You will then be prompted for your credentials to connect to the VPN. Enter your CS-GENERAL (NOT WatIam/Nexus/Quest) creds to start connecting.

    Login Required
  9. If you are unable to successfully connect, you should see something like the following appear:

    Failed Authentication


Connecting with Ubuntu 20.04+

  1. Download VPN client configuration file scs-openvpn-20221125.ovpn

  2. Click on the icons in the top right of your screen and then click the Settings option.

    Open Settings

  3. Select Network from the left, then click on the Add (+) button to the right of the VPN section.

    Add VPN
  4. Click on the Import from file... option.

    Import From File
  5. Next, browse to where you downloaded the .ovpn file earlier (should be named scs-openvpn-client.ovpn). Select it and click "Open".

    Select Configuration
  6. Make sure that the dropdown box "Type" is set to "Password". Enter your CS-GENERAL credentials into their respective fields. The "CA Certificate" should be automatically filled with the client CA Certificate that is present in the .ovpn file (it will show as scs-openvpn-client.ca.pem). This is your client certificate that lets you connect to the VPN. Once everything is filled in, click "Add". NOTE: If the Add button is grayed out, please follow the instructions in Step 9.

    Configure VPN
  7. You should see your new OpenVPN connection under the VPN section of the network settings. Click on the slider switch to activate the VPN.

    Activate VPN
    If you see an error, double-check that you entered your credentials properly. Remember, you use your CS-GENERAL creds, not WatIam/Nexus/Quest credentials!

  8. You can also connect or disconnect the VPN by clicking on the icons in the top right of your screen as shown below.

    Deactivate VPN

  9. On certain systems (such as Arch Linux), the 'Add' button is grayed out and there are extra configuration options, such as "CA private key". Please note that the Network Manager applet doesn't support embedded certs in the .ovpn config file. So extract all BEGIN... and keys to dedicated .crt files, which you can link using ca /path/to/ca.crt and cert /path/to/id.crt etc. Manually extract the ... part and point "CA private key" to the temporary file. In this case the temporary file needs to be available whenever anything is changed.


Connecting with Ubuntu 16.04-18.04

NOTE: Versions below 16.04 are NOT supported!

  1. First, open a terminal and enter the following command to install the Network Manager Plugin for OpenVPN.
    Type the following into the terminal:
    $ sudo apt-get install network-manager-openvpn
    If that fails, then also install the following:
    $ sudo apt-get install network-manager-openvpn-gnome

    Download network-manager-openvpn
  2. Next, download VPN client configuration file scs-openvpn-20221125.ovpn
  3. Click the network manager icon in the top menu bar and select "Edit connections..."

    Edit Connections
  4. In the Network Connections box, click "Add".

    Network Connections Box
  5. In the dropdown menu, there should be a section named "VPN". Select "Import a saved Configuration" and click create.

    Import a Saved Configuration
  6. Next, browse to where you downloaded the .ovpn file earlier (should be named scs-openvpn-client.ovpn). Select it and click "Open".

    Select .ovpn File
  7. Make sure that the dropdown box "Type" is set to "Password". Enter your CS-GENERAL credentials into their respective fields. The "CA Certificate" should be automatically filled with the client CA Certificate that is present in the .ovpn file (it will show as scs-openvpn-client.ca.pem). This is your client certificate that lets you connect to the VPN. Once everything is filled in, click "Save". Then, in the "Network Connections" box, click "Close". NOTE: If the Save button is grayed out, please follow the instructions in Step 9.

    Save New Connection
  8. Go back to the network manager icon in the top menu bar. Hover over "VPN Connections" and click on the newly created VPN Connection. A box will appear in the top right of your screen indicating whether or not you were able to successfully connect to the VPN.

    If you were able to connect, you should see something similar to this:

    Successful Connection

    If you were unable to connect, you should see something similar to this:

    Unsuccessful Connection
    If you see this, double-check that you entered your credentials properly. Remember, you use your CS-GENERAL creds, not WatIam/Nexus/Quest credentials!

  9. On certain systems (such as Arch Linux), the 'Save' button is grayed out and there are extra configuration options, such as "CA private key". Please note that the Network Manager applet doesn't support embedded certs in the .ovpn config file. So extract all BEGIN... and keys to dedicated .crt files, which you can link using ca /path/to/ca.crt and cert /path/to/id.crt etc. Manually extract the ... part and point "CA private key" to the temporary file. In this case the temporary file needs to be available whenever anything is changed.
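
The extraction described in step 9 of both Ubuntu sections can be scripted. This is an added example, not part of the CSCF instructions: it assumes the profile stores its certificates as OpenVPN inline blocks (<ca>...</ca> and similar), and the function name, the .pem file names and the sample profile are made up for illustration.

```python
import os
import re
import sys
from pathlib import Path

# Inline blocks that OpenVPN also accepts as "<directive> <file>" lines.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
BLOCK_RE = re.compile(
    r"^<(?P<tag>%s)>[ \t]*\r?\n(?P<body>.*?)^</(?P=tag)>[ \t]*\r?\n?"
    % "|".join(INLINE_TAGS),
    re.DOTALL | re.MULTILINE,
)

# Constructed sample, not the contents of the real SCS profile.
SAMPLE = """\
client
remote vpn.cs.uwaterloo.ca
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def split_inline_blocks(ovpn_text, out_dir):
    """Write each inline block to out_dir/<tag>.pem and return the config
    text with that block replaced by a '<tag> <absolute path>' directive.
    Assumes out_dir contains no whitespace (the path is written unquoted)."""
    out_dir = Path(out_dir).resolve()
    out_dir.mkdir(mode=0o700, parents=True, exist_ok=True)

    def _replace(match):
        target = out_dir / (match.group("tag") + ".pem")
        # Create with 0600 and re-assert it on an existing file, so key
        # material is not left readable by other local users.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.write(match.group("body"))
        return "%s %s\n" % (match.group("tag"), target)

    return BLOCK_RE.sub(_replace, ovpn_text)


if __name__ == "__main__":
    # Hypothetical usage: split_ovpn.py profile.ovpn ~/.cert/scs-vpn > split.ovpn
    source, cert_dir = sys.argv[1], sys.argv[2]
    sys.stdout.write(split_inline_blocks(Path(source).read_text(), cert_dir))
```

Keep the output directory in place after importing the rewritten profile, since the connection refers to those files by path.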


Connecting with iOS

  1. First, download the OpenVPN Connect app from here.

    iOS OpenVPN Connect App
  2. Select the VPN client configuration file scs-openvpn-20221125.ovpn. Press "Open in OpenVPN". This will open the VPN configuration in the OpenVPN Connect app that you installed earlier.

    OpenVPN Config File - OpenVPN Connect

    Press the green plus button to add the configuration.

    Add Certificate
  3. Press Allow on the system prompt to allow OpenVPN Connect to add a new VPN Configuration - the one that allows you to connect to vpn.cs.uwaterloo.ca. You will need to either use TouchID or your password to allow OpenVPN to create the VPN Configuration.

    Allow VPN Configuration
  4. Enter your CS-GENERAL (NOT WatIam/Nexus/Quest) credentials into their respective fields. The Save switch is turned on by default - turn it off if you do not want OpenVPN Connect to save your credentials.

    OpenVPN Login Screen

    Afterwards, press the switch underneath Disconnected to attempt to connect to the VPN.
  5. If you were able to connect, you should see something similar to this:

    VPN Connected

    If you were unable to connect, you should see something similar to this:

    VPN Unsuccessful

    If you see this, double-check that you entered your credentials properly!

    NOTE: You will see this icon next to the wifi icon for the duration that you are connected to the VPN:
    VPN Icon


Connecting with Android

NOTE: Android versions below 6.0.1 are NOT supported for full DNS redirection. Contact CSCF Help Desk for options.

  1. First, download the OpenVPN for Android App from the Google Play Store. When prompted, press Allow to allow the app to access Photos/Media/Files.

    OpenVPN for Android App
  2. Next, download the VPN client configuration file scs-openvpn-20221125.ovpn.

  3. Open the OpenVPN app you downloaded earlier. You will be greeted with a landing page like the one below:

    OpenVPN for Android Landing

    If the .ovpn file is in your Recents, press it. If it is not, it could be in Internal Storage -> Download. Press the file. This will import it into the app. You will then be greeted with a screen like below. Feel free to name the profile to something that describes what it is, then either press the checkmark in the top right or the orange circle in the bottom right.

    Save Profile
  4. You will then be greeted by the following screen. Press the newly created profile.

    Imported Config

    Once pressed, you will be greeted by a window asking you to allow the app to create a new VPN configuration. Press Ok.

    Connection Request

    You will then be prompted for your credentials. Enter your CS-GENERAL (NOT WatIam/Nexus/Quest) credentials. Select the Save Password box if you do not want to enter your password every time you connect.

    Credential Prompt
  5. If you are able to connect, you should see something similar to this:

    Connection Successful

    If you were unable to connect, you should see something similar to this:

    Connection Failed
  6. To disconnect, press the profile. A window will prompt you to either Reconnect, Cancel, or Disconnect.