
Basic troubleshooting steps

  • If you are using Windows, make sure you are running the latest version of the OpenVPN software. The latest can be downloaded from https://build.openvpn.net/downloads/releases/latest/openvpn-install-late... . Older versions of the Windows software require you to do an additional startup step to run them as Administrator or they will fail to connect, so it is best to install the most up to date version on Windows.
  • If you've got the most up to date client on Windows and it still doesn't work then try starting OpenVPN by right clicking the OpenVPN GUI program and picking 'run as Administrator'; sometimes that helps. If this solves your problem you can make that happen automatically every time you start OpenVPN by downloading and running this batch file.
  • If you are using a Mac, make sure you are running the version of the OpenVPN software recommended by the Chemistry Computer Officers at https://www.ch.cam.ac.uk/computing/openvpn-osx . Don't upgrade to newer versions until they are recommended on that page, as we find new Mac versions often have problems.
  • If you are using Windows and can start the OpenVPN GUI but get no 'Connect' option then your installation is missing its config files, or they are in the wrong place, or have been given the wrong names. Download the Windows config file and copy it into the 'config' directory within OpenVPN: if you installed to the default location (c:\Program Files (x86)\OpenVPN), that directory will be c:\Program Files (x86)\OpenVPN\config\ . The most recent versions of the software also allow the config file to be installed under C:\Users\<your username>\OpenVPN\config

  • Make sure you are actually connected to the VPN by visiting https://apps.ch.cam.ac.uk/vpn/vpn-test
  • If the VPN software won't accept your password then check you are typing the right one:
    • Admitto password, in which case your username for OpenVPN is your crsid (your Admitto username)
    • ChemNet token, in which case your username for OpenVPN is your crsid followed by @ch.2018.cam.ac.uk
    • You cannot use your UIS password to connect to this service

Unable to access some resources even though the VPN is definitely running

The VPN can be configured in two different modes:

  • full tunnel, where all traffic is routed over the VPN. This is very secure, but slows down your network connection.
  • split tunnel, where only traffic whose destination is within the University is routed over the VPN. Everything else goes via your usual network connection.

Split tunnel mode is the most suitable for remote work because you are much less likely to experience problems when using high bandwidth applications such as video conferencing. However there are a few resources that can only be accessed remotely with a full tunnel. Configuration file versions for both full and split tunnels are available from https://downloads.ch.cam.ac.uk/vpn/latest/ . If you need a full tunnel, make sure you are using the appropriate configuration file.

Getting full tunnel despite using split tunnel config file

Some client software will set up a full tunnel even if given a split tunnel configuration file. If you are experiencing this problem please ensure you have the very latest split tunnel configuration file version, which can be found at https://downloads.ch.cam.ac.uk/vpn/latest/ . This fixes the issue for some clients. 

Linux in particular tends to set up a full tunnel no matter what config file you use. If you are using Network Manager to configure the VPN (most people will be) then go to the IPv4 tab and tick the 'Use this connection only for resources on its network' box. This will set up the routing correctly for a split tunnel, but won't configure your default DNS to use the Department DNS servers, which is necessary for getting access to anything with a name ending .ch.private.cam.ac.uk . How to set your DNS varies between Linux distributions. The DNS servers to use are 131.111.112.138, 131.111.115.208, 131.111.112.9 .
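
To confirm which mode a Linux client actually ended up in, the routing table and resolver configuration can be inspected. The script below is an added example, not something supplied by the Department. It assumes the VPN interface name starts with "tun" and that `ip` and /etc/resolv.conf are present; the sample routes are constructed.

```python
import subprocess

# Department DNS servers as listed on this page.
DEPT_DNS = {"131.111.112.138", "131.111.115.208", "131.111.112.9"}

# Constructed sample outputs of `ip -4 route show` (addresses are made up).
SAMPLE_SPLIT = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
131.111.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600"""
SAMPLE_FULL = """default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 metric 50"""

def classify_tunnel(route_text, vpn_prefix="tun"):
    """Return 'full', 'split' or 'down'; vpn_prefix (tun0, tun1...) is assumed."""
    vpn_dests, defaults = set(), []
    for line in route_text.splitlines():
        f = line.split()
        if "dev" not in f[:-1]:
            continue
        on_vpn = f[f.index("dev") + 1].startswith(vpn_prefix)
        if on_vpn:
            vpn_dests.add(f[0])
        if f[0] == "default":
            metric = int(f[f.index("metric") + 1]) if "metric" in f[:-1] else 0
            defaults.append((metric, on_vpn))
    if not vpn_dests:
        return "down"
    # OpenVPN's redirect-gateway def1 covers all addresses with two /1 routes.
    if {"0.0.0.0/1", "128.0.0.0/1"} <= vpn_dests:
        return "full"
    # Otherwise the lowest-metric default route carries non-University traffic.
    return "full" if defaults and min(defaults)[1] else "split"

def has_dept_dns(resolv_text):
    """True if resolv.conf-style text names a Department DNS server."""
    servers = {l.split()[1] for l in resolv_text.splitlines()
               if l.startswith("nameserver") and len(l.split()) > 1}
    return bool(servers & DEPT_DNS)

if __name__ == "__main__":
    out = subprocess.run(["ip", "-4", "route", "show"],
                         capture_output=True, text=True).stdout
    print("tunnel mode:", classify_tunnel(out))
    with open("/etc/resolv.conf") as fh:
        # A local stub such as 127.0.0.53 hides the real upstream servers.
        print("Department DNS in resolv.conf:", has_dept_dns(fh.read()))
```

A result of "split" together with no Department DNS server matches the situation described above, where routing is correct but names ending .ch.private.cam.ac.uk will not resolve.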

Feel free to consult the computer officers if you need more help.

Our detailed test results for split versus full tunnelling for various clients can be found at https://docs.google.com/spreadsheets/d/1VWrN7BA9o3UelssVjjHDRJjK_XW-dja9...

VPN connects but runs very slowly

Some networks and computers do not work well with the Chemistry OpenVPN default settings. A common symptom is that basic network connectivity is OK, but loading large web pages is very slow or doesn't work at all. If you are having performance problems when connected to the Chemistry VPN it can be worth trying some of the suggestions below. Whether they help or make things worse depends a great deal on the network you are connected to, so only try these if you are having real problems. They require altering your OpenVPN config file. Make sure to back up the original file before you change it.

Do not try more than one of these suggestions at once because some combinations are incompatible.

  • Try using TCP rather than UDP to connect. This leads to lower performance overall, but can work around certain kinds of network problem. To do that you need to do one of the following:
    • Download a TCP configuration file from https://downloads.ch.cam.ac.uk/vpn/latest/ and install it into your client
    • If you have a config file you can edit, replace the line "proto udp" in your config file with "proto tcp" 
    • If your client provides a GUI for configuration look for an option saying something like "Use a TCP connection" and turn it on
  • Set the link-mtu setting to a lower number than the default 1500. 1300 is a good place to start. Not all OpenVPN software supports this option so you may find you can't do this. Setting it will lead to complaints from your client about a settings mismatch with the server, but has been observed to help on some networks. Either:
    • Edit your config file and add a line saying "link-mtu 1300" . It can go anywhere in the config file.
    • If your client provides a GUI for configuration look for an option saying something like "Use custom link maximum transmission unit", turn it on, and set the MTU value to 1300.
  • Set the tun-mtu setting to a lower number than the default 1500. 1300 is a good place to start. This will lead to complaints from your client about a settings mismatch with the server, but has been observed to help on some networks. To do that, do one of the following:
    • Edit your config file and add a line saying "tun-mtu 1300" . It can go anywhere in the config file.
    • If your client provides a GUI for configuration look for an option saying something like "Use custom tunnel maximum transmission unit", turn it on, and set the MTU value to 1300.
  • Set the mssfix parameter. This is relatively new and not available in all OpenVPN software. Try one of these:
    • Edit your config file and add a line saying "mssfix 1300"
    • If your client provides a GUI for configuration look for an option saying something like "Restrict tunnel TCP maximum segment size" and turn it on. If you can set a number for the maximum segment size try 1300.
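
For clients with an editable config file, the four changes above can be applied one at a time with a small helper that keeps a backup and refuses to stack a second change on top of the first. This is an added example, not a Department tool; the function names, the ".orig" backup suffix and the sample config (including its placeholder server name) are assumptions.

```python
import re
import shutil
from pathlib import Path

MTU_OPTIONS = ("link-mtu", "tun-mtu", "mssfix")

# Constructed sample config; the server name is a placeholder.
SAMPLE_CONFIG = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"

def active_tweaks(text):
    """Return which of the page's four changes a config already contains."""
    found = set()
    for line in text.splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":      # blank line or comment
            continue
        if words[0] == "proto" and words[1:2] and words[1].startswith("tcp"):
            found.add("tcp")
        elif words[0] in MTU_OPTIONS:
            found.add(words[0])
    return found

def apply_tweak(text, name, value=1300):
    """Apply exactly one change; refuse if a different one is present."""
    if name != "tcp" and name not in MTU_OPTIONS:
        raise ValueError(f"unknown tweak: {name}")
    others = active_tweaks(text) - {name}
    if others:
        raise ValueError(f"already has {sorted(others)}; restore the backup first")
    if name in active_tweaks(text):
        return text                                # nothing to do
    if name == "tcp":
        text, n = re.subn(r"(?m)^(\s*proto\s+)udp\b", r"\1tcp", text)
        if n == 0:
            raise ValueError("no 'proto udp' line to replace")
        return text
    return text.rstrip("\n") + f"\n{name} {value}\n"

def tweak_file(path, name):
    """Back up the original once (as <name>.orig), then write the change."""
    path = Path(path)
    backup = path.with_name(path.name + ".orig")
    new_text = apply_tweak(path.read_text(), name)
    if not backup.exists():
        shutil.copy2(path, backup)
    path.write_text(new_text)
    return backup
```

If a downloaded config already contains one of these options, the helper treats it as an existing change and will not add another.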
