"Setting up eduVPN together with SURF was quicker and involved less direct costs than an in-house VPN service."
Working safely from home at Radboud University
To enable secure remote working, Radboud University combines two SURF services: eduVPN for encrypted connections and SURFsecureID for cases where username and password do not provide sufficient security.
Difficult start
The start was dramatic. Just as eduVPN was being commissioned at Radboud University, the corona pandemic broke out. Everyone had to work from home.
"On the one hand, it was a huge stroke of luck that we got to the point where we could go into production. That allowed people to work safely at home," says Ab van Duren. He was the network administrator on the team that implemented eduVPN. "But on the other hand, we had not provided enough bandwidth to serve all those people neatly. Together with SURF, we then rapidly scaled up the capacity of the eduVPN service, from 1-Gbps to 10-Gbps connections."
However, it was not the only complication. "Because of this rapid upscaling, our own network equipment also got a lot busier. As a result, sometimes a packet dropped out in the network traffic. That was quite noticeable with the image calling applications: Zoom and Teams. Fortunately, this did not last long either. We were already replacing equipment in our backbone to scale up to multiple 100 Gbps connections. Once that work was done, our bottleneck problems were solved."
Quick solution
What also helped in the new situation was that the concept of VPN was already well established at Radboud University. "We had our own VPN service, with hardware on our own network. But that was now so old that it needed replacing. So we looked around to see how we could best shape that replacement: by buying stuff ourselves and going through a replacement process, or by working with SURF to establish eduVPN as a service."
The choice fell on the second option. "There were several reasons for that. It would be faster and involve less direct costs." In addition, Radboud University wanted more than just VPN: "It had to be able to be combined with multifactor authentication. So an extra identity check, in addition to username/password. And we didn't have that MFA yet. We would have to build it from scratch. In order to make a quick start, we opted for a SURF service, SURFsecureID. We were already using that for another application anyway, so it was familiar and trusted."
YubiKey
How are things now, a few years later? The combined service is now the responsibility of Marijn Kandelaars, connectivity team leader at Radboud University. He explains that eduVPN now has more than 6,000 unique users. Of those, a maximum of about 850 are active at any one time.
"Those numbers may grow in the coming years," he says, "because there is discussion whether the use of, for example, Microsoft 365 should not go this way. After all, we too are in transition to the cloud. But for now, eduVPN is only mandatory for the services we run ourselves on our network. When it comes to management environments, financial applications and the like, we also deploy SURFsecureID. As an extra factor, those users then have to plug their YubiKey into the laptop. Of course, that is a relatively expensive solution: these USB tokens cost around 25 euros each. There is therefore increasing talk in the corridors about Microsoft Authenticator. That too is an option with SURFsecureID."
Bi-monthly consultations
And how is the collaboration with SURF going these days? Marijn: "We have bi-monthly consultations with Rogier Spoor and Melvin Koelewijn from SURF. They keep us well informed of new developments. For example, about a Linux client or things you can set in your client. If we have questions or requests, they deal with them very thoroughly and seriously. Of course, we also discuss open issues, but these are minimal. In the small year I have been working here, I have never received a complaint about these services. I myself am also a satisfied user."
eduVPN: facilitate secure internet browsing everywhere
eduVPN uses OpenVPN, open source software that has been extensively verified and is considered highly secure. On top of that, eduVPN applies strict privacy and security measures. You can integrate eduVPN into your institution's network. This allows you to make services and systems within that network, which are not normally accessible from outside, securely available via the internet.
SURF offers eduVPN to facilitate secure internet access. eduVPN has various advantages and applications. Curious? Then take a look at the eduVPN service page and find out more about exactly how it works.
SURFsecureID: secure your services extra with multi-factor authentication
With SURFsecureID, access to online services is made more secure through multi-factor authentication. The user logs in with a username, a password and a second factor: an SMS, USB key, mobile app (tiqr) or Microsoft token. SURFsecureID is particularly suitable for services that handle sensitive data and for preventing account abuse.
In this way, SURF creates a safe, reliable and convenient online environment for all member institutions. Want to know how? Take a look at the SURFsecureID service page.