DEI Virtual Private Network (VPN) services

VPN - Virtual Private Network

Although a few are publicly available, most DEI network services are available only within DEI networks. There are several reasons for that to be so, mostly security-related. Also, bear in mind that WiFi networks are not DEI networks, thus, from the DEI network services point of view, you being connected to local WiFi or being somewhere on the internet is almost the same.

DEI VPN services allow users to overcome these restrictions. Once connected to a DEI VPN server, a dedicated virtual connection exists between the user's workstation and the VPN server, this results in a network environment very similar to be directly connected by a physical cable to a DEI network.

As the name proclaims, VPN services assure privacy on data transferred through them, meaning data is encrypted before being sent. DEI VPN services require user authentication.

DEI VPN servers:

  • deinet.dei.isep.ipp.pt - equivalent to a wired connections to the DEI laboratories network. Available to both students and staff.
  • deinetprofs.dei.isep.ipp.pt - equivalent to a wired connections to the DEI staff network. Available to staff only.


OpenVPN (https://openvpn.net/)

The OpenVPN service may use either UDP or TCP, in either case, communications are secured by SSL/TLS.
There are clients available for OS X (e.g. Tunnelblick), for Microsoft Windows (OpenVPN GUI), and Linux (included in many distributions).

VPN servers' addresses:

  • deinet.dei.isep.ipp.pt
    Front-end access by DNS round-robin of the following real servers:
    • deinet1.dei.isep.ipp.pt.
    • deinet2.dei.isep.ipp.pt.
    • deinet3.dei.isep.ipp.pt.
    • deinet4.dei.isep.ipp.pt.
  • deinetprofs.dei.isep.ipp.pt (for staff only)

Configuration data for DEI OpenVPN servers is available for download in the openvpn-dei-config.zip file. This archive contains configuration files(1) for each server, configuration files should be copied to the OpenVPN client's configurations folder.

Supported IP protocols: IPv4 and IPv6 (with a TAP interface).


(1) about the provided configuration files:
  • Configuration files last update: 30th September 2021.

  • With these configurations, the VPN operates over a TCP connection, to use UDP instead, simply edit the configuration file and replace proto tcp by proto udp. In principle, the use of UDP outperforms the TCP option, yet in practice, because UDP is less reliable it may raise some issues in some cases.

  • With these configurations, VPN clients will use a TAP (Network TAP) virtual interface, providing a layer two connection (Bridging). Some clients may support only TUN (Network TUNnel) virtual interfaces, this means it will be a layer three connection (Routing). To enforce TUN instead of TAP, simply edit the configuration file and replace dev tap by dev tun. Notice that using a TUN interface will break IPv6 support.

  • With these configurations, only traffic addressed to DEI/ISEP networks is sent through the VPN (split tunnelling). If you want to force all traffic to be transferred through the VPN, then you should uncomment the two lines that are highlighted for this purpose in the configuration files.

  • OS X/Tunnelblick users have reported laptop hanging issues with the provided TAP (Network TAP) virtual interface configuration. Replacing dev tap with dev tun in the configuration file is reportedly solving this issue.


SoftEther (https://www.softether.org/)

SoftEther Project at University of Tsukuba, Japan

The SoftEther VPN service is based on multiple TCP connections secured by SSL/TLS.
The installation of a specific VPN client is required.
There's a SoftEther VPN client available for Windows, and also for some other platforms (1).

VPN servers' addresses:

  • deinet.dei.isep.ipp.pt
    Front-end access by DNS round-robin (2) of the following real servers:
    • deinet1.dei.isep.ipp.pt.
    • deinet2.dei.isep.ipp.pt.
    • deinet3.dei.isep.ipp.pt.
    • deinet4.dei.isep.ipp.pt.
  • deinetprofs.dei.isep.ipp.pt (for staff only)

Beyond the VPN server address, other configuration data required to set up your VPN connection are:

  • The service port number: 443 (HTTPS)
  • Virtual Hub Name: DEFAULT
  • Check server certificate.
  • Auth Type: RADIUS or NT Domain Authentication
  • Number of TCP connections (Advanced Settings): 8

As an alternative to manually set up the VPN connection, you can download the softether-dei-config.zip file which contains ready to be imported by the SoftEther client configuration files for each VPN server.

Supported IP protocols: IPv4 and IPv6.



(1) As checked on March 2016: the Windows version works pretty well, the OS X version is experimental, and the Linux version has no GUI.
(2) Some clients may have issues when using the deinet.dei.isep.ipp.pt name, if so, the name of one of the real servers should be used instead.


SSTP (Secure Socket Tunneling Protocol)

Developed by Microsoft, it uses a single TCP connection secured by SSL/TLS.
Current Microsoft Windows operating systems support SSTP VPN connections without the need for additional software.
Because both Microsoft Windows operating systems and the DEI VPN servers also support PPTP VPN connections, to be sure SSTP is used, you must enforce that on the client-side configuration by explicitly selecting SSTP instead of AUTO. In AUTO, mode often PPTP will be used, and it's far less safe than SSTP.

VPN servers' addresses:

  • deinet.dei.isep.ipp.pt
    Front-end access by DNS round-robin of the following real servers:
    • deinet1.dei.isep.ipp.pt.
    • deinet2.dei.isep.ipp.pt.
    • deinet3.dei.isep.ipp.pt.
    • deinet4.dei.isep.ipp.pt.
  • deinetprofs.dei.isep.ipp.pt (for staff only)

Supported IP protocols: IPv4



PPTP (Point-to-Point Tunneling Protocol)

WARNING: by current security standards PPTP is regarded as unsafe.
As an alternative for native Microsoft Windows clients, SSTP should be used.

Microsoft Windows operating systems include a native client for the PPTP VPN service. Yet, recent Microsoft Windows operating systems also support SSTP, and that's a better option (far more secure).
There are clients for other operating systems, however, vendors are progressively discontinuing its support due to security flaws.

VPN servers' addresses:

  • deinet.dei.isep.ipp.pt
    Front-end access by DNS round-robin of the following real servers:
    • deinet1.dei.isep.ipp.pt.
    • deinet2.dei.isep.ipp.pt.
    • deinet3.dei.isep.ipp.pt.
    • deinet4.dei.isep.ipp.pt.
  • deinetprofs.dei.isep.ipp.pt (for staff only)

DEI PPTP VPN servers are configured to accept client connections only if minimal security requirements are met:

  • Protected password authentication - MSCHAPV2
  • Private key encryption with 128-bits key length (MPPE/RC4)

PPTP is based on a TCP control connection and a GRE packets based tunnel. GRE packets don't use port numbers or other identifiers, and that might present an issue for some domestic routers connecting local private networks to the internet. In some of such routers it may be required to enable on it the PPTP Passthrough option (or similar), and thus allow GRE traffic.

Supported IP protocols: IPv4