Custom eduVPN settings

TUD migrated from OpenVPN to eduVPN, which is essentially OpenVPN. Currently, the difference is that eduVPN hides most of the configuration options formerly available with OpenVPN.

I used OpenVPN frequently because I was connected to several networks. For such setups, customization was required to override the routing behavior. For certain IPs or subnets, I had to override the routing behavior or reject the remote DNS supplied by the OpenVPN server and substitute my own DNS servers.

Have a look at my former OpenVPN config:
tls-client
push-peer-info
pull
remote openvpn.zih.tu-dresden.de
# reject remote DNS server, keep using local DNS
pull-filter ignore "dhcp-option DNS"
# reject option to route all traffic through the VPN
pull-filter ignore "redirect-gateway"
# explicitly route selected subnet traffic through VPN
route 141.76.0.0 255.255.0.0
route 172.16.0.0 255.240.0.0
route 141.30.0.0 255.255.0.0
# exclude a single IP from being routed through the VPN
# route 141.76.16.53 255.255.255.255 net_gateway 
route-nopull
port 1194
dev tun
proto udp
setenv CLIENT_CERT 0
setenv FRIENDLY_NAME "TUD Split-Tunneling UDP 1194"
auth-user-pass
auth-nocache
nobind
#comp-lzo no
tls-version-min 1.2
ca ca.crt
tls-crypt tls.key
remote-cert-tls server
cipher AES-256-GCM
auth SHA384
reneg-sec 43200
verb 3

I wanted to migrate my OpenVPN config to the eduVPN setup. To do this, first go to the TUD VPN Portal and download the Open VPN Split Profile (UDP).

Once you have it, add custom options from the former OpenVPN setup. E.g.:

route-nopull
route 141.76.0.0 255.255.0.0
route 172.16.0.0 255.240.0.0
route 141.30.0.0 255.255.0.0
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "redirect-gateway"

and store credentials as extra files:

tls-crypt tls.key
ca ca.crt
cert client.crt
key client.key

Run OpenVPN with eduVPN settings

  1. Use eduVPN client to generate the daily config (as usual)

  2. Intercept or extract that .ovpn file before it’s used

  3. Extract client keys

     • Copy everything between <key>...</key> to client.key
     • Copy everything between <cert>...</cert> to client.crt

  4. Run openvpn --config my-custom.ovpn with this updated file (or use the UI integration to run the config file)

Only client.crt and client.key need to be renewed every 15 hours; tls.key and ca.crt stay the same.

Full setup

Go to:

C:\Users\user\OpenVPN\config\TUD

or (better):

%userprofile%\OpenVPN\config\TUD

If the folder TUD does not exist, create it.

Extract static keys from the eduVPN config to files:

Block                        Filename
<ca>...</ca>                 ca.crt
<cert>...</cert>             client.crt
<key>...</key>               client.key
<tls-crypt>...</tls-crypt>   tls.key

Make sure there’s no extra whitespace or BOM in the files.
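The extraction step above as a script. This is an added example, not part of the original setup or the eduVPN client: it splits all four inline blocks into the files from the table and strips a UTF-8 BOM, carriage returns, trailing whitespace and blank lines. The function names and the sample profile with placeholder key material are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): split an eduVPN profile's inline
# blocks into the files from the table above, dropping BOM, CRs and blank lines.

# extract_block FILE TAG: print what sits between <TAG> and </TAG>, tags excluded.
extract_block() {
  LC_ALL=C sed -e '1s/^\xEF\xBB\xBF//' -e 's/[[:space:]]*$//' "$1" |
    awk -v open_tag="<$2>" -v close_tag="</$2>" '
      $0 == close_tag { inside = 0 }
      inside && NF    { print }
      $0 == open_tag  { inside = 1 }'
}

# split_profile PROFILE OUTDIR: write ca.crt, client.crt, client.key, tls.key.
# Fails if a block is missing or has no BEGIN/END marker lines.
split_profile() {
  local profile=$1 outdir=$2 pair tag out
  for pair in ca:ca.crt cert:client.crt key:client.key tls-crypt:tls.key; do
    tag=${pair%%:*}
    out="$outdir/${pair#*:}"
    extract_block "$profile" "$tag" > "$out"
    if ! grep -q '^-----BEGIN ' "$out" || ! grep -q '^-----END ' "$out"; then
      echo "block <$tag> missing or malformed in $profile" >&2
      return 1
    fi
  done
}

# Constructed sample: BOM at the start, CRLF line endings, placeholder key material.
make_sample_profile() {
  printf '\357\273\277client\r\n<ca>\r\n-----BEGIN CERTIFICATE-----\r\nQ0E=\r\n-----END CERTIFICATE-----\r\n</ca>\r\n' > "$1"
  printf '<cert>\r\n-----BEGIN CERTIFICATE-----\r\nQ1JU\r\n-----END CERTIFICATE-----  \r\n</cert>\r\n' >> "$1"
  printf '<key>\r\n-----BEGIN PRIVATE KEY-----\r\nS0VZ\r\n-----END PRIVATE KEY-----\r\n</key>\r\n' >> "$1"
  printf '<tls-crypt>\r\n#\r\n-----BEGIN OpenVPN Static key V1-----\r\n00ff\r\n-----END OpenVPN Static key V1-----\r\n</tls-crypt>\r\n' >> "$1"
}

# Run with --demo to split the constructed sample into a temporary folder.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_profile "$tmp/sample.ovpn"
  split_profile "$tmp/sample.ovpn" "$tmp" && head "$tmp"/*.crt "$tmp"/*.key
fi
```

For a real profile, call split_profile with the downloaded .ovpn file and the TUD config folder as arguments.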

Use the following updated OpenVPN config and store it as eduvpn-tud-split.ovpn:

client
dev tun
proto udp
remote openvpn.vpn.tu-dresden.de 1194
remote openvpn.vpn.tu-dresden.de 53
remote openvpn.vpn.tu-dresden.de 443 tcp
nobind

setenv CLIENT_CERT 0
setenv FRIENDLY_NAME "TUD VPN split"
remote-cert-tls server
tls-version-min 1.3
tls-crypt tls.key
ca ca.crt
cert client.crt
key client.key

# Encryption & auth
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA384
auth-nocache

# Routing overrides
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "route"
pull-filter ignore "redirect-private"
route-nopull
route 141.76.0.0 255.255.0.0
route 172.16.0.0 255.240.0.0
route 141.30.0.0 255.255.0.0
# route 141.76.16.53 255.255.255.255 net_gateway  # optional exclusion

# Network
tun-mtu 1380
reneg-sec 0
verb 3

Daily Rotation

For each day, download the new config again from the portal:

  • Replace client.crt and client.key with updated blocks
  • Keep the .ovpn file

We can use a bash script for this:

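#!/bin/bash

# Get the current Windows user's home folder as a Git Bash path (C:\Users\x -> /c/Users/x)
WIN_USER_HOME=$(/c/Windows/System32/cmd.exe /C "echo %USERPROFILE%" | tr -d '\r' | sed -E 's#^([A-Z]):\\#/\L\1/#; s#\\#/#g')

# Newest downloaded split profile; stop if there is none
LATEST_FILE=$(ls -t "$WIN_USER_HOME/Downloads/TUD_VPN_split"*.ovpn 2>/dev/null | head -n 1)
if [ -z "$LATEST_FILE" ]; then
  echo "No TUD_VPN_split*.ovpn found in $WIN_USER_HOME/Downloads" >&2
  exit 1
fi
echo "Latest file: $LATEST_FILE"

# Folder holding the static config and the extracted key files
WORKDIR="$WIN_USER_HOME/OpenVPN/config/TUD"
CONFIG_OUT="$WORKDIR/Home--TUD.ovpn"

# Extract certs and keys (still including the <cert>/<key> tag lines)
awk '/<cert>/,/<\/cert>/' "$LATEST_FILE" > "$WORKDIR/client.crt"
awk '/<key>/,/<\/key>/' "$LATEST_FILE" > "$WORKDIR/client.key"

# Remove tags (first and last line) to avoid OpenVPN issues
sed -i '1d;$d' "$WORKDIR/client.key"
sed -i '1d;$d' "$WORKDIR/client.crt"

# An empty file means the block was not present in the downloaded profile
if [ ! -s "$WORKDIR/client.crt" ] || [ ! -s "$WORKDIR/client.key" ]; then
  echo "No <cert>/<key> block found in $LATEST_FILE" >&2
  exit 1
fi

echo "✅ client.crt and client.key updated in: $WORKDIR (config: $CONFIG_OUT)"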

Further reading

There is a short TUD FAQ entry on how to use OpenVPN with the eduVPN config setup:

https://faq.tickets.tu-dresden.de/otrs/public.pl?Action=PublicFAQZoom;ItemID=1268