Let’s Connect! 2.0

Last week, Let’s Connect! VPN server 2.0 was released. This new version has been engineered to be more robust. Based on experience in the field, such as how we managed group membership, we decided to change a few components. The current Let’s Connect! VPN client apps (Windows, macOS, Android, iOS) are fully compatible with the new server.

Two-factor authentication (2FA) has been moved from the VPN layer to the authentication layer (SAML or LDAP). 2FA is now part of the authentication flow, so whenever a new device wants to get access to the VPN, the second factor must be provided.

Furthermore, it is possible to configure an “expiry”, which means the user will need to authenticate and provide their 2FA periodically. The main reason for moving 2FA is to no longer depend on the VPN technology itself to provide support for 2FA, and to have the ability to use other 2FA mechanisms, like third-party 2FA services and FIDO2 (WebAuthn), in the future.

Let’s Connect! VPN 2.0 supports user groups. You can configure a VLAN/IP range and a specific VPN session time per user group. For example, a group for sysadmins with network access to the consoles of servers, and a normal user group with limited access. Users can be members of multiple groups, and a profile will be shown per group in the Let’s Connect! VPN client.

For Let’s Connect! VPN 1.x server we were using VOOT and LDAP for group membership. The VOOT protocol allowed us to dynamically query which groups a user belongs to, so the Let’s Connect! VPN server had direct awareness of a user being added to or removed from a certain group. Unfortunately, we found out that VOOT didn’t gain enough traction in the international NREN community. To convey authorization information for access to VPN profiles, we decided to use LDAP / SAML attributes, for example the “memberOf”, “eduPersonEntitlement” or “eduPersonAffiliation” attributes. This means the Let’s Connect! VPN server only retrieves group membership information after IdP login. Since we moved 2FA to the browser, the 2FA trigger is a re-login too and will refresh group membership information.
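The following is an added example, not code from the Let’s Connect! project: a simplified Python model of the behaviour described above, where group-bearing attributes are captured at IdP login and only refreshed when the configured expiry forces a re-login. The profile names, attribute values, expiry length and function names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical profile ACLs: profile id -> attribute values that grant access.
PROFILE_ACL = {
    "sysadmin": {"cn=vpn-admins,ou=groups,dc=example,dc=org"},
    "staff": {"employee"},
}
GROUP_ATTRIBUTES = ("memberOf", "eduPersonEntitlement", "eduPersonAffiliation")


@dataclass(frozen=True)
class Session:
    user_id: str
    permissions: frozenset  # attribute values as seen at IdP login
    expires_at: datetime    # re-login (including 2FA) required from here on


def login(user_id, idp_attributes, now, expiry):
    """Snapshot the group-bearing attributes released by the IdP at login."""
    values = set()
    for name in GROUP_ATTRIBUTES:
        values.update(idp_attributes.get(name, []))
    return Session(user_id, frozenset(values), now + expiry)


def allowed_profiles(session, now):
    """Return profiles the session may use, or None if re-login is needed."""
    if now >= session.expires_at:
        return None
    return sorted(p for p, acl in PROFILE_ACL.items() if acl & session.permissions)


def demo():
    t0 = datetime(2019, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    expiry = timedelta(hours=8)                            # constructed
    before = {"memberOf": ["cn=vpn-admins,ou=groups,dc=example,dc=org"],
              "eduPersonAffiliation": ["employee"]}
    after = {"eduPersonAffiliation": ["employee"]}  # removed from admin group
    s1 = login("alice", before, t0, expiry)
    stale = allowed_profiles(s1, t0 + timedelta(hours=1))   # removal not seen
    expired = allowed_profiles(s1, t0 + expiry)             # forces re-login
    s2 = login("alice", after, t0 + expiry, expiry)
    fresh = allowed_profiles(s2, t0 + expiry + timedelta(minutes=1))
    return stale, expired, fresh


if __name__ == "__main__":
    print(demo())
```

In this model the expiry bounds how long a membership removed at the IdP keeps granting a profile, which is the trade-off to weigh when choosing the expiry value.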

For more details about the 2.0 changes please see this email.

iOS app available

The Let’s Connect! VPN apps for Windows, macOS and Android have been available for quite a while. It took us more time to release an iOS app. The difficulty was that we could not use the OpenVPN 2.x GPL software because of Apple policies. Fortunately, Private Internet Access has created an OpenVPN-compatible ‘clone’, which we have audited and implemented in the iOS app. The iOS app is available in the Apple Store.

It is now a full app, which means that it is not required to use the OpenVPN app anymore.

Let’s Connect! and WireGuard

We would like to announce that the Let’s Connect! project is working together with WireGuard.

We are always looking for new ways to improve Let’s Connect! and give our users a better experience on the internet. In this light, we added WireGuard support in the Let’s Connect! server software to our roadmap. This enables Let’s Connect! to create WireGuard-based clients in the future.

Windows pre-release

Today we are happy to announce the availability of our Let’s Connect! for Windows application. Although it is still a pre-release version, it is fully functional and ready to be used. After some more usage and testing we aim to release the finished app shortly.

You can download the latest version here. If any issues arise, please notify us at eduvpn@surfnet.nl or create an issue here.

ISOC.nl Innovation Award 2018

Let’s Connect! has won the ISOC.nl Innovation Award 2018. The Jury said:

“A very necessary technical innovation with potentially a huge social impact. For secure connections, but also for free internet, we are really dependent on good VPN technology, especially now that net neutrality is under international pressure. A deserved winner of the Internet Innovation Award 2018!”

Jury ISOC Innovation Award