Skip to content

Connecting to SCIONLab via VPN


This page needs to be updated. Use with care.


This tutorial will cover the steps required for connecting a SCION installation to SCIONLab. In the end, you will be running one SCION autonomous system connected to the SCIONLab network.

For the purpose of this tutorial, we assume that you do not have static public IP address, or that your machine cannot receive UDP traffic on port 50000 from the Internet. If this is not the case, you should consider the tutorial Connecting to SCION Lab with public IP or Connecting to SCION Lab with public IP behind a NAT.


In order to follow this tutorial, we will assume that you already installed the SCION infrastructure and that you are able to run a local topology.


If you are running one of the SCION Virtual Machine setups, the configuration covered in this tutorial is already implemented in the system image, so you don't need the steps described here.

Step One - installing OpenVPN

In order to circumvent the problem of not having a publicly accessible IP address, we create an OpenVPN tunnel to carry the SCION traffic between the two SCION border routers.

In order to install the openvpn client, you can simply run:

sudo apt install openvpn

Step Two - downloading SCION Lab configuration

In order to download the necessary configuration you must login to SCION Coordination Service. In case you don't yet have an account, follow the registration process.

Since the current version of the Coordination Service only generates VM configuration scripts, we will use them in the following steps to configure the running SCION infrastructure.

After logging in, download a VM configuration by clicking on Create and Download SCIONLab VM Configuration as presented in the image below:

SCIONLab download page

Navigate to the download directory and extract the archive content:

cd ~/Downloads
tar -vxzf scion_lab_<user_email>.tar.gz
cd <user_email>

The extracted content should have the following file structure:

├── client.conf
├── gen
│   ├── dispatcher
│   │   ├── dispatcher.zlog.conf
│   │   └── supervisord.conf
│   └── ISD1
│       └── ...
├── scion.service
├── ...
├── scion-viz.service
└── Vagrantfile

For the purpose of this tutorial we will just need:

  • file client.conf - client OpenVPN configuration
  • directory gen - SCION infrastructure configuration

Step Three - Connecting to OpenVPN server

Adding the OpenVPN configuration is accomplished by copying files to the openvpn directory:

sudo cp client.conf /etc/openvpn
sudo chmod 600 /etc/openvpn/client.conf

Next, we need to automatically launch the OpenVPN service on startup of the system:

systemctl start openvpn@client
systemctl enable openvpn@client

After this, you should verify that new tun interface is added. The command:

ip a

should display the newly added interface, in this case tun0 as in this example:

9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet brd scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::2337:a0c4:7fa7:78b3/64 scope link flags 800 
       valid_lft forever preferred_lft forever

In this case, the client's OpenVPN IP address is:

Step Four - copying SCION Lab configuration

Before copying the new configuration to your SCION directory, you should delete the old one. If necessary back it up previously.

rm -rf $SC/gen

Copy new configuration and navigate to SCION root directory:

cp -r gen $SC/
cd $SC

Step Five - Restarting SCION Infrastructure

After the OpenVPN connection is established and the new configuration is copied, you need to restart the infrastructure as follows:

./ stop
~/.local/bin/supervisorctl -c supervisor/supervisord.conf shutdown
./ run

Next steps

After running the SCION infrastructure, it is necessary to verify that it is running properly. This is covered in the tutorial Verifying SCION Installation.