Remote Access Service - Virtual Private Networking (VPN)

5.0 - Last modified on 2023-03-13 Revised by Sean Schluntz

4.0 - Last modified on 2020-03-31 Revised by Sean Schluntz

3.0 - Last modified on 2019-08-30 Revised by itsm kb_api

2.0 - Last modified on 2019-07-22 Revised by Sean Schluntz

1.0 - Created on 2019-04-10 Authored by Isaac Orr

What is Remote Access Virtual Private Network (VPN)?

The Remote Access VPN (Virtual Private Network) service is designed to allow CalNetID authenticated users to connect to the UC Berkeley network from outside of campus, as if they were on campus, and encrypts the information sent to the network.

General Use VPN Groups

Several VPN groups are available for general use. Each general use group has different characteristics. Some access restrictions apply to certain groups based on the tunnel type; please contact Campus Shared Services for information on your eligibility. (Note: there is no grace period for Remote Access VPN service eligibility when your affiliation with UCB expires.) The following table lists the available groups and their properties.

Group                              Tunnel Type (IPv4)   Supported Protocols   Support Level
1-Campus_VPN                       Split Tunnel         IPv4                  Supported
2-Campus_VPN_Full_Tunnel           Full Tunnel          IPv4                  Supported
3-Library_VPN                      Full Tunnel          IPv4                  Supported
4-Campus_VPN_Split_Tunnel_v4_v6    Split Tunnel         IPv4 and IPv6         Supported
5-Campus_VPN_Full_Tunnel_v4_v6     Full Tunnel          IPv4 and IPv6         Supported

The default tunnel group is 1-Campus_VPN. 

'Split Tunnel' vs. 'Full Tunnel'

At present, the tunnel type for the IPv6 protocol (when available via a group) is always full tunnel independent of the IPv4 tunnel type. 

When a client establishes a connection to the VPN concentrator, it is assigned a UCB IP address. A group with a split tunnel means that any traffic destined for an IP address in the following ranges will travel through the tunnel.

128.32.0.0 - 128.32.255.255
169.229.0.0 - 169.229.255.255
136.152.0.0 - 136.152.255.255
172.16.0.0 - 172.31.255.255
10.16.0.0 - 10.255.255.255

Any other internet traffic travels normally over the client's off-campus connection, with the source IP address assigned by the client's ISP.

In contrast to the split tunnel, with a group with a full tunnel *all* internet traffic traverses the VPN, regardless of its destination, and all source traffic appears to have a UCB IP address.
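As an added illustration that is not part of the article, the following Python routine applies the split-tunnel ranges listed above to decide whether traffic to a given destination traverses the VPN (encrypted to the concentrator, UCB source address) or leaves directly over the ISP connection, and expresses the ranges as the CIDR blocks a route or firewall rule would use. The parameter names `full_tunnel` and `group_has_ipv6` are this example's own, and the handling of IPv6 under an IPv4-only group is an assumption.

```python
import ipaddress

# Split-tunnel destination ranges as listed in the article (inclusive start - end).
SPLIT_TUNNEL_RANGES = [
    ("128.32.0.0", "128.32.255.255"),
    ("169.229.0.0", "169.229.255.255"),
    ("136.152.0.0", "136.152.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("10.16.0.0", "10.255.255.255"),
]

def _parse_ranges(ranges):
    """Turn (start, end) strings into IPv4Address pairs, rejecting inverted ranges."""
    parsed = []
    for start, end in ranges:
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError(f"inverted range {start} - {end}")
        parsed.append((s, e))
    return parsed

_RANGES = _parse_ranges(SPLIT_TUNNEL_RANGES)

def split_tunnel_cidrs():
    """Express the ranges as CIDR blocks, the form a route or firewall rule would use."""
    cidrs = []
    for s, e in _RANGES:
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(s, e))
    return cidrs

def goes_through_tunnel(dest, full_tunnel=False, group_has_ipv6=False):
    """Return True if traffic to `dest` traverses the VPN under the given group type."""
    addr = ipaddress.ip_address(dest)
    if addr.version == 6:
        # Per the article, IPv6 is always full tunnel when the group offers it.
        # Assumption (not stated on the page): an IPv4-only group does not carry IPv6.
        return group_has_ipv6
    if full_tunnel:
        return True  # full tunnel: every destination traverses the VPN
    return any(s <= addr <= e for s, e in _RANGES)

if __name__ == "__main__":
    # Constructed sample destinations: a campus host, a private-range host, a public host.
    for d in ["128.32.10.20", "172.20.1.5", "203.0.113.7"]:
        for mode in (False, True):
            where = "VPN tunnel" if goes_through_tunnel(d, full_tunnel=mode) else "direct via ISP"
            print(f"{'full' if mode else 'split'} tunnel: {d} -> {where}")
```

Destinations classified as "direct via ISP" under a split tunnel receive no protection from the VPN, which is the practical reason the article recommends a full tunnel where application-level encryption is not available.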

Some Library-subscribed database applications depend on the source IP address for authentication purposes. Note that if the authentication component of a database is hosted by a third party (not UCB), then a split-tunnel VPN may not be an appropriate access solution. Another option in these cases is to use the Library's proxy web server service to provide access to patrons using non-campus IP addresses: http://www.lib.berkeley.edu/Help/connecting_off_campus.html.

A group with a full tunnel may be a useful option where the Library Proxy Service runs into limitations (for example, it can address the need to reach some databases or applications that use non-web-based protocols for access, like Z39.50/EndNote). In these cases, reaching the desired application (a non-UCB IP address) depends on your IP address originating from UCB, so the full tunnel is helpful. A full tunnel also provides encryption where application-level encryption (such as SSL or SSH) is not possible. Note, however, that as described previously, if you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still only the segment between your workstation and the VPN concentrator.

Groups that make use of a full tunnel should be used with care. Traffic to any destination will appear to originate from a UCB IP address, and so is subject to the Campus Computer Use Policy: https://security.berkeley.edu/computer-use-policy. Depending on the amount of traffic, and its destination, it may also prove to be slower than the use of the split tunnel.

Each UCB IP address assigned to a VPN client is taken from a pool that depends on the tunnel type.

See https://ucb.service-now.com/kb_view.do?sysparm_article=KB0012280 for a listing of the address ranges.

There is a 30 minute idle timeout limit, and a 1 day session timeout limit for all VPN tunnels.

Downloading, Installing and Configuring VPN Client Software

For information on where to download VPN client software and how to install it, please see the following knowledge base article.

https://kb.berkeley.edu/page.php?id=23065

Third Party Clients

IST does not recommend the use of VPN clients other than the officially distributed versions available via the software download page: https://software.berkeley.edu/security-software#CiscoVPN. Anyone who uses an unsupported client must assume full responsibility for supporting its use.

IST plans and tests future changes to the campus VPN service with respect to officially distributed clients only. Future changes in the campus VPN service may cause unsupported clients to stop functioning properly; therefore, an unsupported client that works today may not work tomorrow.

IST may choose not to troubleshoot a campus VPN problem specific to an unsupported VPN client. IST reserves the right to not make custom changes to the campus VPN service to accommodate unsupported clients. You may use an unsupported client with the campus VPN service provided that you accept these conditions, the client meets minimum security standards, and the client does not cause operational problems for other users of the campus VPN service.