Skip Navigation

Wednesday July 23rd, 2014

Getting Started with Virtual Private Network (VPN)

Summary: If you need to connect to UCInet from off campus, Virtual Private Network (VPN) may be the solution for you. VPN allows you to connect to on campus-only resources like the Library and encrypts the information you are sending over the network, protecting your data.

Three Ways to Access the VPN

Peer-to-peer file sharing services and other high-bandwidth applications should not be used while using the VPN service. You may be automatically blocked from using the VPN if your bandwidth exceeds the maximum bandwidth limit.

1. WebVPN - A quick and easy way to access most Library resources off campus.

2. Software VPN - Software to access ALL Library resources and on campus systems

Note: Regarding the Windows 8 RT plaform, at this time there are no Cisco VPN Clients available.

Note: AnyConnect VPN users, on inital start up type in the "connect to window" of the AnyConnect client and press Enter to connect.

3. Mobile Devices: Android 4.x+/iPhone/iPod/iPad Touch VPN

Current VPN Client software versions.

AnyConnect Client Current Version Updated
Windows 8.1/7/Vista AnyConnect 32/64 bit 3.1.04072 February 6, 2014
Mac OS X 10.9 AnyConnect 32/64 bit 3.1.04074 November 5, 2013
Mac OS X 10.6 - 10.8 AnyConnect Intel 32/64 bit 3.1.03103 June 26, 2013
Linux AnyConnect 32/64 bit 3.1.03103 June 26, 2013


Why use the VPN?

Network Traffic Encryption
When you connect to another site using a VPN, your traffic is encrypted so that if anyone intercepts the traffic, they cannot see what you are doing unless they can break the encryption.  Your traffic is encrypted from your computer through the network to the VPN concentrator hardware at UCI.  At that point the traffic is un-encrypted and sent out over the campus network.  If you are using software like ssh, your traffic on the campus network is still encrypted because ssh encrypts its traffic.

Access UCI Resources
When you are using a VPN connection, it will appear to systems on campus that you are also on campus - you will have a UCI IP address instead of the one you have at home (Cox, AT&T, PacBell, etc).  This allows you to connect to resources that you would not be able to from home, and bypass any port blocking at the campus border router. 

Windows File Shares
The VPN offers a way for authorized users to mount Microsoft Windows file shares from off campus. As of November 5th, 2002, a VPN is required to use "shares" from outside of UCInet because of special port blockades.

Who needs the VPN?

You need VPN if:

  • You mount a Windows disk share from your work computer on your home computer.
  • You need to access restricted services.
  • You use network protocols like NetBIOS to a host or service on campus.
  • You are using a public network, (for example, in a hotel, coffee shop, or airport), especially if it is a wireless network.

You don't need VPN if:

  • You check your UCI e-mail via IMAP with SSL/STARTTLS encryption.

Downsides to using VPN if it is not needed.

  • Slows down your connection
  • Uses resources others could be using
  • Adds a step to connect to UCI
Where can I use the VPN?
VPN service can be connected from any off-campus Internet location or UCInet Mobile Access (wireless) network. It will not work from the campus dial-in modems or any host on campus.
What are VPN Tunnels?

UCI has two types of VPN tunnels, a "split" tunnel and a "full" tunnel. 

Split Tunnel
The "split" tunnel only sends traffic destined for UCI over the VPN connection.  All other traffic goes through your normal cable modem/dsl connection.  Use the "split" tunnel for connections to and from UCI only. If you are using online Library resources, use the "full" tunnel.

It allows you to talk directly to the Internet, but when your machine "talks" to UCI network addresses the traffic is put through the established VPN tunnel to the UCI VPN node, where it is decrypted and given a UCInet network address.

This is useful for people who need access to things at UCI which require a UCInet IP address (such as connecting to a system that restricts access to UCI hosts only), or to use services which are blocked for security reasons at the campus firewall (such as NetBIOS ports, used in mounting shared drives and other ports used by Microsoft Windows). Only traffic to/from UCI is sent through the VPN connection, so if you were to access Yahoo, it would go through your regular network connection (cable modem, dsl, etc).

Full Tunnel
The "full" tunnel sends all your internet traffic through the VPN connection, and then out to the internet through UCI's connection.

The "full" tunnel is useful for people who need to access sites off-campus that need a UCI IP address to allow access to a resource. The UCI Library has links to resources such as these. If you wanted to access the Oxford English Dictionary (OED), you can't get to it with a split tunnel because it's off campus and your off-campus packets aren't network address translated to UCI addresses. By using the "full" tunnel, this problem is circumvented. However, note that *all* your traffic is sent through the VPN connection and then out UCI's internet connection.

You should use the "full" tunnel VPN connection with care since heavy use can cause an increase in UCI's internet connection costs, and is likely slower than the split tunnel method.

What are the VPN timeouts and limitations?

Once you bring up your VPN client and initiate a connection, you will remain connected as long as you're actively using it. If the connection is idle for one hour, it will "timeout". If you are not going to use your computer, it is best to take down the connection yourself, to free-up a tunnel for someone else to use. In either case, when you later come back to your computer you will need to re-initiate a connection if you still need to use the VPN.

There is a limit of 2 VPN tunnels which may be simultaneously established under one UCInetID.

The campus VPN provides off-campus users access to university resources not normally available to remote users and is thus a critical resource. The VPN appliance handles connections for all users through the same 100 Mb interface. Users of bandwidth-intensive applications that are not related to the University's academic mission can detrimentally impact other users on the VPN.

For this reason, Gnutella, Kazaa, Bit Torrent, E-Donkey, and other peer to peer (p2p) file sharing programs (as well as internet gaming and other recreational, high-bandwidth applications) are not allowed on the VPN.

What are the VPN IP Addresses?
For those of you who would like to allow or restrict access from VPN users, here are the possible address ranges that VPN users will be using. -