University Requiring Use of VPN

21 points by momothereal, over 3 years ago

My university now requires the use of a school-managed VPN on personal devices to access most student services outside campus.

It makes me super uncomfortable to have to install something so intrusive on a personal device, since it can capture any internet traffic without my knowledge and outside class hours. Somehow I find this worse than protractor software like Respondus privacy-wise...

According to the school, the only other alternative is to use campus Wifi (even though my uni is still doing all classes remote since Omicron). They do not and have never offered school-supplied laptops like companies usually do for secure connections.

I've never heard of another school doing this before. Have you?

18 comments

g_p, over 3 years ago

This is not particularly uncommon for universities, as their networks tended to evolve as large and open "flat LANs" traditionally.

Almost all campus type VPNs are based on "standard-ish" VPN protocols, and have an open source and widely used client available for them. Note that you might need to delve a little into the configuration file to work out what it is. Common ones are Cisco vpnc, ipsec, etc.

At least on Linux, with Network Manager, one of the options when configuring a network interface (including a VPN) is to set the subnets that are reached via it. Most universities will have a /8 or /16 subnet, within which their internal services sit (assuming the services are on-premises). You can do a split route, so this subnet is reachable via the tunnel, but everything else is routed through your regular WAN connection.

Many universities are shifting towards cloud services like 365, where IP/VPNs are less necessary, so I guess that this is primarily for on-prem services, where they feel requiring VPN adds a layer of security beyond the (usually not spectacular) login form on the application itself.

If you need to use internal DNS to resolve IPs for campus-based resources (as public WAN DNS isn't good enough), you might need to go a little further in setting this up (run your own local resolver and use their DNS server, which is through the VPN tunnel, for resolving subdomains of their main domain), or use a VM (for an easy option).
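
Added example, not part of g_p's comment or of the thread: one way to confirm that a split route like the one described above is actually in effect is to check which interface the routing table selects for campus and for non-campus destinations. The code below does that over constructed `ip -4 route show` output; the interface names `tun0` and `wlan0`, the campus range `10.0.0.0/8` and the probe addresses are assumptions.

```python
import ipaddress

# Constructed `ip -4 route show` samples; tun0, wlan0 and 10.0.0.0/8 are assumed names.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev tun0 proto static scope link metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""
# Constructed full tunnel: two /1 routes shadow the default route without replacing it.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev tun0 proto static scope link metric 50
128.0.0.0/1 via 10.8.0.1 dev tun0
"""

def parse_routes(text):
    """Return (network, device, metric) for each unicast route line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        try:
            prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or "blackhole ..." entries
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, fields[fields.index("dev") + 1], metric))
    return routes

def egress_dev(routes, dest):
    """Longest-prefix match, lowest metric on ties (approximates the main-table lookup)."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def audit(route_text, tunnel="tun0", campus="10.0.0.0/8",
          probes=("1.1.1.1", "198.51.100.7", "203.0.113.9")):
    """Check that campus traffic uses the tunnel and list probes that would too."""
    routes = parse_routes(route_text)
    campus_host = str(ipaddress.ip_network(campus)[1])
    return {
        "campus_via_tunnel": egress_dev(routes, campus_host) == tunnel,
        "leaked": [p for p in probes if egress_dev(routes, p) == tunnel],
    }

if __name__ == "__main__":
    print(audit(SPLIT_TUNNEL), audit(FULL_TUNNEL))
```

On a real machine, pass in the output of `ip -4 route show` captured while the VPN is connected; a non-empty `leaked` list means non-campus traffic would go through the tunnel. Only the main routing table is examined, so clients that steer traffic with policy-routing rules need a separate check.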
aborsy, over 3 years ago

Disconnect the VPN when you don’t need it. I assume you can control the VPN client.

All schools and organizations I am familiar with use VPN for remote access. Some provide pre-set laptops to which users don’t have admin permission.

This is the standard way of securely connecting to internal resources.
jjgreen, over 3 years ago

Quite common I believe [1], but typically Universities will not make their own VPN, but use some OTS component, and often those will have an open-source implementation if you would prefer to use that. If you're concerned, then only install the VPN on a VM and use that exclusively for accessing those services required.

[1] https://www.sheffield.ac.uk/departments/it-services/campus-only-services
SkyPuncher, over 3 years ago

Unless you do not control when the VPN is on/off, they're no more intrusive than connecting directly to your University's wifi. As far as I know, it's pretty common since most universities have a lot of legacy infrastructure. A VPN is the easiest way for them to grant you access to certain services.

At my university, we could use any client we wanted. The school just provided the VPN endpoint. Minimally invasive.
MauroIksem, over 3 years ago

I work at a university that's heading in this direction. Reason being is that our services are constantly being attacked. Putting them behind a firewall helps a lot. You don't have to run the VPN when you're not doing school related stuff so I don't see it as a big problem and IT doesn't care what you're doing. Also, I'd wager that their VPN supports split tunneling so university related traffic is the only thing going over VPN.
gnufx, over 3 years ago

That seems to be very widespread, at least in the UK, because security (regardless of no. 4 in the fallacies of distributed computing). There may be different setups for staff and students.

You can probably at least use a free software client, though that may require extracting some configuration info from whatever proprietary one they distribute. I use openconnect when I have to use the Palo Alto GlobalProtect one, and it appears to be a better option than the proprietary one, judging by the continual problems and update churn I see. openconnect also works with recent network-manager on GNU/Linux. You may ignore the pushed configuration and only tunnel traffic for the campus net and use external DNS.

[I once had to use the Cisco corporate VPN to evaluate the HPC gear they were trying to sell us, and was told as an HPC system manager that I had to get an MS Windows client to do that; sorry, no. From experience with a local old Cisco VPN elsewhere (use vpnc) I looked around for a solution and landed on openconnect then.]
tyingq, over 3 years ago

It's a valid concern, though once you know which brand of vpn they are using, there is plenty of 3rd party documentation on what the problem areas are, how to work around them, etc.

If you're extra paranoid, you could just run the vpn client in a VM.
warrenm, over 3 years ago

I was using a VPN to connect to my university 18 years ago (Cisco AnyConnect, iirc)

You're only "on" the school network when you actually *connect* the VPN client

Don't want to be "on" the network? Don't VPN

It's not rocket surgery :)
gostsamo, over 3 years ago

Check on what level the VPN is implemented. If it is only for the school IP addresses, they will not have your traffic. Otherwise, you can access their services through a VM as someone else proposed.
photonios, over 3 years ago

Most VPNs can be configured to only tunnel traffic to certain destinations. Maybe you can configure it to only tunnel traffic to university services?
pwg, over 3 years ago

> My university now requires the use of a school-managed VPN on personal devices to access most student services outside campus.

> They do not and have never offered school-supplied laptops like companies usually do for secure connections.

One solution here, although you may not like it, is to obtain a second "personal device" and dedicate it to use with the school network. I.e., supply your own "school-supplied laptop" that is only used to access the school, and never used for any personal use.

Note -- this does not mean you have to buy a new laptop/desktop, a used/second-hand system that is a few years behind cutting edge is likely still more than enough for school use, while being significantly less expensive than a brand new system.
xmeadow, over 3 years ago

VPN may be used as an artificial bottleneck. In large LAN-architecture with many services running you minimize the attack area when potential threat-actors first have to get access via VPN.
bitxbitxbitcoin, over 3 years ago

My school was like this ten years ago. Pretty par for the course, imo.
Anunayj, over 3 years ago

This is quite common, in fact this has been the original purpose of VPN software all the way through. You don't need to route all packets thru the tunnel either, you can usually route to a subset of IPs in most VPN software.
leros, over 3 years ago

This is pretty common nowadays, for both schools and companies.

You can always turn the VPN off when you're not connecting to school resources.

I get why it feels a little weird, but you are connecting to the university private network. You always have the option to go to campus to access what you need. Really, you should be happy to have the option to use VPN and work from home.
JSONderulo, over 3 years ago

Same. My university required it. I just turned it off when I wasn't doing school-related stuff.
floatingatoll, over 3 years ago

For whatever it’s worth, that’s how employers have done it for a decade or more. They’re a bit behind the times but I’m glad to hear it. The “everything is on the Internet” model Google champions is not as pragmatic for others.
mbfg, over 3 years ago

There are VPN clients, openvpn, for instance, that allow you to segment your IP space to either go thru, or not go thru the VPN. See vpn-slice.