IST: Remote Access VPN Service

· IST Shopping Cart
· Closing Open Mail Relays
· Campus DHCP Service (formerly LIPS)
· AirBears Wireless LAN
· Hidden VLAN & Firewalls

Data Network Home
Contact Information
IST staff directory

Last revised: January 16, 2013
Contact Information

Remote Access VPN Service

Why Use VPN?

The Remote Access VPN (Virtual Private Network) service is designed to allow CalNetID authenticated users to connect to the UC Berkeley network from outside of campus, as if they were on campus, and encrypts the information sent to the network.

When you use a VPN connection, it appears to systems on campus that you are also on campus - you will have a UCB IP address instead of the one you have at home (through your Internet Service Provider). The VPN offers a way for authorized users to 'tunnel' in to the campus network, to access UCB resources normally not available from home machines, bypassing any port blocking at the campus border. Note: traffic is encrypted from your workstation through the network to the VPN concentrator hardware at UCB, but at that point the traffic is un-encrypted and sent out over the campus network. (If you are using software like ssh, your traffic on the campus network remains encrypted.)

If you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still between your workstation and the VPN concentrator.

You may want to use a VPN connection if:

you need access to restricted services.
you use network protocols like NetBIOS to a host or service on campus. (some ports are blocked at the campus border.)
you mount a Windows disk share from your work computer on your home computer.

You don't need to use a VPN connection if you check your email via IMAP or POP. Downsides to using a VPN include:

slows down your connection
uses resources others could be using
adds an extra step to connect to UCB

General Use VPN Groups

Several VPN groups are available for general use. Each general use group has different characteristics. Some access restrictions apply to certain groups based on the tunnel type; please see the Network Service Eligibility Report for information on your eligibility. (Note: there is no grace period for Remote Access VPN service eligibility when your affiliation with UCB expires.) The following table lists the available groups and their properties.

Group Tunnel Type (IPv4) Supported Protocols Support Level

1-Campus_VPN Split Tunnel IPv4 Supported

2-Campus_VPN_Full_Tunnel Full Tunnel IPv4 Supported

3-Library_VPN Full Tunnel IPv4 Supported

4-Campus_VPN_Split_Tunnel_v4_v6 Split Tunnel IPv4 and IPv6 Experimental

5-Campus_VPN_Full_Tunnel_v4_v6 Full Tunnel IPv4 and IPv6 Experimental

The default tunnel group is 1-Campus_VPN. At present, the tunnel type for the IPv6 protocol (when available via a group) is always full tunnel independent of the IPv4 tunnel type. The groups that include IPv6 are considered experimental due to a handful of compatibility issues the vendor is working on. We encourage you to use the groups that include IPv6 and report any problems you encounter if you are interested in experimenting with them. Please understand that we may not be able to resolve all problems with IPv6 support.

'Split Tunnel' vs. 'Full Tunnel'

When a client establishes a connection to the VPN concentrator, it is assigned a UCB IP address. A group with a split tunnel means that any traffic destined for an IP address in the following ranges will travel through the tunnel.

128.32.0.0 - 128.32.255.255
169.229.0.0 - 169.229.255.255
136.152.0.0 - 136.152.255.255
172.16.0.0 - 172.31.255.255 
10.16.0.0 - 10.255.255.255

Any other internet traffic travels normally over the client's off-campus connection, with the source IP address assigned by the client's ISP.

In contrast to the split tunnel, with a group with a full tunnel *all* internet traffic traverses the VPN, regardless of its destination, and all source traffic appears to have a UCB IP address.

Some Library-subscribed database applications depend on source IP address for authentication purposes. Note that if the authentication component of a database is hosted by a third-party (not UCB), then a split-tunnel VPN may not be an appropriate access solution. Another option in these cases is to use the Library's proxy web server service to provide access to patrons using non-campus IP addresses: http://www.lib.berkeley.edu/Help/connecting_off_campus.html.

A group with a full tunnel may be a useful option where the Library Proxy Service runs into limitations (for example, it can address the need to reach some databases or applications that use non-web-based protocols for access like Z39.50/Endnote). In these cases, reaching the desired application (a non-UCB IP address) is dependent on your IP address originating from UCB, so the full tunnel is helpful. A full tunnel option provides encryption where application level encryption (like ssl, ssh) is not possible. Although as described previously, if you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still between your workstation and the VPN concentrator.

Groups that make use of a full tunnel should be used with care. Traffic to any destination will appear to originate from a UCB IP address, and so is subject to the Campus Computer Use Policy: http://technology.berkeley.edu/policy/. Depending on the amount of traffic, and its destination, it may also prove to be slower than the use of the split tunnel.

Each UCB IP address assigned to a VPN client is taken from a pool that is dependent on the tunnel type according to the following ranges.

IPv4 Split Tunnel: 10.136.0.10 - 10.136.1.253
IPv4 Full Tunnel: 136.152.208.10 - 136.152.209.253
IPv6 Full Tunnel: 2607:f140:800:80::10 - 2607:f140:800:80::2f9

There is a 30 minute idle timeout limit, and a 1 day session timeout limit for all VPN tunnels.

Downloading, Installing and Configuring VPN Client Software

For information on where to download VPN client software and how to install it, please see the following knowledge base article.

https://kb.berkeley.edu/kb2665

Third Party Clients

IST does not recommend the use of VPN clients other than the officially distributed versions available via the knowledge base article https://kb.berkeley.edu/kb2665. Anyone who uses an unsupported client must assume full responsibility for supporting its use.

IST plans and tests future changes to the campus VPN service with respect to officially distributed clients only. Future changes in the campus VPN service may cause unsupported clients to stop functioning properly; therefore, an unsupported client that works today may not work tomorrow.

IST may choose not to troubleshoot a campus VPN problem specific to an unsupported VPN client. IST reserves the right to not make custom changes to the campus VPN service to accommodate unsupported clients. You may use an unsupported client with the campus VPN service provided that you accept these conditions, the client meets minimum security standards, and the client does not cause operational problems for other users of the campus VPN service.

More Info

For help and further information, check the links from the knowledge base page listed above. Links to common configuration questions are available from those pages.

To report problems with the VPN service, please contact the IST Service Desk.

UCB Home | IST Home | IST Services