The Remote Access VPN (Virtual Private Network) service is designed to allow CalNetID authenticated users to connect to the UC Berkeley network from outside of campus, as if they were on campus, and encrypts the information sent to the network.
Several VPN groups are available for general use. Each general use group has different characteristics. Some access restrictions apply to certain groups based on the tunnel type; please contact Campus Shared Services for information on your eligibility. (Note: there is no grace period for Remote Access VPN service eligibility when your affiliation with UCB expires.) The following table lists the available groups and their properties.
|Group||Tunnel Type (IPv4)||Supported Protocols||Support Level|
|4-Campus_VPN_Split_Tunnel_v4_v6||Split Tunnel||IPv4 and IPv6||Experimental|
|5-Campus_VPN_Full_Tunnel_v4_v6||Full Tunnel||IPv4 and IPv6||Experimental|
The default tunnel group is 1-Campus_VPN. At present, the tunnel type for the IPv6 protocol (when available via a group) is always full tunnel independent of the IPv4 tunnel type. The groups that include IPv6 are considered experimental due to a handful of compatibility issues the vendor is working on. We encourage you to use the groups that include IPv6 and report any problems you encounter if you are interested in experimenting with them. Please understand that we may not be able to resolve all problems with IPv6 support.
When a client establishes a connection to the VPN concentrator, it is assigned a UCB IP address. A group with a split tunnel means that any traffic destined for an IP address in the following ranges will travel through the tunnel.
188.8.131.52 - 184.108.40.206 220.127.116.11 - 18.104.22.168 22.214.171.124 - 126.96.36.199 172.16.0.0 - 172.31.255.255 10.16.0.0 - 10.255.255.255
Any other internet traffic travels normally over the client's off-campus connection, with the source IP address assigned by the client's ISP.
In contrast to the split tunnel, with a group with a full tunnel *all* internet traffic traverses the VPN, regardless of its destination, and all source traffic appears to have a UCB IP address.
Some Library-subscribed database applications depend on source IP address for authentication purposes. Note that if the authentication component of a database is hosted by a third-party (not UCB), then a split-tunnel VPN may not be an appropriate access solution. Another option in these cases is to use the Library's proxy web server service to provide access to patrons using non-campus IP addresses: http://www.lib.berkeley.edu/Help/connecting_off_campus.html.
A group with a full tunnel may be a useful option where the Library Proxy Service runs into limitations (for example, it can address the need to reach some databases or applications that use non-web-based protocols for access like Z39.50/Endnote). In these cases, reaching the desired application (a non-UCB IP address) is dependent on your IP address originating from UCB, so the full tunnel is helpful. A full tunnel option provides encryption where application level encryption (like ssl, ssh) is not possible. Although as described previously, if you use a VPN connection from an *on-campus* location, the encrypted part of your traffic is still between your workstation and the VPN concentrator.
Groups that make use of a full tunnel should be used with care. Traffic to any destination will appear to originate from a UCB IP address, and so is subject to the Campus Computer Use Policy: http://technology.berkeley.edu/policy/. Depending on the amount of traffic, and its destination, it may also prove to be slower than the use of the split tunnel.
Each UCB IP address assigned to a VPN client is taken from a pool that is dependent on the tunnel type according to the following ranges.
IPv4 Split Tunnel: 10.136.0.10 - 10.136.1.253 IPv4 Full Tunnel: 188.8.131.52 - 184.108.40.206 IPv6 Full Tunnel: 2607:f140:800:80::10 - 2607:f140:800:80::2f9
There is a 30 minute idle timeout limit, and a 1 day session timeout limit for all VPN tunnels.
For information on where to download VPN client software and how to install it, please see the following knowledge base article.https://kb.berkeley.edu/page.php?id=23065
IST does not recommend the use of VPN clients other than the officially distributed versions available via the knowledge base article https://kb.berkeley.edu/page.php?id=23065, Anyone who uses an unsupported client must assume full responsibility for supporting its use.
IST plans and tests future changes to the campus VPN service with respect to officially distributed clients only. Future changes in the campus VPN service may cause unsupported clients to stop functioning properly; therefore, an unsupported client that works today may not work tomorrow.
IST may choose not to troubleshoot a campus VPN problem specific to an unsupported VPN client. IST reserves the right to not make custom changes to the campus VPN service to accommodate unsupported clients. You may use an unsupported client with the campus VPN service provided that you accept these conditions, the client meets minimum security standards, and the client does not cause operational problems for other users of the campus VPN service.
For help and further information, check the links from the knowledge base page listed above. Links to common configuration questions are available from those pages.
To report problems with the VPN service, please contact the IST Service Desk.