University Requiring Use of VPN

21 points by momothereal ↗ HN
My university now requires the use of a school-managed VPN on personal devices to access most student services outside campus.

It makes me super uncomfortable to have to install something so intrusive on a personal device, since it can capture any internet traffic without my knowledge and outside class hours. Somehow I find this worse than protractor software like Respondus privacy-wise...

According to the school, the only other alternative is to use campus Wifi (even though my uni is still doing all classes remote since Omicron). They do not and have never offered school-supplied laptops like companies usually do for secure connections.

I've never heard of another school doing this before. Have you?

28 comments

[ 5.3 ms ] story [ 70.8 ms ] thread
> My university now requires the use of a school-managed VPN on personal devices to access most student services outside campus.

> They do not and have never offered school-supplied laptops like companies usually do for secure connections.

One solution here, although you may not like it, is to obtain a second "personal device" and dedicate it to use with the school network. I.e., supply your own "school-supplied laptop" that is only used to access the school, and never used for any personal use.

Note -- this does not mean you have to buy a new laptop/desktop, a used/second-hand system that is a few years behind cutting edge is likely still more than enough for school use, while being significantly less expensive than a brand new system.

(comment deleted)
Quite common I believe [1], but typically Universities will not make their own VPN, but use some OTS component, and often those will have an open-source implementation if you would prefer to use that. If you're concerned, then only install the VPN on a VM and use that exclusively for accessing those services required.

[1] https://www.sheffield.ac.uk/departments/it-services/campus-o...

Yes I think I used vpnc for Sheffield a few years ago.

If, like Sheffield, they also require Duo, it is possible to use that without a phone or hardware token by extracting the HOTP secret from a real or fake phone/tablet registration. It's probably also possible to use that automatically with a free VPN client, like for ssh, but I've never bothered to try making it work.

I go to Loughborough University and we have Anyconnect with Duo. I use OpenConnect for the VPN and I wrote a little Rust tool[1] to extract the HOTP secret and use FreeOTP to generate the codes [since Bitwarden seems to only have TOTP, not HOTP :/]

[1]: https://github.com/videogame-hacker/duo-hotp-export

Most VPN's can be configured to only tunnel traffic to certain destinations. Maybe you can configure it to only tunnel traffic to university services?
My school was like this ten years ago. Pretty par for the course, imo.
Check on what level is the vpn implemented. If it is only for the school ip addresses, they will not have your traffic. Otherwise, you can access their services thorugh an vm as someone else proposed.
Disconnect the VPN when you don’t need it. I assume you can control the VPN client.

All schools and organizations I am familiar with use VPN for remote access. Some provide pre-set laptops to which users don’t have admin permission.

This is the standard way of securely connecting to internal resources.

This is not particularly uncommon for universities, as their networks tended to evolve as large and open "flat LANs" traditionally.

Almost all campus type VPNs are based on "standard-ish" VPN protocols, and have an open source and widely used client available for them. Note that you might need to delve a little into the configuration file to work out what it is. Common ones are Cisco vpnc, ipsec, etc.

At least on Linux, with Network Manager, one of the options when configuring a network interface (including a VPN) is to set the subnets that are reached via it. Most universities will have a /8 or /16 subnet, within which their internal services sit (assuming the services are on-premises). You can do a split route, so this subnet is reachable via the tunnel, but everything else is routed through your regular WAN connection.

Many universities are shifting towards cloud services like 365, where IP/VPNs are less necessary, so I guess that this is primarily for on-prem services, where they feel requiring VPN adds a layer of security beyond the (usually not spectacular) login form on the application itself.

If you need to use internal DNS to resolve IPs for campus-based resources (as public WAN DNS isn't good enough), you might need to go a little further in setting this up (run your own local resolver and use their DNS server, which is through the VPN tunnel, for resolving subdomains of their main domain), or use a VM (for an easy option).

> At least on Linux, with Network Manager, one of the options when configuring a network interface (including a VPN) is to set the subnets that are reached via it. Most universities will have a /8 or /16 subnet, within which their internal services sit (assuming the services are on-premises). You can do a split route, so this subnet is reachable via the tunnel, but everything else is routed through your regular WAN connection.

When I was in grad school, the VPN was mostly useful because it granted your access to most academic journals. Routing non university traffic around the VPN would probably break that.

You're right, but most universities also have a SSO-based proxy to let you do this, or alternatively have integration with an access federation.

That means you have to do an SSO (or have a browser session already authenticated through SSO), but you should still have access to journals and resources without using the VPN.

With Covid, I believe any that didn't do this have implemented it, so they weren't overloading their VPN routers with traffic. I've seen a few trying to remind people how to use resources via SSO and access federation, rather than VPN, just to reduce that load.

Same. My university required it. I just turned it off when I wasn't doing school-related stuff.
This is pretty common nowadays, for both schools and companies.

You can always turn the VPN off when you're not connecting to school resources.

I get why it feels a little weird, but you are connecting to the university private network. You always have the option to go to campus to access what you need. Really, you should be happy to have the option to use VPN and work from home.

That seems to be very widespread, at least in the UK, because security (regardless of no. 4 in the fallacies of distributed computing). There may be different setups for staff and students.

You can probably at least use a free software client, though that may require extracting some configuration info from whatever proprietary one they distribute. I use openconnect when I have to use the Palo Alto GlobalProtect one, and it appears to be a better option than the proprietary one, judging by the continual problems and update churn I see. openconnect also works with recent network-manager on GNU/Linux. You may ignore the pushed configuration and only tunnel traffic for the campus net and use external DNS.

[I once had to use the Cisco corporate VPN to evaluate the HPC gear they were trying to sell use, and was told as an HPC system manager that I had to get an MS Windows client to do that; sorry, no. From experience with a local old Cisco VPN elsewhere (use vpnc) I looked around for a solution and landed on openconnect then.]

I was using a VPN to connect to my university 18 years ago (Cisco AnyConnect, iirc)

You're only "on" the school network when you actually connect the VPN client

Don't want to be "on" the network? Don't VPN

It's not rocket surgery :)

VPN may be used as an artificial bottleneck. In large LAN-architecture with many services running you minimize the attack area when potential threat-actors first have to get access via VPN.
Unless you do not control when the VPN is on/off, they're no more intrusive than connecting directly to your University's wifi. As far as I know, it's pretty common since most universities have a lot of legacy infrastructure. A VPN is the easiest way for them to grant you access to certain services.

At my university, we could use any client we wanted. The school just provided the VPN endpoint. Minimally invasive.

There are some VPNs that do a "security scan" and require other nanny-type software to be present and working. And some places make it hard to use a 3rd party client via that security scan, or 2FA support, etc.
Even the ones that "security scan" like Cisco Secure Mobility Client still use just a cookie to authenticate you and standard protocols for the VPN itself. You can usually log into the web portal, snag the cookie, and then place it into something like OpenConnect. The server side just looks for an "okay" from whatever application was used to run the scan. This can be easily fooled by OpenConnect, assuming you know what response it's looking for.
>"easily fooled"

I've done it, and it's not easy, though it does work. To make it work in my environment, I had to use a golang proxy and a fair amount of messing around with certificates to see what all it's looking for. It's more than a cookie...it's a form post with keys/values that vary based on whatever the local vpn people decided.

See https://github.com/Gilks/hostscan-bypass for details.

some campus wifi networks require “security scan” software too.
It's a valid concern, though once you know which brand of vpn they are using, there is plenty of 3rd party documentation on what the problem areas are, how to work around them, etc.

If you're extra paranoid, you could just run the vpn client in a VM.

There are vpn clients, openvpn, for instance, that allow you to segment your ip space to either go thru, or not go thru the vpn. see vpn-slice
For whatever it’s worth, that’s how employers have done it for a decade or more. They’re a bit behind the times but I’m glad to hear it. The “everything is on the Internet” model Google champions is not as pragmatic for others.
I work at a university that's heading in this direction. Reason being is that our services are constantly being attacked. Putting them behind a firewall helps a lot. You don't have to run the VPN when you're not doing school related stuff so i don't see it as a big problem and IT doesn't care what you're doing. Also, I'd wager that their VPN supports split tunneling so university related traffic is the only thing going over VPN.
This is quite common, infact this has been the original purpose of VPN software all the way through, You don't need to route all packets thru the tunnel either, you can usually route to a subset of IPs in most VPN software.