VPN, Networking Diagram
For IT Pros: This page contains advanced information about the campus Virtual Private Networking (VPN) system, which allows authenticated access to University of Illinois computing resources from any location.
Note: Advanced content
This page describes the behind-the-scenes routing that takes place when your computer makes a VPN-secured connection to the campus VPN server. It's intended for advanced users, for troubleshooters, and for system administrators.
You don't need to know any of the information on this page in order to successfully connect to the VPN server; it's here for those who need a look "under the hood," so to speak.
When a user first connects to UIUCnet Wireless or Walkup, the user's computer (pictured in blue above) connects to the uiuc-quickc-net network. A computer in this network is assigned an IP address in one of the IP ranges listed here.
Once the user authenticates and makes the encrypted connection to the VPN server, the VPN server handles unencrypted communication with the rest of the network and represents the original computer's identity as a part of the VPN-assigned network address range.
If your systems' users need access from off-campus locations you can permit authorized VPN users to access your systems by configuring the firewall(s) between your systems and the Internet as follows:
- Campus firewalls
Systems can be placed in any campus firewall group, including Fully Closed, and VPN users will be provided access through the campus firewalls. The VPN IP space is defined as on-campus IP space, and the campus perimeter blocks won't apply to VPN users.
- Departmental firewalls: IP ranges
If you wish to let VPN users access campus systems that are protected by a departmental firewall, configure your firewall to permit access from computers in the IP Range listed here.
(If you control printer access by IP address, make sure to update your printers as well.)
- Off-campus firewalls: Ports
If you manage a network that's located outside campus IP space, computers on that network will need specific ports opened in order to be able to maintain a connection with the VPN server and claim an on-campus identity. For more information about the ports involved, see Firewall Ports Used for VPN Connections.
Note that from the blue computer to the VPN server and back, all transmissions are encrypted. From the VPN server out to the rest of the campus or the world, communications are NOT encrypted. The goal of the VPN server is not to make transmissions end-to-end secure; the goal is to provide a secure connection from the computer off-campus back to campus, so that traffic traversing the Internet on it's way to campus is secure. This permits off-campus users to access resources on the campus network without revealing sensitive data such as login names and passwords to anyone close enough to "overhear" it.
The VPN server carries the transmissions securely into the wired part of the campus network. From that point on, however, the users' communications are subject to the same protections and vulnerabilities as any wired computer on the campus network. For more information, see Security and VPN.