Why Use VPN?
The Remote Access VPN (Virtual Private Network) service is designed to allow
CalNetID authenticated users to connect to the UC Berkeley network from
outside of campus, as if they were on campus, and encrypts the information
sent to the network.
When you use a VPN connection, it appears to systems on campus
that you are also on campus - you will have a UCB IP address
instead of the one you have at home (through your Internet Service Provider).
The VPN offers a way for authorized users to 'tunnel' in
to the campus network, to access UCB resources normally not
available from home machines, bypassing any port blocking at the
campus border. Note: traffic is encrypted from your workstation
through the network to the VPN concentrator hardware at UCB,
but at that point the traffic is un-encrypted and sent out over the
campus network. (If you are using software like ssh, your
traffic on the campus network remains encrypted.)
If you use a VPN connection from an *on-campus* location, the
encrypted part of your traffic is still between your workstation
and the VPN concentrator.
You may want to use a VPN connection if:
- you need access to restricted services.
- you use network protocols like NetBIOS to a host or service on campus. (some ports are blocked at the campus border.)
- you mount a Windows disk share from your work computer on your
You don't need to use a VPN connection if you check your
email via IMAP or POP. Downsides to using a VPN include:
- slows down your connection
- uses resources others could be using
- adds an extra step to connect to UCB
General Use VPN Groups
Several VPN groups are available for general use. Each general use
group has different characteristics. Some access restrictions apply to
certain groups based on the tunnel type; please see the Network
Service Eligibility Report for information on your eligibility. (Note: there is no grace period for Remote Access VPN service eligibility when your affiliation with UCB expires.) The following table lists the available groups and
|Group||Tunnel Type (IPv4)||Supported
|4-Campus_VPN_Split_Tunnel_v4_v6||Split Tunnel||IPv4 and IPv6||Experimental
|5-Campus_VPN_Full_Tunnel_v4_v6||Full Tunnel||IPv4 and IPv6||Experimental
The default tunnel group is 1-Campus_VPN. At present, the tunnel type
for the IPv6 protocol (when available via a group) is always full
tunnel independent of the IPv4 tunnel type. The groups that include
IPv6 are considered experimental due to a handful of compatibility
issues the vendor is working on. We encourage you to use the groups
that include IPv6 and report any problems you encounter if you are
interested in experimenting with them. Please understand that we may
not be able to resolve all problems with IPv6 support.
'Split Tunnel' vs. 'Full Tunnel'
When a client establishes a connection to the VPN concentrator, it is
assigned a UCB IP address. A group with a split tunnel means that any traffic
destined for an IP address in the following ranges will travel through the tunnel.
184.108.40.206 - 220.127.116.11
18.104.22.168 - 22.214.171.124
126.96.36.199 - 188.8.131.52
172.16.0.0 - 172.31.255.255
10.16.0.0 - 10.255.255.255
Any other internet traffic travels normally over the client's
off-campus connection, with the source IP address assigned by
the client's ISP.
In contrast to the split tunnel, with a group with a full tunnel *all*
internet traffic traverses the VPN, regardless of its destination, and
all source traffic appears to have a UCB IP address.
Some Library-subscribed database applications depend on source IP
address for authentication purposes. Note that if the authentication
component of a database is hosted by a third-party (not UCB), then
a split-tunnel VPN may not be an appropriate access solution.
Another option in these cases is to use the Library's proxy web
server service to provide access to patrons using non-campus IP addresses:
A group with a full tunnel may be a useful option where the
Library Proxy Service runs into limitations (for example, it can
address the need to reach some databases or applications that use
non-web-based protocols for access like Z39.50/Endnote). In these cases,
reaching the desired application (a non-UCB IP address) is dependent
on your IP address originating from UCB, so the full tunnel is helpful.
A full tunnel option provides encryption where application level
encryption (like ssl, ssh) is not possible. Although as described
previously, if you use a VPN connection from an *on-campus* location,
the encrypted part of your traffic is still between your workstation and
the VPN concentrator.
Groups that make use of a full tunnel should be used with care. Traffic to any
destination will appear to originate from a UCB IP address, and so is subject
to the Campus Computer Use Policy:
Depending on the amount of traffic, and its destination,
it may also prove to be slower than the use of the split tunnel.
Each UCB IP address assigned to a VPN client is taken from a pool that
is dependent on the tunnel type according to the following ranges.
IPv4 Split Tunnel: 10.136.0.10 - 10.136.1.253
IPv4 Full Tunnel: 184.108.40.206 - 220.127.116.11
IPv6 Full Tunnel: 2607:f140:800:80::10 - 2607:f140:800:80::2f9
There is a 30 minute idle timeout limit, and a 1 day session timeout limit for all VPN tunnels.
Downloading, Installing and Configuring VPN Client Software
For information on where to download VPN client software and how to
install it, please see the following knowledge base article.
Third Party Clients
IST does not recommend the use of VPN clients other than the
officially distributed versions available via the knowledge base
Anyone who uses an unsupported client must assume full
responsibility for supporting its use.
IST plans and tests future changes to the campus VPN service with
respect to officially distributed clients only. Future changes in the
campus VPN service may cause unsupported clients to stop functioning
properly; therefore, an unsupported client that works today may not
IST may choose not to troubleshoot a campus VPN problem specific to an
unsupported VPN client. IST reserves the right to not make custom
changes to the campus VPN service to accommodate unsupported
clients. You may use an unsupported client with the campus VPN service
provided that you accept these conditions, the client meets minimum
security standards, and the client does not cause operational problems
for other users of the campus VPN service.
For help and further information, check the links from the
knowledge base page listed above. Links to common configuration questions are available from
To report problems with the VPN service, please contact the IST Service Desk.