What to Expect
Submitted by dan on Wed, 11/02/2011 - 12:43
When you connect using the VPN client, there are a few circumstances in which things behave differently. This list is an attempt to mention some of those differences as well as some best practices for using the VPN.
- Travel. If you are planning to travel, please be sure to install and test the VPN client before you leave campus. It is much more difficult to troubleshoot a client installation when you are far away on a public network.
- Connect Time. It is recommended that you disconnect your VPN session when you complete your work. While a session can theoretically last for days, it will be disconnected by any connectivity issues between your computer and the VPN endpoint on campus. The VPN protocol does send occasional "keepalive" messages to make sure the network connection is still in place; if it fails to receive these messages for a short period of time, it will disconnect. This means that any significant service disruption in your wireless network, your DSL/cable provider, the internet providers, or the Georgia Tech network will cause your VPN to disconnect. It's best to disconnect in a controlled fashion when you're done with it rather than wait for a random circumstance to do it in the middle of the night.
- Computer Safety. The VPN service is intended to connect computers that are owned by you or by Georgia Tech. Its use requires the installation of software using an account with administrator permissions and also requires the machine to have appropriate anti-virus, anti-spyware, and firewall software in place so that the machine is not a danger to the rest of the campus network community. Please don't attempt to install the client software on computers that you don't administer.
- Computers that Provide Services. Any network services your client offers to other systems will likely become unavailable while the VPN client connection is active. In addition, we explicitly block incoming connections to client machine services, so you will not be able to provide services via the Georgia Tech IP address assigned to your VPN session.
- Licensing and Export. The Cisco VPN Client software is licensed for use with the OIT VPN service and you may install it on both personally-owned and institute-owned equipment. Cisco specifies this software as "unrestricted" in terms of US export compliance, but we have no information on import compliance in countries other than the US.
- Reliable connection. Use of the VPN client requires a reliable network connection. As described under Connect Time, the client and server exchange keepalive messages, and if too many in a row are lost the client disconnects. A VPN cannot improve poor connectivity: if your link is flaky before you connect, it will be just as flaky inside the tunnel, and the tunnel itself will drop whenever the link does.
- Wireless connections. Use the VPN client when on a wireless network, especially a public one. The VPN encrypts all of your traffic between your computer and the campus VPN endpoint, so even if an eavesdropper breaks the wireless network's security (which is often not hard to do), the content of your traffic remains unintelligible to them. What they can still see is that your computer is talking to the Georgia Tech VPN and roughly how much; and traffic that leaves campus for the wider internet is protected only as far as the tunnel carries it.
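The keepalive behaviour described under Connect Time and Reliable connection, simulated as an added example. This is not the Cisco client's or OIT's code; the 10 second interval and the three-miss threshold are assumptions, since the page does not give the client's real values. It shows why isolated packet loss is survivable while a sustained outage of the Wi-Fi, DSL/cable, ISP or campus path drops the tunnel.

```python
"""Dead-peer detection over a lossy path: a short blip survives, a sustained
outage tears the tunnel down. Added example; not Cisco's or OIT's code.
KEEPALIVE_INTERVAL and MAX_MISSED are illustrative assumptions."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional

KEEPALIVE_INTERVAL = 10   # seconds between keepalives (assumption)
MAX_MISSED = 3            # consecutive unanswered keepalives before disconnect (assumption)


@dataclass
class TunnelState:
    connected: bool = True
    missed: int = 0                       # consecutive unanswered keepalives so far
    disconnected_at: Optional[int] = None
    events: List[str] = field(default_factory=list)


def run_keepalive(link_up: Callable[[int], bool], duration: int,
                  interval: int = KEEPALIVE_INTERVAL,
                  max_missed: int = MAX_MISSED) -> TunnelState:
    """Send a keepalive every `interval` seconds for `duration` seconds.

    `link_up(t)` says whether the underlying path can carry the keepalive and
    its reply at time t. Any answered keepalive resets the miss counter;
    `max_missed` consecutive misses disconnect the tunnel, as the page describes.
    """
    st = TunnelState()
    for t in range(0, duration + 1, interval):
        if link_up(t):
            if st.missed:
                st.events.append(f"t={t}: reply received, counter reset after {st.missed} miss(es)")
            st.missed = 0
        else:
            st.missed += 1
            st.events.append(f"t={t}: keepalive unanswered ({st.missed}/{max_missed})")
            if st.missed >= max_missed:
                st.connected = False
                st.disconnected_at = t
                st.events.append(f"t={t}: dead peer detected, tunnel disconnected")
                break
    return st


def outage(start: int, end: int) -> Callable[[int], bool]:
    """Constructed scenario: the path is down for start <= t < end, up otherwise."""
    return lambda t: not (start <= t < end)


def every_nth_lost(n: int, interval: int = KEEPALIVE_INTERVAL) -> Callable[[int], bool]:
    """Constructed scenario: steady but isolated loss, every n-th keepalive unanswered."""
    return lambda t: (t // interval) % n != 0


if __name__ == "__main__":
    for label, link in [("20 s blip", outage(100, 120)),
                        ("60 s outage", outage(100, 160)),
                        ("1 in 4 lost", every_nth_lost(4))]:
        st = run_keepalive(link, 300)
        print(f"{label}: connected={st.connected} disconnected_at={st.disconnected_at}")
        for e in st.events:
            print("   ", e)
```

Run the file to see the three scenarios side by side: two misses in a row are forgiven, three are not, and one lost keepalive in four never disconnects because the counter resets each time a reply arrives.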
Other Information of Interest
- Security Model. The security model in place for this VPN is very similar to that used for the Residence networks; in other words, most services available to the Residence Hall residents are available to the VPN and vice versa. Although it may not be implemented in the initial versions, for the safety of the campus network we reserve the right to do a basic scan of client machines and to reject or terminate connections from dangerously compromised client machines.
- Not our location. There is no guarantee that this service will work from every possible location. Unfortunately Georgia Tech can't control network configurations outside its campuses. It is known that certain hotels, airports, wireless hotspots, and internet providers have configured their networks in such a way that outgoing VPN connections are not permitted. For this reason, you should not depend solely on the use of this service while traveling.
- Client software. Installing the client software should not affect the behavior of your machine; making a connection with the client software will definitely change its behavior.
- Moving to campus. Making a connection to campus with the VPN client completely changes the network access for your computer; it is nearly the equivalent of unplugging the computer from your home and plugging it into a network jack on the Georgia Tech campus. Fortunately, disconnecting the connection with the VPN client reverses these changes.
- Active connections. Making or breaking a VPN connection to campus interrupts all active network connections. If you are printing to a local network printer or are connected to a local file server, making a VPN connection will cut off those sessions (see Georgia Tech IP address below for what happens to them).
- Georgia Tech IP address. When connecting to campus using the VPN, your computer receives a new (additional) IP address from Georgia Tech. All of its network traffic is then routed through campus, and you will no longer have access to local network devices such as printers and file servers (there is one exception to this; see "Local Network Access"). Any existing network connections will appear to close. Strictly, they are only blocked while the VPN connection is active: if you disconnect quickly enough that packets can flow again before the connections time out, they will not actually terminate.
- Virtual Machines. Some users report excellent results using VMware or another desktop virtualization product. They provision a virtual client machine and install the Cisco VPN client software on the VM. When the VM connects with the VPN client, the host system keeps all its usual network connectivity and behavior while the client in the VM gets access to the Georgia Tech network. Data can be shared between guest and host through the file system or via screen copy/paste. Note that the VM is then the computer connected to campus, so the Computer Safety requirements above (anti-virus, anti-spyware, firewall) apply to it, and anything you copy to the host leaves the tunnel: the host's own traffic is not protected by the VPN.
- Performance. There is a certain overhead and latency introduced by the cryptography that the VPN protocol requires. While it is quite capable of performing at cable/DSL/wireless speeds, this VPN implementation is probably not suitable for high-performance networking (100Mb/sec+) or huge file transfers (1GB+). You will not see good performance and you will probably impact other users in the community. If you have high-speed connectivity between endpoints and you need to use VPN technology, OIT can help you with the selection of dedicated equipment.
- LAWN. There is a pre-authorized "hole" in the GTwireless LAWN gateway which permits you to connect to the VPN without needing to log in to the LAWN login page. Logging directly into the VPN instead of LAWN saves a step while providing firewall and session accountability just like LAWN. It also routes all your traffic through an encrypted tunnel over the wireless portions of the network, which greatly reduces the chance that someone can eavesdrop on the content of your traffic. And yes, the LAWN folks know we're doing this; they graciously provided the "hole" for us.
- Dynamic DNS. If your computer is also running a dynamic DNS client when you make a VPN connection, it will likely re-register your campus VPN address with the DDNS service. This is generally undesirable, especially if you have a router which makes other systems on your home network available to the internet, since changing your DDNS address will mis-route connections to those systems, too. We recommend that you (1) temporarily stop your DDNS client when using the VPN, (2) run your DDNS client on a different computer, (3) run the VPN client in a virtual machine as described under Virtual Machines above, so that the host's address does not change, or (4) run your DDNS client on a DDNS-capable DSL/Cable router.
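The route change described under Moving to campus and Georgia Tech IP address, which is also why a Dynamic DNS client picks up the campus address, modelled as an added example. This is not the Cisco client's or OIT's code. The addresses, interface names and the VPN endpoint address 203.0.113.10 are made up for illustration, and withdrawing the local LAN route is a simplification of however the real client enforces full-tunnel mode.

```python
"""Route selection before and after a full-tunnel VPN connects.

Added example; not the Cisco client's or OIT's code. Addresses, interface
names and the campus endpoint are made up (203.0.113.0/24 and 198.51.100.0/24
are documentation ranges)."""

import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, int]  # (prefix, interface, metric)

# Constructed home network: one Wi-Fi interface; printer and file server on the LAN.
HOME_ROUTES: List[Route] = [
    ("192.168.1.0/24", "wlan0", 100),  # local LAN (connected route)
    ("0.0.0.0/0",      "wlan0", 100),  # default via the home router
]
LOCAL_LAN = "192.168.1.0/24"
PRINTER = "192.168.1.50"
FILE_SERVER = "192.168.1.20"
WEB_SERVER = "198.51.100.7"       # some site on the wider internet (made up)
VPN_ENDPOINT = "203.0.113.10"     # campus VPN gateway's public address (made up)


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    best_key, best_iface = None, None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def with_tunnel(routes: List[Route], endpoint: str, local_lan: str,
                allow_local_lan: bool = False, tun: str = "tun0") -> List[Route]:
    """Routing table after connect, as modelled here (not the client's actual logic).

    - The endpoint itself is pinned to the physical path; otherwise the tunnel's
      own encrypted packets would be routed back into the tunnel.
    - A new default route sends everything else into the tunnel, so all traffic
      goes through campus and the computer behaves as if plugged in there.
    - In full-tunnel mode the local LAN route is withdrawn, which is why local
      printers and file servers become unreachable; allow_local_lan models the
      "Local Network Access" exception.
    """
    phys = lookup(routes, endpoint)            # interface the outer packets use
    new: List[Route] = [(f"{endpoint}/32", phys, 0), ("0.0.0.0/0", tun, 10)]
    for prefix, iface, metric in routes:
        if prefix == local_lan and not allow_local_lan:
            continue
        new.append((prefix, iface, metric))
    return new


def interrupted_flows(before: List[Route], after: List[Route], dsts: List[str]) -> List[str]:
    """Destinations whose egress interface changes. Sessions to them are blocked
    while the new table is in effect and resume only if the old table comes
    back before they time out, which is the behaviour the page describes."""
    return [d for d in dsts if lookup(before, d) != lookup(after, d)]


if __name__ == "__main__":
    vpn = with_tunnel(HOME_ROUTES, VPN_ENDPOINT, LOCAL_LAN)
    for name, dst in [("printer", PRINTER), ("web", WEB_SERVER), ("vpn endpoint", VPN_ENDPOINT)]:
        print(f"{name:13s} before: {lookup(HOME_ROUTES, dst)}  after: {lookup(vpn, dst)}")
    print("interrupted:", interrupted_flows(HOME_ROUTES, vpn, [PRINTER, FILE_SERVER, WEB_SERVER]))
    # A "what is my address" check made by a DDNS client on the host now leaves
    # via tun0 and is answered with the campus address: the Dynamic DNS problem.
```

Disconnecting is modelled simply as going back to HOME_ROUTES; every destination that was interrupted then flows over wlan0 again, and a session that has not yet timed out picks up where it left off.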