== Why we have a VPN I recently read [[Die, VPN! We're all "telecommuters" now http://arstechnica.com/business/consumerization-of-it/2011/10/die-vpn-were-all-telecommuters-nowand-it-must-adjust.ars]] (via Hacker News), which prompted me to think about why [[we http://cs.toronto.edu/]] have a VPN server for external access and why we're likely to keep it for the foreseeable future. What it boils down to is two factors. The major reason why we have a VPN because of limitations. We have a VPN because of insecure internal software that we can't expose to the Internet, because of a presumed lack of security of some of the machines on our network, and because we simply don't have enough public IPs to directly expose all of our machines on the Internet even if we wanted to. So, for example, in order to get access to our Samba server your IP address must be inside our firewall, and that's it. There's very little that we can do about these limitations (although I suppose the still theoretical advent of IPv6 will deal with the last issue). The minor reason is because any number of things do not have a better or at least more convenient authentication scheme than 'you have a University of Toronto IP address'. This includes both internal and external resources (such as access restricted journals that the UofT subscribes to). Even when there are additional magic ways of getting access to these things, having a UofT IP address remains the most convenient way for our users and our VPN means that they can have one regardless of where they actually are. (These two conveniences combined are why I set up an IPSec tunnel for my home machine so that it has an internal IP address.) === Sidebar: a little technicality I was careful to say 'for external access' up there, because we also use our VPN as part of our internal wireless infrastructure. We're required to authenticate all wireless access, and we also want as much wireless traffic as possible to be encrypted. The easiest way to do this is to get wireless users to immediately bring up a VPN connection, which creates both authentication and full encryption of wireless traffic. I think that this doesn't really count as a pro-VPN reason because it's effectively an implementation detail (and one that we could move away from with better wireless technology).