In a university, people want to use our IPs even for external traffic

February 3, 2023

Suppose that your organization has a VPN server that people use to access internal resources that you don't expose to the Internet. One of the traditional decisions you had to make when setting up such a VPN server was whether to funnel all of a client's traffic over the VPN, no matter where it was going (a "full tunnel"), or to funnel only traffic for internal destinations and let everything else go out over people's regular Internet connections (a "split tunnel"). In many environments the answer is that the VPN server is only really for internal traffic; using it for external traffic is either discouraged or made impossible.

Universities are not one of those places. In universities, quite often you'll find that people actively need to use your VPN server for all of their traffic, or otherwise things will break in subtle ways. One culprit is the world of academic publishing, or more exactly online electronic access to academic publications. These days, many of these online publications are provided to you directly by the publisher's website. This website decides if you are allowed to access things by seeing if your institution has purchased access, and it often figures out your institution by looking at your IP address. As a result, if a researcher is working from home but wants to read things, their traffic had better be coming from your IP address space.

(There are other access authentication schemes possible, but this one is easy for everyone to set up and understand, and it doesn't reveal very much to publishers. Universities rarely change their IP address space, and in the before times you could assume that most researchers were working from on-campus most of the time.)

In an ideal world, academic publishers (and other people restricting access to things to your institution) could tell you what IP addresses they would be using, so you could add them to your VPN configuration as a special exemption (i.e. as part of the IP address space that should be routed through the VPN even though it isn't internal). In the real world there are clouds, frontend services, and many other things that mean the answer is large, indeterminate, and possibly changing at arbitrary times, sometimes out of the website operator's direct control. Also, the visible web page that you see may be composited (in the browser) from multiple sources, with some sub-resources quietly hosted in some cloud; the main site may see your university address while a sub-resource sees your home one. For sensible reasons, the website engineering team does not want to have to tell the customer relations team every time they want to change the setup and then possibly wait for a while as customers get on board (or don't).
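To make the routing argument concrete, here is a small model of the two tunnel policies against a publisher that authorizes purely on source IP. This is an added example, not code from the original post; every address is constructed from the RFC 5737 documentation ranges, and the "announced range" and CDN-hosted sub-resource are hypothetical stand-ins for the situation the paragraph above describes. The routing decision itself (longest-prefix match over a route table) is the real mechanism a client's kernel uses.

```python
"""Why split-tunnel VPN routing breaks IP-based journal access.

Added example (not from the original post). All addresses are constructed
from the RFC 5737 documentation ranges; the roles assigned to them are
hypothetical.
"""
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

# Constructed: the university's public address space. The publisher has this
# on file as "subscribed institution" and authorizes purely on source IP.
UNIVERSITY_NETS = [IPNet("198.51.100.0/24")]

VPN_EGRESS_IP = IPAddr("198.51.100.7")   # what a server sees for traffic sent via the VPN
HOME_IP = IPAddr("203.0.113.42")         # the researcher's home ISP address

# Constructed: the range the publisher could announce to customers, plus a
# CDN-hosted sub-resource (PDF viewer, figures) outside that range.
PUBLISHER_ANNOUNCED = IPNet("192.0.2.0/25")
PUBLISHER_MAIN = IPAddr("192.0.2.10")    # inside the announced range
PUBLISHER_CDN = IPAddr("192.0.2.130")    # outside it

# Route tables as (destination network, where it goes). "vpn" means the
# packet leaves from VPN_EGRESS_IP; "isp" means it leaves from HOME_IP.
FULL_TUNNEL = [
    (IPNet("0.0.0.0/0"), "vpn"),        # everything through the university
    (IPNet("192.168.1.0/24"), "isp"),   # except the home LAN (printer, NAS)
]
SPLIT_TUNNEL = [
    (IPNet("0.0.0.0/0"), "isp"),        # default: the regular Internet connection
    (IPNet("10.0.0.0/8"), "vpn"),       # internal resources
    (IPNet("198.51.100.0/24"), "vpn"),  # the university's public space
    (PUBLISHER_ANNOUNCED, "vpn"),       # the special exemption from the post
]


def egress_address(dest, routes):
    """Longest-prefix match: the most specific route covering dest wins,
    exactly as a host's routing table decides. Returns the source address
    the destination server will see."""
    matches = [(net, via) for net, via in routes if dest in net]
    if not matches:
        raise ValueError(f"no route to {dest}")
    _net, via = max(matches, key=lambda entry: entry[0].prefixlen)
    return VPN_EGRESS_IP if via == "vpn" else HOME_IP


def publisher_allows(client_ip):
    """The publisher's check: is the source address in a subscribed institution's space?"""
    return any(client_ip in net for net in UNIVERSITY_NETS)


def page_loads(routes, resources=(PUBLISHER_MAIN, PUBLISHER_CDN)):
    """Per-resource access result for a page composited from several origins.
    The article only renders cleanly if every entry is True."""
    return {str(r): publisher_allows(egress_address(r, routes)) for r in resources}


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}: {page_loads(table)}")
```

Under the full tunnel both fetches arrive from the university's space and succeed; under the split tunnel the front door is exempted and works, but the sub-resource falls through to the default route, arrives from the home address, and is refused. That is the "subtle breakage" the post describes, and the exemption list has to be updated every time the publisher moves anything.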

Our VPNs default to sending all of people's traffic through us. At one point we considered narrowing this down (for reasons); feedback from people around here soon educated us that this was not feasible, at least not while keeping our VPN really useful to them. When you're a university, people want your IPs, and for good reasons.

Last modified: Fri Feb 3 23:21:38 2023