
Split Tunneling


Note: Advanced content

This page provides technical details about networking paths used by clients with VPN connections. It's intended for advanced users and for system administrators.

You don't need to know any of the information on this page in order to successfully connect to the VPN server; it's here for those who need a look "under the hood," so to speak.

Introduction

A split tunneling configuration allows intelligent determination of how to handle data being sent to different locations, whether to UIUC or elsewhere on the Internet. For users of a split-tunneling-compatible VPN configuration, this can provide a performance boost for computing and networking speed.

If a packet is being sent to a non-UIUC location, the split tunnel reduces the work required of your computer and network connection because the packet is sent straight to its target in its normal, unencrypted state. It is not encrypted by your computer, sent through the campus firewalls, decrypted on the VPN server, and sent back out through the campus firewalls before reaching its destination.

However, in instances where the communication target is the UIUC network, the VPN system will still provide the remote users with a secured path into the UIUC campus, as well as the benefits of being assigned an on-campus IP address in order to communicate with systems that block communication with off-campus IP addresses. (For more information about when and why remote wired users need VPN access to the UIUC network, see VPN for Wired Users.)

If you are a Library patron using the VPN from off campus, you may wish to disable split tunneling. Using the special Library profile (with split tunneling disabled) assigns off-campus users an on-campus IP address so that you retain access rights to special Library resources that are available only to computers with on-campus IP addresses. More information is given on the Library Profile page.

What is split tunneling?

In a VPN context, split tunneling is the term used to describe a multiple-branch networking path. A tunnel is split when some network traffic is sent to the VPN server and other traffic is sent directly to the remote location without passing through the VPN server.

(For the UIUC network, in the cases where split tunneling is implemented: Traffic being sent to an on-campus IP address goes through the VPN server, and traffic being sent to an off-campus location goes directly to its location without needing to detour through campus.)

What decides whether traffic is sent to the VPN server or straight to its destination?

The VPN server tells the client whether split tunneling is implemented for the client's active profile and, if so, what traffic to tunnel. This determination is made based on client type and configuration and the IP address of the traffic's destination.

  • UIUCnet Wireless traffic intended for a non-wireless destination always goes through the VPN server.
  • Traffic from Movian and Netlock clients always goes through the VPN server.
  • For Cisco VPN client users connecting from any third-party ISP, whether your non-UIUC network service is a wired network or a wireless network:
    • Any traffic being sent to a location within the UIUC campus IP range will be sent through the campus VPN server.
    • Any traffic being sent to a location that is not within the UIUC campus IP range will be sent straight to its destination.

How is CITES implementing split tunneling?

For UIUCnet Wireless users:

Split tunneling will not be implemented on the UIUCnet Wireless network. All traffic that leaves the wireless network will pass through the VPN server.

However, for the wireless network, local LAN access can be enabled on the VPN client. This means that VPN client users on the wireless network will still be able to directly talk to other computers on the wireless network without having those communications pass through the VPN server. (Users must enable local LAN access in their connection profile for this to work.)

For Netlock (pre-Mac OS X) and Movian (handheld) VPN client users:

Whether you are connecting from a wired location or a wireless location, split tunneling is not implemented for Netlock and Movian client users. All traffic coming from these clients will go through the VPN server, whether it is intended for an on-campus or off-campus location.

For wired users coming from a third-party ISP using the Cisco VPN client:

If you are a user coming from a third-party ISP and using the Cisco VPN client to connect, split tunneling is available to you. Split tunneling will be used when you connect with the standard off-campus/wired VPN profile (which is distributed alongside the VPN client software).

When users are connected using this configuration, each network connection can be made in one of two ways.

  • Off-campus communication: When your computer is connected to the VPN server with split tunneling enabled, and you connect to a location that is off campus, the VPN client does not interfere in any way with your network connection. To the target computer, you will appear to be communicating from your original location, not the VPN client IP range. You will communicate directly with that machine. As described above, this may provide a performance boost for remote users, since traffic may take a shorter path to the destination and will not be subject to the CPU overhead of encryption on the client computer and decryption on the VPN server.

  • On-campus communication: Connections to a computer within the UIUC network will be routed through the VPN tunnel to the campus VPN server. This means that to any computer in the UIUC network, you will appear to originate from an IP address inside the firewalls. Many UIUC systems provide more access and more information to systems within the firewalls than to systems from an outside IP address. (For more information about when and why remote wired users need VPN access to the UIUC network, see VPN for Wired Users.)

  • Disabling split tunneling for access to off-campus Library resources: If a computer is accessing a service that is outside UIUC IP address space but needs to be accessed from a UIUC IP address, the split tunneling profile will not serve your purposes. See the Library Profile page for more information.
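The following is an added example, not CITES code or the Cisco client's logic. It models the per-destination decision described in "What decides whether traffic is sent to the VPN server" and the profile behaviours above (full tunnel for wireless, Netlock and Movian; split tunnel for the wired Cisco profile; local LAN access on wireless; the Library profile), and also reports which source address the destination sees. The campus range and VPN pool address are constructed placeholders from the TEST-NET blocks, not the real UIUC addresses.

```python
# Added example: model of how a VPN client with a pushed profile decides,
# per destination, whether a packet enters the tunnel or goes out directly.
import ipaddress

# Constructed placeholders: the real UIUC campus range and VPN address pool
# are not reproduced here.
CAMPUS_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
VPN_POOL_ADDR = "192.0.2.200"   # on-campus address the VPN assigns the client

# Tunnelling policy per profile, as the page describes it. "local_lan"
# models the user having enabled local LAN access in the profile.
PROFILES = {
    "wired-cisco": {"split": True,  "local_lan": False},
    "wireless":    {"split": False, "local_lan": True},
    "netlock":     {"split": False, "local_lan": False},
    "movian":      {"split": False, "local_lan": False},
    "library":     {"split": False, "local_lan": False},
}

def route_for(profile_name, dst, client_addr, local_subnet=None):
    """Return (path, apparent_source) for one destination address.

    path is 'tunnel', 'direct' or 'local-lan'; apparent_source is the
    address the destination host sees the traffic coming from.
    """
    profile = PROFILES[profile_name]
    dst_ip = ipaddress.ip_address(dst)

    # Local LAN access: peers on the client's own subnet are reached
    # directly even when all other traffic is tunnelled.
    if profile["local_lan"] and local_subnet is not None:
        if dst_ip in ipaddress.ip_network(local_subnet, strict=False):
            return ("local-lan", client_addr)

    # Full tunnel: every packet is encrypted and sent to the VPN server,
    # which forwards it from the client's assigned on-campus address.
    if not profile["split"]:
        return ("tunnel", VPN_POOL_ADDR)

    # Split tunnel: only campus destinations detour through the server.
    if any(dst_ip in net for net in CAMPUS_RANGES):
        return ("tunnel", VPN_POOL_ADDR)

    # Off-campus destination: original routing and identity, unmodified.
    return ("direct", client_addr)

if __name__ == "__main__":
    for prof in ("wired-cisco", "wireless", "library"):
        for dst in ("192.0.2.10", "198.51.100.7"):
            print(prof, dst, route_for(prof, dst, "203.0.113.5"))
```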

How safe is split tunneling?

The safety of split tunneling to an off-campus location is identical to your ordinary, non-VPN network's safety, since it uses your non-VPN network identity and routing in unmodified form.

The safety of split tunneling to an on-campus location is identical to the UIUC network's safety, since you will be operating within the UIUC campus firewalls and filters.

In a corporate environment with tight firewall rules and strong policies on computer security, split tunneling may represent a greater risk to the secured network. However, given the open nature of computing on campus, split tunneling does not significantly increase the risk posed to campus by VPN users. Split tunneling is no less safe for the client computer than connecting to the Internet without the VPN client running.

Last modified August 18, 2006