Virtual Private Network (VPN) - Computing Services Centre

Virtual Private Network (VPN)

Introduction of VPN

Connection Setup Guide

FAQ

What is VPN? 

The Virtual Private Network (VPN) has risen fast to become a major networking technology in just a few years. With a VPN, you can send data, via a shared or public network in a manner that emulates a point-to-point private link, between two networks (routers), between two servers, or between a client and a server. In this article, we will focus only the VPN connection mode between a client and a server. In this mode, the remote PC (installed with a VPN client software) utilizes existing telecommunications infrastructures (e.g., phone lines, broadband services, dedicated Internet link, etc), and a tunneling protocol (incorporated with other authentication and encryption protocols) to securely access resource inside the corporate Intranet through a VPN server which sits at the perimeter of the corporate network.

The following diagram depicts the VPN connection:

VPN connection diagram

Why use VPN? 

By using VPN, enterprises can use the same un-trusted public networks operated by the Internet Service Provider without ever the need of any additional expensive private communication link to securely connect remote users' computers to the corporate network. Moreover, as the remote computer will be authenticated and the data exchanged with the VPN server are encrypted, hence, once a VPN connection has been successfully formed, the remote computer can be trusted by all local computers on the corporate LAN and logically be treated as a local computer.

How VPN works? 

To make use of the VPN, the remote computer (i.e., off-campus computers bearing non-corporate-owned IP addresses assigned by the Internet Service Provider (ISP)) must have the VPN client software installed. When connection to the corporate network is attempted, the VPN client software will first connect to the VPN server using a tunneling protocol (into which other authentication and encryption protocols have also been incorporated). After the remote computer has been successfully authenticated, a secure connection (secret tunnel) between it and the VPN server will then be formed as all subsequent data being exchanged through this tunnel will be encrypted at the sending end and correspondingly decrypted at the receiving end of the tunnel. As such, the network tunnel between them, even though established through the un-trusted Internet, is still considered secure enough that the remote computer can be trusted by local computers on the corporate LAN. In fact, the remote computer will even be allocated with an IP address from corporate's IP address space by the VPN server once successfully authenticated so that other local computers can communicate with it via the VPN server using that IP address. It is this automatic IP address translation between ISP's IP address and corporate's IP address offered by the VPN server which makes the remote PC look like a local computer.

How CityU implements its VPN? 

Cisco VPN servers are installed between the perimeter firewall and the campus network.The VPN server is a dedicated network device that can handle hundreds of VPN connections in client/server mode simultaneously.

What is needed to remote access the campus network through VPN? 

To remote access CityU's Intranet through VPN, the remote PC must have the VPN client software installed. You can simply install the Cisco AnyConnect VPN Client or use the OS built-in L2TP VPN client to connect to the CityU VPN servers. See above "Connection Setup Guide" section for more information.

As the encapsulation and encryption process can add around 20-30 percent additional overhead, therefore, if you access campus services through VPN using a low speed connection, you can expect the service will be delivered slower. Nevertheless, they will still provide reliable file transfer and other basic remote access functions.

csc@cityu.edu.hk