WiscVPN - Split Tunneling
This document explains the split tunneling feature of WiscVPN.
In a VPN context, "split tunneling" is the term used to describe a multiple-branch networking path. A tunnel is split when some network traffic is sent to the VPN server and other traffic is sent directly to the remote location without passing through the VPN server.
Split Tunneling Enabled vs. Disabled
With WiscVPN, traffic being sent to an on-campus IP address always goes through the campus VPN server; only traffic bound for an off-campus location is affected by split tunneling:
If split tunneling is disabled, non-UW traffic will detour through the same encrypted campus VPN tunnel as campus-bound traffic.
If split tunneling is enabled, non-UW traffic will go directly to its location without needing to detour through campus, with its path splitting off from that of campus-bound traffic.
Whether a WiscVPN connection uses split tunneling or not is determined by server-side configuration and client-side connection entries.
In the diagram above, the laptops represent your computer, and the webpages on the right represent the servers your machine is accessing. This can include websites, shared drives, and remote desktop connections. The first section shows your network traffic with split tunneling enabled. When you connect to a UW server, your traffic will be encrypted through WiscVPN before it reaches its destination. Regular traffic (e.g. searching Google) will pass directly to the destination server without going through WiscVPN.
The second section shows your network traffic with split tunneling disabled. All your network traffic will be encrypted through WiscVPN.
WiscVPN Connection Entries
Connection entries with split tunneling disabled are:
- IP-pool (WiscVPN-OnCampus)
- IP-static (WiscVPN-OnCampusStatic)
While these entries have split tunneling enabled:
- IP-pool-OffCampus (WiscVPN-OffCampus)
- IP-static-OffCampus (WiscVPN-OffCampusStatic)
Please note that pool=dynamic. Check the "See Also" section for more information on the difference between static and dynamic connections.
For most situations, users who are connecting from on campus are encouraged to use one of the OnCampus connections (split tunneling disabled) unless they encounter problems. Using the OffCampus connections while physically located on campus may result in needing to authenticate twice for some resources (e.g. UWNet), as users must authenticate once on WiscVPN and once more for the specific resource.
If connecting from an off-campus location, it is generally recommended that users connect with one of the OffCampus connections (split tunneling enabled), as this prevents the unnecessary use of the campus network for non-UW traffic. However, a user may have the desire to protect all traffic being sent to and from their machine, particularly if they are working with sensitive data. In this case, best security practices dictate they use one of the OnCampus connection entries in order to ensure all traffic first passes through the encrypted VPN tunnel.