How CU VPN Works
Understand how Cornell's VPN service connects you to the university's networks and services.
- CU VPN authenticates your identity and affiliation with Cornell using your NetID and password.
- Cornell-related traffic is sent through an encrypted "tunnel" to campus.
- Non-Cornell traffic follows your normal network path and does not enter the Cornell network.
- Campus resources "see" your VPN-connected system as a computer on campus with an IP address in the range 188.8.131.52 to 184.108.40.206.
- Non-campus resources see the IP address of whatever ISP you are using. As a result, use of CU VPN will not help when trying to log in to non-Cornell services that check IP addresses to allow access, such as some databases linked from Cornell Library.
Why don't computers outside see my computer as part of the Cornell network when I'm connected to CU VPN?
While you're connected through CU VPN, only traffic to and from Cornell resources is routed through CU VPN. Systems, sites, and servers outside Cornell continue to see your ISP's address. So if you're in a hotel room and connected to CU VPN while you check your Cornell email and place an order with an online retailer, you will appear to have a Cornell IP address to the mail service and, at the same time, the hotel ISP's IP address to the retailer.
This is a configuration called, variously, split tunneling or split horizon. In this mode, traffic destined for Cornell's networks is sent through the CU VPN tunnel. Traffic destined anywhere else is sent through your default Internet connection. For this reason, computers outside Cornell see you as part of your ISP's network.
The rationale behind split tunneling is that it's inefficient to route all your Internet traffic through CU VPN, receive it at Cornell, then send the results back to you. Not only would that create bandwidth concerns, it would bring privacy concerns as well.
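The routing decision behind split tunneling, modeled as an added example (not Cornell's code or configuration): a longest-prefix-match lookup over a route table where only campus prefixes point at the tunnel. All prefixes and addresses are constructed stand-ins from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges.
# They are stand-ins, not Cornell's real prefixes or pool addresses.
CAMPUS_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]
VPN_ADDR = "192.0.2.77"    # address the VPN assigns to the client
ISP_ADDR = "203.0.113.10"  # address the hotel or home ISP assigns


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # "vpn" or "default"
    seen_as: str     # source address the destination observes


def split_tunnel_table(campus_prefixes):
    """Default route stays on the ISP link; only campus prefixes use the tunnel."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), "default", ISP_ADDR)]
    table += [Route(ipaddress.ip_network(p), "vpn", VPN_ADDR) for p in campus_prefixes]
    return table


def select_route(table, destination):
    """Longest-prefix match, the rule an IP stack uses to pick a route."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in r.prefix]
    if not matches:
        raise LookupError(f"no route to {destination}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def audit(table, destinations):
    """Map each destination to (interface, source address it sees)."""
    result = {}
    for dest in destinations:
        route = select_route(table, dest)
        result[dest] = (route.interface, route.seen_as)
    return result


if __name__ == "__main__":
    sample = ["192.0.2.25", "198.51.100.127", "198.51.100.128", "203.0.113.200"]
    for dest, (iface, seen) in audit(split_tunnel_table(CAMPUS_PREFIXES), sample).items():
        print(f"{dest:16} via {iface:8} seen as {seen}")
```

The two `198.51.100.x` destinations sit on either side of a prefix boundary, so one goes through the tunnel and the other does not. On a real client the same check is made by comparing the operating system's routing table against the expected campus prefixes.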