How CU VPN Works
Understand how Cornell's VPN service connects you to IT resources hosted on campus.
- CU VPN authenticates your identity and affiliation with Cornell using your NetID and password.
- Traffic to and from Cornell IT resources hosted on campus is sent through an encrypted "tunnel" to campus.
- All other traffic goes over your local Internet connection and does not use the encrypted VPN tunnel.
- Cornell IT resources hosted on campus "see" your VPN-connected system as a computer on campus with an IP address in the range of 18.104.22.168 - 22.214.171.124 or 10.41.224.0 - 10.41.255.255 for the General Pool. Department VPN pools are in the range of 10.17.0.0 – 10.18.255.255.
- Internet or cloud-based resources see the IP address of your local Internet connection. As a result, use of CU VPN will not help when trying to log in to non-Cornell services that check IP addresses to allow access, such as some databases linked from Cornell Library.
Why don't computers outside see my computer as part of the Cornell network when I'm connected to CU VPN?
While you're connected through CU VPN, only traffic to and from Cornell IT resources hosted on campus is routed through the encrypted VPN tunnel. Internet or cloud-based resources will see the IP address of your local Internet connection. For example, suppose you're in a hotel room, connected to CU VPN, and you access an on-campus resource while also placing an order with an online retailer. The on-campus resource sees you with a Cornell IP address, while at the same time the online retailer sees the hotel Internet provider's IP address.
This is a configuration called, variously, split tunneling or split horizon. The rationale behind split tunneling is that it's inefficient to route all your Internet traffic through CU VPN, receive it at Cornell, then send the results back to you. Not only would that create bandwidth concerns, it would bring privacy concerns as well.
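For anyone running an on-campus service, the pool ranges listed above are what show up as the source address of a VPN user. The following is an added example, not Cornell's own code: it converts the private pool ranges from this page into CIDR blocks and labels source addresses taken from access-log lines. The log format, the sample lines, and the function names are constructed for illustration, and only the 10.x ranges are used.

```python
import ipaddress

# First-last ranges exactly as stated on this page (private pools only).
POOL_RANGES = {
    "general": [("10.41.224.0", "10.41.255.255")],
    "department": [("10.17.0.0", "10.18.255.255")],
}

def pool_networks(ranges=POOL_RANGES):
    """Convert each first-last range into the minimal list of CIDR blocks."""
    return {
        pool: [
            net
            for first, last in spans
            for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last))
        ]
        for pool, spans in ranges.items()
    }

def classify(addr, nets=None):
    """Return 'general', 'department', 'non-vpn', or 'invalid' for one address."""
    nets = nets or pool_networks()
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    for pool, blocks in nets.items():
        if any(ip in block for block in blocks):
            return pool
    return "non-vpn"

def triage(log_lines):
    """Label the source address (second field, assumed format) of each log line."""
    nets = pool_networks()
    return [(line.split()[1], classify(line.split()[1], nets))
            for line in log_lines if len(line.split()) > 1]

# Constructed sample lines: timestamp, source address, request.
SAMPLE_LOG = [
    "2024-01-01T12:00:00Z 10.41.230.7 GET /reports",
    "2024-01-01T12:00:05Z 10.18.4.20 GET /reports",
    "2024-01-01T12:00:09Z 203.0.113.9 GET /reports",
]

if __name__ == "__main__":
    for pool, blocks in pool_networks().items():
        print(pool, [str(b) for b in blocks])
    for src, label in triage(SAMPLE_LOG):
        print(src, label)
```

The department range does not collapse into a single CIDR block, so an allow rule or log filter built from it needs two entries.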