Split Tunnel May be an Option to Reduce Impact on Campus VPN Infrastructure and Internet Capacity
Many campuses require or advise their faculty and staff (and to a lesser extent, students) to utilize a VPN to securely access resources that are located on the campus (e.g., ERP systems used by administrators, research data sets including virus research, and learning resources that are not in the cloud).
VPNs can be configured to route all of the user’s traffic (both traffic to on-campus systems and the rest of the Internet) to the campus VPN server, or they can be configured to send only campus traffic to the VPN server. The latter, sending only campus traffic to the VPN server, is known as a “split tunnel” configuration.
Without split tunnel, traffic to services such as Zoom and Canvas will first travel to the campus VPN server, then it will use the campus’ connectivity to travel to its destination (e.g., traffic to Zoom would first travel to the campus network, then the regional network, then to Internet2). With a split tunnel, only traffic destined for resources within the campus network will travel to the VPN server, traffic to other sites, such as Zoom and Canvas will traverse the user’s normal commercial home connection.
Using split tunnels for off-campus users can improve their performance to services such as Zoom, as well as reduce the load on the campus VPN server. However there can be security tradeoffs. Some campuses may require that all traffic be directed to the on-campus VPN server so that it can be routed through devices such as firewalls and intrusion detection/prevention systems. Increased off-campus access via a VPN server may require additional capacity both for the VPN server and the number of licenses it supports.