Carnegie Mellon University
August 15, 2019

Using a Virtual Private Network at CMU

The Internet is one of the greatest advancements in modern technology. It delivers information, answers, entertainment, and connections to you on demand in a matter of seconds from anywhere on the globe at any time from desktop computers, laptops, smartphones, and tablets. However, the Internet is not perfect and has flaws that make users vulnerable when online. Surfing the web or making transactions on an unsecured network, such as public Wi-Fi, means you could be exposing your private information. A cybercriminal could eavesdrop on a user’s network activity if not using encrypted communications protocols such as HTTPS. One way to protect online activity is to use a Virtual Private Network (VPN).

What is a VPN?

When a user browses the Internet, every site that is visited, button that is clicked, and information that is entered is traced back to the IP address of that device which is assigned by the Internet Service Provider (ISP). When connected to a VPN, the user’s public IP address is hidden from the world. Instead, the IP address shown is the one the VPN substitutes in its place.

A VPN will mask the user’s IP address and provide some anonymity by creating a secure and encrypted private connection called a tunnel. This tunnel allows secure communications and the ability to extend local campus network access to off-site locations. As far as most websites are concerned, the user is browsing from the VPN server’s location, not the computer’s actual location.

There are two modes that VPNs can operate in: fully tunneled, and split-tunneled. When a VPN is fully tunneled *all* traffic goes to the VPN server first, then out to the internet. When connected to the library resources full tunnel VPN, your full network connection is encrypted through the CMU server and out to the Internet

When a VPN is split-tunneled, only *some* traffic is encrypted to the VPN server first, all other traffic goes directly to the service(s) requested. When a user connects to the General Use Split tunnel VPN the connection is encrypted only to campus IP addresses such as Andrew Printing and Windows File Shares

What addresses are tunneled through the VPN connection is part of the VPN settings, but usually includes only resources that belong to the company/service providing the VPN. Fully tunneled VPN connections have performance implications as well as costs to the organization providing the VPN server.


At Carnegie Mellon University, Cisco AnyConnect is the VPN client available for connecting to Carnegie Mellon’s VPNs. There are two primary VPNs available at CMU:
  • General Use Campus VPN- This split tunnel VPN will encrypt network traffic only going to campus IP addresses. You can access services on campus that are restricted to a campus connection (e.g. Windows file shares, Andrew printing)
  • Library Resources VPN- This full tunnel VPN will encrypt ALL Internet network traffic and allows access to library resources such as research databases.

You will need a VPN connection for the following:

  • Off-site access to an IP restricted service such as library databases
  • Applications that do not provide secure transfer of data from off-campus
  • Access to services on a restricted subnet

For more information on the Cisco AnyConnect VPN Client and instructions on how to download, please visit the Computing Services Virtual Private Networking webpage.