It makes me super uncomfortable to have to install something so intrusive on a personal device, since it can capture any internet traffic without my knowledge and outside class hours. Somehow I find this worse than proctoring software like Respondus privacy-wise...
According to the school, the only other alternative is to use campus Wifi (even though my uni is still doing all classes remote since Omicron). They do not and have never offered school-supplied laptops like companies usually do for secure connections.
I've never heard of another school doing this before. Have you?
At my university, we could use any client we wanted. The school just provided the VPN endpoint. Minimally invasive.
Almost all campus type VPNs are based on "standard-ish" VPN protocols, and have an open source and widely used client available for them. Note that you might need to delve a little into the configuration file to work out what it is. Common ones are Cisco vpnc, ipsec, etc.
At least on Linux, with Network Manager, one of the options when configuring a network interface (including a VPN) is to set the subnets that are reached via it. Most universities will have a /8 or /16 subnet, within which their internal services sit (assuming the services are on-premises). You can do a split route, so this subnet is reachable via the tunnel, but everything else is routed through your regular WAN connection.
Many universities are shifting towards cloud services like 365, where IP/VPNs are less necessary, so I guess that this is primarily for on-prem services, where they feel requiring VPN adds a layer of security beyond the (usually not spectacular) login form on the application itself.
If you need to use internal DNS to resolve IPs for campus-based resources (as public WAN DNS isn't good enough), you might need to go a little further in setting this up (run your own local resolver and use their DNS server, which is through the VPN tunnel, for resolving subdomains of their main domain), or use a VM (for an easy option).
When I was in grad school, the VPN was mostly useful because it granted you access to most academic journals. Routing non-university traffic around the VPN would probably break that.
That means you have to do an SSO (or have a browser session already authenticated through SSO), but you should still have access to journals and resources without using the VPN.
With Covid, I believe any that didn't do this have implemented it, so they weren't overloading their VPN routers with traffic. I've seen a few trying to remind people how to use resources via SSO and access federation, rather than VPN, just to reduce that load.
[1] https://www.sheffield.ac.uk/departments/it-services/campus-o...
If, like Sheffield, they also require Duo, it is possible to use that without a phone or hardware token by extracting the HOTP secret from a real or fake phone/tablet registration. It's probably also possible to use that automatically with a free VPN client, like for ssh, but I've never bothered to try making it work.
All schools and organizations I am familiar with use VPN for remote access. Some provide pre-set laptops to which users don’t have admin permission.
This is the standard way of securely connecting to internal resources.
You can probably at least use a free software client, though that may require extracting some configuration info from whatever proprietary one they distribute. I use openconnect when I have to use the Palo Alto GlobalProtect one, and it appears to be a better option than the proprietary one, judging by the continual problems and update churn I see. openconnect also works with recent network-manager on GNU/Linux. You may ignore the pushed configuration and only tunnel traffic for the campus net and use external DNS.
[I once had to use the Cisco corporate VPN to evaluate the HPC gear they were trying to sell us, and was told as an HPC system manager that I had to get an MS Windows client to do that; sorry, no. From experience with a local old Cisco VPN elsewhere (use vpnc) I looked around for a solution and landed on openconnect then.]
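Added example, not part of the thread: the split route suggested in the comments above (campus subnet through the tunnel, everything else over the regular WAN connection) can be verified from the routing table. This Python sketch parses constructed `ip -4 route show` output; the 10.20.0.0/16 campus subnet, the `tun0` and `wlan0` interface names and all addresses are assumptions.

```python
import ipaddress

# Constructed sample of `ip -4 route show` with a split-tunnel VPN up.
# 10.20.0.0/16 stands in for the campus subnet; tun0 is the VPN interface.
SPLIT_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 dev tun0 proto static scope link metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample of the same machine after accepting a pushed full tunnel.
FULL_ROUTES = """\
default dev tun0 proto static scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 dev tun0 proto static scope link metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

def parse_routes(text):
    """Return (network, device, metric) tuples from `ip -4 route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # blank line, or a route type with no egress device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes

def egress_device(routes, address):
    """Longest-prefix match; equal prefixes are decided by the lowest metric."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def tunnel_captures_default(routes, tunnel="tun0"):
    """True if a sample non-campus address (documentation range) uses the tunnel."""
    return egress_device(routes, "198.51.100.7") == tunnel

if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, "tunnel carries internet traffic:",
              tunnel_captures_default(parse_routes(table)))
```

On a real machine, replace the sample text with the output of `ip -4 route show` captured while the VPN is connected.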
If you're extra paranoid, you could just run the vpn client in a VM.
You're only "on" the school network when you actually connect the VPN client.
Don't want to be "on" the network? Don't VPN.
It's not rocket surgery :)
> They do not and have never offered school-supplied laptops like companies usually do for secure connections.
One solution here, although you may not like it, is to obtain a second "personal device" and dedicate it to use with the school network. I.e., supply your own "school-supplied laptop" that is only used to access the school, and never used for any personal use.
Note -- this does not mean you have to buy a new laptop/desktop, a used/second-hand system that is a few years behind cutting edge is likely still more than enough for school use, while being significantly less expensive than a brand new system.
You can always turn the VPN off when you're not connecting to school resources.
I get why it feels a little weird, but you are connecting to the university private network. You always have the option to go to campus to access what you need. Really, you should be happy to have the option to use VPN and work from home.