Photo: University of Turku/Suvi Harvisalo

eduVPN case study: University of Turku improved the performance and security of remote access systems

As of January 2025, more than 250 universities and research institutions use eduVPN as their corporate VPN solution. But why did they choose this software? We asked Tuukka Vainio from the University of Turku about this.

Previous VPN experience and requirements

The University of Turku is an active international academic community in Southwest Finland. Established in 1920, the institution has 8 faculties and 4 independent units, with approximately 22,000 students and around 3,400 staff members.

We had been a long-time user of a commercial VPN system for the university’s VPN solution. The hardware solution was slow and constantly had security vulnerabilities. In fall 2023, we were surprised to learn that our hardware had fallen out of support, despite our belief that we had a model with longer support. Because we could not obtain security updates, we were anxiously following the situation with ransomware gangs hacking organisations through these VPNs. Luckily, we had hardened the devices to minimise vulnerable functionality, and only used them as a VPN gateway, which helped us avoid being attacked through the VPN. SSL VPNs have had a rough time over the last few years, with nearly every commercial solution experiencing significant issues caused by a legacy code base that is no longer actively developed.

Although the university was prepared for high VPN usage, actual adoption remained low until COVID-19 in 2020. Anticipating rising demand, we began exploring alternatives even before the pandemic, but the low performance of commercial VPN concentrator solutions led us to try out IPsec-based options in 2020. Ideally, we aimed to use the VPN client built into operating systems to avoid deploying and maintaining our own VPN client or third-party clients across various platforms.

Authentication plays a significant role in the security of a VPN solution. While IPsec is an adequate protocol, it does not support web-based single sign-on (SSO) for multi-factor authentication (MFA). Client certificates were considered, but they do not scale effectively in a heterogeneous academic environment where bring-your-own-device (BYOD) usage prevails. We also excluded solutions priced per user (the multiplier associated with personnel and students is too high for any price) or cloud-based solutions, since we mainly operate on campus with on-premises services.

We had several key requirements that needed to be fulfilled, so we wanted to:

  • use public IP addresses for tracking and to avoid NAT;
  • have multiple nodes for load balancing and fault-tolerance;
  • offer web-SSO and MFA for authentication to our users;
  • provide access management that supports separating group members by their own IP addresses;
  • benefit from wide client support;
  • get high performance and coexistence with Microsoft’s Always-On VPN (because we also use Microsoft’s IPsec-based Always-On VPN to connect Windows laptops to our essential services when outside our campus network).

Choosing eduVPN as the solution

We initially evaluated eduVPN in 2020 as a remote access solution for labs, so we knew that it was flexible and suited to our environment. Since security should be the primary requirement for any security solution, seeing that eduVPN had been audited multiple times with public results was encouraging. When have you read an audit report for a commercial VPN system?

eduVPN also has good client support, which is very important for an academic organisation like a university.

Having in mind the requirements mentioned above, we set up a test environment to try out everything. CSC, the Finnish NREN, has organised a chat for eduVPN users, but we went straight to the eduVPN developers for support. The developers in IRC’s #eduvpn channel were really helpful in understanding how eduVPN works and how it should be configured.

We are particularly keen on the new support for the WireGuard protocol. WireGuard, a modern and simplified VPN protocol, presents a reduced risk of vulnerabilities and offers better throughput and lower latency compared to IPsec. Its stateless nature also enables seamless roaming even when the underlying connection changes or has packet loss. WireGuard uses UDP natively, and the eduVPN project developed ProxyGuard to support HTTPS tunnelling automatically as a fallback if a UDP tunnel cannot be established from a firewalled network.

The WireGuard protocol doesn’t really handle authentication itself, so the eduVPN project also implemented its own authentication solution using certificates and an OAuth API. Regular password authentication with MFA scales well, while SSO allows users to manage multiple services through a single set of credentials. Certificate authentication is strong, but it isn’t easy to implement in BYOD environments. In eduVPN’s solution, users authenticate with web-SSO to authorise the VPN client, and the eduVPN server provisions a certificate from its own PKI, valid for 90 days by default. Because the eduVPN portal isn’t used for configuration, the risks of attackers gaining wider access to the university network, authentication data, and VPN configuration through web vulnerabilities are not the same as for SSL VPN solutions.

“eduVPN is designed for continuous use, requiring no user intervention. I use it even on campus, as eduVPN has finally brought mobility to Internet usage – I can change from Ethernet to WiFi to a hotspot, and I don’t need to care about the VPN or my open SSH connections, for example. Typically, on a train trip, where you go through tunnels, other VPNs get disconnected, but eduVPN maintains stable connectivity throughout”. – Tuukka Vainio, Systems architect, cybersecurity. University of Turku, Digital Services

Performance-wise, eduVPN is the bee’s knees. With gigabit Ethernet, eduVPN works practically at line speed, and we can easily add server capacity if needed. ProxyGuard has a lower throughput, as one would expect from a TCP-based protocol. However, since it’s a fallback in restricted environments, its performance isn’t an issue.

Table. eduVPN download and upload performance with 1 Gb/s Ethernet

Protocol                                          Down (Mb/s)   Up (Mb/s)
WireGuard (UDP)                                           964         963
ProxyGuard (TCP) with TLS pass-through by ADC             286         262
ProxyGuard (TCP) with TLS termination by ADC              279          64

People might also find the ‘Secure Internet’ option useful beyond its intended use of securing your browsing in an Internet café. It can also be used by researchers to access the Internet through other countries, which might enable new possibilities. IT staff can use it for testing and to verify problems from other countries, especially because the Tor network is often blocked.

Technical details

We went to production with multiple Ubuntu-based virtual servers to decentralise the different server roles for security and scalability, and to avoid the old VPN’s single point of failure. We decided to use only the WireGuard protocol, as new installations currently do, and only with the eduVPN client – it gives us better control over the VPN connections.

We wanted to use public IP addresses for clients instead of using NAT, since it is easier to debug problems and trace security incidents when the IP address is the same everywhere. In our testing, we found out that WireGuard only supports one IP prefix per connection profile. With NAT, it doesn’t matter, but with public addresses, eduVPN doesn’t have a solution for sharing the prefix between multiple nodes. Therefore, we need to assign each connection profile to only one node, and the IP prefix should have enough addresses to support the expected number of concurrent users.

With the old VPN solution, personnel and students had the same access to the university network. With eduVPN, we aimed to grant secure access to the university’s resources and limit student account access in the event of leaked credentials. We divided staff, faculty, students, affiliates, and special groups into their own connection profiles to distribute the traffic to multiple nodes. As each connection profile has its own range of IP addresses, we can use them in our firewall to grant wider access to personnel and restricted access to students.
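As an added example (not code from the page or the eduVPN project), a small planning check for the constraints described in the two paragraphs above: each connection profile owns exactly one prefix pinned to one node, prefixes must not overlap, each prefix must hold the expected number of concurrent users, and the prefixes of one access tier become the source set of a firewall rule. The profile names, node names, prefixes and peak numbers are constructed, and the capacity rule (node address plus network and broadcast addresses reserved) is an assumption.

```python
import ipaddress

# Constructed sample plan (not the University of Turku's real addressing):
# one prefix per eduVPN connection profile, each profile pinned to one node.
PROFILES = {
    "staff":    {"node": "vpn1", "prefix": "198.51.100.0/24",  "expected_peak": 200, "access": "wide"},
    "students": {"node": "vpn2", "prefix": "203.0.113.0/25",   "expected_peak": 150, "access": "restricted"},
    "faculty":  {"node": "vpn1", "prefix": "203.0.113.128/26", "expected_peak": 40,  "access": "wide"},
}


def client_capacity(prefix: str) -> int:
    """Addresses available to clients in one profile prefix.
    Assumption: the node keeps one address for itself and the network and
    broadcast addresses are never handed out (a conservative count)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return max(net.num_addresses - 3, 0)


def check_plan(profiles: dict) -> list:
    """Return a list of problems; an empty list means the plan is usable.
    Checks that no two profiles (and therefore no two nodes) share address
    space and that each prefix has room for the expected concurrent users."""
    problems = []
    nets = {}
    for name, p in profiles.items():
        net = ipaddress.ip_network(p["prefix"], strict=True)
        for other, onet in nets.items():
            if net.overlaps(onet):
                problems.append(f"{name} and {other} share address space ({net} / {onet})")
        nets[name] = net
        cap = client_capacity(p["prefix"])
        if cap < p["expected_peak"]:
            problems.append(f"{name}: {net} holds {cap} clients, expected peak {p['expected_peak']}")
    return problems


def firewall_sources(profiles: dict, access: str) -> list:
    """Prefixes to use as the source set of a firewall rule for one access tier."""
    return sorted(p["prefix"] for p in profiles.values() if p["access"] == access)


if __name__ == "__main__":
    for problem in check_plan(PROFILES) or ["plan OK"]:
        print(problem)
    print("wide-access sources:", firewall_sources(PROFILES, "wide"))
```

With the sample data the check flags the student profile: a /25 leaves 125 client addresses, fewer than the expected 150 concurrent users.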

To assign people to their profiles, we utilise eduVPN’s live-permissions model, which incorporates SAML-based SSO authentication and Active Directory for additional attributes.

To ensure coexistence with Microsoft’s Always-On VPN, we configured the eduVPN Windows installation package for our managed Windows computers.

Another useful tidbit for new eduVPN admins might be that, in our experience, it’s best to use port 500/UDP for WireGuard. eduroam, for example, requires 500/UDP to be open in the firewall, whereas the default WireGuard port 51820/UDP and QUIC port 443/UDP are not yet as usable. Unfortunately, we also found out that some home routers block 500/UDP – the firewall can be opened in some models.

eduVPN is simple enough for everyone to use as-is. The main hurdle is that users who skip the instructions see the options ‘Institute Access’ and ‘Secure Internet’ and often select the wrong one. If someone came up with even more self-evident terms, that would be helpful.

eduVPN’s architecture also creates possibilities beyond traditional VPN systems. You can, for example, set up an eduVPN node at a remote location for special needs, allowing users to simply select the appropriate connection profile to access the remote network. Additionally, eduVPN supports federated access, though this typically requires prior agreement on specific eduPersonEntitlements.

In summary, eduVPN can effectively replace other VPNs in typical roaming remote access VPN setups, with users reporting high satisfaction. However, because eduVPN is built for a specific use case, alternative solutions are necessary if you need to connect networks with site-to-site VPNs or if you want cloud-based SASE features.

You should assess whether you have sufficient in-house expertise to install and maintain eduVPN. A typical Linux admin should be able to manage it. Support is available from the mailing lists, IRC, the code repository, and the eduVPN user community. Although eduVPN is developed with consideration and comprehensive testing, major updates should always be tested before deployment. You might have to update your Linux servers more frequently since the project doesn’t support LTS versions.

eduVPN is probably cheaper than any commercial solution, and the price-quality ratio is excellent. With commercial solutions, you need to consider the appliance and licensing costs, as well as the cost incurred if your university is hacked through a VPN product whose security was not good enough.
