
eduVPN case study: University of Turku improved the performance and security of remote access systems

Photo: University of Turku / Suvi Harvisalo

As of January 2026, more than 230 universities and research institutions use eduVPN as their corporate VPN solution. But why did they choose this software? We asked Tuukka Vainio from the University of Turku about this.

Previous VPN experience and requirements

The University of Turku is an active international academic community in Southwest Finland. Established in 1920, the institution has 8 faculties and 4 independent units, with approximately 22,000 students and around 3,400 staff members.

We had been a long-time user of a commercial VPN system for the university’s VPN solution. The hardware solution was slow and constantly had security vulnerabilities. In fall 2023, we were surprised to learn that our hardware had fallen out of support, despite our belief that we had a model with longer support. Because we could not obtain security updates, we were anxiously following the situation with ransomware gangs hacking organisations through these VPNs. Luckily, we had hardened the devices to minimise vulnerable functionality, and only used them as a VPN gateway, which helped us avoid being attacked through the VPN. SSL VPNs have had a rough time over the last few years, with nearly every commercial solution experiencing significant issues caused by a legacy code base that is no longer actively developed.

Although prepared for high VPN usage at the university, actual adoption remained low until COVID-19 in 2020. Anticipating rising demand, we began exploring alternatives even before the pandemic, but the low performance of commercial VPN concentrator solutions led us to try out IPsec-based options in 2020. Ideally, we aimed to use the VPN client built into operating systems to avoid deploying and maintaining our own VPN client or third-party clients across various platforms.

Authentication plays a significant role in the security of a VPN solution. While IPsec is an adequate protocol, it does not support web-based single sign-on (SSO) for multi-factor authentication (MFA). Client certificates were considered, but they do not scale effectively in a heterogeneous academic environment where bring-your-own-device (BYOD) usage prevails. We also excluded solutions priced per user (the multiplier associated with personnel and students is too high for any price) or cloud-based solutions, since we mainly operate on campus with on-premises services.

We had several key requirements that needed to be fulfilled, so we wanted to:

  • use public IP addresses for tracking and to avoid NAT;
  • have multiple nodes for load balancing and fault-tolerance;
  • offer web-SSO and MFA for authentication to our users;
  • provide access management that supports separating group members by their own IP addresses;
  • benefit from wide client support;
  • get high performance and coexistence with Microsoft’s Always-On VPN (because we also use Microsoft’s IPsec-based Always-On VPN to connect Windows laptops to our essential services when outside our campus network).

Choosing eduVPN as the solution

We initially evaluated eduVPN in 2020 as a remote access solution for labs, so we knew that it was flexible and suited to our environment. Since security should be the primary requirement for any security solution, seeing that eduVPN had been audited multiple times with public results was encouraging. When have you read an audit report for a commercial VPN system?

eduVPN also has good client support, which is very important for an academic organisation like a university.

Having in mind the requirements mentioned above, we set up a test environment to try out everything. CSC, the Finnish NREN, has organised a chat for eduVPN users, but in our case we found it convenient to go straight to the eduVPN developers since the support we needed required deep technical understanding. The developers in IRC’s #eduvpn channel were really helpful in understanding how eduVPN works and how it should be configured.

We are particularly keen on the new support for the WireGuard protocol. WireGuard, a modern and simplified VPN protocol, presents a reduced risk of vulnerabilities and offers better throughput and lower latency compared to IPsec. Its stateless nature also enables seamless roaming even when the underlying connection changes or has packet loss. WireGuard uses UDP natively, and the eduVPN project developed ProxyGuard to support HTTPS tunnelling automatically as a fallback if a UDP tunnel cannot be established from a firewalled network.

The WireGuard protocol doesn’t really handle user authentication itself, so the eduVPN project also implemented its own authentication solution using certificates and an OAuth API. Regular password authentication with MFA scales well, while SSO allows users to manage multiple services through a single set of credentials. Certificate authentication is strong, but it isn’t easy to implement in BYOD environments. In eduVPN’s solution, users authenticate with web-SSO to authorise the VPN client, and the eduVPN server provisions a certificate from its own PKI, by default, valid for 90 days.

“eduVPN is designed for continuous use, requiring no user intervention. I use it even on campus, as eduVPN has finally brought mobility to Internet usage – I can change from Ethernet to WiFi to a hotspot, and I don’t need to care about the VPN or my open SSH connections, for example. Typically, on a train trip, where you go through tunnels, other VPNs get disconnected, but eduVPN maintains stable connectivity throughout.” – Tuukka Vainio, Systems architect, cybersecurity, University of Turku, Digital Services

Performance-wise, eduVPN is the bee’s knees. With gigabit Ethernet, eduVPN works practically at line speed, and we can easily add server capacity if needed. ProxyGuard has a lower throughput, as one would expect from a TCP-based protocol. However, since it’s a fallback in restricted environments, its performance isn’t an issue.

People might find the ‘Secure Internet’ option also useful, besides its intended use to secure your browsing in an Internet café. It can also be used by researchers to access the Internet through other countries, which might enable new possibilities. IT staff can use it for testing and to verify problems from other countries, especially because the Tor network is often blocked.


Interested in learning more? Check all the technical details in the full case study on the eduVPN website: https://www.eduvpn.org/eduvpn-case-study-university-of-turku-improved-the-performance-and-security-of-remote-access-systems/

 
