
IT Security: What's VPN all about?

VPN stands for "Virtual Private Network". That explains everything, doesn't it?

If only it were that simple! But there is no need to be afraid of the topic, and a coffee while reading certainly can't hurt...

A VPN is used when you are outside the company, and thus outside its network, to establish an encrypted connection into that network. If you are on the TU Wien campus and connect your device to the network, you are already inside the network of TU Wien, the TUnet (https://www.it.tuwien.ac.at/en/services/network-infrastructure-and-server-services/tunet).

According to Ondrej Hosek (a top specialist in networking and, fortunately for all of us, an employee of TU.it), a distinction is made between Remote Access VPN and Site-to-Site VPN (the latter is not the subject of this article). Remote Access VPN is in turn divided into

  1. Client-Based VPN and
  2. Clientless VPN.

Client-Based VPN: This variant requires either the operating system or a dedicated program (at TU Wien, for example, Cisco AnyConnect[1]), which is instructed to establish a tunnel to the VPN server. Either the entire network communication or a defined part of it then goes through this secured tunnel. Usually you start the VPN client manually and authenticate with username and password. The client, i.e. the PC you use to establish the connection, then has an encrypted tunnel to the target network (for example the network of TU Wien).

Clientless VPN: In this case either only a specific application is routed through the tunnel, or a browser-based portal (effectively a browser within a browser) is provided. TU.it no longer offers this service, as it was unfortunately misused for sending spam.

A VPN connection ensures that

  1. the transmitted data can no longer be read by third parties on the path to the VPN server, which matters most where a transmission protocol does not use encryption itself.
  2. privacy is (more or less) preserved, because name resolution (DNS) goes through the tunnel as well, so the local network you are connected to cannot see which web sites or services you access.
  3. a company VPN gives access to network drives and other resources in the company network, because the accesses originate from an IP address belonging to the company (the VPN provider).

Generally speaking, a corporate VPN is meant to protect the company by providing a single, controlled point of entry into the corporate network. It does not necessarily protect your privacy.

For example, if you use the TU Wien VPN to access a particular website on the Internet, your own IP address may be hidden from the website. The visit, however, is not hidden from TU Wien, because both the DNS lookup and the traffic itself pass through TU Wien's DNS server and VPN gateway.

What else TU Wien can read or track depends on what is routed through the tunnel. If a VPN tunnel is set up and you open your Gmail account in the browser, for example, TU Wien cannot read the content, because the connection between the PC and Gmail is already protected by HTTPS and is therefore encrypted between the browser and Google's servers; only the fact that Gmail was contacted is visible. Occasionally there are still applications that do not transmit their data encrypted. Their traffic leaves the tunnel at the TU VPN server in the clear and could in theory be recorded anywhere between the TU VPN server and the target server. The number of such applications is decreasing, and they are almost never used to transfer data that requires protection. Unfortunately, e-mail is a notable exception. Most mail servers gladly accept an offer to establish an encrypted connection (STARTTLS), but do not require it, which means that the content of mail messages may be transmitted unencrypted unless it is already encrypted "by itself" with S/MIME or PGP (the corresponding TU.it services are listed here: https://www.it.tuwien.ac.at/en/services/access-login-and-identity/identity) or a similar technology.
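The mail problem described above is opportunistic TLS: the server offers STARTTLS but lets a client fall back to plaintext, so it is the client that has to insist. The following is an added example (not TU.it code and not part of the original article) showing the difference between opportunistic and mandatory STARTTLS on the client side with Python's standard smtplib. The EHLO replies are constructed for illustration; the host name mx.example.test is a placeholder, and the sending function needs a real SMTP server to do anything.

```python
"""Opportunistic vs. mandatory STARTTLS when submitting mail.

Added example (not TU.it code). A server that merely *offers* STARTTLS
still accepts plaintext; a client that wants confidentiality must refuse
to continue when the extension is missing.
"""
import smtplib
import ssl
from email.message import EmailMessage

# Constructed EHLO replies (not captured from any real server). They are in
# the form smtplib.SMTP.ehlo() returns: server name first, then one
# extension keyword per line.
EHLO_WITH_STARTTLS = b"mx.example.test\nSIZE 52428800\nSTARTTLS\n8BITMIME"
EHLO_WITHOUT_STARTTLS = b"mx.example.test\nSIZE 52428800\n8BITMIME"


def starttls_offered(ehlo_reply: bytes) -> bool:
    """Return True if the EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        keyword = line.strip().split(b" ", 1)[0].upper()
        if keyword == b"STARTTLS":
            return True
    return False


def tls_mode(ehlo_reply: bytes, *, require: bool) -> str:
    """Decide what the client does with this server.

    "tls"       - STARTTLS is offered, the client upgrades the connection
    "plaintext" - not offered, and the client is willing to fall back
                  (opportunistic TLS: this is what most software does)
    "refuse"    - not offered, and the client insists on TLS (mandatory)
    """
    if starttls_offered(ehlo_reply):
        return "tls"
    return "refuse" if require else "plaintext"


def send_with_mandatory_tls(host: str, port: int, msg: EmailMessage,
                            timeout: float = 10.0) -> None:
    """Submit `msg` to host:port, aborting rather than falling back to plaintext.

    Requires network access; it is not exercised offline.
    """
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or tls_mode(reply, require=True) != "tls":
            raise RuntimeError(
                f"{host}:{port} does not offer STARTTLS; refusing to send in plaintext"
            )
        smtp.starttls(context=context)
        smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS handshake
        smtp.send_message(msg)


if __name__ == "__main__":
    for name, reply in (("offers STARTTLS", EHLO_WITH_STARTTLS),
                        ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
        print(f"{name}: opportunistic -> {tls_mode(reply, require=False)}, "
              f"mandatory -> {tls_mode(reply, require=True)}")
```

Even with mandatory STARTTLS between you and your own mail server, the hop from that server to the recipient's server is negotiated the same way and is outside your control, which is why the article points to S/MIME or PGP for content that actually needs protection.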

If you log in to a public WLAN hotspot and then activate the TU VPN, which traffic is routed through the tunnel depends on the VPN profile chosen. There are two: "1_TU_tunnelled", where only connections to IP addresses within the TUnet are routed through the tunnel (split tunnelling), and "2_All_tunnelled", where all connections are routed through the tunnel. To avoid overloading the VPN server, the following basic guideline is recommended:

  1. If you want to access articles etc. from academic publishers (Elsevier, Springer etc.), select "2_All_tunnelled" for the duration of the access, so that the publisher sees a TU Wien IP address.
  2. If you are in a less trustworthy network (e.g. a public WLAN hotspot), select "2_All_tunnelled".
  3. If you are in a more trustworthy network (e.g. your own home network), select "1_TU_tunnelled".
  4. If in doubt, select "2_All_tunnelled".
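To make the difference between the two profiles concrete, here is an added example (not TU.it code and not the AnyConnect configuration) that models the per-destination routing decision and what the local network can observe as a result. The profile names are the ones from the article; the TUnet prefix and the VPN gateway address are placeholders from the RFC 5737 documentation ranges, not the real TU Wien addresses.

```python
"""Which destinations use the tunnel under each TU VPN profile.

Added example, not TU.it code. Profile names are from the article; the
address ranges below are documentation prefixes standing in for the real
TUnet and VPN gateway addresses (see the TUnet pages for those).
"""
import ipaddress

# Assumed stand-in for the TUnet address ranges (constructed, not real).
TUNET_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed stand-in for the VPN gateway the client builds its tunnel to.
VPN_GATEWAY = ipaddress.ip_address("198.51.100.10")

PROFILES = {
    "1_TU_tunnelled": "split",  # only TUnet destinations use the tunnel
    "2_All_tunnelled": "full",  # every destination uses the tunnel
}


def via_tunnel(profile: str, dest: str) -> bool:
    """True if traffic to `dest` is sent through the VPN tunnel."""
    mode = PROFILES[profile]  # an unknown profile name raises KeyError on purpose
    if mode == "full":
        return True
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in TUNET_PREFIXES)


def seen_by_local_network(profile: str, dest: str) -> str:
    """Destination address the local network (e.g. a hotspot operator) sees.

    Tunnelled packets are wrapped in packets addressed to the VPN gateway,
    so only the gateway is visible; untunnelled traffic exposes the real
    destination (and, for plaintext protocols, the content as well).
    """
    return str(VPN_GATEWAY) if via_tunnel(profile, dest) else dest


def source_seen_by_destination(profile: str, dest: str, own_ip: str) -> str:
    """Source address the destination sees: the TU Wien side of the tunnel
    when tunnelled (which is why publishers recognise you), else your own."""
    return str(VPN_GATEWAY) if via_tunnel(profile, dest) else own_ip


def partition(profile: str, dests: list[str]) -> dict[str, list[str]]:
    """Split a list of destinations into tunnelled and direct ones."""
    out: dict[str, list[str]] = {"tunnel": [], "direct": []}
    for d in dests:
        out["tunnel" if via_tunnel(profile, d) else "direct"].append(d)
    return out


if __name__ == "__main__":
    # Constructed sample destinations: one inside the stand-in TUnet,
    # one on the public Internet.
    sample = ["203.0.113.7", "192.0.2.44"]
    for profile in PROFILES:
        print(profile, partition(profile, sample))
```

The gateway's address standing in for "a TU Wien IP address" is a simplification: in practice the VPN server hands the client an address from a TU Wien pool, but the effect the article describes is the same, the destination sees TU Wien, not the hotspot.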

Feel free to leave questions and suggestions about the topic in the comments at TU Wien coLab. I will be happy to respond to them.

[1] There are also alternatives to the Cisco client at TU Wien. See: https://www.it.tuwien.ac.at/services/netzwerkinfrastruktur-und-serverdienste/tunet/vpn-virtual-private-network/vpn-client-software.