No VPN was provided for us to use - it was pretty much just connect to port 22 with the university’s website as the hostname, from any network.
It was a pretty niche thing as only a few students (including myself) used it remotely, and only a tiny part of the course that included a DBA exercise actually required us to use SSH access an Oracle DB server.
I believe the attacks were carried out external to the campus, but they didn’t clarify that to us