As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options

Tie a VPN to one application?

templewulftemplewulf The Team ChumpUSARegistered User regular
edited February 2011 in Help / Advice Forum
Hey all,

I've been having to work from home a lot lately, which means signing into a VPN and using mstsc to connect to my work computer.

Unfortunately, that means that I can't do anything else on my home computer, since all traffic is routed through the VPN. Is there anyway to set it up so that it only applies to MSTSC, in the same way you can specify domains to use a proxy in browsers and Internet Options.

Any ideas?

Twitch.tv/FiercePunchStudios | PSN | Steam | Discord | SFV CFN: templewulf
templewulf on

Posts

  • Options
    KakodaimonosKakodaimonos Code fondler Helping the 1% get richerRegistered User regular
    edited February 2011
    No. Not on an application level. You can set it up so only specific routes/addresses go over the VPN.

    In the TCP/IP settings for the VPN, uncheck the "Use default gateway on remote network" box under Advanced settings.

    You may need to add a static route into your work IP addresses. If you do, I'd recommend setting up a batch file, since you'll need to do it every time you connect.

    http://support.microsoft.com/kb/317025

    Kakodaimonos on
  • Options
    templewulftemplewulf The Team Chump USARegistered User regular
    edited February 2011
    No. Not on an application level. You can set it up so only specific routes/addresses go over the VPN.

    In the TCP/IP settings for the VPN, uncheck the "Use default gateway on remote network" box under Advanced settings.

    Oh, what the hell? That's on by default now? :lol:
    You may need to add a static route into your work IP addresses. If you do, I'd recommend setting up a batch file, since you'll need to do it every time you connect.

    http://support.microsoft.com/kb/317025

    Thanks for the link, I appreciate it.

    templewulf on
    Twitch.tv/FiercePunchStudios | PSN | Steam | Discord | SFV CFN: templewulf
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    If it's a work VPN, those settings will often be locked down and not able to be changed by you. It's also usually designed the way it is for security reasons and is a pretty flagrant violation of policy for most companies even if you can manage to make it work.

    What you're looking for is refereed to as a Split tunnel configuration. Work related stuff goes down the VPN connection, everything else goes through the normal Internet connection.

    Depending on how you connect and how they have the VPN configured, you may or may not be able to do this on your end. I know the VPN systems I configure there is no way for anyone to change the adapter settings. If they do it while connected they get kicked off. If they do it while not connected the settings simply get overwritten when they connect. All settings are controlled and configured by me on the Server side, the only thing the user can control is their user credentials, a couple of basic settings (like local logging and keep alives), and which VPN they are pointing to.

    EclecticGroove on
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2011
    Temple, you may consider SSH. That would do pretty much what you need to do.

    Create an SSH tunnel to map port 4000 to (someip):3389 then just do mstsc -v localhost:4000. SSH should be as secure as a VPN, less overhead, and not lock down your local network. Once you're done just disconnect your SSH session.

    Any reason they decided to use VPN? Windows only environment maybe?

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    bowen wrote: »
    Temple, you may consider SSH. That would do pretty much what you need to do.

    Create an SSH tunnel to map port 4000 to (someip):3389 then just do mstsc -v localhost:4000. SSH should be as secure as a VPN, less overhead, and not lock down your local network. Once you're done just disconnect your SSH session.

    Any reason they decided to use VPN? Windows only environment maybe?

    Most big companies will lock down SSH from the internet to any of their internal or trusted networks. If his company has any sort of reasonable security posture it just will not be available.

    EclecticGroove on
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2011
    bowen wrote: »
    Temple, you may consider SSH. That would do pretty much what you need to do.

    Create an SSH tunnel to map port 4000 to (someip):3389 then just do mstsc -v localhost:4000. SSH should be as secure as a VPN, less overhead, and not lock down your local network. Once you're done just disconnect your SSH session.

    Any reason they decided to use VPN? Windows only environment maybe?

    Most big companies will lock down SSH from the internet to any of their internal or trusted networks. If his company has any sort of reasonable security posture it just will not be available.

    This may have been the case before 2006. I'd be more worried about having a webserver on my network than an SSH server.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    bowen wrote: »
    bowen wrote: »
    Temple, you may consider SSH. That would do pretty much what you need to do.

    Create an SSH tunnel to map port 4000 to (someip):3389 then just do mstsc -v localhost:4000. SSH should be as secure as a VPN, less overhead, and not lock down your local network. Once you're done just disconnect your SSH session.

    Any reason they decided to use VPN? Windows only environment maybe?

    Most big companies will lock down SSH from the internet to any of their internal or trusted networks. If his company has any sort of reasonable security posture it just will not be available.

    This may have been the case before 2006. I'd be more worried about having a webserver on my network than an SSH server.

    Usually you have your Webservers in a separate security zone from the user systems... not always of course, but usually. Regardless, most of the time you don't allow web services in from the internet to the user pool either.

    In fact, you almost never allow ANYTHING from the internet to your internal network. That's why you have a boundary device like a VPN in the first place. You could set up an SSH server to do the same thing as well, but in the end it may have the exact same restrictions for the end user as the VPN server. Depends on the company of course. But setting up a random SSH server you create on your own lacks any audit trail. He could be anyone coming in over that tunnel and there's no way of looking into it or inspecting what is going on. And if there's no monitoring going on internally he could be hopping off that box to almost anything and pulling data out.


    Point is, many companies, mine included, you will flat out get fired for doing what he's asking or what you are suggesting as you're bypassing (or attempting to) security policies.

    EclecticGroove on
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2011
    I never said set up your own SSH server.

    I don't think you understand what he's asking. He can already do what he wants, VPN, and terminal service into the computer in question. He wants to be able to use his local computer while VPNed in, in theory, limit it to the single port. Disabling the use remote gateway solves this for the most part. The other possibility is SSH tunneling, which is a similar practice. Having something listening on port 1723 as opposed to 22 does not significantly change your network security.

    Now you can disable TCP forwarding in the SSH server, but, if you've already got a VPN tunnel open and accepting connections, it practically makes no difference in your architecture, especially if you're given access internally to the same network.

    As far as I know SSH is no less secure than a VPN handshake. Especially a VPN that doesn't encrypt after the handshake has happened.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    bowen wrote: »
    I never said set up your own SSH server.

    I don't think you understand what he's asking. He can already do what he wants, VPN, and terminal service into the computer in question. He wants to be able to use his local computer while VPNed in, in theory, limit it to the single port. Disabling the use remote gateway solves this for the most part. The other possibility is SSH tunneling, which is a similar practice. Having something listening on port 1723 as opposed to 22 does not significantly change your network security.

    Now you can disable TCP forwarding in the SSH server, but, if you've already got a VPN tunnel open and accepting connections, it practically makes no difference in your architecture, especially if you're given access internally to the same network.

    As far as I know SSH is no less secure than a VPN handshake. Especially a VPN that doesn't encrypt after the handshake has happened.


    Actually it does make it less secure, which is the entire reason it's usually not possible by default. Having split tunnel capability, or simply forwarding a single port means that if his machine was exploited by any number of means that give a remote attacker access to it, then all they have to do is sit by and watch him connect in, then ride his connection through to his corporate network. They are then bypassing all the perimeter security and sitting inside the corporate network which is, for good or ill, almost always less protected.

    As far as the VPN vs SSH handshake, it is secure on both counts. BUt the way you phrased it made it sound like you wanted him to set up an SSH server on his own. VPN generally uses 2 factor authentication tied to his corporate account via a certificate or token of some type. This provides some level of security that they know who is coming in and that the connection is valid.

    If his work has a SSH connection available to use, chances are he would be under the exact same restrictions as VPN due to the above security concerns. And if he's not, then chances are he'd need a much better reason to be approved for use of it than "I want to browse the intertubes".

    This is sort of getting off the main topic with this discussion, but suffice it to say that if I were him I'd look at the policy of if he SHOULD be doing this long before trying to do it. Is it worth getting fired for? Since I have seen many a person fired for doing exactly these things and getting caught red handed.

    EclecticGroove on
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2011
    bowen wrote: »
    I never said set up your own SSH server.

    I don't think you understand what he's asking. He can already do what he wants, VPN, and terminal service into the computer in question. He wants to be able to use his local computer while VPNed in, in theory, limit it to the single port. Disabling the use remote gateway solves this for the most part. The other possibility is SSH tunneling, which is a similar practice. Having something listening on port 1723 as opposed to 22 does not significantly change your network security.

    Now you can disable TCP forwarding in the SSH server, but, if you've already got a VPN tunnel open and accepting connections, it practically makes no difference in your architecture, especially if you're given access internally to the same network.

    As far as I know SSH is no less secure than a VPN handshake. Especially a VPN that doesn't encrypt after the handshake has happened.


    Actually it does make it less secure, which is the entire reason it's usually not possible by default. Having split tunnel capability, or simply forwarding a single port means that if his machine was exploited by any number of means that give a remote attacker access to it, then all they have to do is sit by and watch him connect in, then ride his connection through to his corporate network. They are then bypassing all the perimeter security and sitting inside the corporate network which is, for good or ill, almost always less protected.

    As far as the VPN vs SSH handshake, it is secure on both counts. BUt the way you phrased it made it sound like you wanted him to set up an SSH server on his own. VPN generally uses 2 factor authentication tied to his corporate account via a certificate or token of some type. This provides some level of security that they know who is coming in and that the connection is valid.

    If his work has a SSH connection available to use, chances are he would be under the exact same restrictions as VPN due to the above security concerns. And if he's not, then chances are he'd need a much better reason to be approved for use of it than "I want to browse the intertubes".

    This is sort of getting off the main topic with this discussion, but suffice it to say that if I were him I'd look at the policy of if he SHOULD be doing this long before trying to do it. Is it worth getting fired for? Since I have seen many a person fired for doing exactly these things and getting caught red handed.

    I still think you're confused.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    bowen wrote: »

    I still think you're confused.

    How so? He wants to RDP to his windows system in the office.
    In order to do that he needs to use VPN to access his company network.

    This VPN connection is configured to route all traffic, not just RDP to his one computer, down the VPN tunnel.


    He wants to just use RDP to the office PC and have the rest of his connection free.


    That's it. Unfortunately, that is not how his company has it set, and may be exactly as they designed it to be.
    By taking steps to do what he wants, he could very easily be bypassing policy that was purposefully put in place and enforced. Taking these actions could get him fired.

    There's no confusion here in my telling him why these things are usually set up the way they are and that he should make sure it won't cost him his job bypassing them.

    EclecticGroove on
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2011
    Like I said, a single application makes more sense with SSH tunneling, which may be available to him. Which he should ask about.

    Not sure why you think he's doing this without permission. O_o

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    EclecticGrooveEclecticGroove Registered User regular
    edited February 2011
    Simply because him coming in here and asking how he can get around it is screaming of "I want to do this and not have my company know about it, how do I get away with it"

    EDIT:
    To be fair I don't mean that he's trying to be malicious with that, he simply may not know. Which is why I stress he should not try it without asking, and if he asks and says no he should not try it and hope he gets away with it.

    EclecticGroove on
  • Options
    ceresceres When the last moon is cast over the last star of morning And the future has past without even a last desperate warningRegistered User, Moderator mod
    edited February 2011
    This is really something you should discuss with your IT department, and possibly management. Those guys are all there to make it so you can do your work, and they know the ins and outs of your company network much better than we do. No matter what you do you will need to go through them or risk ending up in hot water, and I'd rather we didn't help you put yourself there.

    ceres on
    And it seems like all is dying, and would leave the world to mourn
This discussion has been closed.