Solved

OpenVPN access to internet site

Posted on 2014-01-21
Last Modified: 2014-01-23
I recently installed OpenVPN to secure access to a single Windows 2008 R2 server. Users now have to invoke the OpenVPN client to access the server, which disables their access to the internet. One problem has surfaced where they have an internet site that provides a report which they would like to have up at the same time they are connected to the server and accessing certain files. I'm thinking that I can have that link on the server for them to run, but I'm not sure if the VPN tunnel will block that as well. What say you, Experts?

As always, thanks
Brian
Question by:bjbrown
5 Comments
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39798572
You could create VPN split tunneling on client, but be aware that such an approach breaks strict security rules in your company.
Here's one nice step-by-step: http://support.vpnsecure.me/articles/frequently-asked-questions/openvpn-split-tunneling

...except these commands:

     route 174.137.125.44 255.255.255.255 vpn_gateway

should in your case be

     route 174.137.125.44 255.255.255.255 <IP-of-client's-default-gateway>

and you should not add this to the config file:

     route-nopull
0
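An added example (not part of the original post, and not OpenVPN code): a small Python audit that applies longest-prefix matching to a client routing table to show which destinations leave outside the tunnel once the host route from the comment above is present. The gateway addresses, the interface labels and the `redirect-gateway def1` routes are assumptions, and the table is constructed.

```python
import ipaddress

# Constructed routing table of a client with the tunnel up (not from the post).
# Assumed: 192.168.1.1 is the client's LAN gateway, 10.8.0.1 the VPN gateway,
# and the server pushes "redirect-gateway def1", which installs the two /1
# routes that override the original default route without deleting it.
ROUTES = [
    ("0.0.0.0/0", "192.168.1.1", "lan"),          # original default route
    ("0.0.0.0/1", "10.8.0.1", "vpn"),
    ("128.0.0.0/1", "10.8.0.1", "vpn"),
    ("192.168.1.0/24", None, "lan"),              # on-link LAN subnet
    ("174.137.125.44/32", "192.168.1.1", "lan"),  # split-tunnel exception
]

def parse(routes):
    return [(ipaddress.ip_network(c), gw, ifc) for c, gw, ifc in routes]

def egress(dest, routes):
    """Interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in parse(routes) if addr in r[0]]
    if not hits:
        raise LookupError(f"no route to {dest}")
    return max(hits, key=lambda r: r[0].prefixlen)[2]

def uncovered(net, others):
    """Parts of net that no network in others covers."""
    pieces = [net]
    for o in others:
        nxt = []
        for p in pieces:
            if o.supernet_of(p):
                continue                      # piece is fully shadowed by o
            if p.supernet_of(o):
                nxt.extend(p.address_exclude(o))
            else:
                nxt.append(p)
        pieces = nxt
    return pieces

def tunnel_bypasses(routes):
    """Gatewayed non-VPN routes that still carry traffic past the tunnel."""
    table = parse(routes)
    found = []
    for net, gw, ifc in table:
        if ifc == "vpn" or gw is None:
            continue
        more_specific = [n for n, _, _ in table if n.prefixlen > net.prefixlen]
        if uncovered(net, more_specific):
            found.append(str(net))
    return found
```

Run against a table exported from a real client, `tunnel_bypasses` should list only the exceptions that were deliberately approved; the original default route does not appear because the two /1 routes shadow it completely.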
 

Author Comment

by:bjbrown
ID: 39798599
Interesting article and idea, not sure if it will fly as you stated, may be risky.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 39798606
The basic question is: Is the "Internet Lockout" intentional? If not, you should change that ASAP by not overriding the default route in OpenVPN server config.

In case you do not want to allow local Internet access, why doesn't it work passing the OpenVPN tunnel? You might have to fix that before doing anything else.

A link on the server will only work if it runs on the server (or inside the office LAN), e.g. in a Terminal Server session.
0
 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 2000 total points
ID: 39798640
...also, a route via the VPN tunnel will work perfectly for any client, as long as it uses server-side DNS to resolve names. Traffic will go through the VPN tunnel, but it will work.

So, on the client side, you have an option to define custom DNS servers. Set them to the server-side router IP or, maybe even better, set the client's DNS for the VPN connection to the server-side DNS server, where you can manually add an A-record.
Then on the server do
     nslookup www.desired.destination.com
and add that IP address and name as a new DNS zone to the local DNS server.
Doing so, VPN clients will resolve only the desired web site, and traffic will go through the VPN tunnel, keeping security at a high level.
0
 

Author Comment

by:bjbrown
ID: 39798681
Great feedback by all, I will leave this thread open for now until I consult with my network folks to determine the appropriate solution. I will post back with best solution.

Thanks again, I sincerely appreciate the recommendations I receive from all of the experts.
0

Question has a verified solution.