Solved

Stopping VPN split tunnelling

Posted on 2015-01-05
6
519 Views
Last Modified: 2015-01-08
I have a client which has a draytek vigor 2860 firewall router which is setup for VPN connections.

They have had an IT audit (by their major client) and they must implement controls to prohibit split tunnelling during remote access. The problem is that i need to access their network via VPN on a PC. I understand that by default split tunneling is turned off when creating a vpn connection in windows and usually you would control these setting and lock them down via group policy. My machine isn't part of their network so it cannot be controlled, so i could just enable split tunnelling if i wanted. Is there a VPN client or a setting on the draytek router, where i could lock down VPN settings (prohibit split tunnelling) or use some sort of software to have these settings included and not easily changed by a user on a vpn client?? Or do i need to implement another solution?

Thanks for your help.

Riccardo
0
Comment
Question by:RiccardoQuest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40531411
Split tunneling is configured on the VPN concentrator (or firewall or whatever device you  are establishing the tunnel to).  It is not configured on the remote access computer.

Is there a reason you want split tunneling?
0
 

Author Comment

by:RiccardoQuest
ID: 40531417
i don't want split tunnelling, i want a method of locking down the client machine settings so they cannot change their settings on their local machines and then enable split tunnelling?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40531423
Clients can't choose between split tunneling and hair pinning.  That's determined on the other end of the tunnel.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 

Author Comment

by:RiccardoQuest
ID: 40531434
i understand that if you follow the steps in the below link, that will enable a split tunnel (at the client end) which could have adverse effects on the other network (the one connected via VPN). These settings are all controlled at the client machine.

https://kb.meraki.com/knowledge_base/configuring-split-tunnel-client-vpn-on-windows-and-mac-os-x
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40531655
Okay, I see where you're going now. Sorry.

The thing is, that there are many ways of circumventing a VPN which is not configured for split tunneling.  And most of those methods can not be prevented from the HQ side unless they have control over the host.  For example, if it's a company PC, you can lock it down to prevent changes to the configuration or installation of applications which could bypass the "no split tunnel" rules.

If not, there's not much you can do to enforce that.  For example, on my laptop, I have a wired and wireless NIC.  If I use the Cisco VPN client to establish a VPN over the wired NIC, But I can still browse the internet over the wireless NIC.  So having split tunneling disabled isn't stopping me from having my own, unsecured, internet connection.
0
 

Author Comment

by:RiccardoQuest
ID: 40538180
Thanks for your help! I now understand that to fully prevent split tunneling, restrictions need to be applied to the host machine stopping additional hardware being added as well as restricting VPN connectivity setting using Group Policies.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server adapter cards 3 57
qbutilities dll could not be found 27 96
Outlook PST (cloud) backup 3 89
Spam Attack - Exchange 2010 14 48
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
An article on effective troubleshooting
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question