Forward Proxy vpn dns

Having a discussion with some people and there seems to be some misunderstanding about proxy server setups.

Someone says;
We could set up a vpn for the employees but then all traffic flows through our network so we would need an awful lot more bandwidth since their work files are huge. Isn't there some other way of giving them full anonymous internet access using our DNS servers but where they can use their own bandwidth directly? Like a url re-writing dns setup or something? Does the traffic have to I/O 100% through our network?
 
---

The discussion begins and all kinds of information is pulled off the net. There are dns proxy services which only re-route your dns queries, There are smart proxy services which seem to have all traffic, including all bandwidth for downloads coming from the proxy server network. There are vpn services which have everyone connecting to one or more networks and all traffic is then I/O from that one network and of course, to the users own location.

The question is...

Are there other methods where we could give the remote employees fully anonymous internet access for their work without having to take on all of the bandwidth requirements?

Some kind of proxy server which anonymizes the remote workers traffic but where all of the data doesn't have to flow I/O from that proxy network.

Or more specifically, a dns server which re-writes the urls and dns queries between itself and the user but the user still connects directly to what ever web site they are interested in, effectively using only our dns servers but their own bandwidth to download the huge work files.
projectsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

footechCommented:
It sounds to me like all you need is to use split-tunneling with your VPN.  With split-tunneling on, traffic that is directed to an IP that is in the range defined by the VPN connection is routed over the VPN connection, while traffic to an IP that is not in that range and destined for the internet is routed using the client's default gateway and thus doesn't use the VPN connection.  In other words, only VPN traffic goes over the VPN connection, while internet traffic remains separate.

With split-tunneling off, all traffic will flow over the VPN connection when it is established.

How you set up split-tunneling depends on your setup.  It might be a setting in your VPN appliance, or it could be a setting on the client (in the VPN connection's properties).
projectsAuthor Commented:
Thanks.

However, the point being that the managers want to have all remote workers traffic being anonymized while not taking on the burden of all the bandwidth going through the proxy setup.

More of an anonymous redirection setup.
footechCommented:
For traffic to be anonymized it has to flow through the anonymizing proxy/device.  No way around that.  All the proxy does is make it so the traffic appears to originate from itself.  Any other sort of anonymizing (like spoofing the source address) and return traffic would have no way of being routed correctly.  If all you were looking to do is have the DNS requests "anonymized" (I wouldn't call it that, but all the requests would just appear to come from your servers, not directly from any client), then the split-tunneling suffices.

What is the concern that motivates providing "fully anonymous internet access" for remote workers?  What information are you trying to conceal from being exposed via a user's browsing/other internet activities?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

projectsAuthor Commented:
The company does a lot of research and they are frustrated by how traffic is being scrutinized by search engines, providers, you name it. All of that data ends up being correlated and in the end, it means no privacy.

So, this discussion came up about what options there might be. Even a proxy would only anonymize the employees, not what they are doing or what they are visiting.

Your split-tunneling VPN is interesting but I don't know that there would be a list of specific IPs. Is there such a thing as split tunneling proxy without vpn but based on the type of content? Depending on content, all traffic would flow through the proxy otherwise, would go direct to the remote.
footechCommented:
The closest I can think of to what you're after is Tor.  I'm not an expert on it, but as I understand it it will dynamically route packets, switching the route periodically.  There is also the Tor browser and plugins for Firefox, etc.
https://www.torproject.org/about/overview.html.en

You wouldn't need a list of IPs for split-tunneling.  Here's an example.  The office's network is 10.0.0.0/24.  A user's home network is 192.168.0.0/24.  Anything destined for the 192.168.0.x network is routed on the user's LAN.  Anything destined for the 10.0.0.x network is routed over the VPN connection.  Any traffic for other computers uses the default gateway and is routed over the internet.

I've never heard of anything that routes content based on type.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
projectsAuthor Commented:
There is a lot of content based routing out there but I'm not sure it exists for this kind of thing.

Anyhow, back to your last post, how would content be destined to the network or user, what controls that, what is controlled?
footechCommented:
I'm not sure I understand your last question.
Routing is based purely on what IP address is being communicated with.
projectsAuthor Commented:
I just meant local content routing.
footechCommented:
Still not seeing what you're asking that wasn't already answered.
projectsAuthor Commented:
Now I don't know what you are talking about... I picked an answer already :)
footechCommented:
:)
After the post that you accepted as the answer, you had a question.  I was just trying to answer it but didn't really understand what you were getting at.  If it's something you'd like to clear up, please try to clarify what you're after, but if not, I won't worry about it further.
projectsAuthor Commented:
No worries, you basically answered one part of my question so I awarded with the intention of possibly posting a new question based on what I learned from this one.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.