10
Aldar
26d

Reasons to dislike our work VPN when working remotely: Forces all traffic to be routed through it, not only the important internal stuff.

For some reason, I just dislike having everything I do potentially recorded and/or at least slowed down.

Comments
  • 0
    that sucks - the same reason why I've switched from Cisco's AnyConnect to OpenConnect.

    If you're not using AnyConnect - any chance you could get away with custom routes?
  • 0
    @netikras for me anyconnect resets routes when I change them. the only way to come around it to use a vm and use it as a proxy server.

    if you use an openconnect client can you do it? isn't this server side setting?
  • 1
    @coffeeholic OpenConnect is an anyconnect-server-compliant client. Works with hotp/totp codes as well (you just need to have the *top SECRET in its raw format -- there are ways to get it :) ).

    Been using openconnect for over a year now. No problems there. And, in fact, I enjoy the debug logging as I can see when there's a glitch in my network. Less time wasted ;)
  • 1
    I've had that too and I might have sent some N(aa)SFW pron through it occasionally.. So I changed the openvpn config to not do that anymore.
    Nowadays I run a dedicated work VM (Qubes OS).
  • 3
    My hobby is breaking IT security. And sometimes flatly necessary to do my job.

    I do vpn at the router level. Pfsense has, among other things, the ability to configure redirection of traffic ranges through a vpn connection on a virtual or physical adapter. Set up the VPN on pfsense, then configure it to route your work device traffic for whatever class c 10.x.x.x range your work network uses through it. It's split tunneling without the split.

    You can do the same thing low key and locally with either a second network adapter, or a bridge network and a VM clone of your work laptop acting as a proxy. Just set an OS level static route to push the same 10 dot ranged thorough the alternate ip.

    Make sure your local DNS also has your work DNS last to ensure you're not getting routed through a Palo Alto-style content filter. Or if you can swing it, don't use name resolution at all.
  • 0
    @SortOfTested why not use the same physical NIC, just fixing your routing table to route work-related CIDRs through the virtual VPN NIC?

    I don't see what you're getting with a separate physical NIC.
  • 0
    @netikras
    The router hosted connrction is persistent, so you don't have to deal with reauthing. You can also use it on multiple machines without having to run vpn on them.

    In the case of anyconnect, it has mechanisms to detect fuckery and prevent split or side tunneling. The alternatives are mostly to work around that.
  • 1
    @SortOfTested I see. I didn't figure this part was meant for the router configuration as well - I assumed you were mentioning a physical dongle in the per-host-configuration case :)

    As for anyconnect - last I checked it simply upserts the whole routing table every second or so :) Since this procedure is not resource-demanding, it's not noticeable. At least so the internets claim
  • 2
    @netikras
    The latest versions started including security checks and all manner of scanning. For example, it can be configured to block if you're running a local development proxy, if a particularly cert authority is unavailable, certs are missing or have invalid signatures, scan window names, process lists and phone home with that data in telemetric payloads and even rewrite or disallow local DNS modifications. It really abuses it's admin perms.

    One or the bright sides of working with shitty clients who have gui-pilot admins s you learn what "all switches to on" looks like in all sorts of networking scenarios and tools.
  • 1
    @SortOfTested scanning process list and window names.. and why they do it? I guess it is least about malware protection. The reasons I could think of is corporate surveillance to protect data leaks and/or monitor employee is working by using the rigth windows with open times...
    Can you filter this kind of data on the firewall?
  • 2
    @coffeeholic
    It's usually the VPN gateway itself that validates it to enforce policy, so filtering the data fails your auth.

    My personal favorite was on a windows system, a client insisted we use their hardware. The hardware had this shitty aggressive appliance called sentinelone installed. It basically eradicated system perf.

    Naturally, I kill it with a script on a loop and go about day. Then I leave the client site after a few weeks because project startup is finished and dev work has begun in earnest.

    I get home and try to sign into the VPN. "security assertion failed." Bit of fiddling later and sure as shit its the security system I killed. Turns out it was only validating process name in its rule, so spinning up a bullshit CLI that set it's name allowed me to get in.

    This was the project I cooked up the vm laptop hd clone as proxy trick on.
  • 1
    @SortOfTested wow. Just... Wow.

    I will no longer dare to call it a VPN client... Calling THAT a vpn client is like calling SSH a SOCKS5 proxy
  • 2
    @netikras
    Yeah, I'm either too old for this shit, or just old enough to know how to combat it
Add Comment