Evils of split tunnel VPN connections illustrated

Bill Sanderson

I'm not sure this will be of interest to many here, but you can ignore it if
you aren't interested.

Anyone working with VPN connections is probably aware that you are told that
a split-tunnel VPN connection can be evil--that is, a tunnel where you
uncheck "use default gateway on remote network" in advanced properties of
TCP/IP of the VPN connection.

You do this because leaving that checked tends to either restrict Internet
connectivity, or perhaps remove it completely, while the VPN is connected,
and many remote users, including me, find this objectionable.

So--what can go wrong? Someone could create a malicious machine named in a
way that might result in your connecting to that machine, rather than the
one you were intending to connect, and thus sending critical data over an
unencrypted connection to an unknown machine, rather than through the VPN
connection to your expected target.

I've just had an experience that illustrates this issue rather well: I've a
machine at work somewhat unimaginatively named "webmaster-pc." I just put a
new monitor on it but didn't have time to put the monitor driver in place
before I went home, so I fire up the VPN connection, open Remote Desktop, put
in "webmaster-pc" and get "cannot connect."

So--I connect to the server at work, do a Remote Desktop connection from
there to webmaster-pc, which works fine. Verify that remote desktop is
enabled. Check OneCare's firewall to see that connections are allowed from
both same subnet and different subnets. Scratch head.

Disconnect Remote Desktop to webmaster-pc. Disconnect remote desktop to the
server.

Ping webmaster-pc.

AHA: response comes from "webmaster-pc.mshome" at 8.15.7.117 !

My home desktop is in workgroup mshome, so this suffix is added by default
to DNS queries--and, somebody has a machine with the above name listed in
DNS. The work LAN is 10.25.25.xxx, home is 192.168.2.xxx.

Open up remote desktop, and put in webmaster-pc.domain.local and it connects
just fine as expected.

So--in this case, when I had my VPN connection up and typed in
"webmaster-pc" I expected to be connected to "webmaster-pc" a vista
workstation on my work network a few miles away. Instead, I was attempting
to connect to a machine at 8.15.7.117, which is probably somewhere in the
northwestern part of the U.S.--I'm in the mid-east coast.

Fortunately, it isn't running Vista, and/or doesn't have RDP enabled, so it
didn't respond to my attempts to connect, and I didn't end up typing
credentials into some phony dialog box--but it sure could have happened....

So--will I stop running with that box unchecked? Probably not--but I'll be
more careful! I can set up DNS suffixes on the VPN connection at the client
end to fix this, I believe, and that's what I'll probably do first...


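The resolution mix-up Bill describes comes down to the client's DNS suffix search order: a single-label name such as "webmaster-pc" is tried with each configured suffix in turn, and the first suffix that yields an answer wins. The script below is an added example, not part of the original thread, that models that search and then checks whether the address it lands on actually falls inside the networks you trust to reach over the VPN. The resolver is a constructed in-memory table (the 8.15.7.117 address is from the post; 10.25.25.40 is a made-up address on the work LAN), so it runs offline; `check_destination` and the other names are hypothetical.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a real resolver. The first entry is the stray
# public host from the post; the second is a made-up address on the work LAN.
FAKE_DNS: Dict[str, str] = {
    "webmaster-pc.mshome": "8.15.7.117",
    "webmaster-pc.domain.local": "10.25.25.40",
}


def fake_resolve(fqdn: str) -> Optional[str]:
    """Look a fully qualified name up in the constructed table (None = NXDOMAIN)."""
    return FAKE_DNS.get(fqdn.rstrip(".").lower())


def candidates(name: str, search_list: List[str]) -> List[str]:
    """Mimic the Windows suffix search: a single-label name is tried with each
    suffix in the configured order; a dotted name is used as given."""
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in search_list]


def check_destination(
    name: str,
    search_list: List[str],
    trusted_nets: List[str],
    resolve: Callable[[str], Optional[str]] = fake_resolve,
) -> Dict[str, Optional[object]]:
    """Resolve `name` the way the client would and report which FQDN answered,
    what address came back, and whether that address lies inside one of the
    networks you expect to reach through the tunnel."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for fqdn in candidates(name, search_list):
        addr = resolve(fqdn)
        if addr is None:
            continue  # this suffix had no record; try the next one
        ip = ipaddress.ip_address(addr)
        inside = any(ip in net for net in nets)
        return {"fqdn": fqdn, "address": addr, "trusted": inside}
    return {"fqdn": None, "address": None, "trusted": False}


if __name__ == "__main__":
    work_lan = ["10.25.25.0/24"]
    # Home workgroup suffix only: the short name lands on a host outside the work LAN.
    print(check_destination("webmaster-pc", ["mshome"], work_lan))
    # Work domain suffix listed first on the VPN connection: the short name resolves correctly.
    print(check_destination("webmaster-pc", ["domain.local", "mshome"], work_lan))
    # Typing the full name sidesteps the suffix search entirely.
    print(check_destination("webmaster-pc.domain.local", [], work_lan))
```

The "trusted" flag is the check worth automating before an RDP or file-share connection over a split tunnel: if the address the name resolves to is not on the remote network the tunnel was built for, the traffic will leave through the local default gateway in the clear. Putting the work domain's suffix ahead of the home workgroup suffix on the VPN connection, as Bill proposes, is what makes the second case resolve correctly.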
Stu

Hmm - very interesting reading. I would like to set up a VPN facility with my
home network as I have often found the need when travelling but don't have
the confidence to 'go for it'. I've done some research on the subject but
would welcome any suggestions as you seem very well versed in the areas of
networking. We are not talking commercial use, rather more personal use. I've
looked at several VPN software applications which will supposedly do this for
me, but do you have any suggestions which may point me in the right direction?

Thanks in advance

Stu

Bill Sanderson

You don't need to buy anything more than you already have, I suspect.

You probably do need to have your own machine with you when traveling--you
really don't want to try to make a VPN connection from a public machine,
even if it were possible.

Any recent version of Windows can act as a VPN end-point. You must open
certain ports in any firewalls involved--either software firewalls on your
home machine, or the router which connects you to the Internet.

Additionally, you need to have a means of knowing the IP address of your
home network at all times--usually this is accomplished by means of a
dynamic DNS service such as dyndns.org.

VPN connections have advantages and disadvantages. Basically, you have a
network connection which is secure, between your remote machine and a
machine on your home network. This connection will allow you to do most
things that you could do locally, but slowly--the speed of the connection is
limited by the slowest connection on the link, which is often the uplink
speed from your home machine to the Internet. So--running a database
application against a database that lives on the home network is going to be
nearly impossible--unless it is a client-server database--SQL Server or
MySQL, for example.

If this still sounds like something you'd like to try out, let me know, and
I can get into the details, which aren't too complex, but vary depending on
the versions of Windows and the router hardware involved--so I'd need to
know a little more.


Stu

I'm sorry if this doesn't fall into the WD category. What to do, as things seem
slow on here these days. My home network consists of nothing more than a
desktop and two notebooks. Access to the internet is through an ADSL router
(Belkin) which allocates the IP addresses to my network. Or is it subnet? I
can't get to grips with the difference yet. Think I know but am not 100% sure.
I have USB-enabled and wireless printers (HP), all of which are shared. The
USB is used for draft docs while the wireless for something more presentable.
The IP addresses present on my network start with 192.168.x.x and each node
has its address bumped by the appropriate number. What I have noticed is that
following a system reset some time ago the router did not reset itself.
Rather it continued to allocate IP addresses from where it left off before.
Is there a ROM chip in there somewhere retaining previous info?

I'm running XP SP3 with all drivers and security installs.

Stu