VPN: Split Tunnel Concept

Once a user starts a VPN client to connect to the company extranet, all network traffic is diverted into the VPN tunnel. The VPN client sets up routing so that everything goes down the tunnel. Split tunneling can fix that by keeping Internet traffic out of the tunnel and directing only extranet traffic into it. But it comes with a few risks of its own. Let's review the concept for a minute.

The VPN tunnel can be configured to work in two modes.

  1. Mandatory (default)
    While a client tunnel is established in mandatory mode, all client traffic is tunneled through it by default. This is the default VPN mode, so accessing yahoo.com goes through the VPN tunnel to the company extranet, which then routes it out via its own Internet connection after applying access policy etc.
  2. Split-tunneled mode
    Split tunneling allows configuring specific network routes that are tunneled and sent to the client's Extranet adapter; any other traffic goes to the local PC's Ethernet or dial-up adapter interface. So split tunneling lets the user access the Internet or print locally even while the system is tunneled into the company Extranet. But this comes with a security issue, because it opens a backdoor into the secure office network from the Internet via the home system. An attacker who compromises the home system can use it as a jump box into the company network, and if the home system is infected, it can carry that infection into the office network. That is why organizations want VPN users to keep their systems up to date and run anti-virus, and why most provide tightly controlled VPN clients that enforce the default mode.

Let's see these tunnel modes in action. Here is an example network for discussion.

[Diagram: SplitVPN example network]

In mandatory (default) VPN mode the system's default route points to the Extranet adapter (the VPN interface). For example, in the routing table below a default route exists for the tap0 interface. This route is responsible for sending all network traffic into the tunnel. This means that traffic for the local NAS at 192.168.1.4 is treated as if the NAS were somewhere in the office extranet, which has no idea what to do with that traffic and drops it. So even though the printer or NAS is sitting right next to the user, they are no longer accessible.

vishalj@dreams:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.49.12.1 0.0.0.0 UG 0 0 0 tap0
.......

Now if split tunneling is enabled, the routing table looks very different.

vishalj@dreams:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
172.49.12.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
199.200.12.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
199.111.23.25 0.0.0.0 255.255.255.255 UH 0 0 0 tap0
.....

This shows that the default route points to wlan0, the local network, while a few network and host routes are added that send traffic to the tap0 interface, the extranet/VPN interface. So when the user checks office email, packets go via tap0 to the mail server at 172.49.12.22. Checking out source code from git.myorg.com goes via tap0 as well. Next, without tearing down the tunnel, the user can print a document through the PC's local network interface 192.168.1.2 to the printer at 192.168.1.3. The user can also browse the Internet without taking the tunnel down. The routing table controls how traffic is diverted.
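To make that routing decision concrete, here is an added Python example (not from the original post) that parses the two netstat -rn listings above and applies the kernel's longest-prefix-match rule to the hosts the post mentions. The mandatory table is a constructed sample that keeps only the default route the post shows, and 203.0.113.10 is a constructed stand-in for any Internet host.

```python
import ipaddress

# Constructed samples: only the routes the post's two netstat listings show.
MANDATORY = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.49.12.1 0.0.0.0 UG 0 0 0 tap0
"""
SPLIT = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
172.49.12.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
199.200.12.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
199.111.23.25 0.0.0.0 255.255.255.255 UH 0 0 0 tap0
"""

def parse_netstat_rn(text):
    """Turn `netstat -rn` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # skip the banner, the header and elided '.....' lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[-1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])  # (iface, gateway)

def classify(table_text, hosts):
    """Map each destination to the interface its packets would leave on."""
    routes = parse_netstat_rn(table_text)
    return {h: (lookup(routes, h) or ("unroutable", None))[0] for h in hosts}

if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address standing in for any Internet host.
    hosts = ["172.49.12.22", "192.168.1.3", "192.168.1.4", "203.0.113.10"]
    print("mandatory:", classify(MANDATORY, hosts))
    print("split:    ", classify(SPLIT, hosts))
```

In mandatory mode every destination, including the local NAS, resolves to tap0; in split mode only the extranet prefixes and the single host route do, while the printer and Internet hosts stay on wlan0.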

One final hurdle that remains is DNS. With a split tunnel, the system has to resolve server names within the company's intranet domain (e.g. git.myorg.com). The usual DNS servers on the Internet have no idea about them and will fail to resolve them. For that, the home system has to set up a DNS forwarder so that DNS requests for company domains are forwarded to the company DNS server and everything else goes to the public Internet. DNS forwarding is a topic of its own, which I will cover in another post when time permits. But for now this is how a split tunnel works: it adds extra routes to reach the company network and a DNS forwarder to resolve company hosts, leaving everything else to go over the Internet.