Networking Forums
Is there a path around VPN?


Chris F Clark
10-05-2006, 07:21 PM
The thread on corporate snooping via VPN, and in particular the
comments about VPN terminating access to the local network have me
wondering whether there is a way to keep access to the local network
when VPN is running? I have a pc that I use to VPN to my work and
when it is at home also use to access some non-work sites (e.g.
Fidelity Investments and ESPN). Now, some of the non-work sites
require access to ports that are normally blocked from the corporate
internet. However, if the machine could talk "directly" (i.e. via the
local lan gateway) to the site, the machine could still access them as
I don't have those ports blocked on my router. (I can still access
some of the site features with VPN, but the streaming quotes don't
come through, for example.)

Is it possible to do that, or does VPN truly remove one from the local
net (by forwarding all packets via the tunnel)? I vaguely recall that
the wireless software setup had some entries for "local" machines, so
that one could use ones home printer. However, that might just be the
wireless connection and not VPN. I vaguely once remember RDPing
(using Windows remote desktop) from the laptop to both my home desktop
and my work desktop, but perhaps I did home with VPN off and work with
VPN on. However, if it is possible to punch holes in the forwarding,
then all I have to do is determine what addresses and ports I want to
access via the local gateway (after verifying that it is also
permissible, since not everything one wants to do, one is allowed to do).

Mark McIntyre
10-05-2006, 10:13 PM
On Thu, 05 Oct 2006 15:21:59 -0400, in alt.internet.wireless , Chris F
Clark <(E-Mail Removed)> wrote:

>The thread on corporate snooping via VPN, and in particular the
>comments about VPN terminating access to the local network have me
>wondering whether there is a way to keep access to the local network
>when VPN is running?


This would kinda toast the entire point of the VPN. When VPN'ed your
machine is inside the private network of your company, and is only
able to see and connect to whatever your office PC can.

If you could also connect to non-office resources, your PC would be a
bridge between the private and public internets and would be a huge
security hole.

>Is it possible to do that, or does VPN truly remove one from the local
>net (by forwarding all packets via the tunnel)?


That's its purpose.

--
Mark McIntyre

Montana Mike
10-06-2006, 03:36 AM

"Chris F Clark" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> The thread on corporate snooping via VPN, and in particular the
> comments about VPN terminating access to the local network have me
> wondering whether there is a way to keep access to the local network
> when VPN is running?


I use a laptop for my VPN connection. When I am on my laptop, I just open a
remote desktop connection to a PC on my home network. I have to use the IP
address to get the remote desktop connection to work (command line: mstsc
/v 192.168.x.x). The remote desktop PC uses my home network's Internet
connection and not the VPN for stuff like email. I can ping between the 2
machines using their 192.168.x.x addresses - I cannot ping from the home
desktop to the laptop using the IP that the VPN assigns, nor can I access
anything on the VPN network from the home machine. I can see shares and map
drives on either computer from either computer. If I want to get something
from work onto the home PC, I have to download it to a share on the laptop
then copy over on the home network.

mike in montana



Bill Kearney
10-06-2006, 01:12 PM

"Mark McIntyre" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This would kinda toast the entire point of the VPN. When VPN'ed your
> machine is inside the private network of your company, and is only
> able to see and connect to whatever your office PC can.


That's not the purpose of a VPN. The purpose of a VPN is to get that client
machine connected into the remote network. Now, while it might be
considered somewhat advantageous to force "all" traffic into the VPN pipe
it's not necessary, nor really any more secure.

> If you could also connect to non-office resources, your PC would be a
> bridge between the private and public internets and would be a huge
> security hole.


Wrong. VPN client software acts as a connection for that client machine
ALONE. Not as a router between that machine and whatever other networks
might be connected. If you've got compromised software on the client
machine it's not going to matter what the VPN "thinks" it has control over.

> >Is it possible to do that, or does VPN truly remove one from the local
> >net (by forwarding all packets via the tunnel)?


You can do this by removing the default route. When the VPN software makes
its connection it tells windows about the new TCP/IP network route. Most
VPNs I've seen feed it a 'default' route. That is, 0.0.0.0 routed to the
remote side of the VPN. Remove that default route and your packets will
revert to using whatever other local routes exist. But if you remove the
default route you'd need to make sure the remote subnets that ARE needed are
setup in its place.

The hassle with doing this is you have to know the remote subnet numbers and
set them up properly. If the remote network only has one then it's not that
bad. But some remote networks might have a lot more than just the one
remote network and then you get into some pretty complicated routing
hassles. There are ways for the remote network and the VPN client to
automagically negotiate routes but few are setup well enough to do this
properly. Thus using the 0.0.0.0 default route is the lazy way out of it.

-Bill Kearney


Chris F Clark
10-06-2006, 03:42 PM
So, to make it work, I need to know that I want to connect to
192.104.0.0 and 10.0.0.0 via VPN and 192.174.0.0 via my gateway.
Then, I route 192.104.0.0 and 10.0.0.0 via VPN and let everything else
go to the gateway (the old default route).

Now, is there (windows) software that allows one to view and edit (and
better yet programmatically edit) the routing tables in my pc? If so,
what do I go looking for (on google or whatever)? This sounds like a
fun little learning exercise.

Mark McIntyre
10-06-2006, 08:32 PM
On Thu, 5 Oct 2006 21:36:17 -0600, in alt.internet.wireless , "Montana
Mike" <(E-Mail Removed)> wrote:

>
>"Chris F Clark" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> The thread on corporate snooping via VPN, and in particular the
>> comments about VPN terminating access to the local network have me
>> wondering whether there is a way to keep access to the local network
>> when VPN is running?

>
>I use a laptop for my VPN connection. When I am on my laptop, I just open a
>remote desktop connection to a PC on my home network. I have to use the IP
>address to get the remote desktop connection to work.


I'd guess that this works because your company has opened the RDP
ports on their firewall.

--
Mark McIntyre

Mark McIntyre
10-06-2006, 08:35 PM
On Fri, 6 Oct 2006 09:12:22 -0400, in alt.internet.wireless , "Bill
Kearney" <(E-Mail Removed)> wrote:

>
>"Mark McIntyre" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> This would kinda toast the entire point of the VPN. When VPN'ed your
>> machine is inside the private network of your company, and is only
>> able to see and connect to whatever your office PC can.

>
>That's not the purpose of a VPN.


Eh? That's what the Virtual and Private parts mean.

>The purpose of a VPN is to get that client
>machine connected into the remote network. Now, while it might be
>considered somewhat advantageous to force "all" traffic into the VPN pipe
>it's not necessary, nor really any more secure.


I beg to differ. If you could see both networks simultaneously, you
would be bridging the two. For instance if /you/ can copy a file, then
so can a background process.

>Wrong.


Saying it don't make it so. Can you copy a file from one network to
the other? Then you've bridged between them.

>VPN client software acts as a connection for that client machine
>ALONE. Not as a router between that machine and whatever other networks
>might be connected.


I agree, that's what it's supposed to do. This is my point, so I'm
puzzled as to the relevance of this comment!

--
Mark McIntyre

Mark McIntyre
10-06-2006, 08:36 PM
On Fri, 06 Oct 2006 11:42:34 -0400, in alt.internet.wireless , Chris F
Clark <(E-Mail Removed)> wrote:

>Now, is there (windows) software that allows one to view and edit (and
>better yet programmatically edit) the routing tables in my pc?


Open a command window and type "route print" or "route" by itself for
help info.

--
Mark McIntyre
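Added example, not code from the thread: a small model of the Windows routing table in the shape of `route print` output, which applies Bill's recipe (drop the VPN's 0.0.0.0 default route, add the work subnets) to Chris's plan and shows which next hop each destination gets before and after. The home LAN, the VPN adapter (10.8.0.6 with gateway 10.8.0.1) and the /8 and /16 masks on Chris's 10.0.0.0 and 192.104.0.0 are constructed assumptions, and `delete_route`/`add_route` only model the `route delete`/`route add` commands rather than calling them.

```python
import ipaddress

# Constructed rows in the column order of route print's "Active Routes":
# Network Destination, Netmask, Gateway, Interface, Metric.  The VPN adapter
# (10.8.0.6, gateway 10.8.0.1) and the home LAN are made up for this example.
FULL_TUNNEL = """\
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.4     25
          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.6      1
     192.168.10.0    255.255.255.0          On-link    192.168.10.4    281
"""
VPN_GW, VPN_IF = "10.8.0.1", "10.8.0.6"

def parse_route_print(text):
    """Turn route-print style rows into (network, gateway, interface, metric)."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        table.append((net, gateway, iface, int(metric)))
    return table

def next_hop(table, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins,
    so a 0.0.0.0 route with metric 1 pulls everything into the tunnel."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return f"{best[1]} via {best[2]}"

def delete_route(table, prefix, gateway):
    """Model of: route delete <dest> mask <mask> <gateway>"""
    net = ipaddress.IPv4Network(prefix)
    return [r for r in table if not (r[0] == net and r[1] == gateway)]

def add_route(table, prefix, gateway, iface, metric=1):
    """Model of: route add <dest> mask <mask> <gateway> metric <metric>"""
    return table + [(ipaddress.IPv4Network(prefix), gateway, iface, metric)]

def split_tunnel(table):
    """Bill's recipe applied to Chris's plan: drop the VPN's default route,
    then send only the work subnets to the VPN gateway (masks assumed)."""
    table = delete_route(table, "0.0.0.0/0", VPN_GW)
    for work_net in ("10.0.0.0/8", "192.104.0.0/16"):
        table = add_route(table, work_net, VPN_GW, VPN_IF)
    return table
```

With the full tunnel in place an Internet host such as 198.51.100.9 resolves to the VPN gateway; after `split_tunnel` it goes to the home router while 10.x and 192.104.x hosts still go through the tunnel.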

Bill Kearney
10-07-2006, 03:48 PM
> >> This would kinda toast the entire point of the VPN. When VPN'ed your
> >> machine is inside the private network of your company, and is only
> >> able to see and connect to whatever your office PC can.

> >
> >That's not the purpose of a VPN.

>
> Eh? That's what the Virtual and Private parts mean.


Virtual and Private THROUGH whatever other networks are present. Not to the
exclusion of whatever other networks might ALREADY be present. It's a
virtual route being made through whatever interim networks are present
without transmitting native packets on it. It's private in that the
sessions are generally encrypted. It's not private in the sense that it's
an 'exclusive' connection.

> I beg to differ. If you could see both networks simultaneously, you
> would be bridging the two. For instance if /you/ can copy a file, then
> so can a background process.


No, that's entirely incorrect. Unless the client PC is configured as a
ROUTER then no packets would get passed between the local network and the
VPN. That and the VPN software would have to be configured to allow it, and
most WILL NOT.

> >Wrong.

>
> Saying it don't make it so. Can you copy a file from one network to
> the other? Then you've bridged between them.


That's not bridging. That's a client on both networks engaging in client
actions. Bridging would be some OTHER computer on the local network being
able to cross through the client, over the VPN and out onto the remote
network.

Now, an admin might desire such a thing, perhaps. But if you remove the
ability for the local client to see its own network then you'd also lose
the pipe through which the VPN is tunneled. You'd also lose the ability to
print to any local networked printers (and users would certainly dislike
this). If you want to isolate a user so that they cannot copy anything
locally then you'd be much better served using remote terminal sessions.
That way everything would stay at the distant end. That and it wouldn't
require a VPN, just a port mapped on the firewall. Using an encrypted RDP
session over an encrypted VPN would be adding more overhead than is
necessary.

> >VPN client software acts as a connection for that client machine
> >ALONE. Not as a router between that machine and whatever other networks
> >might be connected.

>
> I agree, that's what it's supposed to do. This is my point, so I'm
> puzzled as to the relevance of this comment!


Apparently because you've got a fundamentally incorrect understanding of
what VPNs are designed to offer. That's fine, but if you're going to give
advice you'd do well to have a better understanding of what you're
commenting about.

-Bill Kearney


Bill Kearney
10-07-2006, 03:55 PM
> >> The thread on corporate snooping via VPN, and in particular the
> >> comments about VPN terminating access to the local network have me
> >> wondering whether there is a way to keep access to the local network
> >> when VPN is running?

> >
> >I use a laptop for my VPN connection. When I am on my laptop, I just open a
> >remote desktop connection to a PC on my home network. I have to use the IP
> >address to get the remote desktop connection to work.

>
> I'd guess that this works because your company has opened the RDP
> ports on their firewall.


WTF? Again, entirely incorrect. If he's on the laptop, at home, using
work's computer and the work VPN is active then the laptop may not be
properly resolving the addresses for local machines. But if he uses the
local machine's IP address then the TCP/IP stack can route it just fine.
That is, when he's at home, let's say, the network is 192.168.10.0. The
laptop gets IP address 192.168.10.4 (or whatever). And there's another PC
at home, named "home pc" at IP address of 192.168.10.3. If the laptop
doesn't make the VPN connection there's a good chance it'll resolve the
"home pc" using netbios or wins. When he makes the VPN connection to work,
however, the VPN client software changes his name resolution methods to use
the machines at work. Thus a lookup of "home pc" won't work because the
resolvers at work don't have a record for it. Nor can the "home pc" machine
make a connection to work to register itself anyway (which is part of the
original thread). But since VPN connections are NOT exclusive of local
subnets then a direct IP address connection to 192.168.10.3 will work just
fine.

If he wanted the work laptop to remain able to resolve the home machines via
names he'd either have to rejigger the DNS and/or WINS lookup information or
put static entries into the %WINDIR%\system32\drivers\etc\hosts file.

VPNs, DNS, WINS and routing are not '101 level classes' and if you're not
familiar with them then don't give people bad advice.

-Bill Kearney