

posted by janrinok on Friday March 13 2020, @07:32PM

Microsoft—and Ars—advise split-tunnel VPNs to minimize coronavirus woes:

When SARS hit its peak, remote work wasn't yet practical enough for quarantine efforts to affect office networks much. With the coronavirus, though, most of the toolset needed to work from home or the road is available—but many office networks are having difficulty handling the sudden increase in scale.

There's not much you can do about a WAN (Wide Area Network) connection that isn't robust enough to handle traffic from remote workers to internal infrastructure such as file servers and application servers. But much of a typical company's infrastructure isn't onsite at all anymore—it's increasingly likely to be hosted in the cloud, behind its own set of protective firewalls and filters.

Traditionally, most office VPNs are set up to route not just office traffic, but all traffic—including Internet-destined traffic—across the user's VPN tunnel. For most sites, that means paying a double penalty—or worse—for all Internet traffic from VPN-connected users. Each HTTPS request and its subsequent response must hit both the upload and download side of the office's WAN twice. This is bad enough with a symmetric WAN—e.g., a 500Mbps fiber link—but it's beyond punishing for an asymmetric WAN, such as a 100Mbps-down/10Mbps-up coaxial link.

[...] We generally advise routing only office-bound traffic over an office VPN and allowing all Internet traffic to proceed directly to its destination—this can easily reduce VPN traffic by an order of magnitude or more, and the router-level filtering and monitoring in most offices isn't particularly useful in the first place.

Doing things this way is simple—the network administrator disables global routing in their VPN configurations and only routes the office's subnet(s) across the tunnel. The details vary by VPN implementation, but in Cisco VPN clients, for example, it's a simple checkbox to be ticked on or off.

[...] IPv6, unfortunately, gets its usual "eh, maybe later" treatment—Microsoft advises that IPv6 endpoints can simply be ignored and notes that its services "will currently operate successfully on IPv4 only, but not the other way around."
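Added example (not from the Ars article, Microsoft, or any commenter): a small Python model of the two tunnelling modes described above. It builds the route list a split-tunnel client would carry (office subnets plus host routes for any Internet service that allowlists the office's public IP, the case raised in the comments below), decides per destination whether a packet goes over the VPN or straight to the ISP, and tallies the office WAN bytes consumed under full versus split tunnelling using the article's hairpin accounting. All subnets, hosts and flow sizes are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions for this example, not from the article).
OFFICE_SUBNETS = ["10.20.0.0/16", "10.21.0.0/16", "192.168.50.0/24"]
ALLOWLISTED_HOSTS = ["203.0.113.10"]  # service that only admits the office egress IP
FLOWS = [  # (destination, request bytes, response bytes)
    ("10.20.3.4", 1_000, 50_000),      # office file server
    ("198.51.100.7", 2_000, 900_000),  # ordinary Internet site
    ("203.0.113.10", 500, 20_000),     # IP-allowlisted portal
]

def split_tunnel_routes(office_subnets, allowlisted_hosts=()):
    """Routes pushed over the VPN in split-tunnel mode: office subnets plus host
    routes for allowlisted services; IPv4 and IPv6 prefixes collapsed separately."""
    nets = [ipaddress.ip_network(n, strict=False) for n in office_subnets]
    nets += [ipaddress.ip_network(h) for h in allowlisted_hosts]
    routes = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        routes += [str(n) for n in ipaddress.collapse_addresses(same)]
    return routes

def egress(dst, tunnel_routes, full_tunnel=False):
    """'vpn' if dst is carried over the tunnel, otherwise 'direct' (local ISP)."""
    if full_tunnel:
        return "vpn"
    addr = ipaddress.ip_address(dst)
    return "vpn" if any(addr in ipaddress.ip_network(r) for r in tunnel_routes) else "direct"

def wan_load(flows, office_subnets, tunnel_routes, full_tunnel=False):
    """Office WAN bytes as (download, upload): office-bound traffic crosses once per
    direction, Internet traffic hairpinned through the office crosses both links twice."""
    office = [ipaddress.ip_network(n, strict=False) for n in office_subnets]
    down = up = 0
    for dst, req, resp in flows:
        if egress(dst, tunnel_routes, full_tunnel) == "direct":
            continue  # split tunnel: goes straight to the ISP, never touches the WAN
        if any(ipaddress.ip_address(dst) in n for n in office):
            down += req
            up += resp
        else:
            down += req + resp
            up += req + resp
    return down, up

if __name__ == "__main__":
    routes = split_tunnel_routes(OFFICE_SUBNETS, ALLOWLISTED_HOSTS)
    print("AllowedIPs =", ", ".join(routes))  # WireGuard-style peer line for the split tunnel
    print("full tunnel  (down, up):", wan_load(FLOWS, OFFICE_SUBNETS, routes, full_tunnel=True))
    print("split tunnel (down, up):", wan_load(FLOWS, OFFICE_SUBNETS, routes))
```

With these sample flows the full tunnel puts roughly 900 KB on each side of the office WAN for a single Internet download that the split tunnel never sees; the asymmetric-WAN pain in the article is the upload figure.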

  • (Score: 4, Informative) by vux984 (5045) on Friday March 13 2020, @10:09PM (#970895)

    "I'm not sure why anyone would have thought this was a good idea."

    If you are traveling in China, for example, this is precisely the configuration you want.

    There are plenty of other scenarios where there is IP whitelisting/filtering in place, from business bank account access to cloud backup admin, ssh connections, etc. Certain academic resources are configured such that you license a site, and connections from that site are permitted to view journals and articles, etc. For a lot of these types of things you need your internet traffic funnelled through the office network.

    There are lots of cases where this isn't necessary too. As always, you need the right tool for the job at hand. As an aside, this is part of why OpenVPN is big and complicated, and WireGuard (while great at what it does) is not really a replacement for it.

  • (Score: 2) by DannyB (5839) Subscriber Badge on Monday March 16 2020, @02:04PM (#971873)

    That is a good point. There needs to be a switch to turn this on or off depending on whether you trust your internet connection or not.

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by vux984 (5045) on Monday March 16 2020, @06:27PM (#971962)

      Most comprehensive VPN solutions have 'that switch' somewhere, including the built-in Microsoft VPN, where the switch is called "Use default gateway on remote network" (which overrides your normal default gateway, routing all traffic to the remote gateway).

      • (Score: 2) by DannyB (5839) Subscriber Badge on Monday March 16 2020, @06:42PM (#971964)

        So far, I have not used our older Microsoft VPN client, nor the new one. But that's good to know.

        --
        The lower I set my standards the more accomplishments I have.