Use a VPN without it taking over the network
Authored by: mstolove on Sep 09, '05 12:46:29PM

Handy tip, but this can be a security risk and expose your corporate network to any compromised services or trojans that may be running on the client. It's less of an issue with Macs, but I do not allow my Windows clients to connect in this manner.



Use a VPN without it taking over the network
Authored by: Loren on Sep 09, '05 12:52:39PM

I agree. You are endangering your corporate network if you keep the VPN connected, and still allow incoming Timbuktu connections over your regular network connection.

However, is there a reason, with the VPN connected, you couldn't Timbuktu into your home machine from within the corporate net?

I can normally Timbuktu into my home machine using my cable modem's IP address. But if I leave my computer VPN'd into my company, then I can Timbuktu in using the internal 192.168 address that the VPN assigns my home computer.



Use a VPN without it taking over the network
Authored by: jvr on Sep 09, '05 02:09:03PM

But that option (connect using VPN-assigned IP) still presents an inconvenience, because the user cannot use his/her "dyndns.org" domain name to establish the connection. Suppose you leave your VPN client running on your home Mac, but you forget to make note of what IP address the VPN has assigned your Mac. Then, if you try to connect to home from the office, you're out of luck.

Personally, I always log out of my Mac at home when I'm done using it (thereby quitting the VPN client), so I have not run into this problem.



Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 10, '05 12:06:12AM
> But that option (connect using VPN-assigned IP) still presents an inconvenience, because the user cannot use his/her "dyndns.org" domain name to establish the connection

When he turns on the VPN, he changes the primary network interface to the VPN-IP. The DNS-update client will report this change to dyndns.org, and his domain name will return the VPN IP.

This assumes he isn't using a router with the DNS-update client set to check the external IP number. I don't know what it will return in that case (probably a number from the VPN server).


Use a VPN without it taking over the network
Authored by: kshetline on Sep 10, '05 09:58:11PM

(My apologies if this is an extra repost -- I didn't see the first reply attempt show up.)

First of all, I do use the built-in dynamic DNS support in my router for dyndns.org, rather than DDNS client software on one of my computers, so the resolution of my personal domain wouldn't get changed by hooking up to my company VPN, no matter how I have the VPN connection configured.

But even if I was using client software instead of my router, consider this:

Suppose my IP on the VPN is 172.18.99.99
Suppose the WAN-facing IP for my computer -- along with many other computers at the office sharing the same WAN-facing IP -- is 42.43.44.45.

When the client software phones home to dyndns.org, myhomedomain.org will be mapped to 42.42.44.45.

If someone types http://myhomedomain.org into their web browser, an attempt will be made to connect to 42.43.44.45 at port 80.

The connection attempt then hits my company's router and firewall... and those incoming packets will NOT get routed to 172.18.99.99 and its port 80. Nor will any other attempt to connect to any other ports on my home computer for SSH, Timbuktu, etc. get through, not without convincing my company to poke all of those holes in their firewall and to do all of that special port forwarding just for me and me alone -- that ain't gonna happen.

Further, even if my friendly company sys admin were so obliging, I wouldn't want her to set all of that up for me anyway. I really don't want my personal domain becoming my company's IP address on and off all of the time. Also, while dyndns.org works pretty well, the less remapping of my domain to different IP addresses all of the time -- with all of the propagation delays that can entail -- the better.


