
Allowing traffic only over VPN

polygonbloom

Junior Member

So I have a VPN connection from my machine to a remote host. Occasionally the VPN connection goes down, and my machine then goes to the next access method which is my primary/public internet connection. I want to make sure that my traffic can *only* go over the VPN, and if the VPN goes down, I just lose my network connection entirely.

Also this needs to be enable/disable-able so I can go from normal "use my default connection" mode to "secure only VPN allowed mode". My friends think I should be able to do this by setting up a firewall rule that only allows traffic over the VPN connection, but I don't know how to do all this network shizzle.

Thanks
 
usually this is done on the VPN appliance side, not the client side. Talk to your VPN admin about this
 
Originally posted by: nweaver
usually this is done on the VPN appliance side, not the client side. Talk to your VPN admin about this

Really? I don't see how that can be, it's not a server side thing, it's my client.

Just to make sure I'm clear:

My machine is on a standard public network; either my home DSL or a public WiFi or whatever. I connect to the VPN "adapter" and that's fine, but when that connection is lost my local machine falls back to using the base network access.

BTW I'm using OpenVPN.
 
It's usually specified as you connect to the other end.....by your admin. iirc it's split tunneling? (or am I thinking something else here?)

so when the VPN is CONNECTED, all traffic goes out that tunnel....when the VPN disconnects, of course it falls back on the regular connection, that is totally normal. VPN should not allow LAN access while you are VPNed in, it's a security hole.
 
so when the VPN is CONNECTED, all traffic goes out that tunnel....when the VPN disconnects, of course it falls back on the regular connection, that is totally normal.

Right, that's the expected behavior and that's what I want to be able to disable. I want to be able to put the client machine in a mode where it's only allowed to talk to the VPN, and if the VPN disconnects it just can't get to the network.
 
The VPN connection is what allows this...when the VPN is disconnected, it cannot control this. You COULD do some really fancy routing stuff, only allowing traffic to go OUT the virtual interface for the VPN connection, but you are more likely to break something than not.

The best chance you have for help isn't to ask very specific questions, but more general...tell us what you are trying to accomplish here, and let us provide ideas on how to do that, a VPN may not be the best choice for what you are trying to do.
 

Well basically I have a laptop that has sensitive applications on it. I want to set it up so that it can only access the internet through the VPN. Obviously I can just unplug the network cord to work offline, the problem phase is when I'm starting up, or if the VPN connection drops for some reason - then I'm left with a live public net connection and my applications will retry their connections and not go over VPN.

I want the machine to act like it has no net connection until I connect to the VPN. I need to be able to connect to the VPN from public nets such as wifi access points.
 
Okay, for example, I came up with my own solution that I'm not happy with:

I can use a little router between my client and the network. In the router I set the firewall rules to only allow the port to the VPN server and forbid all other net access. I think this pretty much accomplishes what I want.

Ideally I would have a software solution that I can toggle on and off rather than an extra piece of hardware to carry around.

 
a software firewall could do this. Only allow the client to communicate with the other VPN endpoint. deny all other IP addresses and ports.
 
Originally posted by: spidey07
a software firewall could do this. Only allow the client to communicate with the other VPN endpoint. deny all other IP addresses and ports.

Yeah, totally, it should right? I suck at this networking stuff, but I'm using ZoneAlarm Pro and I was trying to set this up in the firewall rules, and from what I can tell they're doing their firewall *before* the traffic gets to the VPN adapter. From reading their documentation that appears to be the case and it's considered a feature because it lets them virus-check the packets or whatever they do before it gets encrypted by the VPN. The problem is this totally breaks my ability to set up the "only allow VPN" rule, which needs to be applied to the traffic after it goes through the VPN adapter.
 