Hi There,
This is my first post here, so apologies if I've categorized this question incorrectly...
We have a DNS zone on our LAN for example.com, for which we have a handful of records. We also have example.com registered publicly, with a lot of overlap in the records (but not one-to-one).
My question is: How does Sophos VPN decide which DNS server to use in a scenario when the record exists both internally and publicly?
As per the .ovpn configuration used by the VPN client, I'll define:
vpn_gateway = gateway for traffic traversing the VPN
net_gateway = the normal gateway for the LAN in which my computer resides (i.e. home router)
My experience so far has been that traffic will be sent via vpn_gateway only if a usable route to the destination using net_gateway does not exist (i.e. DNS resolution fails at net_gateway). I like this from a security/bandwidth perspective (I believe the term for this is split-tunnel)...
This leads to my last question, which is: In the default "split-tunnel" configuration, is adding a static route to the client-side config The only way to force traffic to route via vpn_gateway instead of net_gateway? (In a scenario where there is a usable route to the destination via net_gateway)
Config I am referring to: C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\user@domain.ovpn
Any advice appreciated.
Edit: It just occurred to me that I might be able to force all traffic to go through vpn_gateway by default, but then create a firewall rule restricting SSL VPN clients to the LAN.
This way, when a client connected to the VPN attempts to hit www.google.ca, for example... DNS resolution would fail on vpn_gateway, and they would be redirected to use net_gateway (as desired).
Might be an option?
This thread was automatically locked due to age.
