
VPN DNS Priority in Split-Brain Scenario

Hi There,

This is my first post here, so apologies if I've categorized this question incorrectly...

We have a DNS zone on our LAN for example.com, for which we have a handful of records. We also have example.com registered publicly, with a lot of overlap in the records (but not one-to-one).

My question is: How does Sophos VPN decide which DNS server to use in a scenario when the record exists both internally and publicly?

As per the .ovpn configuration used by the VPN client, I'll define:

vpn_gateway = gateway for traffic traversing the VPN

net_gateway = the normal gateway for the LAN in which my computer resides (i.e. home router)

My experience so far has been that traffic will be sent via vpn_gateway only if a usable route to the destination using net_gateway does not exist (i.e. DNS resolution fails at net_gateway). I like this from a security/bandwidth perspective (I believe the term for this is split-tunnel)...

This leads to my last question, which is: in the default "split-tunnel" configuration, is adding a static route to the client-side config the only way to force traffic to route via vpn_gateway instead of net_gateway? (In a scenario where there is a usable route to the destination via net_gateway.)

Config I am referring to: C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\user@domain.ovpn

Any advice appreciated.


Edit: It just occurred to me that I might be able to force all traffic to go through vpn_gateway by default, but then create a firewall rule restricting SSL VPN clients to the LAN.

This way, when a client connected to the VPN attempts to hit www.google.ca, for example... DNS resolution would fail on vpn_gateway, and they would be redirected to use net_gateway (as desired).

Might be an option?
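As an added illustration of the client-side static-route approach the post asks about (this is not a config from the thread, nor Sophos documentation), here is an .ovpn fragment using standard OpenVPN directives; it assumes the Sophos SSL VPN client honours them, since it ships an .ovpn file. All addresses are hypothetical placeholders: 10.10.0.0/16 stands for the office LAN, 10.10.0.53 for the internal DNS server that holds the internal example.com zone, and 203.0.113.10 for a public example.com host that should nevertheless be reached through the tunnel.

```conf
# Added example, not from the thread. Hypothetical values throughout:
#   10.10.0.0/16   internal LAN
#   10.10.0.53     internal DNS server hosting the internal example.com zone
#   203.0.113.10   public host that must still be reached via the tunnel

# Internal LAN: only reachable through the tunnel, so point it at vpn_gateway.
route 10.10.0.0 255.255.0.0 vpn_gateway

# A public destination that net_gateway could also reach. A more specific
# route via vpn_gateway takes precedence over the default route on the client,
# so this is the "static route" way of forcing one destination into the tunnel
# without redirecting everything.
route 203.0.113.10 255.255.255.255 vpn_gateway

# Hand the client the internal resolver while connected. Which resolver the OS
# actually queries first still depends on the OS (interface metrics on
# Windows), so this alone does not guarantee internal answers win.
dhcp-option DNS 10.10.0.53

# Windows only (OpenVPN 2.3.9 and later): while the tunnel is up, block DNS
# queries to any resolver other than the tunnel's. This is what makes the
# internal (split-brain) answer for example.com deterministic and also prevents
# internal hostnames from leaking to the home router's resolver.
block-outside-dns

# Alternative to per-destination routes: send all traffic through the tunnel and
# let the firewall restrict what the client may reach. Left commented out.
# redirect-gateway def1
```

Note the trade-off with `block-outside-dns`: once it is active, public names such as www.google.ca are also resolved only through the internal resolver, so that resolver must forward queries it is not authoritative for. Without it, a client whose home resolver returns a public example.com record first will happily use the public address even though the internal route exists, which is the split-brain behaviour the post is asking about.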



Hey Bob!

I decided not to risk changing it, as I cannot yet determine a suitable time to try it. We have many offsite staff relying on VPN, often in stressful situations.

Incidentally, new High Sierra MacBooks deployed, with a fresh Safari browser, connected via Tunnelblick to the Sophos, can find the internal wiki via DNS hostname, no problem. Fingers crossed...

I also noticed our firewall needs new firmware upgrades. Included in the update package 9.601005 is a bugfix in the changelog: "Delay in accessing internal services after users connect to the remote access SSL VPN".

Perhaps this will further improve things.

Greetings from Berlin, DE!