Alan Shearer wrote:
> Howdy!
>
> What is the preferred way to have PPTP vpn users browse the Internet? I
> currently have it set up so when they connect to a remote m0n0wall box
> they use that location's ISP for browsing the 'net. Is this the
> recommended way when connected to a PPTP VPN (I only have experience
> with Cisco VPN connections where your workstation is cut off completely
> from the Internet).
>
I don't think there are any general guidelines or best practices; it
depends on the level of control you want to have.

1. If you do a "split tunnel", meaning only traffic destined for your
internal network is sent through the tunnel and anything else goes
through the local ISP, your road warrior will likely have a faster
connection to the rest, but can be more exposed. You also cannot control
or monitor what they are doing outside of your VPN destination.

2. If you tunnel all traffic, it puts a heavier load on both your VPN
endpoint and your Internet connection, but you can determine what
the user can do, what he sees, and monitor *all* activity. If the road
warrior's machine is compromised, there is a better chance you catch it,
since return traffic comes through your network due to the default
gateway being set to your LAN.

That said, with PPTP, forget the security aspects, since PPTP is
inherently broken :)
Sven
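
Added example, not part of the original message: a small audit that takes a road warrior's routing table and reports whether Internet traffic leaves through the tunnel (full) or the local ISP (split), using longest-prefix match. The interface names (eth0, ppp0), the addresses and the three tables are constructed assumptions, and route metrics are ignored.

```python
import ipaddress

def parse(table):
    """Turn (prefix, interface) pairs into (ip_network, interface) routes."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in table]

def egress(routes, dest):
    """Longest-prefix match: interface that carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    return max(hits)[1] if hits else None

def tunnel_mode(routes, vpn_if, internal_host,
                probes=("1.1.1.1", "198.51.100.7")):
    """Classify the client as 'split', 'full' or 'no tunnel'.

    The probes are sample Internet addresses, one in each half of the
    IPv4 space; nothing is contacted, they are only looked up in the table.
    """
    if egress(routes, internal_host) != vpn_if:
        return "no tunnel"          # internal network not reachable via VPN
    outside = [p for p in probes if egress(routes, p) != vpn_if]
    return "split" if outside else "full"

# Constructed table: only the office LAN (10.0.0.0/24) goes through ppp0.
SPLIT = parse([("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0"),
               ("10.0.0.0/24", "ppp0")])

# Constructed table: default route moved to ppp0. The host route to the
# VPN server (203.0.113.10, assumed) must stay on the physical interface.
FULL = parse([("0.0.0.0/0", "ppp0"), ("203.0.113.10/32", "eth0"),
              ("192.168.1.0/24", "eth0"), ("10.0.0.0/24", "ppp0")])

# Constructed table: the default route still points at eth0, but two /1
# routes on ppp0 override it. Checking only 0.0.0.0/0 would misreport
# this client as split tunnel.
HALVES = parse([("0.0.0.0/0", "eth0"), ("0.0.0.0/1", "ppp0"),
                ("128.0.0.0/1", "ppp0"), ("10.0.0.0/24", "ppp0")])

if __name__ == "__main__":
    for name, table in (("SPLIT", SPLIT), ("FULL", FULL), ("HALVES", HALVES)):
        print(name, tunnel_mode(table, "ppp0", "10.0.0.5"))
    # Even in full-tunnel mode the client's own LAN bypasses the tunnel.
    print("local LAN via", egress(FULL, "192.168.1.20"))
```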