 From:  Sven Brill <madde at gmx dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP VPN User Internet access recommendation
 Date:  Sun, 06 Aug 2006 08:48:31 -0400
Alan Shearer wrote:
> Howdy!
> What is the preferred way to have PPTP VPN users browse the Internet?  I
> currently have it set up so when they connect to a remote m0n0wall box
> they use that location's ISP for browsing the 'net.  Is this the
> recommended way when connected to a PPTP VPN?  (I only have experience
> with Cisco VPN connections where your workstation is cut off completely
> from the Internet.)
I don't think there are any general guidelines or best practices; it
depends on the level of control you want to have.

1. If you do a "split tunnel", meaning only traffic destined for your
internal network is sent through the tunnel, anything else through the
local ISP, your road warrior will likely have a faster connection to the
rest, but can be more exposed. You also cannot control or monitor what
they are doing outside of your VPN destination.

2. If you tunnel all traffic, it puts a heavier load on both your VPN
endpoint as well as your Internet connection, but you can determine what 
the user can do, what he sees, and monitor *all* activity. If the road 
warrior's machine is compromised, there is a better chance you catch it, 
since return traffic comes through your network due to the default 
gateway being set to your LAN.

That said, with PPTP, forget the security aspects, since PPTP is 
inherently broken :)
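
Added example, not part of the original message: a small Python check that tells from a client's routing table whether it is split-tunnelled or sends everything through the VPN, and which destinations therefore bypass monitoring. The interface names (ppp0, eth0), the 192.168.1.0/24 LAN and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing tables as (destination prefix, interface) pairs.
# Assumption: ppp0 is the PPTP tunnel, eth0 the road warrior's local ISP link.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the local ISP
    ("192.168.1.0/24", "ppp0"),   # only the internal LAN goes through the tunnel
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "ppp0"),        # default gateway is the VPN
    ("203.0.113.10/32", "eth0"),  # host route to the VPN endpoint itself
    ("192.168.1.0/24", "ppp0"),
]

def egress(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def bypassing(routes, destinations, tunnel_if="ppp0"):
    """Destinations whose traffic never crosses the tunnel (not monitorable)."""
    return [d for d in destinations if egress(routes, d) != tunnel_if]

def classify(routes, tunnel_if="ppp0"):
    """'full' if arbitrary Internet destinations use the tunnel, else 'split'.

    Probing both halves of the address space also catches tables that
    override the default route with 0.0.0.0/1 and 128.0.0.0/1.
    """
    probes = ["8.8.8.8", "198.51.100.7"]  # one address below and one above 128.0.0.0
    missed = bypassing(routes, probes, tunnel_if)
    if not missed:
        return "full"
    return "split" if len(missed) == len(probes) else "mixed"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, classify(table), bypassing(table, ["192.168.1.20", "198.51.100.7"]))
```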