

[Closed] IT security question

Posts: 91000
Free Member
Topic starter
 

If I have my work laptop at home on my home network, and I open up port 3389 or whatever it is, I can remote-desktop into my work laptop. If I then start the VPN client - a) will it work or will it cut off any traffic that's not on the work network, and b) assuming it did work, is there a security risk I'm missing?


 
Posted : 08/01/2014 11:12 am
Posts: 3723
Free Member
 

This is a bit of a guess if I'm honest 😀

I reckon if you've got split tunneling enabled then it'll just route specific traffic down the VPN (either pre-defined subnets or just the subnet in the range of IP addresses you've been allocated) and I'd guess you'd stay connected.

If there's no split tunneling then the VPN will use the default gateway on the remote network and all your traffic would get routed down the VPN and I suspect you'd get D/C.

I'm not sure I'd be wanting to open up 3389 on my home firewall though, at the very least I'd be changing the port that RDP listens on and open something non-standard.


 
Posted : 08/01/2014 11:26 am
Posts: 2
Free Member
 

Scaled is right, it depends on the client and the policy.
Most VPN clients take over the IP stack though and would usually, by default, disconnect any inbound connections.

What client do you use and I'll tell you how aggressive it tends to be normally?


 
Posted : 08/01/2014 11:36 am
Posts: 13916
Free Member
 

Can you not achieve everything using just remote desktop?

I used to use Remote Desktop via a VPN when away from my office. I now do everything through Chrome Remote Desktop, which rocks..... but I don't need access to files stored on the office network as it's now in the cloud.


 
Posted : 08/01/2014 11:38 am
Posts: 0
Full Member
 

No one has split tunnelling enabled on a standard corporate VPN profile though do they?
You might be able to do it with two interfaces, again depending on how aggressive the client is, and the OS. I assume you mean open 3389 on your PC firewall, not your NAT/router box thingy, so you can RDP your work PC from another internal PC?

Can you not achieve everything using just remote desktop?

No, the VPN tunnel will effectively obscure the local IP before you even get on to 'what to do once connected'.


 
Posted : 08/01/2014 11:45 am
Posts: 0
Free Member
 

Depends on the policy, if the default gateway is enforced.

FWIW all our staff laptops start their VPN client on boot (automatically), and once connected, route all traffic through the tunnel.


 
Posted : 08/01/2014 11:45 am
Posts: 91000
Free Member
Topic starter
 

Hmm.. I meant open up rdp on the router to allow connections over the internet.

I'm trying to avoid having to travel with both my work laptop and the client's laptop which are both quite large.


 
Posted : 08/01/2014 11:50 am
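The split-tunnel versus full-tunnel distinction raised above comes down to the laptop's routing table. The inbound RDP connection arrives through the home router's port forward on the LAN adapter, but the reply packets follow whatever route matches the remote client's address. A split-tunnel client only adds corporate prefixes, so the replies still leave via the LAN; a full-tunnel client installs a more-preferred default route, the replies go into the tunnel, the router's NAT state never sees them, and the session dies. The following is an added worked example, not code from the thread or from any VPN vendor; every address (home LAN 192.168.1.0/24, laptop 192.168.1.10, corporate 10.0.0.0/8, VPN server 203.0.113.10, remote RDP client 198.51.100.77) and both route tables are constructed for illustration.

```python
"""Why an inbound RDP session survives a split-tunnel VPN but not a full tunnel.

A host picks the egress interface by longest-prefix match on the destination,
with the route metric as tie-breaker.  The tables below are constructed
examples of what a laptop's routing table looks like before and after a VPN
client starts.  All addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    metric: int


# Laptop's table before the VPN client starts (constructed).
LAN_ONLY = [
    Route(IPv4Network("192.168.1.0/24"), "eth0", 10),  # home LAN, on-link
    Route(IPv4Network("0.0.0.0/0"), "eth0", 10),       # default via home router
]

# Every VPN client pins a host route to its own server so tunnel packets are
# not themselves routed into the tunnel.
VPN_SERVER = IPv4Network("203.0.113.10/32")

# Split tunnel: only the corporate prefix is sent into the tunnel.
SPLIT_TUNNEL = LAN_ONLY + [
    Route(VPN_SERVER, "eth0", 5),
    Route(IPv4Network("10.0.0.0/8"), "tun0", 5),
]

# Full tunnel: the client adds a default route with a better metric than the
# home router's, so every non-local destination goes into the tunnel.
FULL_TUNNEL = LAN_ONLY + [
    Route(VPN_SERVER, "eth0", 5),
    Route(IPv4Network("0.0.0.0/0"), "tun0", 1),
]


def egress_interface(table, dst):
    """Return the interface a packet to dst leaves on: longest prefix wins,
    lower metric breaks ties (the same rule a real host applies)."""
    dst = IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.interface


def rdp_session_survives(table, client_ip):
    """The SYN came in through the router's port forward on eth0, so the
    router's NAT entry only matches replies that leave through eth0."""
    return egress_interface(table, client_ip) == "eth0"


if __name__ == "__main__":
    client = "198.51.100.77"  # hypothetical remote RDP client on the internet
    for name, table in (("LAN only", LAN_ONLY),
                        ("split tunnel", SPLIT_TUNNEL),
                        ("full tunnel", FULL_TUNNEL)):
        ok = rdp_session_survives(table, client)
        print(f"{name:13s}: replies leave via {egress_interface(table, client)}"
              f" -> session {'survives' if ok else 'drops'}")
```

The same longest-prefix rule explains why an RDP session from another machine on the home LAN keeps working even under a full tunnel (the on-link /24 beats the /0), and why the VPN server's /32 host route is needed at all. Whether the corporate gateway would even forward a reply with a 192.168.1.10 source address out to the internet is a separate question; the session is already broken before that point.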
Posts: 91000
Free Member
Topic starter
 

Just did an ip check via google and it has told me one belonging to my mobile isp, not my company. So it might work..


 
Posted : 08/01/2014 11:52 am
Posts: 91000
Free Member
Topic starter
 

something weird is going on.

The VPN client seems to have installed a second ethernet adapter which is connected to the work network, that's fair enough.

I'm connected to the internet via my phone (which is a windows phone) via wifi and internet connection sharing, and the default gateway is 192.168.something. When I do a tracert to a public website it goes through that and 10.something as well. How odd.


 
Posted : 08/01/2014 12:00 pm
Posts: 14
Free Member
 

192.168.x.x is the RFC 1918 class B private subnet and is the default internal address space for most home networks.
10.x.x.x is the RFC 1918 class A private subnet and would be the preferred choice for larger organisations.
Connecting to work (10.x.x.x) via home network (192.168.x.x) would give those results.


 
Posted : 08/01/2014 1:40 pm
Posts: 0
Full Member
 

192.168.x.x is the RFC 1918 class B private subnet and is the default internal address space for most home networks.
10.x.x.x is the RFC 1918 class A private subnet and would be the preferred choice for larger organisations.
Connecting to work (10.x.x.x) via home network (192.168.x.x) would give those results.

What he said (192.168 addresses are class C), but the 192 address could also be the pool assigned to VPN connections by your concentrator/DHCP server, difficult to say without seeing what it's referring to. And probably not helpful anyway 🙂

Can't you rig something up with TeamViewer? Think it runs over HTTP tunnelling so works nearly everywhere.. setting it up and keeping it secure is your problem though, and your employers may (will) have a policy against it.


 
Posted : 08/01/2014 1:53 pm
Posts: 0
Free Member
 

I run my VPN sessions from inside a Virtual Machine. This way the network connection on the virtual machine is locked and I still have access to Web/email from my PC.


 
Posted : 08/01/2014 1:56 pm
Posts: 14
Free Member
 

What he said (192.168 addresses are class c)

oops, head hanging in shame


 
Posted : 08/01/2014 1:57 pm
Posts: 0
Free Member
 

Mobile networks usually use a class A network for handsets. Essentially you're NAT'ing behind their router, just like in your home network.


 
Posted : 08/01/2014 1:59 pm
Posts: 91000
Free Member
Topic starter
 

So RDP is inherently insecure?

Yeah I know about private networks, I just didn't understand what I was seeing in my tracert. The phone has given itself 192.168.137.1 which seems to be some kind of default in MS internet sharing, and given itself the hostname of windows-phone.

The 10.x.x.x in the tracert are apparently the IPs of the routers in the ISP.


 
Posted : 08/01/2014 2:00 pm
Posts: 0
Free Member
 

Can you not RDP into your work machine over the VPN?

Struggling to see what your problem is?


 
Posted : 08/01/2014 2:03 pm
Posts: 77347
Free Member
 

So RDP is inherently insecure?

It's not "insecure" so much as "not secure". If you open up 3389 on your router you'll attract the attention of every passing script kiddie on the planet. At the very least, as someone said right at the start, you really should get it listening on a non-standard port.

TBH though for what you're trying to achieve I'd use an Internetty remote access solution like GoToAssist / TeamViewer / LogMeIn and let someone else worry about it.


 
Posted : 08/01/2014 2:25 pm
Posts: 91000
Free Member
Topic starter
 

I want to use my ultraportable computer for work emails and docs etc. But connecting it to the work network requires special exemption cos it doesn't meet the requirements. And it's slow and all. So if I could use it as an RDP terminal that might work. Full access to the work laptop without needing to lug it about.

Cougar would I need to install software on the target PC?

Another option might be to migrate my work PC to Linux.

Of course none of this would be necessary if our webmail worked over the internet. I mean what's the point in having webmail?


 
Posted : 08/01/2014 2:29 pm
Posts: 8819
Full Member
 

What Cougar said here ^ (although I would suggest GoToMyPC rather than Assist).

To be honest, I'm struggling to see what the use case is here. Are you saying you want to travel with your laptop, but be able to access your work/client laptop (at home) whilst out and about over RDP?


 
Posted : 08/01/2014 2:30 pm
Posts: 8819
Full Member
 

Damn, too slow in my typing.

Ok, a quick follow-up question... Does your work IT security policy allow for the use of personal laptops to punch holes in their firewall and access internal IT assets? If your laptop does not meet their requirements, it may well be that your aim here could well fall foul of the same policy.


 
Posted : 08/01/2014 2:32 pm
Posts: 77347
Free Member
 

Cougar would I need to install software on the target PC?

Yeah. You'd have a service running on the target listening (which is essentially what RDP does anyway).

If you want to stick with RDP, work through this; it's an excellent write-up on its security and pitfalls:

http://www.howtogeek.com/175087/how-to-enable-and-secure-remote-desktop-on-windows/


 
Posted : 08/01/2014 2:36 pm
Posts: 91000
Free Member
Topic starter
 

Personal laptops are allowed on if they comply with the requirements and have the spyware on. I don't know if I am allowed to connect into my work laptop or not. Not sure it specifies. But it is allowed on my home network and public internet without any protection other than Symantec. The VPN is only needed for intranet access.

Just occurred to me - if I had a VPN endpoint at home, this would be dead useful for lots of reasons, and would solve some security issues...?


 
Posted : 08/01/2014 4:26 pm
Posts: 13594
Free Member
 

I run my VPN sessions from inside a Virtual Machine. This way the network connection on the virtual machine is locked and I still have access to Web/email from my PC.

This. Most VPNs shut down all other network interfaces to stop your machine being used as a bridge to the insecure internet, although not all our customers enforce this (which is incredibly stupid of them).


 
Posted : 08/01/2014 4:30 pm
Posts: 13594
Free Member
 

I'm trying to avoid having to travel with both my work laptop and the client's laptop which are both quite large.

Can you not clone your client's laptop and run it as a VM?

I cloned my work laptop and run it as a VM on my MBP at home......


 
Posted : 08/01/2014 4:32 pm
Posts: 8819
Full Member
 

Personal laptops are allowed on if they comply with the requirements and have the spyware on.

You mean anti-spyware right??

Molly, seriously, check your security policies before you do this. A lot of companies will not let you RDP to an internal machine from an outside machine, despite AV or whatever on the home machine. This may be because it is seen as a way in for malware (home machines being seen as a greater risk of infection than work ones).

Moving on to VPN endpoints, I use a Raspberry Pi as one. That limits my router to a single open inbound port and prevents the IP camera being exposed to the internet.


 
Posted : 08/01/2014 5:13 pm
Posts: 91000
Free Member
Topic starter
 

You mean anti-spyware right??

No I mean corporate spyware. The stuff that analyses what we have installed (badly) and checks we are compliant.

Fairly sure policy doesn't mention remote connections, but I will check before I do anything.

There's no chance of cloning the bank's machine though. That'd never fly!

Re the VPN endpoint. Was there a ready made appliance for it or did you just configure it in Linux yourself?


 
Posted : 08/01/2014 5:52 pm
Posts: 2
Free Member
 

What he said (192.168 addresses are class C)

oops, head hanging in shame

It's alright, you're right. It's a class B subnet.


 
Posted : 08/01/2014 7:45 pm
Posts: 77347
Free Member
 

Classes have been irrelevant for about two decades, it's a non-issue (miscellaneous pedantry aside).

(And you're wrong, it's class C)


 
Posted : 08/01/2014 7:56 pm
Posts: 2
Free Member
 

We're geeks, of course it's important!

Edit:
and..... as a nomenclature the class references are still used all the time amongst networking people.


 
Posted : 08/01/2014 7:57 pm
Posts: 77347
Free Member
 

(sorry, ninja edit)


 
Posted : 08/01/2014 7:58 pm
Posts: 77347
Free Member
 

as a nomenclature the class references are still used all the time amongst networking people.

True enough. Most of the time though, far as I can tell(*) it's mostly to show off that they understand classful networks.

(* - as I keep telling people, I Am Not A Network Engineer)


 
Posted : 08/01/2014 8:04 pm
Posts: 2
Free Member
 

I'm not wrong, a class B subnet has 16 net bits, a Class C has only 8.

192.168.0.0/16 is the RFC1918 subnet under discussion, CIDR of /16.


 
Posted : 08/01/2014 8:05 pm
Posts: 1646
Full Member
 

If said work laptop had a Wifi card and an Ethernet port you might be in with a chance.

Connect to your router via the Ethernet.

On the router, bind the MAC of the Ethernet port to an IP address, say 192.168.1.10 add a rule to open up the RDP port and point it to 192.168.1.10

RDP in to the laptop then kick off the VPN connection but via the Wifi.


 
Posted : 08/01/2014 8:09 pm
Posts: 13916
Free Member
 

the default gateway is 192.168.something. When I do a tracert to a public website it goes through that and 10.something as well. How odd.

Mol: On my home network I use a hardware firewall between the main network switch and the broadband router. Internal network is 192.168.4.x, the gateway (which is the LAN side of the firewall) is 192.168.4.200, the WAN port of the firewall is 10.0.0.2 and the BB router is 10.0.0.1.

Maybe your phone is doing something similar - it has an internal 'LAN' port of 192.168.x.x and a WAN [public facing] port of 10.x.x.x.


 
Posted : 08/01/2014 8:10 pm
Posts: 2
Free Member
 

What's happened there is the VPN client has created a virtual interface which has an IP address assigned from a pre-designated pool. This is so the VPN server can act as the gateway for all VPNed traffic and so the corporate network knows where to return all the VPN traffic to.


 
Posted : 08/01/2014 8:13 pm
Posts: 77347
Free Member
 

I'm not wrong, a class B subnet has 16 net bits, a Class C has only 8.

192.168.0.0/16 is the RFC1918 subnet under discussion, CIDR of /16.

Except you're applying classful notation to a CIDR network. foo/16 is "class b" yes, for everything that means; however, 192.168.0.0 isn't possible in a classful network, it's 192.168.x.0/24 (where 'x' is whatever the third octet of the network is).

Which, is why we shouldn't really be using the terms, even though everyone does.


 
Posted : 08/01/2014 8:19 pm
Posts: 77347
Free Member
 

(Sorry for the thread derail)


 
Posted : 08/01/2014 8:20 pm
Posts: 2
Free Member
 

see? Ridiculous pedantry is important to you!

Continuing the pedantry, 192.168.0.0/16 is entirely possible in a classful network.


 
Posted : 08/01/2014 8:28 pm
Posts: 1646
Full Member
 

Class B has 16 network bits and 16 host bits, a Class C has 24 network bits and 8 host bits.

Running a /64 here


 
Posted : 08/01/2014 8:30 pm
Posts: 77347
Free Member
 

Continuing the pedantry, 192.168.0.0/16 is entirely possible in a classful network.

My networking knowledge isn't solid enough to argue. If you're sure then I'll cheerfully bow to your superior knowledge (and sincerely appreciate an explanation).


 
Posted : 08/01/2014 8:58 pm
Posts: 2
Free Member
 

as you say, class discussions remain mostly on a superiority basis. It's simply a term and doesn't actually relate to specific networks, private or otherwise.

Classes were originally developed to describe large routable networks on the internet and the most common classes were grouped in the a, b, and c derivatives that we've all heard of.

So as long as the sizing is held, then classful networks can be implemented and utilised. I've seen a class A 5.0.0.0/8 private network implemented and a 192.168.0.0/16 network, all appropriate, all working fine. Not very well, admittedly, but possible.

Cisco in particular used to drive this style of networking. Make a huge, big, flat network. Create a strong shell around it and then just create this crazily huge switched network with a single default gateway out the front door.

you'll not see things like that any more.


 
Posted : 08/01/2014 10:45 pm
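The class B / class C argument above can be settled mechanically. The class of an address is fixed by the leading bits of its first octet (0 = A, 10 = B, 110 = C), which gives each class a natural mask of /8, /16 or /24. The RFC 1918 blocks are defined by prefix length instead, and RFC 1918 itself describes them as one class A network, 16 contiguous class B networks and 256 contiguous class C networks. So 192.168.0.0/16 is a /16 of class C space, not a class B network. The following is an added worked example, not code from the thread; the helper names are mine, and the sample addresses (including the 192.168.137.1 Internet Connection Sharing address mentioned earlier) are used only to exercise the functions.

```python
"""Classful address classes versus the RFC 1918 private blocks.

The first-octet bit pattern fixes the class and its natural mask; the RFC 1918
blocks are defined by prefix length, so one block can aggregate many classful
networks.  Added worked example; helper names are illustrative.
"""
from ipaddress import IPv4Address, IPv4Network

# RFC 1918 section 3: the 24-bit, 20-bit and 16-bit private blocks.
RFC1918_BLOCKS = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)

# Natural (classful) prefix length for the classes that have host bits.
NATURAL_PREFIXLEN = {"A": 8, "B": 16, "C": 24}


def classful_class(addr):
    """Class letter from the leading bits of the first octet:
    0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D, 1111xxxx = E."""
    first = int(IPv4Address(addr)) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


def rfc1918_block(addr):
    """The RFC 1918 block containing addr, or None if it is not private."""
    ip = IPv4Address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return block
    return None


def classful_networks_in(block):
    """(class, count): how many networks of the block's natural class the
    CIDR block spans.  192.168.0.0/16 -> ('C', 256), exactly the wording of
    RFC 1918 ('a set of 256 contiguous class C network numbers')."""
    cls = classful_class(block.network_address)
    natural = NATURAL_PREFIXLEN[cls]
    if block.prefixlen > natural:
        raise ValueError(f"{block} is a subnet of one class {cls} network")
    return cls, 2 ** (natural - block.prefixlen)


def describe(addr):
    """One-line interpretation of an address seen in a tracert."""
    cls = classful_class(addr)
    block = rfc1918_block(addr)
    if block is None:
        return f"{addr}: class {cls}, not RFC 1918 private"
    blk_cls, count = classful_networks_in(block)
    return f"{addr}: class {cls}, inside {block} ({count} class {blk_cls} network(s))"


if __name__ == "__main__":
    for sample in ("192.168.137.1", "10.1.2.3", "172.16.0.1", "5.0.0.1"):
        print(describe(sample))
```

Run against the hops in the original tracert, the function labels 192.168.137.1 as a class C address inside the 192.168.0.0/16 block and a 10.x.x.x hop as class A inside 10.0.0.0/8. As Cougar says, none of this affects how a modern CIDR router forwards the packet; the class only tells you which natural mask the address would have carried before CIDR.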
Posts: 0
Free Member
 

Just clone the laptop and run it on vmware. Then you only need one laptop. I've done this in the past and it worked well. Your client may not be too pleased if they find out... but then that's probably the case for most of what's being discussed.

I am quite surprised how few large organisations allow access to their networks from anything other than hardware they provide. I've worked for a few that have really neat (usually Citrix based) solutions to allow you to use your own hardware.


 
Posted : 08/01/2014 11:23 pm
