Is it possible to port filter traffic over an outbound VPN connection

filtering, vpn

Summary

Is it possible to filter what traffic can go through a VPN, controlled by the sysadmins of the outbound (source) network, not the inbound (destination) network's sysadmins?

Details

I'm currently working onsite at a client. They are a large company with a strict internet/intranet policy. To access my own computer/dev servers, I need to VPN to my own work network, and then access the servers accordingly. Nothing too hard there.

BUT, at this client, they are very very restrictive over what ports can be opened up, outbound. VPN is not one of them. So after a few discussions, it seems they will open up VPN, provided they can control what ports will be allowed over the VPN tunnel.

Now, I know I can port block on our own VPN, but that is set up from OUR own side. The client I'm at doesn't like this, because even though we might pass the test today, they said that tomorrow we could suddenly relax/change the port filters and break their security policy.

So, is it possible for the client I'm working at to configure their network so that when I request a VPN connection to my static VPN server IP, they allow that connection AND only allow certain ports to be opened?

I'm under the impression that this won't work because all port traffic gets tunnelled through the single VPN connection, which is encrypted, so the client I'm working at has no way to interrogate the traffic I'm trying to pass through?

I hope I'm wrong 🙂

Can anyone help, here?

Best Answer

You don't mention what VPN technology you use or what initiates the VPN connection. I am assuming you are initiating the VPN from your desktop system?

What I propose is that you add a second network to your desktop, and then you set up a broadband router to create the VPN to your personal network, instead of initiating the VPN from your desktop. Then you can give control of the device that initiates the VPN to them. They can adjust the firewall policy of the VPN access device to conform with whatever rules they need.

This would allow them the control they want, but it does to a certain extent compromise your network, if you cannot trust them to not allow anyone else to connect to the device creating the VPN.
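As an added example, not part of the original question or answer: the firewall policy the answer places on the client-controlled VPN gateway, written as a POSIX shell script that generates iptables rules. Everything in it is an assumption for illustration: the tunnel comes up as interface `tun0`, the client-facing LAN interface is `eth0`, and the client permits only TCP 22 and 443 across the tunnel. It shows the point the question hinges on: the filtering happens on the plaintext side of the tunnel, in the gateway's FORWARD chain before encryption, so the client's network team can enforce and audit the policy without needing to see inside the encrypted stream leaving their network.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's own code): firewall
# policy for a VPN gateway box that the client administers. Interface names
# and port list are hypothetical placeholders for this illustration.

# Print the iptables commands that enforce the policy. Nothing is applied
# here, so the rule set can be reviewed or diffed against an approved baseline
# before it is loaded.
vpn_policy_rules() {
    tun_if="$1"      # tunnel interface; packets leaving it are encrypted
    lan_if="$2"      # interface facing the client's desktop network
    ports="$3"       # space-separated TCP ports the client allows over the tunnel

    # Default deny for forwarded traffic; only explicit allows get through.
    echo "iptables -P FORWARD DROP"
    # Replies belonging to allowed sessions may come back through the tunnel.
    echo "iptables -A FORWARD -i $tun_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One accept per permitted destination port, LAN -> tunnel direction only.
    for p in $ports; do
        echo "iptables -A FORWARD -i $lan_if -o $tun_if -p tcp --dport $p -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # Log what the policy rejects so the client can see attempts, then drop.
    echo "iptables -A FORWARD -i $lan_if -o $tun_if -j LOG --log-prefix 'VPN-POLICY-DROP: '"
    echo "iptables -A FORWARD -i $lan_if -o $tun_if -j DROP"
}

# Count how many destination ports a generated rule set permits over the
# tunnel; a quick check that the loaded policy is no wider than agreed.
allowed_port_count() {
    vpn_policy_rules "$1" "$2" "$3" | grep -c -- '--dport'
}

# Apply only when explicitly asked (requires root and iptables on the gateway).
if [ "${1:-}" = "apply" ]; then
    vpn_policy_rules tun0 eth0 "22 443" | sh -e
fi
```

Run `sh vpn-policy.sh apply` as root on the gateway to load the rules; without the argument the script only prints them, which is how the client's admins would review the policy (or compare it against the version they approved) before trusting the device. Because the rules live on the gateway the client controls, relaxing them later requires their change, not the remote network's, which is exactly the guarantee the question says the client is asking for.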