Local proxy solution to circumvent my VPN

1

I work in a remote office, and in order to connect to corporate resources, we have to log into a software VPN. Once authenticated, this VPN then gets an IP address and configures its gateway as the default gateway, thus routing all traffic into the corporate network. Then in order to be able to access any corporate resources (wiki, git, etc) we have to use the corporate proxy server. The problem there is the proxy filters are significant, blocking access to many commonly-used sites, and the throughput ranges from lousy to awful (downloading a 600MB image from docker.io can take >20 minutes over the VPN but <1 minute while off the VPN).

I want to be able to bypass the VPN (and specifically the default route into the VPN) whenever I want. What (I think) I want is a local proxy server that routes all traffic over the local network gateway, NOT the VPN gateway. That way I avoid managing network/domain by-pass configurations (which I've already attempted to do, and there are at least 200 networks/IPs, so it's way too much to manage) and just use the local proxy only when I'm connected to the VPN and explicitly need to bypass it entirely. How can I accomplish this?

DrStrangepork

Posted 2017-04-25T16:12:07.120

Reputation: 1 023

The "right answer" is to use a split-tunnel configuration on the VPN so that it identifies only traffic to VPN protected endpoints for tunneling. This would be along the line of setting your default route to be the VPN for the network(s) that are company-private and leaving your ISP route for everyone else (read: local & internet). This should be set up in the VPN policy, so it should be done by corporate. They may not do it because it's hard, or they may want to monitor all traffic (policy/compliance reasons are common for non-split-tunnels). – Ruscal – 2017-04-25T16:53:36.363

If you are trying to set up a local proxy (and assuming this isn't a breach of policy, but that corporate has some other [unknown?] reason for not configuring the VPN policy to split) then you'll need to list what your current routing policies are. I would suspect that no matter what you will have to enumerate all the VPN networks since it sounds like corporate policy is 0.0.0.0/0 to do a full catch-all. In the end, no proxy and just writing good split-tunnel routes would be easier (and if lucky you can get corporate to do it; try arguing excess consumption of expensive ISP connection at HQ) – Ruscal – 2017-04-25T16:58:21.027

1) Won't happen. Corporate deliberately forces all traffic through the VPN. That's why I'm asking the question. 2) Basically, I want to route 10.0.0.0/8 through the VPN gateway and all other traffic through the WiFi gateway (which will be 10.1xx.x.x/20). I think I am asking for recommendations on tools that will manage that split-tunnel routing. – DrStrangepork – 2017-04-25T17:58:06.990

Just that one network for VPN? That's fairly easy. What OS are we talking about? If I have an image handy I'll run a quick command test and drop that as an answer. But basically you'll remove the VPN default route and replace it with a proper split-route. Make that a script that you run right after the VPN connection and Bob's your uncle. – Ruscal – 2017-04-25T18:06:14.637

MacOS 10.12.4. What else do you need to know? – DrStrangepork – 2017-04-25T18:16:03.170

Answers

0

Given what you're attempting to do, and the way it sounds like corporate is pushing their VPN policies, YMMV. (Also, decide if this is a bad technological setting you're fixing versus countering an actual corporate policy. One makes you a techie who fixed something, the other makes you an employee blatantly breaking the rules. I'll give technical how-to but be careful with your execution of such)

After connecting to the VPN I'll be working from the command shell, so go ahead and pop that open. I run this image as an elevated account, so all these commands "just work" for me. You may have to prepend the command sudo to the beginning to elevate the command execution depending on your account setup.

First, we need to remove the default route as set by the VPN.

route delete default

Then we want to add in the route for the VPN to only corporate-ish things

route add 10.0.0.0/8 <IP of the VPN gateway>

And then we return your normal default that uses the local router as the gateway

route add default <IP of your local gateway>

This will have the default traffic use your local next-hop which should progress to your local ISP connection for internet connectivity. But any traffic destined for corporate HQ, it will go to the VPN gateway.

It sounds like your initial attempt was to put in a local-next-hop route for every internet location you wanted to access. While that would perform the same end result, it is a lot of work to keep up with. A good split-tunnel design does just the opposite; it specifies the limited network (company VPN) that needs the special path (via the VPN gateway) and everything else should use "normal means".

Oh, and if you don't have the info already, you can get your current route information by running

netstat -nr

Run that while on VPN to get the VPN gateway info, and while off VPN to get the normal gateway info.

Ruscal

Posted 2017-04-25T16:12:07.120

Reputation: 504
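The answer's three route commands and the netstat lookup, turned into a small macOS shell script as an added example (this is not code from the original post or from Ruscal's answer). It reads the default gateway out of `netstat -nr` text, builds the three commands as a printed plan so they can be checked before anything touches the routing table, and refuses to proceed when the two gateways are identical, which is what you see if both tables were captured in the same VPN state. The corporate range 10.0.0.0/8 comes from the question; the two routing tables and their addresses are constructed for the example, and `utun1` as the tunnel interface and `en0` as Wi-Fi are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or answer: build the answer's
# three `route` commands as a plan that is printed before it is run, with the
# gateways read from `netstat -nr` output. Assumptions not stated on the page:
# the corporate range is 10.0.0.0/8 (from the question); the sample tables
# below are constructed with made-up addresses (utun1 = VPN tunnel, en0 = Wi-Fi).

CORP_NET="10.0.0.0/8"

# Constructed `netstat -nr` output while connected to the VPN.
SAMPLE_ON_VPN='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.200.0.1         UGSc            5        0   utun1
10/8               10.200.0.1         UGSc            0        0   utun1
10.100.0/20        link#5             UCS             2        0     en0
10.100.0.1         0:11:22:33:44:55   UHLWIir         1        0     en0   1200'

# Constructed `netstat -nr` output with the VPN disconnected.
SAMPLE_OFF_VPN='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.100.0.1         UGSc           12        0     en0
10.100.0/20        link#5             UCS             2        0     en0'

# Print the gateway of the first `default` route in netstat -nr text on stdin.
# Run on the VPN this is the VPN gateway; run off the VPN it is the local router.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# Emit the answer's commands, one per line, without executing them.
# Fails if a gateway is missing or both are the same address, which means the
# two tables were probably captured in the same VPN state.
plan_split_tunnel() {
    vpn_gw="$1"
    local_gw="$2"
    if [ -z "$vpn_gw" ] || [ -z "$local_gw" ]; then
        echo "error: need both the VPN gateway and the local gateway" >&2
        return 1
    fi
    if [ "$vpn_gw" = "$local_gw" ]; then
        echo "error: VPN and local gateway are identical; capture one table on and one off the VPN" >&2
        return 1
    fi
    printf 'route delete default\n'
    printf 'route add %s %s\n' "$CORP_NET" "$vpn_gw"
    printf 'route add default %s\n' "$local_gw"
}

# Execute the plan line by line, echoing each command first. Needs root, so
# invoke with sudo; stops at the first command that fails.
apply_split_tunnel() {
    plan=$(plan_split_tunnel "$1" "$2") || return 1
    echo "$plan" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Terminal usage (hypothetical file name split_tunnel.sh):
#   netstat -nr | sh split_tunnel.sh gateway              # once on, once off VPN
#   sh split_tunnel.sh plan 10.200.0.1 10.100.0.1         # show the commands
#   sudo sh split_tunnel.sh apply 10.200.0.1 10.100.0.1   # run them
case "${1:-}" in
    gateway) default_gateway ;;
    plan)    plan_split_tunnel "$2" "$3" ;;
    apply)   apply_split_tunnel "$2" "$3" ;;
esac
```

Running `plan` first and reading the three lines back is the cheap check before `apply`: if the plan shows the wrong address after `route add default`, the only thing lost is a few seconds, whereas applying it leaves you with no working default route until you put the old one back.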