VPN within a VPN

OpenVpn Newbie
Posts: 1
Joined: Thu Sep 13, 2018 1:06 pm

VPN within a VPN

Post by avitale » Thu Sep 13, 2018 2:50 pm

Hello, I am not sure if this is the correct discussion topic for this question, so please let me know if it is not and I will post to the correct topic.

I am not a network-specific person; I am a database person, so the terminology below may not be 100% correct.

I have a question regarding VPNs, and before I go to my network folks in my company to see if this is possible, I would like to see if anyone already knows the answer to this question (as I hope I am never the 1st person to think of things, but I have surprised myself lately).

My company uses Pulse Secure VPN clients on computers (laptops/desktops) in order for employees to access the internal corporate LAN from the internet (aka from home or outside internet connection).

We are putting services into the AWS Cloud (RDS, EC2, etc.) and my network guys want to secure access to the services 100% entirely via Bastion IPTUNNEL software access rules (we can only get to the AWS bastion server from within the corporate LAN, and the bastion server can get to the AWS resources) due to authentication requirements (you need access granted to the bastion server) as well as the encryption and logging features available via the bastion server.

We have AWS Direct Connect and other VPN machine-level accesses to AWS. But they want that authentication and logging from the bastion server to be 100% sure they know what is going on (I call it the Suspenders and Belt approach).

But from my standpoint this presents a difficulty, as I may have very, very many services within AWS, and as such my iptunnel configuration may end up aliasing 50 or so server:ports, and there would be multiple bastion servers, etc. (and obviously this can be difficult to manage).

So I asked if it would be possible to use the AWS OpenVPN service with the OpenVPN client on the computers instead of IPTUNNELING (as I read on the internet that OpenVPN gives authentication as well as encryption as well as logging).

And just to be 100% clear, both the AWS bastion servers as well as any potential AWS OpenVPN server would only be accessible from within the corporate network (no public Internet access).

But the main rationale against it is that we do have folks who are not directly connected to the corporate LAN (via either direct Ethernet or via a wireless connection from within the network) but who access the LAN via Pulse Secure VPN, and they say that a computer cannot VPN through a VPN.

I have read that this is possible (i.e. you log in to the Pulse Secure client first and then log in to the OpenVPN client to get to AWS networked services from the computer).

All laptop/desktop computers in question are either Linux or Apple or Windows 7 or 10.

Has anyone ever done this type of VPN chaining successfully (a VPN through a VPN)?

Thanks for your Time

OpenVpn Newbie
Posts: 2
Joined: Mon Sep 24, 2018 3:09 pm

Re: VPN within a VPN

Post by uyuy » Mon Sep 24, 2018 4:19 pm

I am not familiar with the VPN software / vendor you mentioned.

Presuming your overall network is hierarchical, like site office to main office, or employees working from home connected to the office via VPN, then the 1st layer VPN could be a home/site router to the main office router; it connects the home/site to the main office over an encrypted VPN already.

Then if you want another VPN within this VPN, e.g. a laptop at home/site office connected to your database more securely, then within the main office there is another VPN router / gateway inside the 1st VPN, which shields a bunch of database servers. And at the site/home the laptop runs another VPN client to get connections into the 2nd layer VPN to access the database servers.

I think such a hierarchy is functional. But performance is expected to be hindered by VPN overhead, TWICE as much as normal.

However, if your network is not so hierarchical, and it is just a laptop that itself requires going through 2 layers of VPNs from e.g. a mobile broadband connection, then the connection setup will be confusing and troublesome to debug. It also gets the full burden of TWICE encrypting/decrypting every packet. But I still think it can be done in the end; your hierarchy of 2 layers must be 2 distinct logical tunnel devices, e.g. tun0 and tun1, cascading correctly to one another. It is easy to get it wrong in the confusion.

It will be even harder if you require simultaneous connections for different applications, each to a different layer of the 2 VPNs. E.g. if your email from the laptop is required to be within ONLY the 1st layer VPN, and your database connections are required to be in the 2nd layer VPN, and both the email and database applications are running simultaneously on the same laptop. Then there is definitely yet another layer, which is NON-VPN, e.g. the laptop wants to DIRECTLY browse the Internet for Google or YouTube completely free from the VPNs. These can cause confusion for the OS & users; they get errors and failures when they are not routed correctly.

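The cascade uyuy describes (corporate VPN on tun0, AWS VPN on tun1, plus direct Internet traffic) only works if the laptop's routing table sends each class of traffic out the right device; the check below, an added example that is not from the thread or either poster, models a routing table with longest-prefix matching and flags the two classic misconfigurations. The interface name wlan0 and all addresses and subnets are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample routing table for a laptop running two cascaded VPN clients:
# outer corporate VPN on tun0, inner AWS VPN on tun1 (assumed addresses/subnets).
ROUTES = [
    ("0.0.0.0/0",      "wlan0"),  # default: direct Internet, no VPN
    ("10.0.0.0/8",     "tun0"),   # corporate LAN (mail, intranet) via outer VPN
    ("10.50.1.10/32",  "tun0"),   # inner (AWS) VPN server, reachable only from corporate LAN
    ("172.31.0.0/16",  "tun1"),   # AWS VPC (RDS, EC2) via inner VPN
    ("203.0.113.5/32", "wlan0"),  # outer VPN server: must stay on the physical NIC
]

def parse_table(routes):
    return [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]

TABLE = parse_table(ROUTES)

def lookup(dst, table=TABLE):
    """Longest-prefix match, the way the kernel picks an egress device."""
    addr = ipaddress.ip_address(dst)
    matches = [(n, dev) for n, dev in table if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_cascade(outer_server, inner_server, expectations, table=TABLE, nic="wlan0"):
    """Return a list of problems with the tun0/tun1 cascade; an empty list means OK.

    outer_server / inner_server: the two VPN endpoints' addresses.
    expectations: {destination: interface} describing where each kind of traffic
    (corporate, AWS, direct Internet) must exit."""
    problems = []
    # The outer tunnel's endpoint must never be routed into a tunnel: the tunnel
    # would then have to carry its own transport packets (routing loop, no connectivity).
    got = lookup(outer_server, table)
    if got != nic:
        problems.append(f"outer VPN server {outer_server} routed via {got}, expected {nic}")
    # The inner tunnel's endpoint must be reached through the outer tunnel; otherwise
    # tun1 is built over the open Internet or cannot connect at all.
    got = lookup(inner_server, table)
    if got != "tun0":
        problems.append(f"inner VPN server {inner_server} routed via {got}, expected tun0")
    for dst, want in expectations.items():
        got = lookup(dst, table)
        if got != want:
            problems.append(f"{dst} exits via {got}, expected {want}")
    return problems
```

Feeding it a table where the route to the inner VPN server is missing makes that endpoint fall through to the default route, which the check reports as the inner tunnel being built outside the outer one.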