VPN within a VPN
Posted: Thu Sep 13, 2018 2:50 pm
Hello, I am not sure if this is the correct discussion topic for this question, so please let me know if it is not and I will post to the correct topic.
I am not a network-specific person, I am a database person, so the terminology below may not be 100% correct.
I have a question regarding VPNs, and before I go to my network folks in my company to see if this is possible, I would like to see if anyone may already know the answer (as I hope I am never the first person to think of things, but I have surprised myself lately).
My company uses Pulse Secure VPN clients on computers (laptops/desktops) in order for employees to access the internal corporate LAN from the internet (aka from home or an outside internet connection).
And we are putting services into the AWS cloud (RDS, EC2, etc.), and my network guys want to secure access to the services 100% entirely via bastion IPTUNNEL software access rules (we can only get to the AWS bastion server from within the corporate LAN, and the bastion server can get to the AWS resources) due to authentication requirements (you need access granted to the bastion server) as well as the encryption and logging features available via the bastion server.
We have AWS Direct Connect and other VPN machine-level access to AWS. But they want that authentication and logging from the bastion server to be 100% sure they know what is going on (I call it the suspenders-and-belt approach).
But from my standpoint this presents a difficulty, as I may have very, very many services within AWS, and as such my iptunnel configuration may end up aliasing 50 or so server:ports, and there would be multiple bastion servers, etc. (and obviously this can be difficult to manage).
So I asked if it would be possible to use the AWS OpenVPN service with the OpenVPN client on the computers instead of IPTUNNELING (as I read on the internet that OpenVPN gives authentication as well as encryption as well as logging).
And just to be 100% clear, both the AWS bastion servers as well as any potential AWS OpenVPN server would only be accessible from within the corporate network (no public internet access).
But the main rationale against it is that we do have folks who are not directly connected to the corporate LAN (via either direct Ethernet or via a wireless connection from within the network) but access the LAN via the Pulse Secure VPN, and they say that a computer cannot VPN through a VPN.
I have read that this is possible (i.e. you log in to the Pulse Secure client first and then log in to the OpenVPN client to get to AWS networked services from the computer).
All laptop/desktop computers in question are either Linux, Apple, or Windows 7 or 10.
Has anyone ever done this type of VPN chaining successfully (a VPN through a VPN)?
Thanks for your Time
Anthony
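Whether a second tunnel can be brought up over a first one is, at the OS level, a routing question: the encapsulated packets of each tunnel have to leave through the layer below it (the outer VPN's packets via the physical NIC, the inner VPN's packets via the outer tunnel), and a route pushed by the inner VPN that covers its own server address, or the outer VPN's gateway, sends a tunnel's own traffic back into itself and stalls both links. The following is an added example, not code from the post or from Pulse Secure or OpenVPN: it applies longest-prefix matching to a constructed route table for the topology described above (Pulse Secure as the outer tunnel on tun0, OpenVPN into AWS as the inner tunnel on tun1) and reports which hop is wrong. All interface names, addresses and routes are assumptions made up for the illustration; whether the Pulse client's policy permits another tunnel over it is a separate question that this check cannot answer.

```python
"""Route-table check for a VPN inside a VPN (added example, not from the post).

Assumed topology (all names and addresses are constructed for illustration):
  eth0  physical NIC, home network 192.168.1.0/24, default gateway on eth0
  tun0  outer tunnel: Pulse Secure client, gateway 203.0.113.5 (public IP)
  tun1  inner tunnel: OpenVPN client, server 172.16.0.10 (only reachable
        from the corporate LAN, i.e. through tun0)
  AWS service hosts (RDS/EC2) live in 172.16.10.0/24, pushed via tun1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def build_table(entries: Sequence[Tuple[str, str]]) -> List[Route]:
    """Turn ("cidr", "iface") pairs into Route objects."""
    return [Route(ipaddress.ip_network(cidr), dev) for cidr, dev in entries]


def lookup(table: Sequence[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, the rule every OS routing table applies."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def check_nested_vpn(table, physical, outer_dev, outer_endpoint,
                     inner_dev, inner_endpoint, services) -> List[str]:
    """Return the list of routing problems; an empty list means the chain can work.

    Outer tunnel traffic must egress via the physical NIC, inner tunnel traffic
    via the outer tunnel, and the target services via the inner tunnel.
    """
    problems = []
    expectations = [
        (outer_endpoint, physical, "outer VPN gateway"),
        (inner_endpoint, outer_dev, "inner VPN server"),
    ] + [(svc, inner_dev, "AWS service") for svc in services]
    for ip, want_dev, label in expectations:
        r = lookup(table, ip)
        got = r.dev if r else "no route"
        if got != want_dev:
            problems.append(f"{label} {ip}: expected via {want_dev}, got {got}")
    return problems


# Working table: the outer VPN full-tunnels everything (0.0.0.0/0 via tun0) but
# keeps a host route to its own gateway on eth0; the inner VPN only pushes the
# service subnet.  (Constructed sample, not captured from a real machine.)
GOOD_TABLE = build_table([
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.5/32", "eth0"),   # outer gateway pinned to the physical NIC
    ("0.0.0.0/0", "tun0"),        # everything else into the corporate tunnel
    ("172.16.0.0/12", "tun0"),    # AWS reachable via corporate LAN
    ("172.16.10.0/24", "tun1"),   # service subnet pushed by the inner VPN
])

# Broken table: the inner VPN pushes a /16 that also covers its own server, so
# the inner tunnel's encapsulated packets are routed back into the inner tunnel.
BAD_TABLE = build_table([
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.5/32", "eth0"),
    ("0.0.0.0/0", "tun0"),
    ("172.16.0.0/12", "tun0"),
    ("172.16.0.0/16", "tun1"),    # too wide: swallows 172.16.0.10
])

ARGS = dict(physical="eth0", outer_dev="tun0", outer_endpoint="203.0.113.5",
            inner_dev="tun1", inner_endpoint="172.16.0.10",
            services=["172.16.10.20", "172.16.10.21"])


def check_good() -> List[str]:
    return check_nested_vpn(GOOD_TABLE, **ARGS)


def check_bad() -> List[str]:
    return check_nested_vpn(BAD_TABLE, **ARGS)


if __name__ == "__main__":
    for name, fn in (("good", check_good), ("bad", check_bad)):
        print(name, fn() or "OK")
```

To apply this to a real machine, feed it the output of `ip route` (Linux), `netstat -rn` (macOS) or `route print` (Windows) after both clients are connected, and confirm that the inner VPN's pushed routes are no wider than the service subnets actually needed.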