On 12/02/2010 11:17 AM, Paul McNett wrote:
> On 12/2/10 4:16 AM, Paul Hill wrote:
>> On Wed, Dec 1, 2010 at 11:17 PM, Paul McNett<[email protected]> wrote:
>>> Some vpn clients tweak the default route to be over the VPN, but I think that is
>>> silly unless the workstation is supposed to be totally locked down by the company's
>>> network.
>> The problem with not tweaking the default route is that it opens up a
>> security hole into your network.
>> If a compromised PC connects to your VPN then your internal network is
>> also compromised, making your expensive firewall useless...
> Well, you have to be very careful about what ports you allow over the VPN. For
> instance, most of my VPNs only allow SSH (port 22) and vnc (5900).
>
> In a couple instances, people have needed (shudder) access to a windows share from
> home, so I had to enable (shudder) ports 137-139. But I enabled it only for them, and
> disabled their $IPC access completely.
>
> But common ports like 80 are explicitly disabled over the vpn.
>
> You already open a security hole by putting remote systems on vpn. Properly
> mitigated, I don't see how not redirecting the default route is any less
> secure.
>
> Paul
If you're connecting to the client's network using vpn, then you should be part of the client's local network, just like everyone else in the local network. If you're just another computer in the client's local network, then it seems you should be able to vnc to any desktop within the local network without regard to the router's/gateway's incoming or outgoing rules. In other words, once you connect over a vpn tunnel, the router/gateway firewall becomes irrelevant.

I don't know what vnc server and client you're using, but you might try using vnc just like any other node in the local network does when it connects a local vnc client to a local vnc server. I'm using TigerVNC, which works great within the local network using Windows or Linux, but I don't have a remote computer out on the internet to connect to my router's vpn, so I can't test whether TigerVNC works over a vpn-connected computer.

Regards,
LelandJ

> _______________________________________________
> Post Messages to: [email protected]
> Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
> OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
> Searchable Archive: http://leafe.com/archives/search/profox
> This message:
> http://leafe.com/archives/byMID/profox/[email protected]
> ** All postings, unless explicitly stated otherwise, are the opinions of the
> author, and do not constitute legal or medical advice. This statement is
> added to the messages for those lawyers who are too stupid to see the obvious.
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is
added to the messages for those lawyers who are too stupid to see the obvious.
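The two points made in this thread (Paul McNett's per-port allow list on the tunnel, and LelandJ's observation that the router's WAN rules no longer apply once a client is inside the tunnel) meet on the gateway's FORWARD chain: tunnel traffic is routed, not delivered to the gateway, so the only thing standing between a compromised VPN client and the LAN is whatever the gateway forwards from the tunnel interface. The script below is an added example written for this page, not code from the thread or from any list member. It keeps the thread's policy in one table (SSH and VNC for every tunnel client, NetBIOS/SMB ports 137-139 for one named client only, everything else, port 80 included, dropped), emits the matching iptables rules, and offers a small first-match checker that walks the same table so a rule can be reasoned about before it is loaded. The interface name tun0, the LAN subnet 192.168.1.0/24 and the tunnel address 10.8.0.6 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a per-port VPN forwarding policy
# for a Linux gateway. All interface names and addresses are assumptions.
VPN_IF=tun0                 # assumed tunnel interface on the gateway
LAN_NET=192.168.1.0/24      # assumed internal LAN behind the gateway
SMB_CLIENT=10.8.0.6         # assumed tunnel address of the one user allowed SMB

# Policy table (constructed for this example): proto, port or lo:hi range,
# and which tunnel source may use it ("any" = every connected client).
# Anything not listed here is dropped, which is what makes port 80 unreachable.
POLICY="
tcp 22       any
tcp 5900     any
tcp 137:139  $SMB_CLIENT
udp 137:139  $SMB_CLIENT
"

# Print the iptables commands instead of executing them so the result can be
# reviewed, then piped to sh on the gateway. Everything sits in FORWARD because
# routed tunnel traffic never touches the INPUT chain that protects the WAN side.
vpn_forward_rules() {
    echo "iptables -P FORWARD DROP"
    # Clients on the tunnel must not reach each other through the gateway.
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -j DROP"
    while read proto range who; do
        case $proto in ''|'#'*) continue ;; esac      # skip blank/comment rows
        if [ "$who" = any ]; then match=""; else match="-s $who "; fi
        echo "iptables -A FORWARD -i $VPN_IF ${match}-d $LAN_NET -p $proto --dport $range -j ACCEPT"
    done <<EOF
$POLICY
EOF
    # Explicit catch-all for anything else entering from the tunnel.
    echo "iptables -A FORWARD -i $VPN_IF -j DROP"
    # Replies from the LAN back into the tunnel for the connections allowed above.
    echo "iptables -A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# First-match verdict for a new connection from a tunnel client to the LAN:
#   verdict <source-ip> <tcp|udp> <dest-port>   -> prints ACCEPT or DROP
# Walks the same table the rules are generated from, so the two cannot drift.
verdict() {
    v_src=$1; v_proto=$2; v_port=$3
    v=DROP
    while read proto range who; do
        case $proto in ''|'#'*) continue ;; esac
        lo=${range%%:*}; hi=${range##*:}               # "22" -> 22..22
        [ "$proto" = "$v_proto" ] || continue
        [ "$v_port" -ge "$lo" ] && [ "$v_port" -le "$hi" ] || continue
        if [ "$who" = any ] || [ "$who" = "$v_src" ]; then
            v=ACCEPT
            break
        fi
    done <<EOF
$POLICY
EOF
    echo "$v"
}
```

Usage on the gateway: `. ./vpn-policy.sh; vpn_forward_rules | sh` after reviewing the printed rules; `verdict 10.8.0.10 tcp 139` shows that a client other than the one named in the table is refused SMB even though the port is open for someone. The table deliberately has no entry for 80, so the thread's "common ports are explicitly disabled" falls out of the default-DROP policy rather than needing its own rule. Note that iptables cannot express the thread's "disabled their $IPC access" part; that is a Windows share permission, not a port.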

