VPN split tunnel port specific?

OK, I am looking for a VPN solution that can be policy-based for protocols or ports along with normal IP routes.

For example:

Client connects to VPN; all traffic goes out the local interface to the internet, except when they want to SSH, which goes out over the VPN interface so the source IP is the VPN connection.

Any ideas?

It’s been a while, but the follow-up here is that we went with Barracuda CloudGen Access and are very happy with it. We have worked with them quite a lot, as we are using it way more and in more ways than they imagined. Been happy with its performance and their involvement in making it better.

This sounds like a DNAT rule at the network edge.

I don’t think this is a thing. I’ve never seen a product do this. Split tunneling works by manipulating the local route table on the clients. For what you want to work, it would require some kind of policy-based routing that says when dest port = 22, route blah. I don’t know of any products that do this natively. Can Windows even do policy-based routing?
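For reference, the "when dest port = 22, route via the tunnel" policy described above is doable on a Linux client with a firewall mark, a dedicated routing table and a source-address rewrite. The script below is an added example written for this thread, not something from the original posts or from any of the products mentioned; the interface name tun0, the tunnel address 10.8.0.2, table 100 and mark 0x16 are assumed placeholders. It prints the commands so they can be reviewed before being applied with root privileges. Note that this covers only Linux clients; it does not answer the question of whether Windows can do it natively.

```shell
#!/bin/sh
# Added example, not from the thread: per-port policy-based routing on a
# Linux VPN client. Only outbound TCP/22 is steered into the tunnel; all
# other traffic keeps using the normal default route (split tunnel).
# Placeholders (assumptions): tunnel interface tun0, tunnel address 10.8.0.2,
# routing table 100, firewall mark 0x16 (22 decimal, chosen for readability).

VPN_IF="${VPN_IF:-tun0}"
VPN_ADDR="${VPN_ADDR:-10.8.0.2}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x16}"

# Print the commands instead of running them, so they can be reviewed first.
pbr_commands() {
    # 1. Mark locally generated packets whose destination port is 22.
    echo "iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARK"
    # 2. Marked packets consult a dedicated routing table ...
    echo "ip rule add fwmark $MARK lookup $TABLE priority 1000"
    # 3. ... whose only entry is a default route into the tunnel.
    echo "ip route add default dev $VPN_IF table $TABLE"
    # 4. The kernel picked the source address from the main table (the LAN
    #    address) before the mark existed, so rewrite it to the tunnel address
    #    on the way out; conntrack undoes the rewrite on the replies.
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -p tcp --dport 22 -j SNAT --to-source $VPN_ADDR"
    # 5. Replies now arrive on the tunnel although the main table would route
    #    the peer via the LAN, so use loose reverse-path filtering on the tunnel.
    echo "sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Undo everything in reverse order.
pbr_undo_commands() {
    echo "iptables -t nat -D POSTROUTING -o $VPN_IF -p tcp --dport 22 -j SNAT --to-source $VPN_ADDR"
    echo "ip route flush table $TABLE"
    echo "ip rule del fwmark $MARK lookup $TABLE priority 1000"
    echo "iptables -t mangle -D OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARK"
}

# Execute a command list line by line (needs root). Usage: apply_pbr apply|undo
apply_pbr() {
    case "$1" in
        apply) pbr_commands ;;
        undo)  pbr_undo_commands ;;
        *)     echo "usage: apply_pbr apply|undo" >&2; return 2 ;;
    esac | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}
```

To check the result without sending any traffic, compare `ip route get <server-ip> mark 0x16` (should report `dev tun0`) with `ip route get <server-ip>` (should report the LAN interface). The VPN server side still has to forward or NAT tunnel addresses out through the data-center IP that the clients whitelist, exactly as it does today with the full tunnel.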

“Client connects to VPN, all traffic goes out local interface to internet except when they want to SSH it goes out over the VPN interface so the source IP is the VPN connection.”

Are your users SSH-ing to public IP addresses? It’s very common to disable public-facing SSH logins. Try SSH-ing to the internal interface (specified private networks will route over the VPN). Public IP addresses will use the internet. A full tunnel is needed if they use SSH to connect to devices you don’t have listed or don’t know about.

GPO can be used to configure the Windows firewall to only allow authorized devices.

You can also configure an “SSH known_hosts” file; this file lists all the trusted public keys of SSH servers. Simply disable the ability to connect to unknown hosts.

DNAT would still need an IP entry for the device the user is accessing. I need all SSH to route out the VPN tunnel without knowing the IP of the device we are trying to connect to.

We have hundreds of clients who whitelist our data center IP. Right now split tunnel is off so all techs can connect to end-user servers. We also get all traffic from techs for all internet browsing. We want to stop all their traffic except when they SSH to a client whose IP we may not know, as we connect via DNS name.

A bastion/jump box would probably be much easier: have them connect to a host on your network and initiate all SSH from there.

Otherwise, maybe something like Fortinet’s ZTNA offering might do this.

Sorry, I meant to say SNAT (too much multitasking). I’m not sure I fully understand the use case, but it should be possible to craft the required policy.

You can make this pretty transparent too, with pubkey auth and appropriate client config for session proxying.
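The "pubkey auth and appropriate client config for session proxying" part of the jump-box approach, and the "refuse unknown hosts" idea from the earlier known_hosts reply, both come down to a few lines of OpenSSH client configuration. The script below is an added example for this thread, not configuration from any poster or vendor; the bastion name jump.example.net, the host pattern *.customer.example, the user name and the key file names are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSH client configuration that makes
# a bastion transparent, with key-only auth and a separate known_hosts file
# for customer servers. Hostnames, user names and key paths are placeholders.

BASTION="${BASTION:-jump.example.net}"                # jump host on your network
CLIENT_HOSTS="${CLIENT_HOSTS:-*.customer.example}"    # pattern for end-user servers

# Emit the ssh_config stanza; append it to ~/.ssh/config or pull it in with Include.
ssh_config_text() {
    cat <<EOF
# Bastion: reached directly, pubkey only, one multiplexed connection reused
# by every customer session for 10 minutes.
Host jump
    HostName $BASTION
    User tech
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# Customer servers: 'ssh box1.customer.example' goes through the bastion
# automatically. ProxyJump only forwards TCP; the SSH session is end-to-end,
# so the final server's host key is still verified against the file below,
# and a host that is not already in it is refused instead of prompted for.
Host $CLIENT_HOSTS
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_customers
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_customers
EOF
}

# Show the settings ssh would actually use for one host without connecting
# (ssh -G), reading the stanza from a temporary file so nothing is installed.
resolve_for() {
    tmp=$(mktemp) || return 1
    ssh_config_text > "$tmp"
    ssh -G -F "$tmp" "$1" | grep -Ei '^(proxyjump|stricthostkeychecking|userknownhostsfile) '
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Running `resolve_for box1.customer.example` on a machine with OpenSSH installed prints the effective `proxyjump`, `stricthostkeychecking` and `userknownhostsfile` values, which is a quick way to confirm the pattern matches before rolling the config out. Because the hop is end-to-end, the bastion never sees the customer's credentials or session contents; it only needs to allow outbound TCP/22 to the customer networks, and its own sshd can be locked to key-only logins.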

Yeah, jump box was going to be our final choice. Still looking at other options; it’s looking like Barracuda CloudGen Firewall can act as VPN and do policy-based routing. I have a call with them Friday to discuss with an engineer.