question, i have an ok from my manager to work outside the country, although our company is US based and the juniper web client is even a bit finicky here at home.
- is there a way for me to test if it would work from somewhere else, while i’m here in the US?
- assuming it has problems connecting from outside the country, is there a way for me to set up a VPN inside a VPN; essentially have my laptop VPN to something in the US, then while connected, run another VPN over that channel to get to work?
- if this is possible, is it easier/better to actually use a wifi router that supports VPN connections to automagically do that first entry point VPN?
- assuming any of the above is viable, what are my cheap/free options for a US vpn? amazon or some hosting service? run the VPN from behind a router and home internet? what VPN software would be advised?
thanks!
- Yes, this is technically possible.
- Yes, this is also technically possible.
- Not sure I understand this one.
- Ain’t nothing cheap/free about what you’re wanting to do.
So I do what’s called nested VPN or VPN chaining. All day, every day. A tunnel within a tunnel.
You can do nested VPN tunnels one of two ways:
IPSec inside another IPSec
or
TLS/SSL tunnel inside an IPSec.
You cannot do a TLS as an outer, and an IPSec as the inner.
The ‘outer’ tunnel is the only one that could have a no-split-tunnel / or default route pushed to the client. The inner tunnel must contain specific routes. Really, just can’t have two default routes in the table; it jacks shit up.
If you were to find an IPSec based subscription service, and connect up, you’d most likely get 0.0.0.0 through their interface. You could then tunnel to your corp VPN and get your specific corp routes pushed. So when you want to go to Google, you’d hit your first VPN but since it doesn’t have a specific route, it uses the first connection as the gateway. When you want to copy that excel sheet from the corp server, you’d use both.
My Q’s:
- Can you find an IPSec subscription service?
- And as /u/ItsDieselTime asked - “why would you need another VPN if you can connect to your work one directly?”
You can also run two VPN clients (least on Windows) in parallel, (not nested) provided they use separate adapters.
The entire framework of how this gets done.
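The routing rule described in the reply above (the outer tunnel holds the default route, the inner tunnel holds only specific routes), as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed route table. Interface names, prefixes and gateway addresses are assumptions taken from documentation ranges.

```python
import ipaddress

# Constructed route table for a nested setup (all values are hypothetical).
NESTED_OK = [
    ("0.0.0.0/0", "outer-vpn"),       # outer tunnel pushes the default route
    ("10.20.0.0/16", "inner-vpn"),    # inner (corp) tunnel pushes specific routes
    ("198.51.100.5/32", "wlan0"),     # host route to the outer VPN server
    ("192.168.1.0/24", "wlan0"),      # local LAN
]
# Same table after the inner tunnel also pushes a default route.
NESTED_BROKEN = NESTED_OK + [("0.0.0.0/0", "inner-vpn")]

# Tunnel interface -> address its encapsulated packets are sent to.
GATEWAYS = {"outer-vpn": "198.51.100.5", "inner-vpn": "203.0.113.10"}

def parse(table):
    return [(ipaddress.ip_network(prefix), dev) for prefix, dev in table]

def default_route_conflicts(table):
    """Interfaces claiming 0.0.0.0/0, if more than one of them does."""
    devs = [dev for net, dev in parse(table) if net.prefixlen == 0]
    return devs if len(devs) > 1 else []

def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, dev) for net, dev in parse(table) if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path(table, dest, gateways):
    """Interfaces a packet crosses, following each layer of encapsulation."""
    hops = []
    while True:
        dev = lookup(table, dest)
        if dev is None or dev in hops:   # unroutable, or a routing loop
            return hops
        hops.append(dev)
        if dev not in gateways:          # physical interface: leaves the host
            return hops
        dest = gateways[dev]             # outer packet goes to the tunnel gateway

if __name__ == "__main__":
    print("corp server:", path(NESTED_OK, "10.20.5.9", GATEWAYS))
    print("internet   :", path(NESTED_OK, "8.8.8.8", GATEWAYS))
    print("conflicts  :", default_route_conflicts(NESTED_BROKEN))
```

On a real host, `ip route` (Linux) or `route print` (Windows) shows the table this models; two entries for `0.0.0.0/0` from different tunnel adapters is the condition `default_route_conflicts` reports.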
If I understood correctly, your employer provides VPN access to your work network so that you can work while not being physically in the building (e.g. from home)? If that is the case, why would you need another VPN if you can connect to your work one directly?
And if all that sounds way over your head, yes, running the US entry point VPN on a router is a very easy way to do it without any technical skills. I would recommend an Asus router supported by Merlin firmware, the $100 ac56u is my choice.
my company vpn is a pulse/juniper thin client (network connect) which only seems happy via IE. it also requires entry of an entrust token on the web page. i’m not sure if it is ipsec or tls but i think i used it as an inner for occasional lab access at my prior job with an outer fat client that i assume must have been ipsec for things to have worked. the outer was an at&t client and i was at ibm, fwiw.
the reason is largely because i do not know how to test out #1 before getting to country x. if it works in country x, great! i’d use this as a backup in case there was a general routing problem or something from there but i would probably not need it. if it doesn’t work from country x then i’d like to figure out how to make it do so.
to test connectivity from country x, do i need to find an ipsec subscription service first, then run my inner work vpn through it?
Thank you so much. this concept has been in the back of my mind for months now… But i’ve never seen anyone else talk about it. Now, I have a wonderfully clear picture
my manager said something to the effect that it can have problems outside the US. what that entails, i don’t know. i have read about people in general having VPNs that block non-US IPs though. even if i am unlikely to have a problem, it would be nice to know of a workable solution in case i do have a bad/non-working path to our VPN server or something.
looks like this has some integrated openvpn functionality - is it ipsec? seems i could use it as my outer vpn and US entry point if i ran an openvpn server at my house/behind the wifi router in the US?
A thin client connection is neither IPSec nor TLS. Really no different than authenticating on a website, and being able to access resources.
If that’s your method of connectivity, you could most likely run OpenVPN and connect to your corp web portal. OpenVPN is used by a majority of VPN subscription services, to which you get some branded client to install. Saves you the hassle of finding IPSec.
Read up on some of the subscription ones, find one you’re comfy with trying out, and connect up to a gateway out of the US, and then connect to your web portal. You’ll at minimum, be secured in your traffic.
Don’t know about IPSec, I thought that was a different protocol than openvpn, but I could very well be wrong. And yes, you absolutely could connect the openvpn client in the foreign router to an openvpn server in the US, whether that’s at a private residence or a paid VPN service.
so i found this vpn - https://www.goldenfrog.com/vyprvpn/buy-vpn
with this server map - The Fastest VPN Servers with Locations Worldwide | VyprVPN
my understanding is in the US i can use their VPN to log into one of these servers, like australia, then launch my client to simulate trying to log in directly from australia.
if i’m in australia, it looks like i can log into their US server, then run my work vpn, and look like i’m connecting directly locally (if i cannot get a direct connection to work.)
for free i can try this service (haven’t yet) and the pro version allows for unlimited ipsec data, for about $100 a year, over 2 connections. not bad.
by thin client i do not mean a clearly local fat client. it looks like my pulse/juniper work one does some authentication on the web but ultimately runs some kind of java app locally. this seems similar to vypr. is it incorrect to call these thin clients?
i am not sure how this is any less safe than regular internet? especially if i choose a popular one. isn’t best case scenario the data is doubly encrypted, with the worst case scenario being they are capturing and analyzing it - but it’s still encrypted at the original level i’m passing through the internet right now anyway?
they certainly appear to be different options in vypr (links below)