Hi,
I have a question about Remote Access VPN when the remote user’s LAN is within the range of the workplace LAN. We're on a Sophos UTM320 v9; our users are on Macintosh:
Our office subnet is 192.168.0.0/19 (long story; it was set up years ago before I got here and too much of a nightmare to try to change to something less “residential” at this point).
Our remote access users are put into the VPN Pool 10.242.3.0/24.
Now, if they are at home and connect to the VPN (and on Mac the “Send All Traffic Through VPN” option is checked to prevent split tunnels), they can see resources if the resource they are looking for happens to not be in the range included in their home LAN.
Example: they can see 192.168.0.2 if their home LAN is in the 192.168.1.x range. If their home LAN is 192.168.0.x then they cannot because, I imagine, their home router will try to connect them with 192.168.0.2 at their house, not inside our LAN.
If I issue a command “sudo route add 192.168.0.2 10.242.3.1” on the computer, it then works because it tells the computer to go THROUGH the VPN “gateway” to find the host.
My question is this: Why should this be necessary? Doesn’t the home router pass through the VPN traffic (if passthrough is enabled) to the UTM at 10.242.3.1? Why is the home router doing anything with any traffic from the computer other than handing it off to the VPN?
Thanks,
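The route selection described in the question, as an added example that is not part of the original post: a small longest-prefix-match model over a constructed routing table, showing why the directly connected home 192.168.0.0/24 wins over the full-tunnel VPN routes for 192.168.0.2, and why the /32 host route from the `route add` command sends that one host back through the tunnel. The interface names, the 0.0.0.0/1 and 128.0.0.0/1 split used for "send all traffic", and every table entry are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop address, or "link" for a directly connected network
    iface: str


def make_route(cidr, gateway, iface):
    return Route(ipaddress.ip_network(cidr), gateway, iface)


# Constructed table approximating a Mac at home with the full-tunnel VPN up.
# The two /1 routes are one common way a client overrides the ISP default
# route (assumption; a real table also carries link-local/multicast entries).
HOME_TABLE = [
    make_route("0.0.0.0/0", "192.168.0.1", "en0"),        # home router default
    make_route("192.168.0.0/24", "link", "en0"),          # home LAN, directly connected
    make_route("0.0.0.0/1", "10.242.3.1", "utun1"),       # VPN full tunnel, lower half
    make_route("128.0.0.0/1", "10.242.3.1", "utun1"),     # VPN full tunnel, upper half
    make_route("10.242.3.0/24", "10.242.3.1", "utun1"),   # VPN pool itself
]


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, no matter
    which order the routes were installed in. This is what makes the home /24
    beat the VPN's /1 routes for any 192.168.0.x destination."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def with_host_route(table, host, gateway, iface):
    """Model of `sudo route add <host> <gateway>`: a /32 entry is more specific
    than the connected /24, so only that one host is pulled into the tunnel."""
    return table + [make_route(f"{host}/32", gateway, iface)]
```

On the Mac itself, `netstat -rn` prints the real table so the modelled entries can be compared against what the VPN client actually installed.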