Forum Discussion
Prevent users from disconnecting AOVPN user tunnel
Mar 06, 2023
Microsoft have implemented the required change (it just needs to filter into Windows 10 and the Intune management profiles):
https://learn.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp#deviceprofilenamedisabledisconnectbutton
Posted for anyone else seeking this info in the future.
Also see the blog post by the incomparable Richard Hicks: https://directaccess.richardhicks.com/2023/03/06/always-on-vpn-csp-updates/
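As an added example (not code from this thread, nor from the Microsoft or Richard Hicks pages linked above), the following PowerShell deploys an Always On VPN user-tunnel ProfileXML that carries the DisableDisconnectButton node from the VPNv2 CSP, using the MDM bridge WMI provider (class MDM_VPNv2_01) in the logged-on user's context, and then reads the stored profile back. The profile name, server name, DNS suffix, internal route and the name of a template connection whose EAP settings are reused are all placeholders (assumptions), and the element order follows Microsoft's published ProfileXML template with DisableDisconnectButton added as a top-level element.

```powershell
<#
  Added example: push an AOVPN user-tunnel ProfileXML with DisableDisconnectButton
  via the MDM bridge WMI provider, then verify it was stored.
  Assumptions (placeholders): profile name, server, DNS suffix, route, template name.
  Run from an elevated PowerShell session while the target user is logged on; the
  MDM bridge is documented for the local SYSTEM context (e.g. psexec -i -s powershell).
#>
#Requires -RunAsAdministrator

$ProfileName   = 'AOVPN User Tunnel'   # assumption: connection name the user sees
$ServerAddress = 'vpn.corp.example'    # assumption
$DnsSuffix     = 'corp.example'        # assumption
$TemplateName  = 'AOVPN-Template'      # assumption: existing, tested user connection

# 1. Reuse the EAP configuration of a working template connection instead of
#    hand-writing EAP XML (the approach Microsoft's client deployment guide takes).
$eapXml = (Get-VpnConnection -Name $TemplateName -ErrorAction Stop).EapConfigXmlStream.InnerXml

# 2. ProfileXML. <DisableDisconnectButton> is the node the thread links to; it removes
#    the Disconnect button for this connection in the Settings app. It only takes effect
#    on a Windows build that ships the VPNv2 CSP change, so pilot it on one device first.
$ProfileXML = @"
<VPNProfile>
  <RememberCredentials>true</RememberCredentials>
  <DnsSuffix>$DnsSuffix</DnsSuffix>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$eapXml</Configuration>
      </Eap>
    </Authentication>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <DisableDisconnectButton>true</DisableDisconnectButton>
</VPNProfile>
"@

# 3. The bridge expects the profile name URL-escaped and the XML entity-escaped,
#    because ProfileXML travels inside another XML (SyncML) document.
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
$ProfileXMLEscaped  = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

# 4. A user tunnel is stored under the logged-on user's SID, so the write must carry
#    the user context (a device tunnel would omit these two custom options).
$userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $userName) { throw 'No interactively logged-on user found.' }
$sid = ([System.Security.Principal.NTAccount]$userName).Translate([System.Security.Principal.SecurityIdentifier]).Value

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

$session = New-CimSession
$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $sid, $false)

# 5. Replace any existing instance with the same name, then create the new one.
foreach ($existing in $session.EnumerateInstances($namespaceName, $className, $options)) {
    if ($existing.InstanceID -eq $ProfileNameEscaped) {
        $session.DeleteInstance($namespaceName, $existing, $options)
    }
}

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $nodeCSPURI,         'String', 'Key'))
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'))
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXMLEscaped,  'String', 'Property'))
$null = $session.CreateInstance($namespaceName, $newInstance, $options)

# 6. Read back: the stored ProfileXML (returned raw or entity-escaped) should contain
#    the node. The final check is manual: open Settings > VPN and confirm the
#    connection no longer offers a Disconnect button.
$stored = $session.EnumerateInstances($namespaceName, $className, $options) |
    Where-Object InstanceID -eq $ProfileNameEscaped
if ($stored.ProfileXML -match 'DisableDisconnectButton(>|&gt;)true') {
    "Profile '$ProfileName' written with DisableDisconnectButton=true"
} else {
    Write-Warning "Profile written, but DisableDisconnectButton was not found in the stored ProfileXML; confirm the client OS build includes the VPNv2 CSP change."
}
```

Two caveats a practitioner would want: the node controls the Settings UI and is not a privilege boundary, so pair it with the usual controls (non-admin users, AlwaysOn, TrustedNetworkDetection) rather than relying on it alone; and because ProfileXML replaces the whole profile, keep the rest of the XML identical to what is already deployed so that the only change on the endpoint is the disabled button.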
Peter Holland
Most in your situation would set up the router to handle everything, and not the client: network service configuration, including the VPN login / tunneling, as well as DNS filtering (which is necessary to block proxies / DoH / 3rd-party resolvers from bypassing the endpoint filtering).
Peter Holland
Routers allow you to create VLANs where you can partition each device on the network. Obviously, if you're worried about a client not being able to see a LAN address, then of course you could enable that network service but block all the rest, so the client is forced to tunnel through the VPN to get to a WAN address (all incoming connections MUST be blocked). The most basic service configuration has Unicast DNS (UDP 53), Multicast DNS / mDNS (UDP 5353), HTTP (TCP 80), HTTPS / SSL / TLS 1.3+ (TCP 443), and maybe WireGuard (UDP 51820). In a rare situation, it would be UDP 123 for NTS / NTP (Network Time Security / Network Time Protocol). Often you can tunnel almost any other service, including NTP, over the VPN, other than using DNS to bootstrap a DNS stub resolver, which in turn feeds a DNS server. In actuality, you could block all outgoing connections that don't utilize WireGuard (UDP port 51820) and it would still work, although it will fail if the timestamps are inaccurate or the system clock is not up to date. This is for the router though, not the operating system's firewall. You could even use a 3rd-party service to update the system clock if you're REALLY worried about security.

Don't try to offload EVERYTHING to a software firewall, unless you want really high latency and high power usage. That is a really big mistake. Even if you have interrupt moderation enabled for the network adapter, tons of receive buffers, and a decent multi-core CPU, it won't be anywhere near as fast as the ASIC / ASSP (in this case a form of applications processor that has hard-IP blocks specifically made for encryption) that comes with the VPN router. A CPU is a general-purpose processor, and will always be slower and less efficient at this task (networking 101).
"I would still expect split tunnel to work, the point of most of our AOVPN deployments being solely to ensure clients can reach internally hosted services."
Most commercial-grade entry-level SOHO routers have VPN support, and VPN passthrough, which is above and beyond the speed of any desktop computer you have. The method you have chosen ensures maximum lag for anyone on your network, if you were wondering. Nobody does that. You have to see that the VPN is just an extra layer, a virtual one at that, in which packets / traffic are encapsulated over / through, and they traverse this one layer to reach this specific endpoint. All you're doing is tunneling traffic from the router to the VPN server, which is treated much like an exit node. So while it still uses the service provider's network, the exit node in this sense will not be the router, but the VPN server. Split tunneling just removes that layer for one particular program or service. You could actually change the firewall rules to unblock certain services, and add an extra VLAN that has another DNS server and HTTPS port that bypasses the VPN, if you are that worried. You could even change the service configuration to assign it a fixed IP address based on the port, or a certain range, and assign that one particular range to another VLAN, which of course uses up memory to do this (VLAN partitioning, a feature based on the concept of Software Defined Networking / Network Virtualization).

The operating system settings could be bypassed regardless of what you do, or if there is a BYOD policy, anyone can bypass it, so this is why the router is used to configure this and not the device itself. When you properly configure the VPN, the device is not even aware the traffic is being tunneled through the VPN, because the router handles it, and you can't change it no matter what you do. This is why people do this, and they don't do anything else. Any other solution doesn't work. People will use simple DNS workarounds to bypass it, and you will look like an amateur (even a lot of teenagers know how to get around this). Most public Wi-Fi hotspots are set up like this, by the way, and they often have a captive portal as well. If you don't want to use a hardware router, you could use VyOS, or some other combination of software on Solaris 11.x, or another operating system (there are lots of open source software routers / software appliances that can run in a container, Docker image, or whatever it is you have in mind).
"It's just ensuring that the clients are always going to try to connect and users can't disconnect it."
NOTE: I would suggest looking at a certification like CompTIA's Network+, Security+, or even CCNP, MCSE, etc. Here are some more free resources to help: https://techcommunity.microsoft.com/t5/windows-deployment/educational-resources-for-systems-administration-servicing/m-p/3062844/highlight/true#M836