Tunnel VPN FAQs: Difference between revisions

From Edge Threat Management Wiki - Arista

Revision as of 02:44, 19 September 2017


My Tunnel keeps disconnecting; What can I do about it?

Different services provide different parameters for managing disconnects in the config file.

Some services' configuration files explicitly tell OpenVPN not to reconnect when the connection is lost. This configuration is not optimal and is likely chosen by the services to minimize server load.

To tune these settings, simply edit the .ovpn file (or the .ovpn file inside the zip) before uploading it to Tunnel VPN. You can change the "keepalive" setting or the "ping" and "ping-restart" settings. If none of those are specified, adding "keepalive 10 120" is sufficient: it tells OpenVPN to test the connection every 10 seconds and to restart if all tests fail for 120 seconds. Similarly, if "ping" or "ping-restart" is already specified, simply replace the existing "ping" line with "ping 10" and the existing "ping-restart" line with "ping-restart 120".
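The edit described above, as an added example that is not part of this wiki page or of Tunnel VPN itself: a small Python script that rewrites an .ovpn profile so the tunnel tests itself every 10 seconds and restarts after 120 seconds of failed tests. It goes slightly beyond the FAQ in two assumed ways: an OpenVPN "ping-exit" line (the directive that makes OpenVPN quit instead of restarting) is turned into "ping-restart 120", and a profile that has "ping" but no "ping-restart" gets one added, since "ping" alone never triggers a restart. The sample profile is constructed for the demonstration.

```python
"""Rewrite an OpenVPN client profile so the tunnel tests and restarts itself."""
import re

PING_INTERVAL = 10    # seconds between connection tests, as the FAQ suggests
RESTART_AFTER = 120   # seconds of failed tests before OpenVPN restarts

# Directive -> replacement line. "ping-exit" is an assumption beyond the FAQ:
# it tells OpenVPN to quit rather than restart when tests fail, which is the
# "do not reconnect" behaviour the FAQ describes, so it becomes a ping-restart.
REWRITE = {
    "keepalive": f"keepalive {PING_INTERVAL} {RESTART_AFTER}",
    "ping": f"ping {PING_INTERVAL}",
    "ping-restart": f"ping-restart {RESTART_AFTER}",
    "ping-exit": f"ping-restart {RESTART_AFTER}",
}

# Constructed sample of a profile that tells OpenVPN not to reconnect.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.invalid 1194
ping 30
ping-exit 60
<ca>
-----BEGIN CERTIFICATE-----
ping-exit 1
-----END CERTIFICATE-----
</ca>
"""

def tune_ovpn(text: str) -> str:
    out, seen, in_block = [], set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block:                      # inside <ca>...</ca> etc.: copy as-is
            out.append(line)
            if re.fullmatch(r"</\w+>", stripped):
                in_block = False
        elif re.fullmatch(r"<\w+>", stripped):
            in_block = True
            out.append(line)
        elif not stripped or stripped[0] in "#;":   # blank or comment line
            out.append(line)
        else:
            directive = stripped.split()[0]
            if directive in REWRITE:
                seen.add(directive)
                out.append(REWRITE[directive])
            else:
                out.append(line)
    if not seen:                          # nothing specified: add keepalive
        out.append(REWRITE["keepalive"])
    elif seen == {"ping"}:                # ping alone never restarts the tunnel
        out.append(REWRITE["ping-restart"])
    return "\n".join(out) + "\n"
```

If the provider ships the profile inside a zip, extract the .ovpn, run it through `tune_ovpn`, and re-zip before uploading to Tunnel VPN.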

More can be read about OpenVPN configuration here.


Can I only route certain protocols through the tunnel VPN?

No, routing can be done only based on the information known at the time the packet is routed. If a new connection is opened the application and many other properties of the session are not yet known, only the IPs, ports, etc.

Later, Application Control may identify the "application" or "category" and Web Filter may identify the domain or site categorization (if it is HTTP at all). However, information that is learned later cannot be used to change routing decisions that were made in the past.

However, one common workaround is to detect a certain application and tag the host using that application. Then you can create a Tunnel VPN rule to route hosts tagged with that tag through the tunnel.