Use customer VPN via encrypted VM

In my job as a consultant I often work for customers for a short period. Most of the time they have a solution in place for working remotely: either by using a laptop from them, or via a VPN portal.
Having the opportunity to work remotely is a blessing. But when it means using their VPN portal… well… most of the time you have some issues. Why?
Well, most of the time the VPN client will limit the use of your laptop. All your internet activity is sent through the tunnel… via the customer… hmmm. I have nothing to hide, but it is not a desirable situation in my opinion.

  • my company e-mail traffic is routed through their VPN
  • some sites are blocked (vendor sites)
  • downloading of software could be an issue
  • etc…..

So I have the following solution. I use a VM running in VMware Workstation.
I installed a clean Windows OS VM, with the tools that I like to use. Keep the VM as clean as possible. Then I make a full clone of the VM. The original VM is more of a template.
I encrypt the cloned VM, introducing another line of defense / security. And I use that VM to connect to the customer's VPN.
VMware Workstation has a function called Unity. Unity makes it possible to experience the applications running in the VM as if they were running directly on your laptop. So no extra console / RDP session. (Of course, in the background there is some sort of console running.)

Pros:

  • internet traffic from my laptop is not routed via the customer's VPN
  • no extra browsing limitations due to the customer's policies
  • secured VM. ‘sandboxed’
  • dedicated VM. After the assignment is finished you can remove the VM.
  • Installation of customer software will not mess with your laptop
  • you can put customer data (like a temporary keepass… or notes) in the VM

Cons:

  • You have some extra actions to run before a VPN tunnel is created.
  • Every time you start the VM, an encryption key is requested.
  • Using extra disk space (40 GB +)
  • getting used to the Unity functionality
  • you need some extra time to set up the VM. But by having a Windows OS VM already available, and making a full clone, you'll save time.

 

I use the following configuration options for this VM:

  • Windows OS
  • NAT network portgroup (you could also use bridged, but then the VM is presented on the network as your laptop.)
  • Unity mode
  • VM Encryption (VM needs to be a full clone, so all files can be encrypted)
  • disk clean up on exit. (VMware Workstation will reclaim unused disk space from the VM, making sure the VM's footprint is as compact as possible.)
  • VMware Workstation 14
  • disable USB / floppy, to keep the attack surface small.
  • 1 vCPU / 4 GB RAM / 40+ GB disk size
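
The network and device choices in this list can be checked from the VM's .vmx file. The script below is an added example, not part of the original post: it parses a .vmx and reports any network adapter that is not on NAT and any USB or floppy device that is still present. It assumes it is run against the clone before encryption, while the configuration is still readable; the sample file content is constructed.

```python
import re

# Constructed sample .vmx content (not from the post), using standard VMX keys.
SAMPLE_VMX = '''\
.encoding = "windows-1252"
displayName = "customer-vpn"
numvcpus = "1"
memsize = "4096"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
usb.present = "TRUE"
floppy0.present = "FALSE"
'''

# A .vmx line has the form: key = "value"
LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key/value pairs of a .vmx file, with keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def is_true(settings, key):
    return settings.get(key, "FALSE").upper() == "TRUE"

def audit(settings):
    """List deviations from the post's choices: NAT networking, no USB, no floppy."""
    findings = []
    nics = sorted({k.split(".")[0] for k in settings if re.match(r"ethernet\d+\.", k)})
    for nic in nics:
        if not is_true(settings, nic + ".present"):
            continue  # adapter is disabled, nothing to check
        mode = settings.get(nic + ".connectiontype", "(not set)")
        if mode.lower() != "nat":
            findings.append(f"{nic}: connectionType is {mode}, expected nat")
    for dev in ("usb", "ehci", "usb_xhci", "floppy0", "floppy1"):
        if is_true(settings, dev + ".present"):
            findings.append(f"{dev}: device is present, expected disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vmx(SAMPLE_VMX)):
        print(finding)
```

To check a real VM, read its .vmx file into a string and pass that to `parse_vmx` in place of `SAMPLE_VMX`.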

 

Well that is how I use it at the moment. Feedback / input is welcome. I hope you enjoyed this article.
