by BSDobelix 610 days ago
>I would expect my laptop to use my local DNS server if the VPN is up

No, a correctly configured VPN tunnel tunnels all data from one point to another (zero exceptions); if the VPN is disconnected no data should be transferred (aka interface down).

If you want something else, work with per-application proxies.

>Problem of course is that VPNs used to be expert-level stuff.

And it still should be that way. VPNs were made so you can securely work inside your enterprise/home network while sitting anywhere in the world; all services are provided from local servers and, if external, go through the enterprise firewall (traffic audit, IDS, and maybe other VPN tunnels to other external locations' subnets etc.).

3 comments

I share GP’s expectations too. For me, VPNs are that thing you do to access things that are normally not available to the public internet, i.e. your work email and stuff.

I use wireguard to access my home network while I’m not at home for instance. I have homelab stuff at *.lan.mydomain.example, and in my ideal world, my iPhone would only connect on-demand when I try to connect to something in that domain. (Currently you can only configure connect-on-demand per IP prefix in the iOS wireguard app, even though iOS NetworkExtension.framework allows domain-based configuration… I should send the author a patch some day…)

Point is, I don’t think of VPNs as something that prevents anyone from seeing my traffic. I use it to get access to stuff that is normally behind a firewall, and a split-tunnel VPN that only sends the minimum amount of traffic over the tunnel is what I want.

This idea of VPNs as privacy tools is the much newer use case that wasn’t really the point when they were originally conceived.
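As an added example (not code from this thread), here is a small checker for the two setups being argued about: the full-tunnel configuration BSDobelix describes versus the LAN-only split tunnel in the reply above. Given a wg-quick style config it reports which destinations WireGuard would send through the tunnel and which configured DNS resolvers a split tunnel would reach directly; the configs, hostnames and addresses are constructed for illustration.

```python
"""Classify WireGuard destinations as tunnelled or direct from AllowedIPs."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample configs (wg-quick syntax), not taken from any real host.
FULL_TUNNEL = """
[Interface]
Address = 10.8.0.2/32
DNS = 10.8.0.1
[Peer]
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

SPLIT_TUNNEL = """
[Interface]
Address = 10.8.0.2/32
DNS = 192.168.1.1
[Peer]
Endpoint = vpn.example.test:51820
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
"""

def _values(config: str, key: str) -> List[str]:
    """Collect the comma-separated values of every `key = ...` line (case-insensitive)."""
    out: List[str] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k.lower() == key.lower():
                out.extend(p.strip() for p in v.split(",") if p.strip())
    return out

def allowed_networks(config: str):
    return [ipaddress.ip_network(p, strict=False) for p in _values(config, "AllowedIPs")]

def via_tunnel(nets, dst: str) -> bool:
    """WireGuard's cryptokey routing: a packet enters the tunnel only when its
    destination lies inside one of the peer's AllowedIPs prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in nets if n.version == addr.version)

def route_report(config: str, destinations: Iterable[str]) -> Dict[str, str]:
    nets = allowed_networks(config)
    return {d: ("tunnel" if via_tunnel(nets, d) else "direct") for d in destinations}

def resolvers_outside_tunnel(config: str) -> List[str]:
    """Configured DNS servers that would be reached directly, i.e. the DNS
    'leak' a split tunnel produces when the resolver is not behind the VPN."""
    nets = allowed_networks(config)
    return [r for r in _values(config, "DNS") if not via_tunnel(nets, r)]
```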

>I share GP’s expectations too.

Sorry, but no you don't: since you call into your LAN network, of course you can see your local machines.

But if you sit in a LAN and you call outside, there should be no traffic leaked to the local network you're calling out from (for example airport/motel etc.).

>Point is, I don’t think of VPNs as something that prevents anyone from seeing my traffic

Correct, every middleman (normally the ISP) can see that you connect from your external IP to the other external IP over an encrypted tunnel (UDP or TCP). The expression 'VPN' is nearly as muddled as 'cloud' ;)

If you want to obfuscate your traffic you need something like Tor/I2P; however, it's also possible to tunnel your VPN tunnel through Tor tunnels (but I don't see much sense in that, since exit nodes are for sure under more observation and publicly known).

Tor and VPN traffic can be detected and blocked (for example by the Chinese firewall), and for that, Shadowsocks can be a solution:

https://github.com/shadowsocks/shadowsocks-rust

> Sorry but no you don't

Yes, I really do.

I specifically want my traffic to “leak” from my VPN when traveling away from home, because my home internet upload speed is slow and I don’t want it to bottleneck everything else on my device. I only want the tunnel to be used when I am talking to my LAN.

Similarly, when I’m at home and using my work VPN, I want a split tunnel there too. I don’t want every bit of traffic going over the VPN tunnel, because my work network tends to have congestion, and if I’m streaming music or something to listen to, there’s no reason that should have to go through my work’s network.

Before saying “nuh uh!” every time someone disagrees with you, maybe stop and consider that people have different use cases from you?

>Yes, I really do.

No you don't, you need a normal (for example) SSH tunnel, not a "VPN"... trust me ;)

>Before saying “nuh uh!” every time someone disagrees with you, maybe stop and consider that people have different use cases from you?

You want to actively weaken a system that was made for one thing only (a point-to-point encrypted tunnel with no exceptions of data flow), but hey, go on and make your setup a cobbled mess, but don't cry about leaked information.

> No you don't, you need a normal (for example) SSH tunnel, not a "VPN"... trust me ;)

Yes I do. (See how tiring this is getting?)

I don’t want an SSH tunnel when wireguard does the same thing but faster and with an iOS app that works correctly out of the box. I’m aware of SSH tunnels and that’s how I used to do things back in 2008 but times have changed and wireguard is infinitely better at that use case.

> You want to actively weaken a system that was made for one thing only (a point-to-point encrypted tunnel with no exceptions of data flow), but hey, go on and make your setup a cobbled mess, but don't cry about leaked information.

Nobody’s talking about weakening anything here, you’re coming into a conversation where someone said “use cases differ”, and you’re trying to deny that reality… every time someone shows you a different use case you childishly shout “nuh uh” and act like such a use case is wrong because it invalidates your point.

A split tunnel VPN is a valid use case, period. It’s not the only use case. People who want full tunnel where all traffic goes through the tunnel, ALSO have a valid use case. But it doesn’t mean split tunnel is not a thing, and it doesn’t mean people who want split tunnels are wrong.

No problem, have fun.

>Your exceptions are wrong, a correctly configured VPN tunnel tunnels all data from one point to another (zero exceptions); if the VPN is disconnected no data should be transferred (aka interface down).

>VPNs were made so you can securely work inside your enterprise network

Discord.com is not your enterprise network.

YourLocation VPN-> EnterpriseFirewall/VPN-Gateway Lan-> LocalNetwork(DNS,NTP,SMB/NFS etc) Lan-> EnterpriseFirewall HTTPS-> Discord.com

Ok?

>EnterpriseFirewall/VPN-Gateway Lan-> LocalNetwork(DNS,NTP,SMB/NFS etc) Lan-> EnterpriseFirewall HTTPS

This does not seem to agree with what you previously said: "VPNs were made so you can securely work inside your enterprise network"

If you're connecting to the internet, route to the internet. If you're connecting to "inside your enterprise network", route through the VPN.

>EnterpriseFirewall HTTPS

If you're talking about forced HTTPS interception, then it sounds like an excellent way to make something secure (HTTPS) insecure.

>If you're connecting to the internet, route to the internet. If you're connecting to "inside your enterprise network", route through the VPN.

Block lists, traffic audit/amount, disallowed ports, protocol/packet inspection, mail scanning and archival (aka having a hint how in-house data leaves your corporation)... enterprise stuff. You can do that on the endpoint, inside your "server farm", or both; most enterprises distrust endpoints (for good reason) and completely trust the internal infrastructure (for often not so good reasons).

I know we are in that HN bubble, but ~97% of enterprises don't work in IT but need lots of it.

>If you're talking about forced https interception,

No I don't, but some companies absolutely want that (sometimes for good reasons).

But you can also argue that an endpoint firewall that is only allowed to connect to one external IP (the VPN gateway) is not a bad thing.

If you ever work for something critical (Financial/Defense/Insurance) you see 1000 points for securing/restricting the traffic (especially port 80/443) of endpoints and one for the opposite (that grumpy dev/CEO who wants admin rights on his laptop and wants to use it "privately" too... btw even worse with smartphones).

His exceptions aren't "wrong", they just differ from the proposed use case. I use a VPN connection just like that, to temporarily gain access to my private network when abroad. When connected, all "regular" (port 53) DNS traffic goes through the VPN so as to have easy access to internal addresses (many of which have external addresses as well); when disconnected, the private network is not available. While I use the same setup to avoid being "monetised" by "free" WiFi connections, that is not its main purpose. If my intention was to be completely safe from the TLA I'd use a different setup which only presents the VPN interface for outside connections, i.e. no VPN means no network connections.