Hello all,
TL;DR - Is this thing on? Also, is Prituni a hell-beast?
So my remote job has asked to have Prituni VPN installed on my laptop to access their backend, and I’m wondering about security, and especially how to confirm they are using split-tunneling.
After doing a bit of research, I gather I don’t have to worry as much about monitoring if they’re using split tunneling, which is a setting on their end that captures only traffic headed for whitelisted addresses (presumably company resources) for routing through the encrypted tunnel.
Broadly, I’ve heard that the two ways to check that are to 1) compare visible IPs, and 2) traceroute.
For #1, I checked the IP address with VPN OFF and ON. IP matched.
For #2, I ran traceroutes with the VPN off and on. The results were a little confusing but seemed very close. The first two hops were identical. Everything else was either identical or only differed in the last three numbers (aka 142.251.50.xxx). Not every hop was labeled, but none of the labels I did see were called like spy.private.[myemployer].net, and it hit a [mycity].[myISP].net address by hop #4.
Does this indicate split tunneling is on?
If so, am I understanding correctly that ST gives me only partial security, in the sense that they are still sniffing (and potentially logging) my DNS queries (addresses I type in) as they go by, and that even the ‘split’ is according to their admin-determined whitelist - but my traffic routed off the VPN is otherwise private?
Last, how secure is turning off the VPN? Can these things run in zombie/stealth mode after I manually hit ‘disconnect’? Is prituni known for that? While it’s on can it do keystroke logging or any other hell-beast attributes?
Thanks in advance!
So, first things first, it’s PritunL with an L.
Split tunnel merely means that any traffic that is NOT intended to go to INTERNAL sources on the end of the VPN will go out your normal routing table.
Does this indicate split tunneling is on?
If you do a “what’s my IP” and it comes back with YOUR public IP, but you are also connected to the VPN, then split tunneling is working.
If so, am I understanding correctly that ST gives me only partial security, in the sense that they are still sniffing (and potentially logging) my DNS queries (addresses I type in) as they go by, and that even the ‘split’ is according to their admin-determined whitelist - but my traffic routed off the VPN is otherwise private?
Kind of. Your DNS queries are going through their servers, and anything that is a “local” resource for them of course routes correctly. Anything that’s not a resource in their org will just use your normal route. They aren’t really monitoring DNS queries though. DNS just says “This hostname belongs to this IP address”. If their DNS doesn’t have an entry for the thing you are looking for, it just sends the request out to the internet to resolve that IP.
Last up, how secure is turning off the VPN? Can these things run in zombie/stealth mode after I manually hit ‘disconnect’? Is prituni known for that? While it’s on can it do keystroke logging or any other hell-beast attributes?
Turning it off means that it cannot connect to work resources any more. There is no “logging” happening. It doesn’t just connect when it wants to and tell you it’s not connected. Pritunl is open source and anyone can review the code. It’s not doing nefarious things behind your back.
As an IT person, it’s not my job to monitor what you do. I have more important things to worry about. If you are doing your job, and satisfying your management, meeting deadlines, there is no need to monitor you. So many people seem to get this idea that IT is sitting there watching their every move. We don’t have time for that shit. So many people worry about nothing when they connect to their work VPN. Your work VPN is merely a way to access resources at work. It’s not a spy tool.
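One way to do the routing-table check the reply describes (only internal prefixes go via the tunnel; everything else keeps your normal route), as an added example that is not from this thread or from the Pritunl project: a small Python script that parses `ip route show` output on Linux and reports whether a tunnel interface carries only specific prefixes (split) or all of IPv4 (full). The sample route tables, the `tun0`/`wlan0` interface names and the prefixes are constructed for illustration.

```python
import ipaddress
import shutil
import subprocess

# Constructed `ip route show` sample (not from a real host): split tunnel, where
# only two office prefixes go via tun0 and the default route stays on Wi-Fi.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed full-tunnel sample: the client pushed 0.0.0.0/1 and 128.0.0.0/1,
# which together cover all IPv4 and beat the /0 default by longest-prefix match.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Return [(destination network, output interface)] from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:          # blackhole/unreachable entries have no device
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst, strict=False), parts[parts.index("dev") + 1]))
    return routes


def classify_tunnel(text, tun_prefix="tun"):
    """Return ('full' | 'split' | 'none', sorted prefixes routed via the tunnel)."""
    via_tun = [net for net, dev in parse_routes(text) if dev.startswith(tun_prefix)]
    if not via_tun:
        return "none", []
    v4 = [net for net in via_tun if net.version == 4]
    # collapse_addresses merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0, so one test
    # catches both the two-halves trick and an explicit default route via the tunnel.
    full = any(net.prefixlen == 0 for net in ipaddress.collapse_addresses(v4))
    prefixes = [str(n) for n in sorted(via_tun, key=lambda n: (n.version, n))]
    return ("full" if full else "split"), prefixes


if __name__ == "__main__":
    if shutil.which("ip"):              # on a Linux host, inspect the live table
        live = subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout
        print("live table:", classify_tunnel(live))
    print("sample split:", classify_tunnel(SPLIT_TUNNEL_ROUTES))
    print("sample full:", classify_tunnel(FULL_TUNNEL_ROUTES))
```

A "split" result with your public IP unchanged (the reply's "what's my IP" check) is the combination to expect; a "full" result means every packet, not just office traffic, leaves via the tunnel.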
Other details:
- no I can’t afford a spare ‘work laptop,’ thanks for asking
- I’m talking about random browsing during breaks/downtime, not streaming the entire LOTR trilogy during meetings, or other long/intensive browsing
- they haven’t asked for any other software (teamviewer etc)
- I know I could just be disciplined about turning it off, or even sandbox it somehow, but I’m trying to determine how much energy to devote to blocking/evading it.