Options for Internet Access Through a Mobile VPN with IPSec Tunnel

When you configure Mobile VPN for your remote users, you must choose whether you want their general Internet traffic to go through the VPN tunnel, or to bypass the VPN tunnel. Your choice can affect your network security because Internet traffic that does not go through the tunnel is not filtered or encrypted. In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.

Default-Route VPN

The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the Firebox. From the Firebox, the traffic is then sent back out to the Internet. With this configuration (known as default-route VPN), the Firebox is able to examine all traffic and provide increased security, although the Firebox uses more processing power and bandwidth.

For more information about dynamic NAT, see Add Network Dynamic NAT Rules.

The Mobile VPN with IPSec client configures client routes that match your Firebox configuration. It is possible that user computers have additional routes configured manually or because of other installed software. If you use the WatchGuard Mobile VPN with IPSec client, you can configure the Link firewall to exercise greater control over client connections. To learn more, see Secure Your Computer with the Mobile VPN Firewall.

Split Tunnel VPN

Another configuration option is to enable split tunneling. This configuration allows users to browse the Internet normally. Split tunneling decreases security because Firebox policies are not applied to the Internet traffic, but performance is increased. If you use split tunneling, your client computers should have a software firewall.

The VPN client on macOS or iOS devices does not support split tunneling. You must configure Mobile VPN with IPSec for default-route VPN (0.0.0.0/0).