Talk

Defeating VPN Always-On

conf 2023-11-03 15:00 – 15:45 La Marive EN

VPN Always-On is a security control that can be deployed to mobile endpoints that remotely access corporate resources through a VPN. It is designed to prevent data leaks and narrow the attack surface of enrolled end-user equipment connected to untrusted networks. When it is enforced, the mobile device can only reach the VPN gateway and all connections are tunnelled.

We will review the relevant Windows API and the practicalities of this feature, look at popular VPN software and... bypass it with ridiculously complex exfil methods but also with unexpectedly trivial tricks. We will exploit design, implementation and configuration issues to circumvent this control in offensive scenarios. We will then learn how to fix or harden VPN Always-On deployments to further limit the risks posed by untrusted networks.

This talk is more than just the outcome of my technical research against one particular network security feature. It is an attempt to fully embrace the hacker spirit through the revolt against Control, the unreasonable time spent trying to understand the technological subtleties and finally the sharing of beautifully simple techniques to break free.

This original research has outcomes that will give security practitioners (blue & red) tangible ways to attack & defend in the context of corporate VPN setups. I am not a security researcher, but I would like to share my experience on this topic after years of penetration tests and red-teaming in mature environments.