Cisco AnyConnect client over VPN

Hello!
I use Cisco AnyConnect to access some resources on my company servers when I work remotely from home. I am planning to travel to Europe in the summer for 3 months and I might be on a support call when I need to access some logs available only via Cisco AnyConnect. My boss is OK with that, but I want to take extra precautions in case they limit access only to US-based IP addresses. So I wanted to explore if I can use Cisco AnyConnect for remote access over a VPN, e.g. Surfshark or NordVPN.

My goal is to have traffic flow like this:
My MacBook -----> VPN (US IP address) -----> Cisco AnyConnect Remote client ------> Servers

Any ideas if this kind of setup is possible and what VPN to use in this case?
PS: I am on MacBook, OS Catalina

I’d probably set up WireGuard at home and buy a little travel router such as those made by GL.inet which can connect back to it directly.

When you’re away you can connect to that little router, which will ‘teleport’ your connection back to your house, and then run AnyConnect on your laptop exactly as normal.

It is difficult to get two VPN clients working alongside each other on the same OS without jumping through significant hoops, so this is by far the easiest solution.

I wouldn’t worry about it. You connect to your employer’s VPN, which should create a secure encrypted connection.

Doing it the other way would be like doubling up a condom. You’re just gonna create more latency for yourself.

I think I was able to set it up the way I want by using the Mac’s internal networking settings. What I did was I opened Network settings and created a new connection with the below params:
Interface: VPN
VPN Type: L2TP over IPSec
Then I connected through this VPN using a random Japan server that I found online just for a quick test. After this I launched Cisco AnyConnect and also connected. When I checked the trace route, I found traffic flows like this: my laptop → Japan servers → My work VPN servers → target IP address

When I disconnect from the test Japan VPN, the traffic flows via the regular route: my laptop → ATT provider → My work VPN servers → target IP address

It does add some latency, but I think the problem is that I used a free VPN server for test purposes.

I wouldn’t go for a technical answer to this question; instead, work with your IT department to find out what their restrictions are and what they can do for you. Remember to mention that your employer has already approved this trip.

WireGuard

Hey, thank you for your suggestion. Quick question. Do I need to set up WireGuard on another laptop at home or on my home router?

Do I run AnyConnect on my remote laptop or on a laptop installed at home in this case?

What if the employer’s VPN accepts connections only from US-based IP addresses? Then I won’t be able to connect…

He’s concerned that his employer restricts VPN via geography, so he’s essentially planning to use a 3rd-party VPN to make it look like his AnyConnect request is coming from his home in the US rather than from Europe, where they may deny VPN requests from.

If you are using a VPN provider as you initially said, then nowhere else. You just connect to them from your travel router.

If you want to look like you’re dialling in specifically from home, then you can install the secondary WireGuard endpoint on any device you have at home - router, PC, laptop, Raspberry Pi. Anything you like that runs WireGuard. Then connect your travel router to that.

EDIT: Sorry missed your edit:

Do I run AnyConnect on my remote laptop or on a laptop installed at home in this case?

Just run it on your laptop as usual. That laptop will be connected to the wifi of the travel router, which will encapsulate the AnyConnect session (and all other laptop traffic) within the WireGuard connection back to your VPN provider or house, where it is unencapsulated and goes on its merry way to your company endpoint as if it originated at the VPN/house.

My mistake, I read the question wrong. I would get with your IT department, forward the approval from your boss to them, and see what you can come up with.

WireGuard

Thank you again! This is very helpful. I am trying to play with this setup…
Is WireGuard faster than OpenVPN?
Are there any routers that support a WireGuard server out of the box? GL.inet routers can work as a client, but I cannot find any that have a WireGuard server.

WireGuard is faster than OpenVPN, yes.

WireGuard has no concept of client/server - both nodes are peers. The concept as to who is the client and who is the server is dependent entirely on how you decide to route traffic over the link once it is up and running.

FWIW, given your requirements the GL.inet travel router would be working as the ‘client’. If you are thinking you could do with another one to run at home as the ‘server’, then you might be better off buying something like a cheap Raspberry Pi and installing WireGuard on that. This is made simple (relatively, of course) using something like the PiVPN project.
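As an added illustration of the point that WireGuard peers are symmetric and that "client" versus "server" is decided by routing, here is a constructed pair of wg0.conf files for the setup discussed in this thread: a Raspberry Pi at home and a travel router abroad. This is example configuration written for this thread, not something from PiVPN, GL.inet or any poster; the keys, the hostname home.example.com, the tunnel subnet 10.8.0.0/24 and the interface name eth0 are placeholders you would replace with your own values.

```ini
# ---- Home peer (Raspberry Pi), /etc/wireguard/wg0.conf ----
# Listens on a fixed UDP port and forwards tunnel traffic out the home ISP
# link, so the employer's VPN sees the home public IP as the source.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HOME_PRIVATE_KEY>            ; placeholder: output of `wg genkey`
# NAT tunnel traffic out of the home LAN interface (eth0 is an assumption).
# Requires net.ipv4.ip_forward=1 in sysctl on the Pi.
PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The travel router. AllowedIPs here is narrow: only its tunnel address is
# accepted from (and routed to) this peer, so it cannot spoof other sources.
PublicKey  = <TRAVEL_ROUTER_PUBLIC_KEY>    ; placeholder: `wg pubkey` of the router's key
AllowedIPs = 10.8.0.2/32

# ---- Travel router peer, wg0.conf (GL.inet or any WireGuard "client") ----
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <TRAVEL_ROUTER_PRIVATE_KEY>   ; placeholder
# Resolve names through the home side so DNS leaks don't reveal the real location.
DNS = 10.8.0.1

[Peer]
PublicKey = <HOME_PUBLIC_KEY>              ; placeholder
# Home public address; needs a DNS name or static IP and UDP/51820 forwarded
# on the home router to the Pi.
Endpoint  = home.example.com:51820
# AllowedIPs = 0.0.0.0/0 is what makes this side the "client": every packet
# from the laptop, including the AnyConnect session, is routed into the tunnel.
AllowedIPs = 0.0.0.0/0
# Keep the NAT mapping alive from hotel/cafe networks that drop idle UDP flows.
PersistentKeepalive = 25
```

Two things worth checking once it is up: on the laptop, run the trace route the original poster used and confirm the first public hop is the home ISP, not the local one; and watch the MTU, since AnyConnect inside WireGuard is double encapsulation and a too-large MTU on wg0 shows up as stalled connections rather than a clear error.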