Most remote work VPN deployments use split tunneling: only traffic destined for internal corporate IP ranges goes through the VPN tunnel; direct internet traffic bypasses it. This is the wrong default for security. Here is why, and how to configure full-tunnel mode correctly.
Split tunnel vs full tunnel: the security difference
Split tunnel:
Remote device → [VPN tunnel] → Internal resources (192.168.1.0/24)
Remote device → [Direct internet] → Web browsing (no gateway inspection)
Full tunnel:
Remote device → [VPN tunnel] → Gateway → Web browsing (gateway inspection)
Remote device → [VPN tunnel] → Gateway → Internal resources
In split-tunnel mode, a remote worker's web browsing bypasses the office gateway entirely. Gateway antivirus, URL filtering, and traffic logging do not apply. The worker's laptop connects to the office for file access and connects directly to the internet for everything else — with only endpoint security between them and web-borne threats.
Full-tunnel mode routes all traffic through the gateway. The remote worker gets the same gateway-level protections as an on-site employee.
StrongSwan IKEv2 configuration for full tunnel
# /etc/ipsec.conf
conn remote-workers
keyexchange=ikev2
left=%any
leftid=@vpn.example.com
leftcert=server.crt
leftsendcert=always
leftsubnet=0.0.0.0/0 # ← Full tunnel: route ALL traffic through VPN
leftfirewall=yes
right=%any
rightauth=pubkey
rightsourceip=10.8.0.0/24 # Virtual IP pool for remote workers
rightdns=10.8.0.1 # Internal DNS resolver
ike=aes256-sha256-ecp256!
esp=aes256-sha256!
dpdaction=restart
dpddelay=30s
auto=add
The critical line is leftsubnet=0.0.0.0/0. This tells IKEv2 to install a default route through the tunnel on the client — all traffic, not just traffic to internal subnets, routes through the VPN.
Traffic selectors for full tunnel
In IKEv2, traffic selectors (TS) define which traffic flows through the SA. For full tunnel:
TSi (initiator): 0.0.0.0/0 (all traffic from client)
TSr (responder): 0.0.0.0/0 (to anywhere)
The client installs:
default via 10.8.0.1 dev tun0 # All internet traffic → VPN tunnel
10.8.0.0/24 via tun0 # VPN subnet direct
192.168.1.0/24 via tun0 # Internal LAN
Gateway forwarding for VPN traffic
The gateway must forward VPN client traffic to the internet and apply the same inspection stack as local clients:
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT VPN traffic to external interface
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Redirect VPN client HTTP through proxy (same as LAN clients)
iptables -t nat -A PREROUTING -s 10.8.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
# VPN clients subject to same FORWARD rules as LAN clients
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
Client profile generation
For iOS/macOS (native IKEv2):
<!-- mobileconfig excerpt -->
<key>VPNType</key>
<string>IKEv2</string>
<key>RemoteAddress</key>
<string>vpn.example.com</string>
<key>RemoteIdentifier</key>
<string>vpn.example.com</string>
<key>LocalIdentifier</key>
<string>worker@example.com</string>
<key>PayloadCertificateUUID</key>
<string><!-- UUID of client cert payload --></string>
<!-- IPv4 routing: send all traffic through VPN -->
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer> <!-- Full tunnel -->
</dict>
For Windows:
Add-VpnConnection -Name "Work VPN" `
-ServerAddress "vpn.example.com" `
-TunnelType IKEv2 `
-AuthenticationMethod MachineCertificate `
-SplitTunneling $false # ← Full tunnel: route all traffic
What the remote worker gets
With full-tunnel mode and a properly configured gateway:
- Web traffic scanned by gateway antivirus (same as office)
- URL filtering applied (same categories and policies as office)
- Traffic logged at gateway (same visibility as office)
- Internal resources accessible as if on-site
The home network becomes a transport layer. Everything meaningful happens at the gateway.
CacheGuard implements this: IKEv2 VPN with StrongSwan in full-tunnel mode, integrated with the gateway antivirus, URL filtering, and logging stack. Client profiles generated for all major platforms through the web interface.
→ https://www.cacheguard.com/network-security-for-remote-workers/
Originally published on the CacheGuard Blog. CacheGuard is free and open source — GitHub.
Top comments (0)