
Let’s say you’re operating on sketchy wifi and the quiet guy in the corner on his laptop is sniffing your traffic. Web is already easy: you fire up SSH port forwarding and tell your browser to use yourself as a proxy. Other apps aren’t so easy. Not everything supports or honors SOCKS5 proxies, or any sort of proxy for that matter.

From my tcpdumps over the weekend, despite having various remote proxies (via v4/v6 AnyConnect VPN) configured in the System Preferences pane and FoxyProxy, there were several things that tried to hit the Internet directly. Some background Facebook actions, MobileMe, instant messaging apps, and Pandora (via PandoraJam) were leaking to the outside. DNS was also unprotected. Some of the leak was SSL traffic, but the majority was clear-text. Yahoo! IM claims to try to use a SOCKS5 proxy via the Mac OS web proxy preferences, but apparently it falls back to using the public Internet. There’s no way to know when it does or doesn’t use the proxy.

It took me a little while of hunting to figure out how to do this “properly” on an ASA. Most examples try doing this with a split-tunnel ACL that works on It turns out that Cisco has a document specifically for this, and they call the method “VPN Client for Public Internet on a Stick” (of course). Under a group-policy there is a “split-tunnel-policy tunnelall” directive instead of “tunnelspecified”. Don’t forget your global NAT!
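As an added example (not from the post or Cisco’s document), here is what a minimal tunnel-all AnyConnect group policy with the accompanying hairpin NAT looks like on an ASA; the names, the 10.99.0.0/24 pool and the 10.99.0.53 DNS server are constructed placeholders, and the NAT is shown in the pre-8.3 “global/nat” syntax the post alludes to, with the 8.3+ object-NAT form in comments.

```cisco
! Traffic enters on the outside interface (VPN) and leaves on the same
! interface toward the Internet, so intra-interface forwarding must be allowed.
same-security-traffic permit intra-interface
!
! Address pool handed to AnyConnect clients (constructed example range)
ip local pool ANYCONNECT-POOL 10.99.0.10-10.99.0.50 mask 255.255.255.0
!
! Group policy: tunnelall sends ALL client traffic, DNS included, through the tunnel,
! so apps that ignore the SOCKS/HTTP proxy settings no longer leak to the local wifi.
group-policy TUNNELALL-GP internal
group-policy TUNNELALL-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.99.0.53
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy TUNNELALL-GP
!
! The "global NAT": PAT the VPN pool out the outside interface so hairpinned
! client traffic has a routable source address (pre-8.3 syntax).
global (outside) 1 interface
nat (outside) 1 10.99.0.0 255.255.255.0
!
! ASA 8.3+ equivalent of the two NAT lines above:
! object network ANYCONNECT-POOL-NET
!  subnet 10.99.0.0 255.255.255.0
!  nat (outside,outside) dynamic interface
```

Once connected, the client’s default route should point at the tunnel adapter; a tcpdump on the wifi interface that shows only the encrypted session to the ASA confirms the leaks are gone.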
