Sergey Nivens - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Tips for managing two VPN connections at the same time

As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But that might not be possible -- or safe.

The dramatic increase in remote access to business information systems and services due to COVID-19 means network managers must examine ways to optimize the amount of resources available to remote users.

This article discusses the pros and cons of setting up two VPN connections at the same time from one remote device.

Here's a possible scenario: A remote laptop normally connects to host-based systems via a VPN using the internet as the transmission medium. The VPN device provides access control, security and other mechanisms to ensure a secure connection.

Now, suppose the remote user wants to connect to another resource offered by the company. Can that user connect via the same VPN tunnel? In most cases, the answer is "no" because the VPN software generally supports only one connection at a time.

Installing a second image of VPN software and an additional network interface card probably won't work, as the VPN clients may overlap and interfere with each other. This visual depicts how that might work in practice.

VPN tunnel splitting

Remote workers normally use a VPN tunnel to their primary work systems and resources. However, accessing additional web-based services means using a non-VPN connection to the remote host. Security and availability are primary drivers for VPN usage. As such, network managers must make arrangements -- e.g., using encryption -- for traffic that uses non-VPN connections to ensure the information being accessed is secure, its confidentiality and integrity are protected, and its availability is assured.

Configuring a single VPN client with a policy that permits the client to reach more than one destination is called split tunneling.

Configuring a single VPN client with a policy that permits the client to reach more than one destination is called split tunneling. For example, the VPN policy might say all traffic sent to goes over a VPN tunnel to the main office. Other traffic -- with no VPN -- goes over the internet to the remote locations.

Questions to ask when planning VPN connections

The following are seven questions network managers should answer when contemplating concurrent VPN connections and split tunneling:

  1. Can you program a VPN policy definition that performs what you want to do?
  2. Are the IP addresses of the two private destinations you want to use nonoverlapping and static? If the remote host has a dynamic address, configuring a policy may be difficult.
  3. Does the VPN device permit split tunneling?
  4. What arrangements must be made in advance before using split tunneling?
  5. Does the split-tunneling device have a security feature to prevent opening a backdoor in which traffic that goes through the non-VPN connections could enter through the VPN tunnel and enter your machine?
  6. Does the VPN device permit detailed VPN policy definition and configuration?
  7. Does the VPN device permit your client-server protocol to accept incoming connections to your laptop?

Planning considerations for concurrent VPN connections

If your VPN client does not support split tunneling, you may not be able to access local and international internet services concurrently; you may use up much of the network bandwidth; and you may not be able to access LAN-connected devices while on the VPN.

If the VPN device supports split tunneling, verify that it can access remote systems, as well as local IP addresses; verify that downloads can be made safely without affecting the throughput to other web activity; and verify that other local devices, such as a printer, can operate while accessing internet resources.

Data traffic that doesn't travel over a secure VPN may be accessible by others, such as an internet service provider or cybersecurity threat actors.

Determine the business requirements from remote workers before investigating alternate VPN arrangements. To ensure optimum VPN response times, security and performance, network engineers must carefully analyze the following:

  • which resources workers are accessing remotely;
  • the kinds of activities -- e.g., sessions -- remote users will be performing;
  • available bandwidth; and
  • network access and security devices.

Network engineers can use these best practices to generate additional efficiency to remote users who are using VPNs to access company information services. Teams must carefully research the necessary requirements before evaluating any specific devices and network configuration changes.

Next Steps

What's involved in VPN maintenance and management?

Guide to telecommuting during the coronavirus pandemic

Cameyo NoVPN removes a remote work bottleneck

This was last published in March 2020

Dig Deeper on Network services