ANYCONNECT VPN via Nord/SurfShark VPN

Deepthi · ‎03-26-2021

Hi Everyone,

We (my office) are planning to use ANYCONNECT VPN via Nord/SurfShark VPNs for some of our Customers. And I was testing it connectivity and I came across an issue.

My issue:

I am able to connect to the ANYCONNECT VPN while I am connected to Nord/SurfShark VPNs. But, when I try accessing my servers using DNS names, they are not working. The access works via IP addresses.

With out the Nord/SurfShark, DNS resolution works well, but with Nord/SurfShark, the DNS Server information obtained via the ANYCONNECT VPN is not being preferred. NordVPN DNS is taking preference.

My network setup: External User --> INTERNET ---> Cisco ASR ---> Fortigate Firewall ---> Cisco ASA (VPN Server with Public IP)

LAN is connected to Fortigate firewall's other interface.

I spoke to the CustomerService support team of Surfshark and all they kept saying was - you cannot run a VPN on another VPN and when I explained the DNS/IP problem, they didnt have a solid answer for me.

I wanted to see if you anyone of you faced this issue and have any work arounds for this issue or I wanted to know I there are any configuration settings I need to change on the ANYCONNECT end.

Thank you all in advance.

Richard Burts · ‎03-27-2021

I am not familiar with Surfshark vpn and have looked at their web site and have found a couple of things that might relate to your issue. I did find a statement about their use of DNS "With private DNS on each server and leak protection when using IPv4 stack, we take our security to the next level." It does sound like they control DNS requests and it would be logical that they would not allow DNS resolution that was not through them.

I found a reference to a feature called Whitelister which says "Allow specific apps & websites to bypass the VPN. Works great with mobile banking apps." I wonder if there is a way to use this feature to exempt AnyConnect traffic from their controls. In another part of their web site it says "Does your banking website not work with a VPN? Perhaps you’re having issues with Outlook or some other app? Simply add them to the split tunneling and they’ll use the internet as if you didn’t have a VPN at all. At the same time, apps and websites not on Whitelister will benefit from the usual levels of VPN protection." I wonder if Whitelister would be a way to exempt AnyConnect from their control.

I would agree that using a vpn within a vpn is very unusual. I am not sure that I would go as far as "you cannot run a VPN on another VPN". I wonder if there is something in their implementation that makes this be the case? And the fact that AnyConnect seems to work if access is via IP rather than by name would seem to suggest that you can indeed run a vpn on another vpn.

HTH

Rick

Richard Burts · ‎03-27-2021

As I have thought about this issue I have a couple more thoughts about it.

- with AnyConnect you can choose when to run it (and when to run without it). I am not clear whether Surfshark has a similar ability to select when to run with its vpn. I get the impression that Surfshark may run all the time. Do you have any information about this?

- I believe that split tunnel is the likely solution for your issue, if you can get it to work the way that I will describe. The concept of split tunnel is that you can configure a vpn so that certain traffic is carried over the vpn and other traffic is not carried over the vpn. From what I read it sounds like Surfshark implements split tunnel in the feature that they call Whitelister. If you can identify the resources that you want to access using AnyConnect and then in Surfshark configure those resources to not be carried in that vpn then it might allow that traffic to be carried by AnyConnect.

HTH

Rick