We are currently going through an ISO 27001 certification process and we are asked to provide:
Screenshot or other evidence that VPN configurations prevent devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
Further clarification of this requirement was provided as follows:
“When using a VPN, all network traffic from a user’s device should be encrypted and routed through a secure server or gateway before reaching its destination, providing an added layer of security. This can help protect against data interception, and unauthorized access to data while it is transmitted over the internet. By encrypting and tunneling all traffic through a secure connection, VPNs can help prevent insecure connections from multiple sources, such as public Wi-Fi networks or other untrusted networks, which may be vulnerable to interception or data breaches”
In principle we could use Tailscale exit nodes to meet this requirement, but as far as I can tell exit nodes are an opt-in feature, which means that we can’t prevent use of the VPN without an exit node. Is there any feature of Tailscale that can be used to enforce the requirement to use an exit node?
Alternatively, is there a good argument for why enforcing use of exit nodes may not be necessary when using a Tailscale network?