Background:
I was (for the first time) setting up a remote connection from home to my office:

  • Install OpenVPN client, install certificate (.ovpn file) in it, start connection
  • Start Windows 10 Remote Desktop and try to log in to my work PC
  • This failed, Windows 10 on the work side complains that I have to log in through Windows Hello or with a smart card.
    That may indeed be something to configure there. The smart card was plugged in at home, OpenVPN requires it.
    The key point here is that I did NOT log in to my work PC. That work PC was running, locked and had no programs running (other than some background processes).
  • At home, my Win 10 machine was running Firefox with LastPass active.

Issue:
8 minutes later, I get two Google security alerts for failed login attempts: one from a dormant Google account that I have not used in ages, and one from an alias for my mother in my main Google account (different password).
The IP address for those two attempts is my work public IP address.

This really baffles me. Does software on the work computer know anything about these Gmail accounts and make a login attempt? Maybe in the distant past I have used those Google accounts from work, but I don't remember.

The only 'suspect' I can think of is LastPass, which stores these accounts.
But my Firefox at work was NOT running when I left Friday, and I'm never automatically logged into LastPass at work anyway.

Any suggestions as to what I can investigate?
Security at work is pretty tight, a compromise somewhere seems unlikely (and the issue is too coincidental).

1 Answer

I found out what is causing this:

The VPN connection was not set up for split tunneling: all my internet traffic went to the office and from there onto the internet, not just the RDP connection.

The Google logins originate from my browser session at home.
I had those two Google accounts logged in:

Update 2 days later:
Since signing out from all Google accounts and logging back in with only my main one, the issue no longer repeats:

  • This can be mitigated by modifying some options in the OpenVPN server config, which I'm assuming is managed by the business' network admins. They should be made aware WAN side traffic is being routed through the VPN, as it's likely that is not intentional and is simply misconfigured, since it would not only throttle the VPN client's internet traffic but would also force the client's WAN side request through the business' firewall appliances. Privacy is also a concern, as a business should not be privy to an employee's internet traffic when the employee is not on their intranet or premises.
    – JW0914
    Commented Mar 18, 2020 at 11:43
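
As an added example (not code from the answer or the comment above), here is one way to check from the config files whether an OpenVPN setup is full-tunnel, as in the answer, or split-tunnel. The function names, sample configs, addresses and hostname are constructed for illustration; only IPv4 and `pull-filter ignore` are handled.

```python
import shlex

ALL_IPV4 = (["0.0.0.0", "0.0.0.0"],      # explicit default route
            ["0.0.0.0", "128.0.0.0"],    # lower half installed by def1
            ["128.0.0.0", "128.0.0.0"])  # upper half installed by def1

def directives(text):
    """Tokenise an OpenVPN config, skipping blank lines and #/; comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            yield shlex.split(line, comments=True)

def captures_default_route(tokens):
    """True if the directive sends all IPv4 traffic into the tunnel."""
    if not tokens:
        return False
    return tokens[0] == "redirect-gateway" or (
        tokens[0] == "route" and tokens[1:3] in ALL_IPV4)

def tunnel_mode(server_conf, client_conf):
    """Return ("full" or "split", reason) for a server/client config pair."""
    client = list(directives(client_conf))
    for t in client:  # local directives apply whatever the server pushes
        if captures_default_route(t):
            return "full", "client sets " + " ".join(t)
    no_pull = any(t[0] == "route-nopull" for t in client)
    ignored = [t[2] for t in client
               if t[:2] == ["pull-filter", "ignore"] and len(t) > 2]
    for t in directives(server_conf):
        if t[0] != "push" or len(t) < 2:
            continue
        pushed = t[1]
        if not captures_default_route(shlex.split(pushed)):
            continue
        # route-nopull and a matching pull-filter both discard the push.
        if no_pull or any(pushed.startswith(p) for p in ignored):
            continue
        return "full", "server pushes " + pushed
    return "split", "nothing routes all IPv4 traffic through the VPN"

# Constructed sample configs (addresses and hostname are placeholders).
SERVER_FULL = 'server 10.8.0.0 255.255.255.0\npush "redirect-gateway def1"\n'
SERVER_SPLIT = 'server 10.8.0.0 255.255.255.0\npush "route 192.168.10.0 255.255.255.0"\n'
CLIENT = "client\ndev tun\nremote vpn.example.com 1194\n"

if __name__ == "__main__":
    print(tunnel_mode(SERVER_FULL, CLIENT))   # the situation in the answer
    print(tunnel_mode(SERVER_SPLIT, CLIENT))  # only the office subnet is routed
```

A client that uses `route-nopull` also drops the pushed office route, so it needs its own `route` line for the office subnet.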
