Quiz: VPN & Tunneling

3 questions

L0 (1 question)

1. What is the difference between split tunneling and full tunneling in a VPN, and when would you choose each?

Answer: Full tunneling routes ALL traffic through the VPN (WireGuard: AllowedIPs = 0.0.0.0/0). Split tunneling routes only specific subnets through the VPN while internet traffic goes direct. Choose full tunneling for compliance requirements or untrusted networks (coffee shop WiFi). Choose split tunneling for developer access to internal resources where you want fast internet browsing without VPN overhead.

L1 (1 question)

1. In WireGuard, what does the AllowedIPs field do, and why is it described as serving a dual purpose?

Answer: AllowedIPs serves as both a routing table and an access control list. For outgoing traffic, it determines which destination IPs get routed through that peer. For incoming traffic, it acts as a filter — only packets with source IPs matching AllowedIPs are accepted from that peer. For example, AllowedIPs = 10.0.0.0/24 means: send traffic destined for 10.0.0.0/24 to this peer, and only accept traffic from this peer if its source is in 10.0.0.0/24.

L2 (1 question)

1. You need to give a developer temporary access to a PostgreSQL database behind a firewall. The database is at db.internal:5432, accessible only from a bastion host. What is the fastest secure approach and the exact command?

Answer: Use an SSH local port forward: ssh -fN -L 5432:db.internal:5432 -o ServerAliveInterval=60 bastion.example.com. The developer then connects to localhost:5432, which tunnels through the bastion to db.internal:5432. The -f backgrounds the tunnel, -N skips opening a shell, and ServerAliveInterval prevents timeout. This avoids setting up a full VPN for temporary single-service access.