>>Yeah it doesn't work like that. Person starts VPN app and it kills all other internet traffic on the machine,enters VPN password, then if all is good they can enter the RSA key. ...so not really something that can be hijacked from the internet as no traffic other than the local intranet is allowed at that point. There are no browser credentials of any use outside the intranet.
>>
>
>First thought would be to check if VPN app started from a VM kills:
>a) all access from physical host (including other guest VM) to directory structure available/reachable to "VPN app VM"
>b) internet traffic of all other VM running on same physical host
>
>Snooping can happen via odd paths ;-)

In our case none of the machines have VM on them. In that scenario I don't know what would happen - never bothered to try it. I know you can capture packets on VM machines but I've never tried to use VM on a machine to capture packets on the same machine while it's connected to a VPN. Seems like it wouldn't do you any good and all you'd see is the encrypted packets.
.