I was recently working on a client’s VPN connection for their office. In my case, I was using the Synology VPN PPTP, but this would apply to all (At least PPTP) connections.
In most cases, when you setup a VPN connection, you would want all the traffic to get routed through that VPN tunnel, in order to maintain the most secure connection. However, by doing this you are effectively changing the gateway from your ISP’s, to the destination VPN’s gateway. As expected, this type of connection, would allow you to behave on the network, exactly as you would had you been connected to the local LAN on that remote network.
This is usually OK, but if you rely heavily on your own connection, or perform a lot of bandwidth-intensive operations, then using the remote gateway may greatly degrade your experience, depending on your WAN pipe and the remote WAN pipe.
There is a way around that by using a split tunnel, utilizing both gateways depending on the kind of traffic. Before I show you how to do this though, I have to say that a split tunnel slightly reduces the security of your VPN, because traffic from your regular network now goes across the same WAN pipe alongside the VPN traffic. The risk is minimal, but it is greater than when all traffic goes through the VPN. I have to admit that sometimes there is a real reason to do this, so let’s get our hands dirty.
Let’s consider a real life example for the sake of clarity.
Local Network: (This is your home network)
Network: 192.168.5.0
Mask: 255.255.255.0
Gateway: 192.168.5.1
Remote Network: (This is your remote network where your VPN server exists)
Network: 192.168.1.0
Mask: 255.255.255.0
Gateway: 192.168.1.1
PPTP Network: 10.10.10.0
When you initially create your VPN connection, by default the connection will use the remote network’s gateway. When you go to the properties of the connection –> Networking –> Internet Protocol Version 4 (TCP/IPv4) –> Advanced…, you will see this:
(This window may look a bit different on XP or other versions of Windows. This one is Windows 7.)
If you read up on this issue on various blogs, most will suggest unchecking “Use Default Gateway on Remote Network”. Though this is a good start, you may notice that when you uncheck this and reconnect to your VPN, you will not be able to reach any of your end devices on the remote network.
The reason for this is that there is no longer a route from your local LAN to the remote VPN network.
You can check this by typing route print; you will notice that 192.168.1.0 is nowhere to be found in the route list.
To fix this, we have to add the route. Because routes added by hand are lost at reboot, you may find it useful to create a persistent route which won’t go away between reboots.
There is a small problem with this. The route command accepts an interface (IF) index number, and if you leave it out, Windows picks the index of the interface whose address is on the same network as the gateway you specified.
The other problem is that the interface number of the PPTP connection changes on every connection, so you cannot hard-code it; you have to let Windows derive it from the gateway instead. Here’s how to get it to work correctly:
ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 10.10.10.1 METRIC 10
What you have done now is create a persistent route (which you can find in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes) that lets you use both networks: the VPN gateway to reach resources on the remote network (192.168.1.0/24), and your own ISP’s gateway for all other traffic.
If you want to know whether this worked, check your public IP (e.g. at http://whatismyip.com) before and after making this change, while connected to the VPN. Before the change, your public IP will be the public IP of the remote network. After the change, it will be the one your ISP assigned to your home connection.
If at any point you would like to remove the persistent route, you can do the following (note that /va removes every value under that key, i.e. all persistent routes, not only this one):
reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes /va /f
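As an added example (not code from the original post), here is a PowerShell script that avoids hard-coding the PPTP interface index: it looks the index up each time the VPN comes up and adds the route bound to it, which also sidesteps a persistent route that stops matching after a reconnect. The connection name 'Office VPN' is assumed; the addresses are the ones from the post, and the NetTCPIP cmdlets it uses require Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Bind the split-tunnel route to
# whatever interface index the PPTP adapter received for *this* connection.
# Run from an elevated prompt after the VPN is up (e.g. right after
# "rasdial", or from a scheduled task triggered by the connect event).
param(
    [string]$VpnName      = 'Office VPN',      # connection name (assumed)
    [string]$RemoteSubnet = '192.168.1.0/24',  # remote LAN from the post
    [string]$PptpGateway  = '10.10.10.1',      # PPTP gateway from the post
    [int]$Metric          = 10
)

# 1. Locate the IPv4 interface of the VPN connection. Its alias is the
#    connection name, but its ifIndex changes on every dial-up, which is why
#    a route created with a fixed IF value stops working after a reconnect.
$iface = Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $VpnName -ErrorAction SilentlyContinue
if (-not $iface) {
    throw "VPN connection '$VpnName' is not up; connect first (rasdial `"$VpnName`")."
}
$idx = $iface.ifIndex

# 2. Show the tunnel address handed out by the server (10.10.10.x in the post).
$tunnelIp = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4).IPAddress
Write-Host "VPN interface $idx ($VpnName) has tunnel address $tunnelIp"

# 3. Drop any stale copy of the route left over from a previous session
#    (possibly bound to an interface index that no longer exists).
Get-NetRoute -DestinationPrefix $RemoteSubnet -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 4. Add the route in the active table only. This script recreates it on
#    each connect, so nothing in PersistentRoutes can go stale.
New-NetRoute -DestinationPrefix $RemoteSubnet -InterfaceIndex $idx `
             -NextHop $PptpGateway -RouteMetric $Metric -PolicyStore ActiveStore | Out-Null

# 5. Verify: the remote subnet must resolve to the VPN interface, while the
#    default route (0.0.0.0/0) should still point at the home router when
#    "Use default gateway on remote network" is unchecked.
Get-NetRoute -DestinationPrefix $RemoteSubnet, '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, InterfaceIndex, InterfaceAlias, RouteMetric -AutoSize
```

Because the route lives only in the active table, disconnecting the VPN removes it automatically and traffic to 192.168.1.0/24 falls back to the ISP gateway until the next connect.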
Will your tutorial help me with the following setup?
My university has a deal with a publishing house, which allows users from within the network to get free access to academic papers. If I want to access those papers from home, I need to establish a VPN connection with the university network every time I want to look at a paper that is located at the publisher's server.
Is it possible to reroute every request directed at a page on the publisher's server through the VPN gateway, but at the same time have all the regular traffic still go through the gateway of my local router?
@TOMillr I would suspect that you should be able to do a split tunnel even with the setup that you have with your university. The key question would be to see whether your university's VPN client supports split tunneling. I would think it should, but yes, the same concept should apply.
As far as redirecting only the traffic to the publisher's server, that would be a different process than just doing routing. But doing a split tunnel will at least not limit you to your university's web filter, for instance, so that you can do what you need without being restricted while retrieving your papers.
Hope this helps!
Latest blog post: GPO WMI filter to prevent screen rotation
@gkhairallah
They use L2TP/IPSec and I don't have to connect through a specific VPN client but can use the built-in tools of Windows or MacOS.
Do you know if the information about the persistent route will stay active after a reboot as well?
And how can I detect which IP addresses I should add? Do I have to look up which servers the publishers use to serve those papers or would the ip of the publisher's page itself be enough?
@gkhairallah
Ok, got it.
One related point: What happens to a persistent route when there is no connection to the VPN server? Will it just use the regular ISP route instead?
Is there a way to automatically connect to a VPN server whenever Windows boots? Or do I have to do that manually every single time?
@TOMillr When you setup a route, you are inherently setting it up to a subnet, and not a specific IP, the IPs you're using are basically, the subnet Network ID, and the gateway by which your VPN has to get to that network. So you should be in good shape.
Latest blog post: GPO WMI filter to prevent screen rotation
@gkhairallah
One more thing I'd like to know: Is it possible to setup a reroute for a specific IP range instead of a specific IP? Say for example instead of the page 123.456.789.001 I'd like to reroute every page contained within the 123.456.789.xxx space?
@TOMillr The persistent route information will stay when you add the -p flag. This will add that route to the registry, and it will reapply every time you establish the connection.
As for the IP: you are not going to be connecting to the publisher's IP. You're likely gaining access to the publisher's website through your school's network. So what you need to do is establish that route between your network and the school's network. You would need to know the internal network on the school's side (with its subnet mask), and the PPTP gateway address. You can look in the article for the route command I provide, and replace your values with the ones for your network. As to how to obtain them... the internal network at your school can be obtained by doing an ipconfig /all, getting the IP and subnet mask, and extrapolating the network ID from the subnet mask; and you'll have to find out your PPTP gateway.
Latest blog post: GPO WMI filter to prevent screen rotation
Thanks for the tutorial.
However on W8 the connection to the VPN stops after I disconnect and reconnect my VPN connection (e.g. after reboot). And only deleting and recreating the route helps. And yes, I make the persistent routes with -p switch and I can see it in my route table after restart. Any ideas why the connection fails?
@aiskauskas I'm not exactly sure why it doesn't work as expected on Windows 8; when I tried mine, I believe I was on Windows XP or at best Windows 7.
I did dig around a bit, and I saw a suggestion to assign a specific interface for the route, so I wonder if this may resolve your problem. Also, when you do assign the -p, and you see it in the route print, I wonder if you're seeing the same in the registry. Try looking in these two places and see if there are any solutions that may address your problem:
http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/58cbac62-dd43-4913-8096-81810eb1d572/
http://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx
Latest blog post: KACE Automatic Patching Tip for New Machines
Hi
Thanks for this clear tutorial
Just one complementary question :
- I configured up to 10 concurrent accesses on the VPN server
- It means my IP can 10.10.10.1 to 10.10.10.10, depending on who connected first
- Do I need to declare ten routes ?
I tried to declare the gateway, like :
ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 10.10.10.0 METRIC 10
It works fine, but as soon as I disconnect and then reconnect the VPN, I can no longer ping the local network 192.168.1.0/24
Any suggestion ?
Regards
@cpug Regarding the routes, you don't have to declare 10 routes, as you are opening a route to the subnet, and not to the individual IPs. However, 10 IPs probably also means 10 devices that will connect, which means if you want each of these devices to have the split tunnel, then you would have to create that route on each of them; the route will be the same for all of them though.
The second issue, I'm not sure about. If your routing table is the same, then you should be ok. If you reconnect, and then try to re-add the route, does it work? maybe somehow it's not sticking?
Latest blog post: Dropbox stuck on syncing or uploading - [solution]
Hi, in some extreme requirement, for e.g. I would like only a small portion of destinations going through VPN, all other going through the normal network. Say I would only want traffic to 192.168.1.1 to 192.168.1.3 through the VPN, so I added a route: route add 192.168.1.0 MASK 255.255.255.252 10.10.10.1 METRIC 10. But I could only access 192.168.1.1 and 192.168.1.2; traffic to 192.168.1.3 will be blocked by Windows, as it seems to treat it as a broadcast address for the given range. Win XP does not have this problem, but Vista and Win 7 seem to change their routing rule on this kind of VPN connection. Are you aware of this and any way to disable this "outsmart" kind of rule?
Qunying, I have done what you are trying to do, in a case where the destination network and the local network are the same, i.e. 192.168.1.0 and 192.168.1.0 (which is not ideal, but as a workaround I used your method). However, I've never tried it on such a small range, and the IP addresses that I had were sufficient. But what you are saying makes sense, and almost seems like a flaw in Windows XP. The last address in a network is always supposed to be broadcast. I guess if you really want to remove it, you can try: route delete 192.168.1.3 (which is the route entry that corresponds with the broadcast address for 192.168.1.0/30). If that becomes what you want to do every time you log in, then you may have to write a login script or something that would adjust your routes. I know that the -p will ADD a persistent route; I don't know of a way to REMOVE a route every time it's been dynamically created. A quick batch file can easily resolve that problem though.
Well, I may disagree with you, in that I think it is the fault of Vista and Win 7 in this case. If an IP address is assigned to an interface, e.g. 10.10.0.1/24, I agree that 10.10.0.255 is a broadcast address and the OS should act accordingly. But when a network range is added into the routing table, its purpose is just telling the system to redirect this portion of the traffic through a certain gateway (if it does not contradict system addresses); it may belong to a larger network. Always treating the last address in the range as a broadcast address is not the right thing. Manually removing the entry has no effect. I also tried to remove the auto-added one and add a static entry with metric set to 1; it has no effect. It seems it is hard-coded in its internal logic regardless of the entry. And it only happens on a PPP/PPTP tunnel device; it does not happen if you add the route to a normal Ethernet interface. Traffic goes through without problem. Linux/Mac OS X all behave nicely with the added route on PPTP/PPP and Ethernet interfaces.
You may well be right. There may be internal logic that forces the broadcast address. I haven't tested what I had suggested to you beyond just removing the broadcast route. I didn't actually have a device in the other end on that address to verify whether it worked. Regarding the broadcast address, every subnet should have one, so I would assume a /30 will also have its last IP as the broadcast address. Look at the bottom of this page for an example: http://www.watchguard.com/infocenter/editorial/135191.asp If I have time, I'll try a segmented section on my network and test that.
Thanks a lot mate. It really works. Now I can run my VPN and internet simultaneously...
After running the above command in Windows 7, it shows a message "the requested operation requires elevation". What does this mean??? And the problem is still not solved.
You need to run the command prompt with elevated privileges to be able to run this command. You can follow any of the methods in this link