I was recently working on a client’s VPN connection for their office. In my case, I was using the Synology VPN PPTP, but this would apply to all (At least PPTP) connections.
In most cases, when you setup a VPN connection, you would want all the traffic to get routed through that VPN tunnel, in order to maintain the most secure connection. However, by doing this you are effectively changing the gateway from your ISP’s, to the destination VPN’s gateway. As expected, this type of connection, would allow you to behave on the network, exactly as you would had you been connected to the local LAN on that remote network.
This is usually ok, but if you rely heavily on your own connection, or perform a lot of bandwidth intensive operations, then using the remote gateway — depending on your WAN pipe, and the remote WAN pipe — your experience may be greatly
There is a way around that by using a split tunnel, and utilizing both gateways depending on the kind of traffic required. Before I show you how to do this though, I have to say that doing a split tunnel will slightly reduce the security of your VPN, as you are allowing traffic from your regular network to be going across the same WAN pipe. The risk is minimal, but it exists more so than if all traffic is through the VPN. I have to admit, that sometimes, there is a real reason to do this, so let’s get our hands dirty.
Let’s consider a real life example for the sake of clarity.
Local Network: (This is your home network)
Remote Network: (This is your remote network where your VPN server exists)
PPTP Network: 10.10.10.0
When you initially create your VPN connection, by default, the connection will use the remote connection’s gateway. When you go to the property of the connection –> Networking –> Internet Protocol Version 4 (TCP/IPv4) –> Advanced … , you will see this:
(This window may look a bit different on XP or other versions of Windows. This Windows 7)
If you read up on this issue on various blogs, most will suggest to uncheck the “Use Default Gateway on Remote Network”. Though this is a good start, you may notice that when you uncheck this, and reconnect to your VPN, you will not be able to reach any of your end devices on the remote network.
The reason for this, is that there is no route from your local LAN to your remote VPN network.
you can check this by typing: route print, and you will notice that 192.168.1.0 is nowhere to be found in the route list.
To fix this, we have to add the route. Because routes are usually volatile, you may find it useful to create a persistent route which won’t go away between reboots.
There is a small problem with this. The route command requires you to add the Interface (IF) index number, and if the interface number is not included, then it will be automatically populated with the index number of the interface that corresponds with the destination network’s gateway.
Another problem, is that the interface number for the PPTP connection will constantly be changing upon each connection. Here’s how to get it to work correctly:
ROUTE -p ADD 192.168.1.0 MASK 255.255.255.0 10.10.10.1 METRIC 10
What you have done now, is create a persistent route, (which you can find in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes) that adds the ability to use both networks, the VPN gateway to reach local resources on the local network, and your own ISP, for all other traffic.
If you want to know whether this worked, attempt to check your public IP (i.e: http://whatismyip.com before and after making this change (while connected to the VPN). Before the change, your public IP will be the same one as the public IP of the remote network connection. After the change, your public IP will be the same one your ISP assigned to you for your home connection.
If at any point you would like to remove that persistent connections at any point, you can do the following:
reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes /va /f