Comments on: Connecting to VPN and Internet at the same time

Question: Connecting to VPN and Internet at the same time

Sharcho — Sat, 27 May 2006 07:52:50 -0800

VPN on Windows 2000: I need to connect to both the VPN and the Internet at the same time. I need some IP addresses to go through the VPN, and others to go through my router's gateway.

I need to access the following IP addresses through the VPN:
192.168.10.*, 192.168.20.*, 222.111.55.111
And I want to access everything else through my router's gateway (192.168.1.254).

I tried unchecking the "Use default gateway on remote network" option on the advanced TCP/IP setting of the VPN connection, but after I do that I can't access anything on the VPN.

By: iamabot

iamabot — Sat, 27 May 2006 08:10:40 -0800

You're talking abot split-tunnel. Depending on the VPN solution you implement this is either easy, or a total pain in the rear to implement. Cisco VPN 3000's support this with some extended configuration, as do Cisco PIX devices.

By: iamabot

iamabot — Sat, 27 May 2006 08:13:27 -0800

This is generally a "server" side configuration, defined by the policy applied.

By: Sharcho

Sharcho — Sat, 27 May 2006 08:14:55 -0800

iamabot, I can't touch anything in the VPN configuration, it needs to be a solution on the Windows client side.

By: datacenter refugee

datacenter refugee — Sat, 27 May 2006 08:38:42 -0800

Why not purchase a hardware VPN endpoint (Linksys BEFSX41 or Watchguard SOHO6 among others), install it on the same network as the win2k PC and then add static routes to/through it to your windows box? For extra security and easier testing you could add a second NIC to the windows machine and plug it directly into the internal interface of the hardware VPN endpoint . . .

Example:
(assuming network of 192.168.1.0/24 with a .1 gateway, VPN box with 2 interfaces)
- Install 2nd NIC into PC with a DIFFERENT IP range (in this case 192.168.2.0/24 would work, make the new NIC 192.168.2.2)
- Install VPN hardware client. Outside interface goes on 192.168.1.x LAN and connects to local router, inside on 192.168.2.x LAN (should be 192.168.2.1 for this example) and wires directly into your new NIC card.
- Configure hardware VPN client to connect to your VPN server
- Configure windows box to route to your networks of interest throught the hardware VPN client. For each network that you want to route via the VPN, add a static route in windows with the following command:

route ADD x.x.x.x MASK y.y.y.y 192.168.2.1 METRIC 20
where x.x.x.x is the remote network base and y.y.y.y is the remote network subnet mask

That should be it - you may have to futz with the metric value or add an interface reference to your static route statements depending on what you already have in your PC. There is help available for the command by just typing 'route' in a command window on win2k/xp.

By: caddis

caddis — Sat, 27 May 2006 08:46:43 -0800

The easiest solution is often to use two different browsers, such as IE for the VPN and FireFox for the rest. Just set one to go through the firewall of the VPN server and the other to access the internet directly.

By: purephase

purephase — Sat, 27 May 2006 09:47:41 -0800

I installed VirtualPC and use one of it's sessions for VPN access and the parent workstation for everything else.

By: Sharcho

Sharcho — Sat, 27 May 2006 10:18:43 -0800

datacenter refugee, I just wrote down the appropriate route commands (but I need to do it everytime I connect), and now it works. No extra hardware required.

By: Sharcho

Sharcho — Sat, 27 May 2006 10:29:32 -0800

I wrote a batch file to automate this:



rasdial /disconnect

rasdial /disconnect

rasdial /disconnect

rasdial "My VPN Connection" "MYDOMAIN\myusername" *

route add 192.168.1.0 mask 255.255.255.0 10.10.222.33 metric 1

route add 192.168.2.0 mask 255.255.255.0 10.10.222.33 metric 1

route add 192.168.3.0 mask 255.255.255.0 10.10.222.33 metric 1

route add 222.111.55.111 mask 255.255.255.255 10.10.222.33 metric 1

By: Coax

Coax — Sat, 27 May 2006 10:58:16 -0800

Aren't there security considerations against split-tunneling? It's a routing policy decision usually made at the corporate edge to prevent horrible outcomes from spoofed sites.

By: Sharcho

Sharcho — Sat, 27 May 2006 11:56:31 -0800

Coax, I'll keep in mind the security considerations, but it's a necessary evil, otherwise I can't get anything done. I would have to disconnect from the VPN every time I browse a web page or check my E-mail since the current VPN policy doesn't allow Internet access. Even if it did it would be dog slow.

By: iamabot

iamabot — Sat, 27 May 2006 13:54:02 -0800

Well, depending on the vpn client and type there is very little you can do if there isn't a split tunnel policy defined. For example cisco VPN client software installed a shim between your TCP stack and the application layer that prevents any traffic from traversing, or not in this case unless explicitly defined by policy.

If you're using the built in pptp client in XP you can script some route changes in a batch file and run them when/after you connect to tweak the local routing table to your needs.

What you are describing is generally why I don't allow PPTP and require folks to use a VPN client to connect to networks that I manage.

Split-tunneling does have security considerations and if you are going to define a policy for it you should make sure that your client dmz is restricted appropriatelly.