Connecting to VPN and Internet at the same time
May 27, 2006 7:52 AM

VPN on Windows 2000: I need to connect to both the VPN and the Internet at the same time. I need some IP addresses to go through the VPN, and others to go through my router's gateway.

I need to access the following IP addresses through the VPN:
192.168.10.*, 192.168.20.*, 222.111.55.111
And I want to access everything else through my router's gateway (192.168.1.254).

I tried unchecking the "Use default gateway on remote network" option on the advanced TCP/IP setting of the VPN connection, but after I do that I can't access anything on the VPN.
posted by Sharcho to Computers & Internet (11 answers total)
Best answer: You're talking about split-tunnel. Depending on the VPN solution you implement this is either easy, or a total pain in the rear to implement. Cisco VPN 3000s support this with some extended configuration, as do Cisco PIX devices.
posted by iamabot at 8:10 AM on May 27, 2006


This is generally a "server" side configuration, defined by the policy applied.
posted by iamabot at 8:13 AM on May 27, 2006


Response by poster: iamabot, I can't touch anything in the VPN configuration, it needs to be a solution on the Windows client side.
posted by Sharcho at 8:14 AM on May 27, 2006


Best answer: Why not purchase a hardware VPN endpoint (Linksys BEFSX41 or Watchguard SOHO6 among others), install it on the same network as the win2k PC and then add static routes to/through it to your windows box? For extra security and easier testing you could add a second NIC to the windows machine and plug it directly into the internal interface of the hardware VPN endpoint . . .

Example:
(assuming network of 192.168.1.0/24 with a .1 gateway, VPN box with 2 interfaces)
- Install 2nd NIC into PC with a DIFFERENT IP range (in this case 192.168.2.0/24 would work, make the new NIC 192.168.2.2)
- Install VPN hardware client. Outside interface goes on 192.168.1.x LAN and connects to local router, inside on 192.168.2.x LAN (should be 192.168.2.1 for this example) and wires directly into your new NIC card.
- Configure hardware VPN client to connect to your VPN server
- Configure Windows box to route to your networks of interest through the hardware VPN client. For each network that you want to route via the VPN, add a static route in Windows with the following command:

route ADD x.x.x.x MASK y.y.y.y 192.168.2.1 METRIC 20
where x.x.x.x is the remote network base and y.y.y.y is the remote network subnet mask

That should be it - you may have to futz with the metric value or add an interface reference to your static route statements depending on what you already have in your PC. There is help available for the command by just typing 'route' in a command window on win2k/xp.
posted by datacenter refugee at 8:38 AM on May 27, 2006


The easiest solution is often to use two different browsers, such as IE for the VPN and Firefox for the rest. Just set one to go through the firewall of the VPN server and the other to access the internet directly.
posted by caddis at 8:46 AM on May 27, 2006


I installed VirtualPC and use one of its sessions for VPN access and the parent workstation for everything else.
posted by purephase at 9:47 AM on May 27, 2006


Response by poster: datacenter refugee, I just wrote down the appropriate route commands (but I need to do it every time I connect), and now it works. No extra hardware required.
posted by Sharcho at 10:18 AM on May 27, 2006


Best answer: I wrote a batch file to automate this:

rasdial /disconnect
rasdial /disconnect
rasdial /disconnect
rasdial "My VPN Connection" "MYDOMAIN\myusername" *
route add 192.168.1.0 mask 255.255.255.0 10.10.222.33 metric 1
route add 192.168.2.0 mask 255.255.255.0 10.10.222.33 metric 1
route add 192.168.3.0 mask 255.255.255.0 10.10.222.33 metric 1
route add 222.111.55.111 mask 255.255.255.255 10.10.222.33 metric 1

posted by Sharcho at 10:29 AM on May 27, 2006
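An added example (not from this thread or any of its posters) that models the routing behaviour datacenter refugee's static-route procedure and Sharcho's batch file rely on: it renders the `route add` lines for the poster's three destinations and simulates the client's longest-prefix-match, lowest-metric route selection to show why unchecking "Use default gateway on remote network" breaks VPN access until those routes exist. The 10.10.222.33 next hop is taken from the batch file above; the router gateway and destinations are the ones in the question.

```python
import ipaddress

# Values from the thread: the router's gateway, the VPN-side prefixes the
# poster needs, and the PPP next hop used in the posted batch file.
LOCAL_GW = "192.168.1.254"
VPN_GW = "10.10.222.33"
VPN_DESTS = ["192.168.10.0/24", "192.168.20.0/24", "222.111.55.111/32"]


def route_add_commands(dests, gateway, metric=1):
    """Render the Windows 'route add' line for each destination prefix."""
    cmds = []
    for d in dests:
        net = ipaddress.ip_network(d)
        cmds.append(f"route add {net.network_address} mask {net.netmask} "
                    f"{gateway} metric {metric}")
    return cmds


def build_table(dests, vpn_gw, local_gw, use_remote_default=False):
    """Routing table as (network, gateway, metric) tuples after connecting.

    The router's default route is always present.  With the remote-default
    option checked, a second 0.0.0.0/0 route with a better metric points at
    the tunnel, so everything leaves via the VPN.  With it unchecked, only
    the explicit static routes (if any) send traffic into the tunnel.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), local_gw, 20)]
    if use_remote_default:
        table.append((ipaddress.ip_network("0.0.0.0/0"), vpn_gw, 1))
    else:
        table += [(ipaddress.ip_network(d), vpn_gw, 1) for d in dests]
    return table


def next_hop(table, dst):
    """Pick the gateway the way the client does: longest prefix wins,
    and among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, -metric, gw)
                  for net, gw, metric in table if addr in net]
    return max(candidates)[2]


if __name__ == "__main__":
    print("\n".join(route_add_commands(VPN_DESTS, VPN_GW)))
    split = build_table(VPN_DESTS, VPN_GW, LOCAL_GW)
    for dst in ("192.168.10.7", "222.111.55.111", "198.51.100.9"):
        print(dst, "->", next_hop(split, dst))
```

With an empty destination list the simulated table sends 192.168.10.7 to the router, which is exactly the "can't access anything on the VPN" symptom from the question; adding the three routes fixes it while leaving all other traffic on the local gateway.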


Aren't there security considerations against split-tunneling? It's a routing policy decision usually made at the corporate edge to prevent horrible outcomes from spoofed sites.
posted by Coax at 10:58 AM on May 27, 2006


Response by poster: Coax, I'll keep in mind the security considerations, but it's a necessary evil, otherwise I can't get anything done. I would have to disconnect from the VPN every time I browse a web page or check my E-mail since the current VPN policy doesn't allow Internet access. Even if it did it would be dog slow.
posted by Sharcho at 11:56 AM on May 27, 2006


Well, depending on the VPN client and type there is very little you can do if there isn't a split tunnel policy defined. For example, Cisco VPN client software installed a shim between your TCP stack and the application layer that prevents any traffic from traversing, or not in this case unless explicitly defined by policy.

If you're using the built-in PPTP client in XP you can script some route changes in a batch file and run them when/after you connect to tweak the local routing table to your needs.

What you are describing is generally why I don't allow PPTP and require folks to use a VPN client to connect to networks that I manage.

Split-tunneling does have security considerations and if you are going to define a policy for it you should make sure that your client DMZ is restricted appropriately.
posted by iamabot at 1:54 PM on May 27, 2006

