
Create split tunnel on VPN server for local/remote access?

SurfingHamster
Last Modified: 2012-05-08
I have recently set up a VPN server at our organisation, which has a small number of users, and since then I have tried a number of configuration options to allow the clients both internet access and local network access through the connection.

Here are the current settings:
- Platform: Windows 2008 Server (using RRAS).
- Server address: 10.14.72.200
- Our network range is 10.14.72.0 to 10.14.72.255; currently using ranges 10.14.72.203 to 10.14.72.255 for VPN via the static pool.
- NIC adapter settings on the server (only one): 255.255.255.0 subnet; IP 10.14.72.200; DNS1 10.14.72.1 (router); DNS2 10.14.72.200 (local server with DNS).

Using the static pool disallows users from browsing the internet through the connection, with clients not being issued a default gateway (but they do get 4 DNS servers, two of which are external and two of which are internal - 10.17.42.1 & .200); they are ordered external to internal.

I do not want to use the option of "use default gateway on remote host" for security reasons. Nor do I want to install a proxy server on the network or use variations of RDP.

At the moment I can only seem to get one option or another - when not using the static pool I am able to access the internet but have no local access with this turned on.

How can I route all internet traffic (i.e., anything outside of the 10.14.72.x range) through an internet gateway (such as our router, 10.14.72.1)?

Thanks!

Author

Commented:
Increased points.

Commented:
For a remote client to have internet access and access resources behind the corporate LAN, split tunneling is needed. A Windows VPN client connects to the RRAS VPN, a default route for the VPN connection is made, and the existing route that pointed to the internet now has a higher metric. So "use default gateway on the remote network" prevents the remote client from reaching the internet.

By unchecking "use default gateway on the remote network" the reverse happens: this default route to the VPN server is not created, and internet hosts can now be reached. Split tunneling is a security risk, since internet traffic can now enter the remote host and a malicious user can potentially access the networks in the corporate LAN.

This risk can be mitigated in the following ways:

- Firewall enabled (with inbound and outbound ports open for VPN traffic).
- Having internet access via a published intranet web browser using Citrix.
- Use of IP packet filters by creating a remote access policy that will block inbound traffic to the VPN connection not sent from the VPN client and outbound traffic not destined for the VPN client. This is usually the default RA policy unless this has been altered.
- IP routing on the VPN client computer is disabled (this is a registry key).


Author

Commented:
Thanks for your response, but, as I stated, I don't wish to use this method. I want the client to access the corporate LAN AND make use of the remote Internet connection for IP ranges that fall outside of the 10.x.x.x range. All traffic should go through the VPN.

Commented:
Sorry for the misunderstanding. Have you tried assigning the VPN clients a different subnet, enabling IP routing on the VPN server and making sure this VPN IP pool subnet has a route to the internet routers (as well as to allowed internal LAN subnets)?

Author

Commented:
That's ok! Could you please give me an example of how this is done?

We are already on a subnet for our office. But could I use 192.168.1.1-255 for VPN clients? If so, how do I then use RRAS to route this to both our LAN and the net?

Thanks

Commented:
Any subnet can be used for VPN clients as long as it is not the subnet of the internal LAN, so routing can occur. I would not use 192.168.1.0/24 as almost every home router has this as the default network, and you will have routing issues. Use something like 192.168.99.0 255.255.255.0. You have to make sure that your internet router has information about this route in its routing tables so these remote clients can send their traffic to this router and hence to the internet.

i.e. ip route 192.168.99.0 255.255.255.0 [inside interface of your VPN server]. Then on the VPN server, I would add a static route for this subnet pointing to the internet router.
Remember, all this traffic bound for the internet will be encrypted from the VPN client, then in plain text out to the internet, then in plain text back to your router, then encrypted back to the client. The throughput of your VPN will drop considerably depending on the number of clients surfing the web and sending this traffic back to your VPN server.

Commented:
Forgot to add: if you don't want to play around with static routes (no overhead, lowest metric), then under IP Routing in the RRAS server go to General and select OSPF. Just add the new networks of the VPN client pools, such as 192.168.98.0, and it will advertise the networks. However, this can add significant overhead to the interface of the VPN server. Static routes have no overhead.

Author

Commented:
OSPF isn't present in Windows Server 2008.

Can you please describe what settings exactly I need to enter in the static routing entry (all I get at the moment is "incorrect parameter").

Here's the info I need for the networks I've described above:

Destination:
Network Mask:
Gateway:
Metric:


I guess I will need two routes to connect the VPN client to both the local network and the internet gateway.

-----------------

Just to recap, here are the settings of the network as of now:

VPN client IP range: 192.168.99.0-255 (static pool)
VPN server IP: 10.17.42.200

VPN server NIC settings:

IP: 10.17.42.200
Subnet: 255.255.255.0
Default gateway: [empty]
DNS1: 10.17.42.1
DNS2: 10.17.42.200
Attachments: routing-table.png, client-settings.png

Commented:
route add -p 192.168.99.0 mask 255.255.255.0 10.17.42.200 metric 1

Is this not working?

The above is for the Windows command line. There should be a setting to add this in RRAS as well.

What is the IP of your internet gateway router?
I have a route to make sure this subnet can get to that.

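The routing behaviour argued over in the split-tunnel reply above (the VPN default route's lower metric, and a client that can reach both networks at once) and in the later replies about a separate 192.168.99.0/24 pool with static routes can be checked with a small model. This is an added example, not code from the thread or from RRAS: it implements longest-prefix match with a metric tie-break, the order Windows applies when choosing a route, over constructed routing tables. Assumptions: the addresses from the recap (VPN server 10.17.42.200, router 10.17.42.1, pool 192.168.99.0/24), 203.0.113.1 as a stand-in for the router's ISP next hop, and the Windows VPN client's class-based route behaviour (with "use default gateway" unticked it adds only a class-based route for the pool address's class, so a 192.168.99.x pool yields 192.168.0.0/16 and nothing for 10.17.42.0/24). Tunnel routes are modelled with the RRAS server as next hop rather than the client's own tunnel address that route print displays.

```python
"""Longest-prefix-match model of the split-tunnel and static-route questions.
Added example, not from the thread. All tables and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str     # destination network, e.g. "10.17.42.0/24"
    next_hop: str   # gateway address, or "on-link" for a connected network
    metric: int
    iface: str      # label only: "lan", "vpn", "wifi", "wan"


def lookup(table, dst):
    """Best route for dst: longest prefix wins, ties broken by lowest metric.
    This ordering is why a VPN default route with a lower metric takes all
    traffic when 'use default gateway on remote network' is ticked."""
    d = ipaddress.ip_address(dst)
    cands = [r for r in table if d in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def egress(table, dst):
    """Interface label a host would send dst out of, or DROP if no route."""
    r = lookup(table, dst)
    return r.iface if r else "DROP"


# --- Part 1: the remote client's own routing table (constructed) -------------
HOME = [Route("192.168.1.0/24", "on-link", 281, "wifi"),
        Route("0.0.0.0/0", "192.168.1.1", 25, "wifi")]

# Box ticked: a default route via the tunnel with a lower metric than the
# home default, so internet traffic goes up the VPN too. Next hop modelled as
# the RRAS server (assumption; route print shows the client's tunnel address).
FULL_TUNNEL = HOME + [Route("0.0.0.0/0", "10.17.42.200", 1, "vpn")]

# Box unticked, pool address 192.168.99.5: only a class-based route for the
# pool's class B is added (assumed Windows client behaviour). 10.17.42.0/24 is
# not covered, so office traffic leaks to the home ISP instead of the tunnel.
SPLIT_CLASSFUL = HOME + [Route("192.168.0.0/16", "10.17.42.200", 1, "vpn")]

# Split tunnel plus an explicit route for the office LAN added on the client.
SPLIT_WITH_LAN = SPLIT_CLASSFUL + [Route("10.17.42.0/24", "10.17.42.200", 1, "vpn")]


# --- Part 2: hop-by-hop forwarding through the office (constructed) -----------
NODES = {"10.17.42.200": "vpn-server", "10.17.42.1": "router"}


def office(server_has_default, router_has_pool_route):
    """Tables for the VPN server, the LAN router and an ordinary LAN host, with
    the two static routes under discussion switchable on and off."""
    server = [Route("10.17.42.0/24", "on-link", 10, "lan"),
              Route("192.168.99.0/24", "on-link", 10, "vpn")]   # static pool, connected
    if server_has_default:   # the NIC's default gateway field was empty in the recap
        server.append(Route("0.0.0.0/0", "10.17.42.1", 10, "lan"))
    router = [Route("10.17.42.0/24", "on-link", 1, "lan"),
              Route("0.0.0.0/0", "203.0.113.1", 1, "wan")]      # 203.0.113.1: assumed ISP hop
    if router_has_pool_route:   # route add -p 192.168.99.0 mask 255.255.255.0 10.17.42.200 metric 1
        router.append(Route("192.168.99.0/24", "10.17.42.200", 1, "lan"))
    lan_host = [Route("10.17.42.0/24", "on-link", 1, "lan"),
                Route("0.0.0.0/0", "10.17.42.1", 1, "lan")]
    return {"client": FULL_TUNNEL, "vpn-server": server, "router": router, "lan-host": lan_host}


def trace(tables, start, dst, max_hops=6):
    """Follow next hops from node `start` toward dst. Ends with DELIVERED
    (connected route reached), EXIT:<ip> (left the modelled network toward the
    ISP, which will not route RFC 1918 replies back) or DROP (no route/loop)."""
    path, node = [start], start
    for _ in range(max_hops):
        r = lookup(tables[node], dst)
        if r is None:
            return path + ["DROP"]
        if r.next_hop == "on-link":
            return path + ["DELIVERED"]
        if r.next_hop not in NODES:
            return path + ["EXIT:" + r.next_hop]
        node = NODES[r.next_hop]
        path.append(node)
    return path + ["DROP"]


if __name__ == "__main__":
    for name, tbl in (("full tunnel", FULL_TUNNEL), ("split, classful only", SPLIT_CLASSFUL),
                      ("split + LAN route", SPLIT_WITH_LAN)):
        print(f"{name:22} 8.8.8.8 -> {egress(tbl, '8.8.8.8'):5} 10.17.42.10 -> {egress(tbl, '10.17.42.10')}")
    for server_default, router_pool in ((False, False), (True, False), (True, True)):
        t = office(server_default, router_pool)
        print(f"server default={server_default!s:5} router pool route={router_pool!s:5}",
              trace(t, "client", "8.8.8.8"), trace(t, "lan-host", "192.168.99.5"))
```

Running it shows the two static routes the thread keeps circling: the VPN server needs a default route toward 10.17.42.1 (its NIC has none in the recap, so tunnelled internet traffic is dropped on arrival), and the router and LAN hosts need 192.168.99.0/24 pointing back at 10.17.42.200, otherwise replies to pool addresses follow the router's default route out to the ISP and never return. Part 1 is the caveat for the split-tunnel option: with the box unticked and a 192.168.99.x pool, traffic for 10.17.42.0/24 leaves through the home ISP until a route for it is added on the client.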
Author

Commented:
I believe our gateway is 10.17.42.1 - at least, that's the one we use on client PCs. I'm unsure how many access points sit between us and the gateway.

See a routing table of a network client PC (attached).
routing.jpg

Author

Commented:
I've just been told that between the VPN server computer and the internet routers there are 3 ethernet switches and then a firewall.

Commented:
Please post your routing statements from the firewall and switches, to make sure the VPN subnet can reach the internet.