SurfingHamster

asked on

Create split tunnel on VPN server for local/remote access?

I have recently set up a VPN server at our organisation, which has a small number of users, and since then I've tried a number of configuration options to allow the clients both internet access and local network access through the connection.

Here are the current settings:
- Platform: Windows 2008 Server (using RRAS).
- Server address: 10.14.72.200
- Our network range is 10.14.72.0 to 10.14.72.255; currently using ranges 10.14.72.203 to 10.14.72.255 for VPN via the static pool.
- NIC adapter settings on the server (only one): 255.255.255.0 subnet; IP 10.14.72.200; DNS1 10.14.72.1 (router); DNS2 10.14.72.200 (local server with DNS).

Using the static pool disallows users from browsing the internet through the connection, with clients not being issued a default gateway (but they do get 4xDNS servers, two of which are external, and two of which are internal - 10.17.42.1 & .200); they are ordered external to internal.

I do not want to use the option of "use default gateway on remote host" for security reasons. Nor do I want to install a proxy server on the network or use variations of RDP.

At the moment I can only seem to get one option or another - when not using the static pool I am able to access the internet but have no local access with this turned on.

How can I route all internet traffic (i.e., anything outside of the 10.14.72.x range) through an internet gateway (such as our router, 10.14.72.1)?

Thanks!
SurfingHamster

ASKER

Increased points.
For a remote client to have internet access and access resources behind the corporate LAN, split tunneling is needed. When a Windows VPN client connects to the RRAS VPN, a default route for the VPN connection is made and the existing route that pointed to the internet now has a higher metric. So "use default gateway on the remote network" prevents the remote client from reaching the internet.

By unchecking "use default gateway on the remote network" the reverse happens: this default route to the VPN server is not created, and internet hosts can now be reached. Split tunneling is a security risk, since internet traffic can now enter the remote host and a malicious user can potentially access the networks in the corporate LAN.

This risk can be mitigated in the following ways:

- Firewall enabled (with inbound and outbound ports open for VPN traffic).
- Having internet access via a published intranet web browser using Citrix.
- Use of IP packet filters by creating a remote access policy that will block inbound traffic to the VPN connection not sent from the VPN client and outbound traffic not destined for the VPN client. This is usually the default RA policy unless it has been altered.
- IP routing on the VPN client computer is disabled (this is a registry key).
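Added example, not part of the thread or of any participant's post: a PowerShell audit of the two client-side settings the answer above refers to, the "Use default gateway on remote network" checkbox and IP routing on the client. The checkbox is persisted per phonebook entry in rasphone.pbk as `IpPrioritizeRemote` (1 = checked, 0 = split tunnel), and client forwarding is the `IPEnableRouter` value under the Tcpip parameters key. The VPN entry name `Corp VPN` is an assumption; the `Get-NetRoute` step needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread): audit a Windows VPN client for split
# tunneling and IP forwarding. Run as the user who owns the VPN entry.
$VpnName = 'Corp VPN'   # assumption: name of the VPN phonebook entry

# "Use default gateway on remote network" is stored per entry as
# IpPrioritizeRemote=1 (checked, all traffic via the tunnel) or 0 (split tunnel).
# The entry may live in the per-user or the all-users phonebook.
$pbkPaths = @(
    (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
    (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
)
$prioritize = $null
foreach ($pbk in $pbkPaths) {
    if (-not (Test-Path $pbk)) { continue }
    $inEntry = $false
    foreach ($line in Get-Content $pbk) {
        # Section headers look like [Corp VPN]; keys follow until the next header.
        if ($line -match '^\[(.+)\]$') { $inEntry = ($Matches[1] -eq $VpnName); continue }
        if ($inEntry -and $line -match '^IpPrioritizeRemote=(\d)$') {
            $prioritize = [int]$Matches[1]
            break
        }
    }
    if ($null -ne $prioritize) { break }
}
switch ($prioritize) {
    1       { "$VpnName : default gateway on remote network is ON (no split tunnel)" }
    0       { "$VpnName : split tunnel is ON; internet traffic bypasses the VPN" }
    default { "$VpnName : entry not found in any rasphone.pbk" }
}

# IP routing on the client is the registry value the answer mentions. With
# IPEnableRouter=1 the client forwards packets between its interfaces, which is
# what lets an internet-side host be routed into the tunnel. It should be 0 or absent.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpip).IPEnableRouter
if ($ipEnableRouter -eq 1) {
    'IPEnableRouter=1 : client forwards between interfaces; set it to 0 and reboot:'
    "    Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 0"
} else {
    'IPEnableRouter is 0 or unset : client forwarding disabled'
}

# While connected, show which interface currently owns the default route. With
# the checkbox on, the PPP adapter's 0.0.0.0/0 route carries the lower metric.
# Older clients without Get-NetRoute: route print 0.0.0.0
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```

Run it once before and once after connecting: the phonebook value tells you what the client is configured to do, the route table tells you what it is actually doing.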


Thanks for your response, but, as I stated, I don't wish to use this method. I want the client to access the corporate LAN AND make use of the remote Internet connection for IP ranges that fall outside of the 10.x.x.x range. All traffic should go through the VPN.
Sorry for the misunderstanding. Have you tried assigning the VPN clients a different subnet, enabling IP routing on the VPN server, and making sure this VPN IP pool subnet has a route to the internet routers (as well as to the allowed internal LAN subnets)?
That's ok! Could you please give me an example of how this is done?

We are already on a subnet for our office. But could I use 192.168.1.1-255 for VPN clients? If so, how do I then use RRAS to route this to both our LAN and the net?

Thanks
Any subnet can be used for VPN clients as long as it is not the subnet of the internal LAN, so routing can occur. I would not use 192.168.1.0/24, as almost every home router has this as its default network and you will have routing issues. Use something like 192.168.99.0 255.255.255.0. You have to make sure that your internet router has information about this route in its routing tables so these remote clients can send their traffic to this router and hence to the internet.

i.e. ip route 192.168.99.0 255.255.255.0 [inside interface IP of your VPN server]. Then on the VPN server I would add a static route for this subnet pointing to the internet router.
Remember, all this traffic bound for the internet will be encrypted from the VPN client, then in plain text out to the internet, then in plain text back to your router, then encrypted back to the client. The throughput of your VPN will drop considerably depending on the number of clients surfing the web and sending this traffic back to your VPN server.
Forgot to add: if you don't want to play around with static routes (no overhead, lowest metric), then under IP Routing in the RRAS server go to General and select OSPF. Just add the new networks of the VPN client pools, such as 192.168.98.0, and it will advertise the networks. However, this can add significant overhead to the interface of the VPN server. Static routes have no overhead.
OSPF isn't present in Windows Server 2008.

Can you please describe what settings exactly I need to enter in the static routing entry (all I get at the moment is "incorrect parameter").

Here's the info I need for the networks I've described above:

Destination:
Network Mask:
Gateway:
Metric:


I guess I will need two routes to connect the VPN client to both the local network and the internet gateway.

-----------------

Just to recap, here are the settings of the network as of now:

VPN client IP range: 192.168.99.0-255 (static pool)
VPN server IP: 10.17.42.200

VPN server NIC settings:

IP: 10.17.42.200
Subnet: 255.255.255.0
Default gateway: [empty]
DNS1: 10.17.42.1
DNS2: 10.17.42.200
Attachments: routing-table.png, client-settings.png
route -p ADD 192.168.99.0 MASK 255.255.255.0 10.17.42.200 METRIC 1

Is this not working?

The above is for the Windows command line. There should be a setting to add this in RRAS as well.

What is the IP of your internet gateway router?
I have a route to make sure this subnet can get to that.
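Added example, not part of the thread or of any participant's post: the server-side pieces of the approach bignewf outlines above (a VPN pool on its own subnet, IP routing on the RRAS server, a route toward the internet router) together with the `route add` return route posted just above, as a PowerShell script run in an elevated prompt on the RRAS server. The NIC name `Local Area Connection` is an assumption; the addresses are the ones the asker listed. This only carries internet traffic if the client sends it into the tunnel in the first place, i.e. the default-gateway-on-remote-network behaviour described earlier or equivalent client-side routes.

```powershell
# Added example (not from the thread): hairpin VPN client traffic (192.168.99.0/24)
# through the RRAS server (10.17.42.200) to the internet router (10.17.42.1).
$Nic        = 'Local Area Connection'   # assumption: name of the server's single NIC
$PoolFirst  = '192.168.99.1'
$PoolLast   = '192.168.99.254'
$InetRouter = '10.17.42.1'

# 1. Hand VPN clients addresses from a static pool that is NOT the LAN subnet,
#    and allow them past the RAS server itself (access mode=all).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=$PoolFirst to=$PoolLast
netsh ras ip set access mode=all

# 2. Forward between the PPP interfaces and the LAN NIC (RRAS "IP routing").
netsh interface ipv4 set interface $Nic forwarding=enabled

# 3. The NIC has no default gateway, so packets from VPN clients bound for the
#    internet need a persistent default route toward the router.
route -p ADD 0.0.0.0 MASK 0.0.0.0 $InetRouter METRIC 10

# 4. Return path. The internet router, and any LAN host that should answer VPN
#    clients directly rather than via the router, must point 192.168.99.0/24 at
#    the RRAS server. On a Windows host that is the command posted above:
#      route -p ADD 192.168.99.0 MASK 255.255.255.0 10.17.42.200 METRIC 1
#    On the router/firewall add the equivalent static route. If the firewall
#    NATs only 10.17.42.0/24 outbound, 192.168.99.0/24 must be added to its NAT
#    source list as well, otherwise replies for VPN clients never come back.

# 5. Check what RRAS and the IP stack now believe.
netsh ras ip show config
route -4 print
```

Step 4 is where the "incorrect parameter" problem usually hides: a route entered on the RRAS server for 192.168.99.0/24 is pointless (those addresses are directly attached to its PPP interfaces), whereas the same route is mandatory on every hop that must send packets back to the clients.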
I believe our gateway is 10.17.42.1 - at least, that's the one we use on client PCs. I'm unsure how many access points sit between us and the gateway.

See a routing table of a network client PC (attached).
Attachment: routing.jpg
I've just been told that between the VPN server computer and the internet routers there are 3 ethernet switches and then a firewall.
SOLUTION
bignewf
This solution is only available to members.
Please post your routing statements from the firewall and switches, to make sure the VPN subnet can reach the internet.
ASKER CERTIFIED SOLUTION
This solution is only available to members.