Solved

VPN: How do I redirect regular TCP traffic to decongest VPN tunnel

Posted on 2012-12-26
15
745 Views
Last Modified: 2013-01-17
environment:
windows 7 shared folder
vpn server router: Asus rt-n16
bandwidth: 35d 5u
clients: Xp, Vista, Win 7
Issue: TCP traffic suffocates the VPN tunnel
Please help me redirect the regular browsing traffic outside the tunnel and only the VPN clients' traffic to the tunnel.
0
Question by:Forinsight
15 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38723727
This is done via routing tables.  You need to make sure that the routing tables are setup so that the default route goes directly to the Internet and that traffic to any IP address that must go over the VPN tunnel is routed over the VPN tunnel.

What type of VPN do you use?  Does it require a VPN client?  If so, typically the IP routes are setup by the group that manages the VPN client settings.
0
 

Author Comment

by:Forinsight
ID: 38724021
thank you for your reply.

I use an Asus RT-N16 VPN router as my VPN router and the Windows VPN clients: XP, Vista, Win 7.
VPN clients are configured with the Windows native VPN connection. Once connected to the router's VPN server, Windows 7 workgroup shared folders are accessed: big files for Intuit Tax ProSeries.

Please provide a framework or links so I can do this properly with specific network routing for the Asus router VPN server and the Windows OSes.
0
 
LVL 39

Expert Comment

by:footech
ID: 38727827
In the properties of your VPN connection, go to the Advanced Properties of TCP/IP, uncheck the box for "Use default gateway on remote network".
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38728057
Native Windows VPN likes to exclude outside internet traffic, so if the above suggestions do not work, consider using a split tunnel client on the workstations. I use NCP Secure Entry (www.ncp-e.com) and it works fine giving me (and my clients) outside internet while keep tunnel traffic to the necessary activity. I use NCP with IPsec VPN, although it is supposed to work with PPTP VPN.

... Thinkpads_User
0
 

Author Comment

by:Forinsight
ID: 38728175
footech
It did not make any difference, just slightly slower.

thinkpads_user
Still working on your suggestion.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38728518
Do you know if you have multiple subnets at your work place? Or wherever the VPN server is at.

Do you know if your IP address on the VPN is within the same subnet as the hosts you need to access over the VPN?

If there is a single subnet and your computer is on that subnet when connected to the VPN then footech's suggestion should work.

If there are multiple subnets or you are not on the same subnet as all other hosts then you need to set up the routes needed after you connect to the VPN tunnel.  A script could be written; I did this for my work VPN.
0
 

Author Comment

by:Forinsight
ID: 38731219
Of course, there are multiple subnets, as many as there are VPN clients going through the VPN server.

But the VPN server isolates the connection from the regular LAN by dispensing DHCP IPs of a different range for all VPN clients within the same subnet on the host.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38731343
Just because there are multiple clients does not mean there are multiple subnets.  Different VPN servers work differently and can be setup differently.  I have seen some where all VPN clients and all servers were on the same subnet.


On your "regular LAN" do you have a single subnet or multiple subnets that you need to communicate with over the VPN connection?
0
 

Author Comment

by:Forinsight
ID: 38732120
giltjr
Nope. I'm in a workgroup. All peers have different subnets of networks. They have different subnet masks. But if you mean one network with multiple subnets then, NO.

Sorry... but why are you asking this question? Is this relevant to our issue? Please don't confuse me. Kindly explain.

thinkpads_user
I experimented with NCP GmbH. It's a very secure VPN client, but when it would not connect no matter what, I began to wonder if it's compatible. NO!!! As specified above, my VPN server is an Asus VPN router RT-N16. It's not compatible, as it was not one of those listed.

Do you have another recommendation?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38732279
Yes, it is VERY relevant.  Say you only have a single IP subnet that you need to communicate with, what you can do is uncheck the "Use default gateway on remote network" as footech suggested.

Then with a simple Windows cmd file you define the needed routes that MUST go over the VPN tunnel.  However, in order to do this you must know:

1) Is there a single IP subnet on the other end of the tunnel or multiple IP subnets?
2) What the IP subnet or subnets are.
3) What the IP subnet is that gets assigned to you when you connect to the VPN server.

Do you know the above?
0
 
LVL 27

Expert Comment

by:Steve
ID: 38732612
Hi Forinsight,

To confirm: you have multiple Windows clients independently dialling into a VPN held remotely.

If NON-VPN traffic is causing VPN issues, it's normally because of one of the following two causes:

a) Wrong Default gateway
b) DNS being directed via VPN
c) bandwidth of line is not high enough to support a VPN in addition to the normal traffic.


footech said:

In the properties of your VPN connection, go to the Advanced Properties of TCP/IP, uncheck the box for "Use default gateway on remote network".

So that's 'a' out of the way. If you have this setting enabled it forces ALL internet traffic through the VPN. This does seem to match your description of the symptoms, so it may be worth revisiting.

If you are sure this is not the issue, check into your DNS settings when connected to the VPN as this may be an issue. It shouldn't normally cause as much traffic as you seem to be describing, but it's worth a try.

Alternatively, you mention the bandwidth at your end, but don't mention the bandwidth at the server end. If the upload speed at the server's end isn't good enough you'll probably find the VPN runs like a dog.
0
 

Author Comment

by:Forinsight
ID: 38732830
giltjr
Thank you for the detailed explanation and the breadth of your VPN knowledge. To make it simple, let's say that no matter how many subnets connect to the VPN server, they are stripped of their native IPs and then dispensed an IP that falls within the IP pool for the network behind the router. That's why VPN clients can connect to the VPN server and the LAN, where the shared folders are, behind the router.

But I don't like to go that route, i.e. routing cmd file etc. Testing thinkpads_user's recommendation of the NCP secure VPN client, where I can split the tunnel, I have found the ways (just from the manual and configuring the software, although it failed to hit the VPN gateway) where I could decongest the tunnel. The only problem is that it is not compatible with my VPN server. Do you know of any secure VPN client (free if possible) that can split the tunnel?
0
 

Author Comment

by:Forinsight
ID: 38732857
totallytonto
I'll give you a reply soon.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38732887
"to make it simple let's say that no matter how many subnets connect to the vpn server, they are stripped of their native ip's and then dispensed with an ip that falls within the ip pool for the network behind the router."

I think you are looking at this from the wrong side.  Here is what I am talking about:

YourSite <------ VPN -----> OtherSite <----- OtherSite Network -----> Servers at OtherSite

How many subnets are there at your Work?  I am assuming that you are connecting to your work.  The VPN server at the other site is not going to NAT the IP addresses of the servers at the other site.  You are going to access those servers using their real IP addresses, at least typically this is done.


The route command I am talking about will setup a split tunnel.  But you need to know what IP addresses at the "OtherSite" you are going to access so that the routing table can be updated/changed to route the proper addresses over the tunnel and everything else over the Internet.
0
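The "simple Windows cmd file" giltjr describes in this answer and in his earlier comment (connect, then add routes only for the subnets that must cross the tunnel, with "Use default gateway on remote network" unchecked) is shown below as an added example. It is not from the thread or from Asus; the connection name "Office VPN" and the subnet 192.168.1.0/255.255.255.0 are placeholders to be replaced with the site's real values, and it assumes the PPP interface Windows creates carries the same name as the VPN connection, which is how the native client on XP/Vista/7 behaves. It must be run from an elevated command prompt, because route add needs administrator rights on Vista and Windows 7.

```batch
@echo off
setlocal
REM Split-tunnel helper for the Windows native VPN client (added example, not from the thread).
REM Placeholders: VPN_NAME is the entry in Network Connections; REMOTE_NETS lists the subnet(s)
REM behind the VPN router that hold the shared folders, as network/mask, separated by spaces.
set "VPN_NAME=Office VPN"
set "REMOTE_NETS=192.168.1.0/255.255.255.0"

if /i "%~1"=="down" goto :down

REM --- 1. Dial the VPN connection -------------------------------------------------
rasdial "%VPN_NAME%"
if errorlevel 1 (
    echo Could not connect "%VPN_NAME%"; no routes changed.
    exit /b 1
)

REM --- 2. Read the address the VPN server assigned to this client -----------------
REM The PPP interface is named after the connection, so netsh can be queried by name.
REM Expected output line: "    IP Address:    10.8.0.2"  (3rd token after splitting on ": ")
set "VPN_IP="
for /f "tokens=3 delims=: " %%A in ('netsh interface ip show address "%VPN_NAME%" ^| findstr /c:"IP Address"') do set "VPN_IP=%%A"
if not defined VPN_IP (
    echo Could not read the VPN client address; no routes changed.
    exit /b 1
)
echo VPN client address: %VPN_IP%

REM --- 3. Route ONLY the remote subnets over the tunnel ---------------------------
REM On a point-to-point PPP link the client's own address serves as the next hop.
REM Everything not listed here keeps using the local ISP gateway (the default route).
for %%N in (%REMOTE_NETS%) do (
    for /f "tokens=1,2 delims=/" %%S in ("%%N") do (
        route add %%S mask %%T %VPN_IP% metric 1
    )
)

REM --- 4. Sanity check: the default route must NOT point at the tunnel ------------
REM If "Use default gateway on remote network" is still checked, Windows adds a
REM 0.0.0.0 route whose gateway is the VPN address, and all browsing goes through it.
route print 0.0.0.0 | findstr /c:"%VPN_IP%" >nul && echo WARNING: default route uses the tunnel; uncheck "Use default gateway on remote network".
route print
exit /b 0

:down
REM Remove the tunnel routes and hang up.
for %%N in (%REMOTE_NETS%) do (
    for /f "tokens=1 delims=/" %%S in ("%%N") do route delete %%S
)
rasdial "%VPN_NAME%" /disconnect
exit /b 0
```

Run it as `vpn-split.cmd` to connect and install the routes, and `vpn-split.cmd down` to remove them and disconnect. Multiple remote subnets (giltjr's question 1 and 2) go into REMOTE_NETS separated by spaces; question 3, the address pool the server hands out, is what the script reads back with netsh rather than hard-coding. The `route print` at the end is the check worth keeping: the 0.0.0.0 entry should name the local router, and only the listed subnets should name the VPN address.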