
Following this question, I was pointed to this page, where it suggests using the

 route ADD <destination_network> MASK <subnet_mask> <gateway_ip> <metric_cost>

command to "Add a Static TCP/IP Route to the Windows Routing Table". However, I don't know how to use this command to exclude certain software (e.g., Skype for Business, Microsoft Teams, Microsoft Outlook, Citrix CVViewer ...) and certain websites from the VPN connection. I would appreciate it if you could help me know how to do it on a Windows machine where I don't have admin privileges.

My environment is Windows 10 version 1803 and my VPN software appears to be F5.

Foad

1 Answer


Routing works based on the destination IP address; it doesn't care or even know which application is trying to reach it.

You can add routes to specific target IP addresses or networks, but you will need to know which destination a software will try to reach; otherwise there is no way to do what you are asking.

Massimo
  • I don't know what the routes and a target IP are. Any idea how I can find the destination a software (e.g., Skype for Business) tries to reach? – Foad Feb 04 '21 at 11:32
  • It depends on the software. Also, if the software connects to a cloud service, the destination IP ranges can vary wildly. Last but not least, a communications software such as S4B or Teams will establish peer-to-peer connections to the people you are talking with, which can really be anywhere. – Massimo Feb 04 '21 at 11:55
  • It would be a lot easier to do the opposite and only use the VPN connection for traffic you actually want to go there (such as traffic directed to your company network) and use your Internet connection for everything else. This is called split-tunneling. However, you can only do that if the VPN software allows it. You should really ask your network admin. – Massimo Feb 04 '21 at 11:58
  • Maybe I can create something like a white list instead? Because there are a few software and some network drives on my system that require the VPN connection. Is it possible to find the IP addresses they communicate with and put them through the VPN? – Foad Feb 04 '21 at 11:59
  • Well, I work at a consortium with more than 20K employees. Things are really slow here. Usually, I can solve my problems better than the IT department. – Foad Feb 04 '21 at 12:01
  • Yes, it's possible, but you have to control the VPN configuration; VPNs can work in two ways: either they send *all* your traffic through the tunnel (which seems to be your case), or they only handle the traffic directed to your company network and leave everything else alone. This is part of the VPN configuration, which is usually handled centrally by the VPN server to which you connect. – Massimo Feb 04 '21 at 12:03
  • F5 supports split-tunneling: https://support.f5.com/csp/article/K55104964. But it needs to be configured on the firewall; you can't do that from the client side. – Massimo Feb 04 '21 at 12:07
  • OK, so you think most probably it can't be done in my case? I mean there is not much I can do without the network admins or admin privileges on my machine. – Foad Feb 04 '21 at 12:12
  • If you don't even have admin privileges on your machine, there is *nothing* you can do. Even if this could be managed by manually altering the routing table (which I doubt), you would still need admin rights to do that. – Massimo Feb 04 '21 at 12:13
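
The two VPN modes described in the answer and comments, modelled as an added example that is not part of the original thread: a route lookup keyed only on the destination address, run against a full-tunnel and a split-tunnel table. All addresses, interface names and metrics are constructed, and representing full tunnelling as a lower-metric default route is an assumption, not F5's documented behaviour.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def make_table(rows):
    """Build a routing table from (CIDR, interface, metric) tuples."""
    return [Route(ipaddress.ip_network(n), i, m) for n, i, m in rows]


def lookup(table, destination: str) -> Optional[Route]:
    """Longest matching prefix wins; the lowest metric breaks ties.
    The only input is the destination IP: no process name is involved."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def egress(table, destination: str) -> Optional[str]:
    """Name of the interface a packet to `destination` would leave on."""
    r = lookup(table, destination)
    return r.interface if r else None


# Constructed sample tables (hypothetical addresses, not from the thread).
FULL_TUNNEL = make_table([
    ("0.0.0.0/0", "Wi-Fi", 50),       # original default route
    ("192.168.1.0/24", "Wi-Fi", 50),  # on-link LAN
    ("0.0.0.0/0", "VPN", 1),          # VPN default route, preferred by metric
])
SPLIT_TUNNEL = make_table([
    ("0.0.0.0/0", "Wi-Fi", 50),
    ("192.168.1.0/24", "Wi-Fi", 50),
    ("10.0.0.0/8", "VPN", 1),         # only the company network uses the tunnel
])

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        for dest in ("10.20.30.40", "203.0.113.10", "192.168.1.20"):
            print(f"{name:5} {dest:14} -> {egress(table, dest)}")
```

Any two programs sending to the same destination get the same result from `lookup`, which is why the table cannot express a per-application exception.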