
I'm not very familiar with networking really, so go easy on me!

I need help enabling Split Tunnelling for client connections to my newly created VPN server. I've un-ticked the Use Default Gateway on the Remote Network option under the IPv4 properties of the connection, and whilst I can connect to the VPN, I am unable to see any of my shared files on the network. After doing some digging, I've read a lot about Windows 7/8 (I'm on 8) messing up the routing tables it builds for the connections, and sending all traffic, including that destined for my VPN server's IP address, down my local network's gateway, the practical upshot of which, I am told, is that I cannot see my files. I've experimented with Add Route, to specify a route to my VPN server with the server's gateway, but every time I connect to the VPN (with Use Default Gateway disabled), it just seems to create a new route with my local network's gateway again. I can enable Use Default Gateway, but this means that I am unable to access the internet whilst I'm accessing my files, which is really not ideal. As requested, route print and ipconfig outputs from the two connection states.

route print whilst not connected:

===========================================================================
Interface List
13...e0 91 f5 45 01 a3 ......NETGEAR WNA3100 N300 Wireless USB Adapter
12...bc 5f f4 4a ba 58 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
0.0.0.0                    0.0.0.0      192.168.0.1    192.168.0.111    281
127.0.0.0                255.0.0.0         On-link         127.0.0.1    306
127.0.0.1          255.255.255.255         On-link         127.0.0.1    306
127.255.255.255    255.255.255.255         On-link         127.0.0.1    306
192.168.0.0          255.255.255.0         On-link     192.168.0.111    281
192.168.0.111      255.255.255.255         On-link     192.168.0.111    281
192.168.0.255      255.255.255.255         On-link     192.168.0.111    281
224.0.0.0                240.0.0.0         On-link         127.0.0.1    306
224.0.0.0                240.0.0.0         On-link     192.168.0.111    281
255.255.255.255    255.255.255.255         On-link         127.0.0.1    306
255.255.255.255    255.255.255.255         On-link     192.168.0.111    281
===========================================================================
Persistent Routes:
Network Address          Netmask  Gateway Address  Metric
0.0.0.0                  0.0.0.0      192.168.0.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
15    306 ::/0                     On-link
1     306 ::1/128                  On-link
15    306 2001::/32                On-link
15    306 2001:0:9d38:6ab8:1847:37dc:3f57:ff90/128
                                On-link
13    281 fe80::/64                On-link
15    306 fe80::/64                On-link
15    306 fe80::1847:37dc:3f57:ff90/128
                                On-link
13    281 fe80::1985:4157:1301:d268/128
                                On-link
1     306 ff00::/8                 On-link
15    306 ff00::/8                 On-link
13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
None

ipconfig output when not connected:

Windows IP Configuration


Wireless LAN adapter WiFi:

Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::1985:4157:1301:d268%13
IPv4 Address. . . . . . . . . . . : 192.168.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{9AB5BE37-2DEA-4436-86CD-B9296315C1B1}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:cc2:1398:3f57:ff90
Link-local IPv6 Address . . . . . : fe80::cc2:1398:3f57:ff90%15
Default Gateway . . . . . . . . . : ::

route print output while connected:

===========================================================================
Interface List
28...........................Greendale VPN
13...e0 91 f5 45 01 a3 ......NETGEAR WNA3100 N300 Wireless USB Adapter
12...bc 5f f4 4a ba 58 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
0.0.0.0                    0.0.0.0      192.168.0.1    192.168.0.111    281
10.0.0.0                 255.0.0.0         10.1.0.1         10.1.0.5     21
10.1.0.5           255.255.255.255         On-link          10.1.0.5    276
86.129.242.71      255.255.255.255      192.168.0.1    192.168.0.111     26
127.0.0.0                255.0.0.0         On-link         127.0.0.1    306
127.0.0.1          255.255.255.255         On-link         127.0.0.1    306
127.255.255.255    255.255.255.255         On-link         127.0.0.1    306
192.168.0.0          255.255.255.0         On-link     192.168.0.111    281
192.168.0.111      255.255.255.255         On-link     192.168.0.111    281
192.168.0.255      255.255.255.255         On-link     192.168.0.111    281
224.0.0.0                240.0.0.0         On-link         127.0.0.1    306
224.0.0.0                240.0.0.0         On-link     192.168.0.111    281
224.0.0.0                240.0.0.0         On-link          10.1.0.5    276
255.255.255.255    255.255.255.255         On-link         127.0.0.1    306
255.255.255.255    255.255.255.255         On-link     192.168.0.111    281
255.255.255.255    255.255.255.255         On-link          10.1.0.5    276
===========================================================================
Persistent Routes:
Network Address          Netmask  Gateway Address  Metric
0.0.0.0                  0.0.0.0      192.168.0.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
15    306 ::/0                     On-link
1    306 ::1/128                  On-link
15    306 2001::/32                On-link
15    306 2001:0:4137:9e76:cc2:1398:3f57:ff90/128
                                On-link
13    281 fe80::/64                On-link
15    306 fe80::/64                On-link
15    306 fe80::cc2:1398:3f57:ff90/128
                                On-link
13    281 fe80::1985:4157:1301:d268/128
                                On-link
1    306 ff00::/8                 On-link
15    306 ff00::/8                 On-link
13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
None

ipconfig output while connected:

Windows IP Configuration

PPP adapter Greendale VPN:

Connection-specific DNS Suffix  . :
IPv4 Address. . . . . . . . . . . : 10.1.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Wireless LAN adapter WiFi:

Connection-specific DNS Suffix  . :
Link-local IPv6 Address . . . . . : fe80::1985:4157:1301:d268%13
IPv4 Address. . . . . . . . . . . : 192.168.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Ethernet:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter isatap.{9AB5BE37-2DEA-4436-86CD-B9296315C1B1}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix  . :
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:cc2:1398:3f57:ff90
Link-local IPv6 Address . . . . . : fe80::cc2:1398:3f57:ff90%15
Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{1B17315F-3193-4F06-B126-64D880540683}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :

Where 192.168.0.1 is my local router through which I'm connected to the internet, 192.168.0.11 is my client computer's address on this local network, 86.129.242.71 is my VPN server, 10.1.0.1 - 10.1.0.10 is my IP range for VPN clients and 10.1.0.1 is the default gateway on that server. It's also worth noting that the IP I'm connecting to, 86.129.242.71, is not static and will change at the whim of my ISP!

Is there anything that I'm missing to help me enable this Split Tunnelling feature? If anyone could explain to me how this routing table works and maybe how to force a connection to take a specific route (and what that specific route should be), that would be amazing.

You'll have to forgive my lack of understanding on these subjects, I'm not really a network person, but I am trying to learn! I've searched all over for a solution to this problem, but I've never been able to find a solution that seems to work, so any help is greatly, enormously appreciated!

Thanks, Danwise

Danwise
  • Can you post the output of "route print" and "ipconfig" while you ARE connected to the vpn? – Grant Mar 08 '13 at 11:54
  • There you go, I've edited the question with those two outputs, I'm interested by the `PPP adapter Greendale VPN` entry in ipconfig whilst connected, as it has no default gateway listed, would this be correct? If not, how would I rectify it (whilst still enabling split tunnelling)? - Danwise – Danwise Mar 08 '13 at 12:47
  • That all looks correct for a split tunnel vpn. How are you trying to access your files? What is the IP address of the computer they are on? Can you ping that IP while on the VPN? – Grant Mar 08 '13 at 14:43
  • The IP for the computer hosting the files is 192.168.1.84 (local IP on the network I'm VPN'ing into), I'm trying to access the files through windows explorer, for instance `\\192.168.1.84\Music`, I'm unable to ping that machine when connected to the VPN. The remote access server is showing the client as connected within the routing and remote access management console as well. I guess it's also worth noting, the VPN IP that I'm using, `86.129.242.71` is not static, so any solution that arises should probably take that into account hahaha – Danwise Mar 08 '13 at 15:14

1 Answer


The VPN addresses given out are in the 10.1.0.0/24 range. The local LAN is in 192.168.0.0/24. The remote LAN is 192.168.1.0/24.

You are in pretty good shape since there is no overlap there. What you are missing is a route to 192.168.1.0/24. When you try to connect to that subnet, it goes out your default gateway (local internet connection) since there is no specific route for it.

Without using split tunnel, it works, because your default gateway is the remote server, and it knows how to get to 192.168.1.0/24. With split tunnel, you need to specify that that traffic needs to go over the VPN.

There are two ways to fix that:

  • Change the VPN on the server side to bridge to the LAN, and hand out 192.168.1.0/24 addresses. Since this doesn't require any changes on the client side, it's probably the easiest if you have many clients.
  • Add a specific route to 192.168.1.0/24 using 10.1.0.1 as the gateway - this needs to be added on every client. Some VPN clients have a configuration setting to add routes every time you connect. Some do not, in which case you'd have to re-add it every time you connect.

Open an administrator command prompt and type:

```
route add 192.168.1.0 mask 255.255.255.0 10.1.0.1
```

If there are other subnets on the remote network you want to access, do the same for those as well.

Grant
  • I've just tried adding that route to the client, to no avail, still not seeing my shared files nor can I ping the file server, although seeing as I'm currently the only client on this VPN, I'm not averse to this solution. How would I go about making the VPN server bridge to the LAN and hand out those IP addresses to clients? I'm using Server 2012 Datacenter (was free with MSDNAA!), but it seems to behave the same as Server 2008 in all respects. Thanks for your continued help with this, it's massively appreciated :) – Danwise Mar 08 '13 at 15:43
  • Actually, it's worth noting, the router on the server end of the connection doles out IPs in the range `192.168.1.64/253`, not `192.168.1.0/24` – Danwise Mar 08 '13 at 16:03
  • Actually, I've cracked it! It was the Add Route option that worked, just seemingly needed to add it specifying the interface as the client IP address as given by the VPN, so in this case `10.1.0.10`, rather than the local LAN IP address of the client that it was being given by default, `192.168.0.11`. Thank you so much for the help, I presume this solution will not be affected by the changing public IP of the VPN server? Is there a chance you could explain why this specific interface needed to be used? Thank you again! – Danwise Mar 08 '13 at 16:21
  • The public IP address won't affect anything (though you'll need to know it, or use dynamic DNS when trying to connect). – Grant Mar 08 '13 at 16:26
  • Cool, yeah I'm looking at a DynDns subscription, although also the possibility of writing a service that will run on the server, regularly checking the public IP and then emailing me whenever it changes, not exactly sure how possible this'll be but it should be a fun experiment in being a cheap ass hahaha – Danwise Mar 08 '13 at 16:34
  • There are lots of free dynamic DNS providers. The list of ones DNS-O-Matic supports should get you started: http://www.dnsomatic.com/wiki/supportedservices – Grant Mar 08 '13 at 17:15
  • Cheers, I'll have a look at that, cause DynDNS isn't exactly expensive, but it'd be good to find a free alternative, just for the sake of this VPN – Danwise Mar 09 '13 at 12:54
  • I actually set up 2 or 3 providers in case one breaks or goes down. – Grant Mar 09 '13 at 13:42
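
To see how the routing table in the question decides where each packet goes, the following added example (not part of the original thread) replays the route selection over the "while connected" IPv4 table, before and after adding the 192.168.1.0/24 route from the answer. It assumes the added route is bound to the VPN interface address 10.1.0.5 from the route print output with a constructed metric of 21; 203.0.113.10 is a constructed internet destination.

```python
import ipaddress

# Constructed from the question's "route print while connected" IPv4 table:
# destination, netmask, gateway, interface, metric (multicast/loopback omitted).
ROUTE_PRINT = """\
0.0.0.0                    0.0.0.0      192.168.0.1    192.168.0.111    281
10.0.0.0                 255.0.0.0         10.1.0.1         10.1.0.5     21
10.1.0.5           255.255.255.255         On-link          10.1.0.5    276
86.129.242.71      255.255.255.255      192.168.0.1    192.168.0.111     26
192.168.0.0          255.255.255.0         On-link     192.168.0.111    281
"""

def make_route(dest, mask, gateway, iface, metric):
    # Convert the dotted netmask to a prefix length by counting its set bits.
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return (ipaddress.ip_network(f"{dest}/{prefix}"), gateway, iface, int(metric))

def parse_routes(text):
    return [make_route(*line.split()) for line in text.splitlines() if line.strip()]

def lookup(routes, destination):
    """Return (gateway, interface) for the winning route, or None."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    # Longest prefix wins; the lower metric breaks ties between equal prefixes.
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]

def report(routes, destinations):
    return {d: lookup(routes, d) for d in destinations}

if __name__ == "__main__":
    before = parse_routes(ROUTE_PRINT)
    # Assumption: route bound to VPN interface 10.1.0.5; metric 21 is constructed.
    after = before + [make_route("192.168.1.0", "255.255.255.0", "10.1.0.1", "10.1.0.5", 21)]
    # 192.168.1.84 is the file server; 203.0.113.10 is a constructed internet host.
    targets = ["192.168.1.84", "10.1.0.1", "86.129.242.71", "203.0.113.10"]
    for label, table in (("before", before), ("after", after)):
        for dest, hop in report(table, targets).items():
            print(f"{label:6} {dest:15} -> gateway {hop[0]:12} via {hop[1]}")
```

Only the file server's next hop changes between the two runs: everything not covered by a VPN-bound prefix keeps leaving through the local gateway 192.168.0.1, which is what split tunnelling means in practice.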