
By default the windows vpn client has this checked in the advanced tcp/ip settings: Use default gateway on remote network...

I do not want to use the default remote gateway... (the client's internet access uses the company network when it is like this). How can I set up the Win 2008 RRAS server to not give out this gateway, or disable this? Can I make a special DHCP scope (with no gateway defined) and tie incoming PPTP connections to it? Are there any other methods? -- without doing anything to the client... I want to be able to just leave it checked--

Thanks!

Scott Kramer

4 Answers


The settings you're looking to change are client-side only, unfortunately. Unlike, say, OpenVPN, where you "push" configuration information from the VPN server to the client, in the Microsoft VPN client the "Use default gateway on remote network" option is set client-side only.

The Connection Manager Administration Kit (CMAK) will let you build an EXE that can be run on clients to set up the VPN connection with all the parameters you want.

Some frustration may come from the unfortunate method by which the client receives a route to the remote network. When the "Use default gateway on remote network" option is disabled, the client receives a route to the remote network based on the "classful" IP address of the VPN server (this changes in Windows 7, but I don't have details of the change handy). If you're just doing a VPN into a little "/24" network numbered "192.168.x.x", then this will work out fine.

If you have a more complex topology, though, this will give you fits. The CMAK is supposed to give you a way to run a script on the client after the VPN comes up, and to modify the client's routing table, but I've never actually gotten that functionality to work on Windows XP SP2-based client computers. I'd love to hear from somebody who has.

Evan Anderson
  • I'm familiar with CMAK, but want to avoid it... plus need a different one for 64-bit machines – Scott Kramer Oct 06 '09 at 20:16
  • I'm surprised the better default setting isn't with this unchecked... (maybe it doesn't do what it says it does) but I know the users' web browsing goes out their pipe, and any connection to company servers through the VPN works fine... same for WinXP, V, 7 – Scott Kramer Oct 06 '09 at 20:19
  • You'll have to take the default selection up with Microsoft. I'd agree that, in my experience, I prefer the default being to *not* use the default gateway on the remote network. Having said that, CMAK is your only "supported" way to change this client-side setting. There isn't a server-side way to do what you want w/o using some different VPN server. – Evan Anderson Oct 07 '09 at 04:27
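As an added example (not code from the answer above, from CMAK, or from Microsoft), the same client-side change scripted with the built-in VpnClient PowerShell module on a modern Windows client (Windows 8.1 / Server 2012 R2 and later; it does not apply to the XP-era clients discussed here and, as the answer says, it still has to run on the client): it clears "Use default gateway on remote network" (split tunneling) and adds the extra routes the answer mentions for a hub-and-spoke network. The connection name and the prefixes are assumed placeholder values.

```powershell
# Added example: client-side split-tunnel setup with the VpnClient module
# (Windows 8.1 / Server 2012 R2 and later). Run on the client in an
# elevated PowerShell session. Names and prefixes are assumed placeholders.
$ConnectionName = 'CorpVPN'                           # assumed connection name
$RemotePrefixes = @('10.10.0.0/16', '10.20.0.0/16')   # assumed hub and spoke networks

# 1. Clear "Use default gateway on remote network". SplitTunneling = $true means
#    only explicitly routed prefixes use the tunnel; internet traffic stays local.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force

# 2. With the option cleared, the client only learns a classful route to the
#    VPN server's own subnet, so add explicit routes for the networks behind
#    the hub. Skip any prefix that is already present so the script is rerunnable.
foreach ($prefix in $RemotePrefixes) {
    $existing = (Get-VpnConnection -Name $ConnectionName).Routes |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# 3. Verify: SplitTunneling should be True and every prefix should be listed.
$conn = Get-VpnConnection -Name $ConnectionName
[pscustomobject]@{
    Connection     = $conn.Name
    SplitTunneling = $conn.SplitTunneling
    Routes         = ($conn.Routes.DestinationPrefix -join ', ')
}
```

The routes take effect when the connection is next established. Bear in mind the trade-off raised elsewhere on this page: with split tunneling the client's internet traffic bypasses the company's egress controls while the tunnel is up.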

AFAIK, the connection has to have a gateway, or else there's no way it can send traffic over that interface to anything except the VPN server at the other end.

Also AFAIK there's no way around this except to manually disable the connection (even a PowerShell script won't be any good, even if it has the functionality there's too many unknown variables in locating the connection).

Worth noting that without this open, name resolution won't work either unless your local DNS has the VPN IPs in it.

I feel your pain though.

Mark Henderson
  • I work with PPTP connections on Windows with the "Use default gateway on remote network" option disabled daily. I can get DNS via the VPN, and can access remote resources fine. The remote VPN server will populate the client with a single route to the network the VPN server itself is attached to when the client connects with this option disabled. When accessing a remote network that's a simple "class C" this is just fine. For more complicated networks (VPN server at a site that is a "hub" of a "hub and spoke" network) I run a script to add addt'l routes after I connect. – Evan Anderson Oct 06 '09 at 15:21
  • The connection still works fine with it unchecked... that is how I want it to work!! But I am tired of disabling it for every person all the time. Their own internet traffic goes out their own pipe. – Scott Kramer Oct 06 '09 at 20:14

The reason it is enabled by default is that it is the most secure option. Your client could pose a security risk if they get hacked from the internet; there might not be much to secure your network...

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

Mr Shoubs
  • I understand, but when they surf the web, stream video etc., it eats up the company's bandwidth; basically all their internet traffic is routed through the VPN this way. – Scott Kramer Dec 08 '09 at 19:32

I block such traffic with the site router. First assign a static pool of IPs to the PPTP VPN server, then in the router block all outbound traffic with a source IP in that IP pool.

boo9