VPN: Does all traffic get routed through the VPN when I am logged in?

22

8

If I log into a slow VPN with only a 15k/s connection, when I try to go to kernel.org or some other site to download something, is everything getting routed through that other network? (so my max speed for all downloads is 15k/s?) Or are only the DNS requests getting routed and I can still get my normal download speeds I would have been able to before logging into the router?

Jarvin

Posted 2010-04-30T02:12:06.270

Reputation: 6 712

Answers

24

It depends on the VPN configuration. To see how it is set up in your case, check your default gateway:

Windows (in command prompt):

route print

Linux (in console)

netstat -nr

Look for network destination 0.0.0.0 (Windows) or default (Linux). If it is set to your local subnet gateway, not all traffic is going through the VPN. In any other case, all traffic goes through the VPN.

kyrisu

Posted 2010-04-30T02:12:06.270

Reputation: 1 405

2netstat -nr seems to work for OS X too. – Boy Baukema – 2011-10-10T18:54:41.803
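The routing-table check from the answer above, as an added example that is not part of any answer on this page. It goes beyond looking only at the 0.0.0.0/default line and applies a longest-prefix match, because a VPN client can leave the default route in place and still capture all traffic with two /1 routes (as OpenVPN's `redirect-gateway def1` option does). The routing tables, the interface name `tun0`, the probe addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -nr` output (Linux layout); addresses and interfaces are made up.
SPLIT = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.0.0.0        10.8.0.1        255.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
# Default route still names the LAN gateway, but two /1 routes cover all of IPv4.
FULL_VIA_HALVES = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""

def parse_routes(text):
    """Return (network, gateway, interface) for each IPv4 route line."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue  # skip column headers and blank lines
        network = ipaddress.ip_network(f"{cols[0]}/{cols[2]}")
        routes.append((network, cols[1], cols[7]))
    return routes

def egress_iface(routes, dest_ip):
    """Interface of the longest matching prefix (first listed wins a tie)."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[2]

def tunnel_mode(text, vpn_iface, probes=("8.8.8.8", "198.51.100.7")):
    """'full' if every probe leaves via vpn_iface, 'split' if none do, else 'mixed'."""
    routes = parse_routes(text)
    via_vpn = [egress_iface(routes, p) == vpn_iface for p in probes]
    return "full" if all(via_vpn) else "mixed" if any(via_vpn) else "split"

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("two /1 routes", FULL_VIA_HALVES)):
        print(name, "->", tunnel_mode(table, "tun0"))
```

The probes are only looked up in the parsed table, nothing is sent; one address from each half of the IPv4 space is used so that a table carrying only one of the two /1 routes is reported as mixed.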

8

On Windows, the default configuration is to send all traffic down the VPN connection (the tunnel), even if it is destined for sites external to the private network. Opening a VPN session without sending all traffic through the VPN tunnel is called "split tunneling" and while possible, carries security risks. With split tunneling, the remote machine is simultaneously connected directly to the Internet and to the private network, so any security breach in the remote machine is a security breach in the private network. IOW, a compromised remote machine provides a path into the private network that bypasses the private network's firewall. This doesn't happen when all traffic from the remote machine is sent via the VPN tunnel.

Fred

Posted 2010-04-30T02:12:06.270

Reputation: 1 205

3This threat possibility is true of any OS, not just Windows. For clarity. – JoelAZ – 2014-10-25T06:03:18.453

4

If you're using Windows Networking to connect to the VPN, go to the connection properties, select the Networking tab, select TCP/IP properties, click Advanced, and un-check "Use default gateway on remote network" to stop all network traffic (that doesn't involve the remote network, i.e. web browsing) from going through the VPN.

Robert Durgin

Posted 2010-04-30T02:12:06.270

Reputation: 141

2

I use a corporate Aventail VPN, with the same "trouble".

All network traffic/control goes through several network filter drivers, in my case "Packet Scheduler Miniport", "Odyssey Network Agent Miniport", "McAfee NDIS Filter Miniport", etc. In addition, there is an "Aventail VPN Filter" driver under hidden devices in the Non-Plug and Play drivers section, which can be found in Device Manager.

It seems to me that the Aventail VPN Filter's aim is to sniff all network traffic and forward it through the VPN tunnel/connection/interface.

Just disable it, then you will get back control of the route table. Finally, you can add a default gateway to your home network, and a persistent route to the corporate network.

Wikipedia about Filter Driver: Filter drivers are optional drivers that add value to or modify the behavior of a device and may be non-device drivers. A filter driver can also service one or more devices. Upper level filter drivers sit above the primary driver for the device (the function driver), while lower level filter drivers sit below the function driver and above the bus driver.

Krisztián Sugár

Posted 2010-04-30T02:12:06.270

Reputation: 21

1

It depends on the VPN, your operating system, the client, etc. For instance, a SonicWall VPN will only route data for which it is set up.

Your operating system routes also need to be set up for the routes to work. If you provide your VPN software, we might be able to assist more.

Derek Belrose

Posted 2010-04-30T02:12:06.270

Reputation: 11

-1

Here is my script for dialling HyperRas/Aventail and setting back default gateway to the original local network.

@echo off
::Your VPN network parameters
set _vpnnetwork=10.0.0.0
set _vpnmask=255.0.0.0

::GET Current Default Gateway IP
for /f "tokens=3" %%G IN ('route print 0.0.0.0^| find "Default Gateway"') DO (set _originalgw=%%G)

::Dialling
ngdial HyperRas -gui -prompt -status -icon

::Wait for Hyperras background config / sleep emulation for about 10 sec
::198.18.0.0/15 reserved for Network Interconnect Device Benchmark Testing [RFC5735]
ping 198.18.0.1 -w 10000 -n 1

::GET New RAS Default Gateway IP
for /f "tokens=3" %%G IN ('route print 0.0.0.0^| find "Default Gateway"') DO (set _rasgw=%%G)

::Set RAS route to corporate network
route add %_vpnnetwork% mask %_vpnmask% %_rasgw%

::Set Default Gateway to original
route add 0.0.0.0 mask 0.0.0.0 %_originalgw%

Krisztián Sugár

Posted 2010-04-30T02:12:06.270

Reputation: 21

1This doesn't answer the question. – James Mertz – 2012-11-04T19:31:46.857