Split Tunneling: How do I know which IP addresses should go to the VPN network?

2

I have set up my VPN client (VPNC Front End) to use split tunneling. After the VPN is connected, I have a script which adds the routes for all of the IP addresses that I know should be routed through the VPN.

Now and then, I bump into IP addresses which are not routed through the VPN and hence are not accessible from the outside either. Using a multi-threaded ping with all traffic forced over the VPN, I figure out the proper range of IP addresses which should be routed through the VPN. I then add those newly discovered routes to my script.

The above process is annoying. Is there an automated way I can know which IP addresses should be routed through the VPN?

I already have 10.0.0.0/255.0.0.0, 172.16.0.0/255.240.0.0 and 192.168.0.0/255.255.0.0 routed through the VPN. However, I find there are several other IP addresses which must be routed through the VPN in order to view the internal version of the site.

Nathan

Posted 2014-08-05T19:58:18.953

Reputation: 1 050

Answers

2

There is no magic way to discover what networks should be directed to your VPN connection or not.

There are VPN gateways that advertise networks that should be available in the client network, but there may be other resources that are available but are not advertised.

The private IPv4 networks are usually in 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks, which you are already routing to your VPN connection.

If there are other private resources that you need access to, you should ask your network administrator which networks should be routed through the VPN connection.

denisvm

Posted 2014-08-05T19:58:18.953

Reputation: 604

How do I query the VPN gateway for the networks that are available? – Nathan – 2014-08-05T21:57:15.880

On VPNC, if the VPN gateway supplies the network list, it will automatically add the route; otherwise it will add your tunnel device as the default route. You can also check the VPNC log for this info. – denisvm – 2014-08-05T22:37:21.483

How would a network administrator know which networks should be routed through the VPN connection? For a small company, this could easily be done via memory. For a large company, how would they look up the information? – Nathan – 2014-08-13T19:05:25.073

Well, it depends. Firstly, this kind of information should be documented. It is recommended to allow only the traffic you need to pass through the VPN tunnel, so the network administrator should know which routes need to be published and which groups/users should have access to them. – denisvm – 2014-08-13T21:51:34.490

I checked the VPNC log. The gateway did not provide network configuration. It did provide the internal address, default domain, and DNS servers but no route information. – Nathan – 2014-08-14T17:29:06.513

@Nathan then you must ask your network administrator if you need to add more routes to pass through the VPN tunnel. Usually only private networks and corporate addresses are forwarded through the VPN, but you may need restricted internet access that only your corporate firewall has access to. There's simply no magic way to discover this. – denisvm – 2014-08-14T19:37:34.120
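
An added example, not code from either poster: once the administrator has supplied a list of internal addresses, a script can check which of them the current split-tunnel routes miss and propose summarized routes in the same network/netmask form used in the question. The function names, the sample addresses and the /24 grouping size are assumptions made for this illustration.

```python
import ipaddress

# Routes already sent through the VPN, as listed in the question.
VPN_ROUTES = ["10.0.0.0/255.0.0.0", "172.16.0.0/255.240.0.0", "192.168.0.0/255.255.0.0"]

# Constructed sample: addresses an administrator has confirmed as internal.
# 198.18.0.0/15 and 203.0.113.0/24 are reserved test ranges, used as stand-ins.
SAMPLE = ["10.20.30.40", "172.20.1.5", "192.168.7.9",
          "198.18.4.10", "198.18.5.20", "203.0.113.8"]

def parse_routes(routes):
    """Convert 'network/netmask' strings into ip_network objects."""
    return [ipaddress.ip_network(r, strict=True) for r in routes]

def uncovered(addresses, routes):
    """Addresses matched by no VPN route; these leave via the default route."""
    nets = parse_routes(routes)
    return [a for a in map(ipaddress.ip_address, addresses)
            if not any(a in n for n in nets)]

def suggest_routes(addresses, routes, prefixlen=24):
    """Group uncovered addresses into /prefixlen blocks and merge adjacent blocks.

    The block size is a guess (assumption): the real subnet boundaries have to be
    confirmed with the administrator, because a block that is too wide sends
    unrelated traffic through the tunnel.
    """
    missing = uncovered(addresses, routes)
    blocks = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in missing}
    return list(ipaddress.collapse_addresses(blocks))

def to_netmask(net):
    """Format a network in the network/netmask notation used by the route script."""
    return f"{net.network_address}/{net.netmask}"

if __name__ == "__main__":
    for addr in uncovered(SAMPLE, VPN_ROUTES):
        print("not routed through VPN:", addr)
    for net in suggest_routes(SAMPLE, VPN_ROUTES):
        print("candidate route:", to_netmask(net))
```

This only audits coverage of addresses that are already known; it does not discover internal networks, which still has to come from the gateway's advertised routes or the administrator.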