Access my home network printer while I am using VPN to connect to work

12

4

When I work from home, I am connected to the resources in my company via VPN. In my home network there is a network printer in the same local network.

The problem is that when I open VPN to my company, I cannot access my home network printer any more. So whenever I need to print, I have to disconnect VPN, print, reconnect the VPN. It's extremely annoying.


Is there any solution how to configure the stuff so I can access both the VPN and the home network printer at the same time?

While on VPN, I can normally print to the company printers and access public internet resources.

My network configuration (ipconfig) looks like this:

Ethernet adapter Local Area Connection:

IPv4 Address. . . . . . . . . . . : a.b.c.d // my company IP address
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

Wireless LAN adapter Wi-Fi:

IPv4 Address. . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.138

And I can ping the local gateway 10.0.0.138, however I cannot ping my printer on 10.0.0.3. How is that possible?

Honza Zidek

Posted 2015-04-02T11:04:09.687

Reputation: 297

Answers

3

What's happening here is that the VPN client is setting your default gateway to the VPN server. This means that all your LAN-destined network traffic is routed through the VPN, and the VPN server will dump the traffic since it is for a private, non-routable subnet (likely 192.168.x.x).

All you need to do is update your routing tables to send LAN traffic to your typical local gateway (i.e. your router). You would probably need to do this every time you disconnected & reconnected the VPN.

You would use the 'route print' command to view routing tables after connecting to the VPN. You would expect to see the default gw (0.0.0.0) destination as your VPN endpoint.

Making this change could indeed bypass some security 'policy' the IT department is attempting to enforce. I would also advise contacting your IT dept. to see if there is any issue with manually modifying the configuration on the system. No point in getting in trouble for something so minor.

[EDIT - additional info as requested]

[DISCLAIMER: modifying routing tables can mess up your access to the Internet or other networks. Changing settings related to a corporate VPN may violate company policy and result in disciplinary action. You've been warned, etc.]

After connecting to the VPN, confirm routing to your printer by running tracert MY_PRINTER_IP. If the routing hops go through the VPN endpoint, you've confirmed traffic for the printer is being routed there, and this is the issue.

route print would display existing routing tables, where you would expect to see the 0.0.0.0 (default gw) entry being directed to the VPN endpoint.

You would use the route ADD command to add an appropriate routing command for your printer. For example, to add an entry for just a single IP that you want to keep on the LAN, you could use:

route ADD MY_PRINTER_IP MASK 255.255.255.255 MY_LAN_ROUTER_IP

You may need to adjust metric on the route to ensure it is chosen first, although a more specific route generally always takes precedence. Repeating the tracert after the change should verify if routing has been updated and is working as expected. If all is good, you could add the routing rule as a static one with a '-p' flag on the ADD command, otherwise the rule is temporary and will be discarded on reboot. The VPN client may also nuke & rewrite all routing rules every time it is connected.

jlehtinen

Posted 2015-04-02T11:04:09.687

Reputation: 241

I tried this with a Juniper VPN and it failed. What I don't understand is why the network route to the local network isn't being obeyed. The VPN uses 10.x.x.x and the local network (and printer) use 192.x.x.x. Thus, the network route to 192.x.x.x should be obeyed before the default route. No gateway at all should be needed. Default route/gateway should only be used for Internet traffic. The 192.x.x.x is still there, but ALL traffic is routed to 10.x.x.x. WTF? – Evan Langlois – 2016-12-08T03:00:47.533

Thanks a lot for your tip. What actually helped me, was route DELETE 192.168.0.0, route DELETE 192.168.1.0 and route DELETE 192.168.1.17 - removing all the local address lines added to the routing table by the VPN. – Honza Zidek – 2020-02-20T07:58:09.640
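The route selection that the answer above and its comments describe, as an added example (not code from the answer or from any VPN product): a small Python model of longest-prefix-match routing, showing why the printer at 10.0.0.3 can be unreachable while the gateway 10.0.0.138 still answers, and how a /32 host route or deleting the VPN's subnet route changes the outcome. The table, interface names, metrics and the two VPN-added entries are constructed assumptions, not real `route print` output.

```python
import ipaddress

# Constructed routing table modelled on the question's addresses (not real
# `route print` output). Entries are (destination prefix, interface, metric).
ROUTES_ON_VPN = [
    ("0.0.0.0/0", "vpn", 1),        # default route pushed by the VPN client
    ("0.0.0.0/0", "wifi", 50),      # original default via 10.0.0.138
    ("10.0.0.0/24", "wifi", 281),   # on-link route for the home LAN
    ("10.0.0.0/24", "vpn", 1),      # assumption: VPN also claims the home subnet
    ("10.0.0.138/32", "wifi", 1),   # assumption: host route kept for the gateway
]


def select_route(table, dest):
    """Pick the route for dest: longest prefix first, lowest metric on ties."""
    addr = ipaddress.ip_address(dest)
    matches = [
        (ipaddress.ip_network(prefix).prefixlen, -metric, prefix, iface)
        for prefix, iface, metric in table
        if addr in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    _, _, prefix, iface = max(matches)
    return prefix, iface


def egress(table, dest):
    """Interface that traffic to dest leaves on, or None if unroutable."""
    route = select_route(table, dest)
    return route[1] if route else None


def add_host_route(table, ip, iface, metric=1):
    """Model of `route ADD <ip> MASK 255.255.255.255 <gateway>`."""
    return table + [(f"{ip}/32", iface, metric)]


def delete_routes(table, prefix, iface):
    """Model of removing the routes a VPN client added for one prefix."""
    return [r for r in table if not (r[0] == prefix and r[1] == iface)]


if __name__ == "__main__":
    fixed = add_host_route(ROUTES_ON_VPN, "10.0.0.3", "wifi")
    for label, table in (("on VPN", ROUTES_ON_VPN), ("host route added", fixed)):
        for dest in ("10.0.0.138", "10.0.0.3", "203.0.113.10"):
            print(f"{label:17} {dest:13} -> {select_route(table, dest)}")
```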

4

Although it may be possible to achieve this, using Split Tunnelling, it will almost certainly break your terms and conditions of use for the work network. In extreme cases, you could lose your job over things like that.

Remember that a VPN provides a secure link from your local machine or network to the remote LOCAL Area Network. This means that your machine behaves as though it were directly connected to the work LAN.

So allowing other local facilities to work is a security issue.

Your best bet is a direct (USB) connection to your computer from the printer.

UPDATE:

You could make your printer public by exposing its interface via your router. But don't forget that, while on the VPN, it is most likely that your Internet access goes via the corporate firewall & gateway so printer ports are almost certainly blocked there. Again, allowing printing to the Internet is a massive security hole.

It is also possible to have a local printer on the VPN but only if your VPN endpoint is in your router rather than your PC (unlikely) making your local network part of the corporate network. Of course, in that case, you wouldn't need to do anything else since the printer would now be visible to the PC. This is unlikely to be allowed by your work, again because it opens up many opportunities for security issues.

Sorry but the most likely best bet is still to physically connect your PC to the printer the old fashioned way!

Julian Knight

Posted 2015-04-02T11:04:09.687

Reputation: 13 389

Well, the printer doesn't mean a threat I think. Most probably there would not be malicious programs running on my network which would break in the company servers... – Honza Zidek – 2015-04-02T11:39:40.953

Once the VPN allows split tunnelling other things might be connected via your local network. Effectively you are bridging the networks. Since your work has no way of maintaining control, it most certainly IS a serious threat and many organisations have been compromised like this. – Julian Knight – 2015-04-02T11:41:21.543

Whether or not you can split tunnel depends on the type of VPN, how it is set up and how your local PC and local network is set up. I don't have many answers there I'm afraid since I'm more on the enterprise side and we don't allow split tunnelling. Ever. – Julian Knight – 2015-04-02T11:43:05.180

please add a small paragraph to your answer what the Split Tunneling is. – Honza Zidek – 2015-04-02T11:45:00.330

And as I can access public resources from within our company network, I am searching for a way of making my home printer visible from my company network (of course together with effective access control). – Honza Zidek – 2015-04-02T11:48:26.927

Wikipedia defines it better than I could. – Julian Knight – 2015-04-02T11:56:19.893

I read the http://en.wikipedia.org/wiki/Split_tunneling#Disadvantages as you recommended. "Users bypass gateway level security that might be in place within the company infrastructure" - it does not sound like any extra new threat - we are allowed to connect to public internet with our company laptops. So according to wikipedia it sounds like we are not protected by company firewall, but not like a security hole for the company network. – Honza Zidek – 2015-04-02T12:06:49.270

I would be very surprised if you were not accessing the Internet via a firewall. Indeed, if that were the case, I'd almost certainly look for a new job since the IT department would be criminally negligent! You might want to start by asking them for a solution rather than trying to bypass the corporate security. – Julian Knight – 2015-04-02T12:11:32.770

--Julian, are you misreading my question on purpose??? I am not "trying to bypass the corporate security", I am searching for a solution of my practical problem. Instead of blaming me like that, could you think more about the technical as well as "legal" way of doing this? – Honza Zidek – 2015-04-02T12:15:44.077

Sorry, thought you got the message. I'm not blaming you, just saying you shouldn't do it. I've given the technical solution, a direct connection. Anything involving your VPN needs to come from your IT department not us. – Julian Knight – 2015-04-02T12:16:56.833

There is not one LAN per computer. There is one LAN per network interface. So this should not be happening at all. You should still be able to reach machines on your home network; that you can't is an intentional decision by corporate IT and needs to be taken up with them. – Michael Hampton – 2015-04-02T14:54:18.817

@MichaelHampton, I'm afraid you SHOULDN'T be able to reach the other networks. You generally can't even without a VPN unless you bridge the interfaces. The whole point of a VPN of the kind the OP is talking about is to extend the remote network to your PC, allowing local networks to be bridged into the remote, hopefully secure, network is a major security flaw. – Julian Knight – 2015-04-02T15:01:13.263

@JulianKnight I never said anything about bridging a local network to the VPN. Doing that would be quite stupid. – Michael Hampton – 2015-04-02T15:02:37.857

Indeed but I'm afraid you implied it. Any corporate VPN should prevent traffic on other networks while connected. – Julian Knight – 2015-04-02T15:10:56.390

How is it possible, that I can ping the local gateway 10.0.0.138, however I cannot ping my printer on 10.0.0.3. The same subnet, the same mask. – Honza Zidek – 2015-04-02T15:14:18.460

You can ping the gateway because that is the router that takes the traffic from your PC to the outside world. If you couldn't contact it, routing would be difficult. – Julian Knight – 2015-04-02T15:24:14.993

1

I have the same problem when working from home. My work provided a docking station that I can connect to the printer through USB so as long as I'm docked at my home desk I can easily print.

When I want to print and I'm not docked, I'm able to email the document to my HP computer through a specific email address that was given to me in the set-up process. Those seem to be the only "safe" solutions besides putting everything I want to print in a "to print" folder on my desktop and waiting to print them until I disconnect from VPN. (my VPN is very finicky and connecting/disconnecting multiple times has locked me out of my network before so I try to disconnect as minimally as possible)

Stephanie

Posted 2015-04-02T11:04:09.687

Reputation: 11

0

Install the printer using its IP address. Windows allows you to do this under advanced printer options. Then your PC should still be able to locate the printer whether it is logged on to your local internet connection or to your VPN.

user662733

Posted 2015-04-02T11:04:09.687

Reputation: 1

Did you try this? Without specific settings (like the default gateway), I'd be surprised to see a computer that is connected to a VPN to be also connected to computers in the local network. (And if the local network is visible, then I wonder if anything special is needed to get a printer working.) – Arjan – 2016-11-11T13:02:04.040

-1

One way I was able to work around this without messing with routings or changing subnets was install the printer on another local PC at home, share the printer, install that shared printer on the laptop used for VPN. Set that shared printer as the default and then the printing worked successfully.

(This work around requires another computer to be on your local network)

Shane

Posted 2015-04-02T11:04:09.687

Reputation: 1

-1

Some modern printers can support two or more connection types at once (e.g. Samsung C3010dw): e.g., Ethernet and USB. If the printer is close enough to the local computer, you can create two logical printers (one for the network connection and one for the USB connection) for the printer. The USB printer can be used while the VPN connection is active (or not), but remain available (via the Ethernet connection) to other computers on the local network.

In theory, though I have not tested, the IOGEAR GUWH104KIT can be used for the USB connection if distance is an issue or you can add additional GUWH104 receivers if you need to connect via USB to multiple computers.

VernonX

Posted 2015-04-02T11:04:09.687

Reputation: 1