VPN split access anyone?

Forums › IT Pro and developers › VPN split access anyone?

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#114442 20-Feb-2013 08:32

I am playing with a SSTP VPN access and have a problem accessing the Internet while connected to the VPN.

The server won't route access to the Internet (and I don't want it to do it) which means that while connected to the VPN the client PC can access resources in the LAN but can't access the Internet. If I uncheck the advanced option in the IPv4 settings to not use the Gateway by default then I have Internet access but can't access the VPN resources.

Does anyone have a suggestion to fix this and have access to both resources while the VPN is connected? Something that wouldn't break things when the VPN is not active?

I am running the SSTP VPN server on a Windows Server 2012.

RunningMan

8953 posts

Uber Geek

#766177 20-Feb-2013 08:37

Were you using a Cisco SRP521? The current firmware has a VPN server in it that you could try instead, if this is at the same site.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#766178 20-Feb-2013 08:39

No, the servers are at the datacentre. I have a SRP521 but this is on my client side, so no use there.

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#766180 20-Feb-2013 08:39

Seems like you need to add a route for the LAN subnet on the other side of that VPN link on your own machine.

Something like (pseudo code):

ROUTE ADD 192.168.0.0/24

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#766181 20-Feb-2013 08:42

Yes, I guess would need to add a route to the VPN on my client. I will probably need to change some of the stuff on my server side too as the server LAN uses the same subnet as my client LAN, so I don't want to mess up the addresses.

Right, will have to work a bit on this...

kiwirock

685 posts

Ultimate Geek

#766199 20-Feb-2013 09:10

Yeah they won't work to well having the same subnet.

Another pet annoyance I've found with VPN's on Windows (at least XP and below, I don't have 7), that if your remote subnet is say 10.1.1.X/24 silly Windows still puts a route in for a /8 instead on the PPP/VPN interface based on the old class system. This is annoying especially when using say 10.0.0.X/24 as it'll put a route in for 10.X.X.X/8 instead and cause headaches if your local LAN is any address starting with 10 until you manually delete the route and put a /24 in.

edit: Was referring to the client side.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#766201 20-Feb-2013 09:11

Yes, later today I will change the Hyper-V Private Network configuration to a different subnet, reconfigure the VPN server, add a route to that and work from there...

magu

Professional yak shaver
1599 posts

Uber Geek

Trusted

BitSignal

Lifetime subscriber

#766202 20-Feb-2013 09:13

I've found using the 172.16.x.x range being extremely helpful to avoid such problems, especially when connecting to multiple VPN endpoints at the same time.

"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

kiwirock

685 posts

Ultimate Geek

#766215 20-Feb-2013 09:24

Yes those 172.16/12 addresses are handy, I use them on my WiFi subnets as chances are someone who connects doesn't use them.

I was using the commercial NAT reserved range for a while added not that long ago but switched back to 172 since IPv4 is now on the thin line.

freitasm

BDFL - Memuneh
79253 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#766270 20-Feb-2013 10:43

Ok, changed the range in the server side from 192.168.2.x to 192.168.10.x and changed option on VPN server configuration to "Enable this computer as a [x] IPv4 router (O) LAN routing only".

This fixed the issue with no need to add any new routes on the client side. I can now continue to access the Internet and have access to the LAN on the server side.