There are constantly questions in various forums: "how do I maintain internet access through my local router while connected to a VPN?", or "how do I access my local TCP/IP printer while connected to a VPN?". It is pretty basic, but for those who don't understand it I thought I would address it in a blog post so that in future I can just provide a pointer.

There is a security feature in almost all VPN configurations that blocks all local network connections while you are connected to the corporate network via the VPN. It provides some degree of security by preventing someone with malicious intent from reaching the corporate servers using your PC or laptop as a stepping stone. It basically isolates your device from the world around it, so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site. Or consider an Internet cafe, where you are on the same local network as total strangers. Either through the shared Wi-Fi connection, or even an "ad hoc" wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office. Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60s and 70s TV show Get Smart, but the more of these doors are left open, the easier it is for attackers. Everything can be hacked. If you don't believe me, have a look at the TED Talk by Avi Rubin, "All your devices can be hacked".

In order to access the local network and the remote VPN network simultaneously you need to enable a feature called split tunneling. For the security reasons outlined above I do not recommend enabling it, but in some cases it is necessary, or perhaps you just want to know why it works the way it does. If you have an enterprise VPN solution such as Cisco, WatchGuard, SonicWall or others, you cannot enable split tunneling as an end user. It is managed by the VPN appliance and requires the administrator to configure and enable it if they see a need to do so. However, if you are using the Windows VPN client you can edit the configuration to allow split tunneling. To do so, open Control Panel, select Network and Sharing Center, and then choose "Change adapter settings". This works on XP and earlier clients as well, but the path to the adapters is slightly different. Locate the VPN/PPP adapter, right-click it and choose Properties. In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties, click Advanced, and in the resulting window un-check "Use default gateway on remote network". When checked, which is its default state, this option forces all traffic through the remote site. Un-checking it allows access to the local network and its gateway, while traffic for the remote network still goes through the VPN.

[Screenshot: Advanced TCP/IP Settings dialog with "Use default gateway on remote network" un-checked]

Again, remember that this is a security feature and should not be reconfigured unless it is necessary and you are aware of the risks.

Comments on: "Access local and VPN network Simultaneously" (8)

  1. vizio e371vl said:

    Hi to everybody, it's my first quick visit to this weblog; this
    blog contains remarkable and really good data for visitors.

  2. D Blair Elzinga said:

    You don't need to use split tunneling to enable access to local devices, you just need to add the local devices to the Windows routing table so that it knows how to reach them when the VPN is active.

    See the Windows "route" command, e.g. route -p add <destination> MASK <netmask> <gateway> METRIC <metric> IF <interface>

    To help discover what you need to use, disconnect from your VPN, make sure you can connect to your local device, then run "route print" to show the current active routes and find your device (generally in the IPv4 Route Table).

    It will also list the 'Metric' to use, and at the top of the listing is the "Interface List", which lists the network interfaces on your system. You'll need to figure out which one to use. For example, I know my system has a gigabit network adapter and in the list I see an "Intel(R) Gigabit Network Connection" – bingo – that's it. The first column is the interface id, 49 in my case.

    The "-p" option makes your configuration persistent, meaning that it will be there again next time you boot.

    SO, as an example, let’s say I want a local network share at 192.168.1.43 to be accessible to my machine while connected to the VPN, so I would add the route like so:

    route -p add 192.168.1.43 MASK 255.255.255.255 192.168.1.1 METRIC 15 IF 49

    Now if I run route print, I see this new route in the list of persistent routes for IPv4.

    I turn my VPN back on, and instead of the device 'disappearing' as it normally does, Windows can still find it because it is in the persistent route list.

    • Good points Blair, and I agree. Changing the default gateway option is much simpler for most users, though your method would be more secure as it restricts access to specific IPs. If you want to use the local connection for Internet access, the default gateway option is probably the better choice, and neither method works if you have a proper VPN client such as a Cisco.

      Thanks for the comments.
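To show what the "Use default gateway on remote network" checkbox in the post and the persistent host route in the comment above are actually manipulating, here is an added model of Windows route selection in Python. It is not code from the post, from the commenter or from Windows: the route table, the interface indexes (49 for the LAN adapter, as in the comment, and 20 for the VPN adapter), the addresses, and the assumption that the corporate side pushes a 192.168.1.0/24 route that overlaps the home LAN are all constructed for the example. lookup() applies the rule Windows uses, longest matching prefix first and lowest metric on a tie, and add_persistent_route() performs the same destination/mask consistency check that route.exe applies before accepting a route.

```python
import ipaddress
from collections import namedtuple

# One row of a Windows-style IPv4 route table:
# destination, netmask, gateway, interface index, metric.
Route = namedtuple("Route", "dest mask gateway ifindex metric")

LAN_IF, VPN_IF = 49, 20  # constructed interface indexes (49 taken from the comment)

# Constructed table with "Use default gateway on remote network" CHECKED.
# The corporate side is assumed to push a 192.168.1.0/24 route that overlaps
# the home LAN; that overlap is what makes a local printer "disappear".
FULL_TUNNEL = [
    Route("0.0.0.0", "0.0.0.0", "10.8.0.1", VPN_IF, 1),            # default via VPN
    Route("0.0.0.0", "0.0.0.0", "192.168.1.1", LAN_IF, 25),        # default via home router
    Route("10.0.0.0", "255.0.0.0", "10.8.0.1", VPN_IF, 1),          # corporate network
    Route("192.168.1.0", "255.255.255.0", "10.8.0.1", VPN_IF, 1),   # pushed by VPN, overlaps LAN
    Route("192.168.1.0", "255.255.255.0", "0.0.0.0", LAN_IF, 281),  # on-link home LAN
]

# Same host with the option UN-CHECKED (split tunneling): the default route no
# longer points at the VPN, only the corporate prefixes go down the tunnel.
SPLIT_TUNNEL = [r for r in FULL_TUNNEL
                if not (r.dest == "0.0.0.0" and r.ifindex == VPN_IF)]


def network_of(route):
    """Prefix covered by a route. Raises ValueError when the destination has bits
    set outside the netmask, the same inconsistency that makes route.exe reject
    a route (e.g. a single host address combined with MASK 255.0.0.0)."""
    return ipaddress.IPv4Network((route.dest, route.mask))


def lookup(routes, destination):
    """Return the route Windows would use for a destination: the longest
    matching prefix wins, and among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(destination)
    best, best_key = None, None
    for r in routes:
        net = network_of(r)
        if dst in net:
            key = (net.prefixlen, -r.metric)
            if best_key is None or key > best_key:
                best, best_key = r, key
    return best


def add_persistent_route(routes, dest, mask, gateway, metric, ifindex):
    """Model of 'route -p add DEST MASK NETMASK GATEWAY METRIC N IF IFINDEX':
    validate the entry and return a new table with the route appended."""
    new = Route(dest, mask, gateway, ifindex, metric)
    network_of(new)  # ValueError here corresponds to route.exe refusing the entry
    return routes + [new]


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        for host in ("8.8.8.8", "10.1.2.3", "192.168.1.43"):
            print(f"{name:12} {host:14} -> IF {lookup(table, host).ifindex}")
    # The commenter's fix: a /32 host route for the printer via the LAN adapter.
    fixed = add_persistent_route(FULL_TUNNEL, "192.168.1.43", "255.255.255.255",
                                 "192.168.1.1", 15, LAN_IF)
    print("with host route 192.168.1.43   -> IF", lookup(fixed, "192.168.1.43").ifindex)
    # A host address with a /8 mask is inconsistent and is rejected outright.
    try:
        add_persistent_route(FULL_TUNNEL, "192.168.1.43", "255.0.0.0",
                             "192.168.1.1", 15, LAN_IF)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the two settings side by side: with the box checked, Internet traffic (8.8.8.8) is routed to the VPN adapter; un-checking it moves only the default route back to the home router, while corporate addresses (10.x) still go down the tunnel. In this constructed table the printer at 192.168.1.43 is captured by the overlapping VPN route in both settings, which is exactly the case the /32 host route resolves, since a 32-bit prefix beats the /24 regardless of metric. The last step shows why the mask matters: a single address combined with 255.0.0.0 is not a valid destination/mask pair and never reaches the table.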

  3. Noblecoull said:

    You’ve ended my 4 day long hunt!
    God Bless you man. Have a nice day. Bye

  4. Thank you, I use a VPN just to access youtube without bandwidth restriction (war between google and my ISP) so privacy is not really an issue, this works like a charm!

  5. Laurie Newcombe said:

    "and neither method works if you have a proper VPN client such as a Cisco." … So what does one do in that case? I need internet access through my local gateway while running a VPN.

    • A "proper VPN" does not allow users to open security holes. In the case of a Cisco VPN only the VPN administrator can create a policy allowing "split tunneling". You can do nothing from the client end. Sorry.

  6. Backlink Ping said:

    Good day! I could have sworn I've been to this site before but after looking at some of
    the posts I realized it's new to me. Anyways, I'm certainly
    delighted I discovered it and I'll be book-marking it and checking back often!
