There are constantly questions in various forums; “how do I maintain internet access through my local router while connected to a VPN”, or “ how do I access my local TCP/IP printer while connected to a VPN”.  It is pretty basic but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.

There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network, via a VPN.  This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/Laptop as a stepping stone.   It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site.  Or, consider an Internet Cafe’ where you are on the same local network as total strangers.   Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office.  Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers.  Everything can be hacked.  If you don’t believe me have a look at the following Ted Talks video by Avi Rubin; “All your devices can be hacked”.

In order to simultaneously access the local and remote VPN network you need to enable a feature called split-tunneling.  Due the security reasons outlined above, I do not recommend enabling this, however in some cases it is necessary or perhaps you just wanted to know why.  If you have an Enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, as an end user cannot enable split-tunneling.  It is managed by the VPN appliance and will require the administrator to configure and enable if they see a need to do so.   However if you are using a Windows VPN client you can edit the configuration to allow split-tunneling.  To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings”.   This will work on XP and earlier clients as well but the path to the adapters is slightly different.  Locate the VPN/PPP adapter, right click on it and choose properties.  In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click properties, click Advanced, and in the resulting window un-check “Use Default Gateway on remote network.  When checked, its default state, it forces all traffic through the remote site.  Un-checking allows access to the local network and gateway.

image

Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.

Comments on: "Access local and VPN network Simultaneously" (20)

  1. vizio e371vl said:

    Hi to every body, it’s my first pay a quick visit of this weblog; this
    blog contains remarkable and really good data for visitors.

  2. D Blair Elzinga said:

    You don’t need to use split tunneling to enable access to local devices, you just need to add the local devices to the windows routing tables so that it knows to access them when the VPN is active.

    See the windows “route” command – E.G. route -p add MASK 255.0.0.0 METRIC IF

    To help discover what you need to use, disconnect from your VPN, make sure you can connect to your local device, then run a “route print” show the current active routes and find your device. (generally in the IPv4 Route Table)

    It will also list the ‘Metric’ to use, and at the top of the listing is the “Interface List” which lists the network interfaces on your system. You’ll need to figure out which one to use. For example, I know my system has a gigabit network adapter and in the list I see a “Intel(R) Gigabit Network Connection” – bingo – that’s it. The first column is the interface id, 49 in my case.

    The “-p” option makes your configuration persistent – meaning that it will be there again next time you boot.

    SO, as an example, let’s say I want a local network share at 192.168.1.43 to be accessible to my machine while connected to the VPN, so I would add the route like so:

    route -p add 192.168.1.43 MASK 255.0.0.0 192.168.1.1 METRIC 15 IF 49

    Now if I run route print, I see this new route in the list of persistent routes for IPv4.

    I turn my VPN back on, and instead of the device ‘disappearing’ as it normally does, windows can still find it because it is in the persistent route list.

    • Good points Blair and I agree. Changing the default gateway option is much simpler for most users, though your method would be more secure as it restricts access to specific IP’s. If wanting to use the local connection for Internet, the default gateway is probably the better option, and neither method woks if you have a proper VPN client such as a Cisco.

      Thanks for the comments.

  3. Noblecoull said:

    You’ve ended my 4 day long hunt!
    God Bless you man. Have a nice day. Bye

  4. Thank you, I use a VPN just to access youtube without bandwidth restriction (war between google and my ISP) so privacy is not really an issue, this works like a charm!

  5. Laurie Newcombe said:

    “and neither method woks if you have a proper VPN client such as a Cisco.”… So what does one do in that case. I need internet access through my local gateway while running a VPN.

    • A “proper VPN” does not allow users to open security holes. In the case of a Cisco VPN only the VPN administrator can create a policy allowing “split tunneling”. You can do nothing from the client end. Sorry.

  6. Backlink Ping said:

    Good day! I coulod have sworn I’ve been to this site before but after looking at some of
    the posts I realized it’s new too me. Anyways, I’m certainly
    deliighted I discovered it and I’ll be book-marking it and checking back often!

  7. Looks like another site has ripped off your article:

  8. Kevin Burton said:

    I am having a hard time picking the device for D Blair Elzinga’s solution. I have a route print that looks like:

    ===========================================================================
    Interface List
    5…02 50 41 00 00 01 ……PANGP Virtual Ethernet Adapter
    7…3c 97 0e a7 7d 33 ……Intel(R) 82579LM Gigabit Network Connection
    9…6c 88 14 af 1e 25 ……Microsoft Wi-Fi Direct Virtual Adapter
    14…6c 88 14 af 1e 24 ……Intel(R) Centrino(R) Advanced-N 6205
    2…b8 76 3f ae b5 97 ……Bluetooth Device (Personal Area Network)
    1………………………Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.23 40
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    192.168.1.0 255.255.255.0 On-link 192.168.1.23 296
    192.168.1.23 255.255.255.255 On-link 192.168.1.23 296
    192.168.1.255 255.255.255.255 On-link 192.168.1.23 296
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 192.168.1.23 296
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 192.168.1.23 296
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 331 ::1/128 On-link
    1 331 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None

    I would like to use interface 9 (Wi-Fi) but I keep getting an error that the mask I specify is incorrect

    …..
    Diagnostic Notes:
    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
    The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.
    …..

    What am I missing?

    • It should probably look like:
      route add 192.168.1.0 mask 255.255.255.0 192.168.1.1 IF 9
      It may work Ok without the interface variable
      route add 192.168.1.0 mask 255.255.255.0 192.168.1.1

      • Ronald Kevin Burton said:

        Sorry that results in the same usage output with an error about the MASK.

      • Could you post an Ipconfig /all from the problematic P, without the VPN connected, and one with. Please leave actual IPs unless any are public IPs but they shouldn’t be.

      • Ronald Kevin Burton said:

        My computer crashed. Here is ipconfig for its replacement (doesn’t have Wi-Fi)

        Windows IP Configuration

        Host Name . . . . . . . . . . . . : BSOFT
        Primary Dns Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

        Ethernet adapter vEthernet (Default Switch):

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
        Physical Address. . . . . . . . . : A2-15-3D-61-24-8D
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::21b5:f2b6:2612:10ac%20(Preferred)
        IPv4 Address. . . . . . . . . . . : 172.19.234.225(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.240
        Default Gateway . . . . . . . . . :
        DHCPv6 IAID . . . . . . . . . . . : 335549789
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
        fec0:0:0:ffff::2%1
        fec0:0:0:ffff::3%1
        NetBIOS over Tcpip. . . . . . . . : Disabled

        Ethernet adapter Ethernet:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
        Physical Address. . . . . . . . . : F4-4D-30-EA-6A-A7
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::8080:2035:7c55:9f77%9(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Wednesday, April 11, 2018 6:24:39 PM
        Lease Expires . . . . . . . . . . : Thursday, April 12, 2018 6:24:36 PM
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DHCPv6 IAID . . . . . . . . . . . : 99896624
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

        I still would like to connect via IF 9

        ===========================================================================
        Interface List
        20…a2 15 3d 61 24 8d ……Hyper-V Virtual Ethernet Adapter #2
        9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
        1………………………Software Loopback Interface 1
        ===========================================================================

        IPv4 Route Table
        ===========================================================================
        Active Routes:
        Network Destination Netmask Gateway Interface Metric
        0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.21 25
        127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
        127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
        127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
        172.19.234.224 255.255.255.240 On-link 172.19.234.225 271
        172.19.234.225 255.255.255.255 On-link 172.19.234.225 271
        172.19.234.239 255.255.255.255 On-link 172.19.234.225 271
        192.168.1.0 255.255.255.0 On-link 192.168.1.21 281
        192.168.1.21 255.255.255.255 On-link 192.168.1.21 281
        192.168.1.255 255.255.255.255 On-link 192.168.1.21 281
        224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
        224.0.0.0 240.0.0.0 On-link 192.168.1.21 281
        224.0.0.0 240.0.0.0 On-link 172.19.234.225 271
        255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
        255.255.255.255 255.255.255.255 On-link 192.168.1.21 281
        255.255.255.255 255.255.255.255 On-link 172.19.234.225 271
        ===========================================================================
        Persistent Routes:
        None

        IPv6 Route Table
        ===========================================================================
        Active Routes:
        If Metric Network Destination Gateway
        1 331 ::1/128 On-link
        9 281 fe80::/64 On-link
        20 271 fe80::/64 On-link
        20 271 fe80::21b5:f2b6:2612:10ac/128
        On-link
        9 281 fe80::8080:2035:7c55:9f77/128
        On-link
        1 331 ff00::/8 On-link
        9 281 ff00::/8 On-link
        20 271 ff00::/8 On-link
        ===========================================================================
        Persistent Routes:
        None

      • But IF 9 is not connected to any network, thus I am afraid you cannot define routes using it.

      • Ronald Kevin Burton said:

        You obviously know more about this than I. How do you know that there is no network connected?

        ===========================================================================
        Interface List
        20…a2 15 3d 61 24 8d ……Hyper-V Virtual Ethernet Adapter #2
        9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
        1………………………Software Loopback Interface 1
        ===========================================================================

      • Your IPconfig only shows connections for “Hyper-V Virtual Ethernet Adapter #2” and “Realtek PCIe GBE Family Controller”

      • Ronald Kevin Burton said:

        route:
        ===========================================================================
        Interface List
        10…a2 15 3d a4 7a 82 ……Hyper-V Virtual Ethernet Adapter
        19…00 15 5d 01 15 00 ……Hyper-V Virtual Ethernet Adapter #2
        9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
        1………………………Software Loopback Interface 1
        ===========================================================================

        So IF 9 is the Realtek PCIe GBE Family Controller

        ipconfig

        Ethernet adapter Ethernet:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
        Physical Address. . . . . . . . . : F4-4D-30-EA-6A-A7
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::8080:2035:7c55:9f77%9(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Friday, April 13, 2018 9:47:44 AM
        Lease Expires . . . . . . . . . . : Saturday, April 14, 2018 9:47:44 AM
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DHCPv6 IAID . . . . . . . . . . . : 99896624
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

        So from this I get that ‘route -p add 192.168.1.21 MASK 255.255.255.0 192.168.1.1 METRIC 281 IF 9’ SHOULD work. Right?

      • I am afraid not.
        Firstly I would leave out the -p until working. -p makes it permanent even upon reboot. If you need it you must use route delete to remove. Also if you have just the above ipconfig, you don’t need the interface (IF 9) most often you don’t need it anyway, nor the metric.
        Syntax is: route add subnet MASK subnet_mask interface_IP
        Thus if you wanted to create a route to a specific IP such as a printer 192.168.1.123 (assuming above ipconfig)
        route add 192.168.1.123 MASK 255.255.255.255 192.168.1.21
        Or to route all traffic to a specific subnet
        route add 192.168.1.0 MASK 255.255.255.0 192.168.1.21

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Tag Cloud