There are constantly questions in various forums: “how do I maintain internet access through my local router while connected to a VPN”, or “how do I access my local TCP/IP printer while connected to a VPN”. It is pretty basic, but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.
There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network, via a VPN. This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/Laptop as a stepping stone. It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site. Or, consider an Internet Cafe’ where you are on the same local network as total strangers. Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office. Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers. Everything can be hacked. If you don’t believe me have a look at the following Ted Talks video by Avi Rubin; “All your devices can be hacked”.
In order to simultaneously access the local and remote VPN network you need to enable a feature called split-tunneling. Due to the security reasons outlined above, I do not recommend enabling this; however, in some cases it is necessary, or perhaps you just wanted to know why. If you have an Enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, as an end user you cannot enable split-tunneling. It is managed by the VPN appliance and will require the administrator to configure and enable it if they see a need to do so. However, if you are using a Windows VPN client you can edit the configuration to allow split-tunneling. To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings”. This will work on XP and earlier clients as well, but the path to the adapters is slightly different. Locate the VPN/PPP adapter, right click on it and choose Properties. In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties, click Advanced, and in the resulting window un-check “Use Default Gateway on remote network”. When checked, its default state, it forces all traffic through the remote site. Un-checking allows access to the local network and gateway.
Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.
Comments on: "Access local and VPN network Simultaneously" (29)
Hi to everybody, it’s my first time paying a quick visit to this weblog; this blog contains remarkable and really good data for visitors.
You don’t need to use split tunneling to enable access to local devices, you just need to add the local devices to the windows routing tables so that it knows to access them when the VPN is active.
See the windows “route” command – E.G. route -p add <destination> MASK 255.0.0.0 <gateway> METRIC <metric> IF <interface>
To help discover what you need to use, disconnect from your VPN, make sure you can connect to your local device, then run a “route print” show the current active routes and find your device. (generally in the IPv4 Route Table)
It will also list the ‘Metric’ to use, and at the top of the listing is the “Interface List” which lists the network interfaces on your system. You’ll need to figure out which one to use. For example, I know my system has a gigabit network adapter and in the list I see a “Intel(R) Gigabit Network Connection” – bingo – that’s it. The first column is the interface id, 49 in my case.
The “-p” option makes your configuration persistent – meaning that it will be there again next time you boot.
SO, as an example, let’s say I want a local network share at 192.168.1.43 to be accessible to my machine while connected to the VPN, so I would add the route like so:
route -p add 192.168.1.43 MASK 255.0.0.0 192.168.1.1 METRIC 15 IF 49
Now if I run route print, I see this new route in the list of persistent routes for IPv4.
I turn my VPN back on, and instead of the device ‘disappearing’ as it normally does, windows can still find it because it is in the persistent route list.
Good points Blair and I agree. Changing the default gateway option is much simpler for most users, though your method would be more secure as it restricts access to specific IPs. If wanting to use the local connection for Internet, the default gateway is probably the better option, and neither method works if you have a proper VPN client such as a Cisco.
Thanks for the comments.
Guys, I’m computer illiterate so I need to ask a couple questions. When you refer to Network interface in these instructions, do I use the shared router I’m connected to or the one that shows up for VPN service? When I connect to my VPN it shows I’m currently connected to 2 networks (the network for the hotel I’m staying in plus the “Unidentified network – No internet connection”) which only appears when I have the VPN on. The weird part of this whole ordeal is that when I use my browser the VPN still works even though it says no internet connection. The issue I’m having is when I launch a shortcut (My Poker Server), it blocks it. Can you help? It was working fine until yesterday and now I get a blocked URL message. I’m in Saudi Arabia. Everything gets blocked.
Hi Troy. Network interface in that article refers to the network adapter on the local computer. I am afraid I cannot be certain as I do not know your configuration, but if you have two network connections, “no internet connection” may mean you cannot access the Internet or resolve Internet names with one connection, probably the one that connects to the corporate network or server. It may also indicate the presence of a proxy server that filters all traffic before reaching the Internet. If it is a blocked URL I cannot help. Many companies and countries block specific sites or types of sites, most often for your protection. To assist with bypassing this would be a disservice to the service provider.
Hi D Blair Elzinga,
I wonder why we have to use this big mask 255.0.0.0 instead of using a proper mask for our local network? It’s because no public IP begins with 192? When you connect to another network with subnet 192.168.2.0/24 and you have 192.168.1.0/24 you won’t be able to send traffic to VPN hosts because routing table will send them to your local gateway
You do not have to use a 255.0.0.0 mask. Use the appropriate mask for your network such as 255.255.255.0, as you suggested, to avoid subnet overlap.
route added and pinging working but not able to access network resources
If you can ping but not access resources it is likely the Windows firewall, or you are using the same subnet at local and remote sites, such as both using 192.168.1.x. VPNs require different subnets. When file and print sharing is enabled it creates a firewall exception to allow access from the local domain/subnet. You may have to edit the firewall to allow the other subnet or set it to all.
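The following is an added example, not code from the post or its comments. It serves Blair’s `route` comment above, the question about the 255.0.0.0 mask, and the “(Destination & Mask) != Destination” error reported further down the thread. It models how Windows selects a route (longest matching prefix, then lowest metric) and checks a candidate `route add` before it is typed. The route tables, the printer address and the VPN addresses are all constructed, loosely modelled on the `route print` output posted in the comments; note that the pure routing model below does not cover enterprise clients such as the Cisco one, which enforce local isolation inside the client itself.

```python
"""Model Windows route selection and vet a `route add` before running it.

Added example for this thread; the tables and addresses are constructed,
not taken from any poster's machine."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    network: IPv4Net
    gateway: str      # "On-link" or a next-hop address
    interface: str    # address of the local interface the route uses
    metric: int


def parse_route_table(text: str) -> list[Route]:
    """Parse the 'Active Routes' columns of `route print`:
    destination netmask gateway interface metric."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append(Route(IPv4Net(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes


# Constructed LAN table: home router 192.168.1.1, this PC is 192.168.1.23.
LAN_TABLE = """
0.0.0.0         0.0.0.0         192.168.1.1 192.168.1.23 40
127.0.0.0       255.0.0.0       On-link     127.0.0.1    331
192.168.1.0     255.255.255.0   On-link     192.168.1.23 296
192.168.1.23    255.255.255.255 On-link     192.168.1.23 296
224.0.0.0       240.0.0.0       On-link     192.168.1.23 296
255.255.255.255 255.255.255.255 On-link     192.168.1.23 296
"""

# Constructed routes a VPN client adds with "Use default gateway on remote
# network": a better-metric default route through the tunnel (10.8.0.x).
VPN_TABLE = """
0.0.0.0  0.0.0.0       10.8.0.1 10.8.0.2 5
10.8.0.0 255.255.255.0 On-link  10.8.0.2 261
"""

PRINTER = "192.168.10.50"     # constructed: a second LAN behind the home router
CORP_SERVER = "192.168.2.10"  # constructed: a host on the corporate network


def lookup(routes: list[Route], dst: str) -> Route:
    """Windows picks the longest matching prefix; ties go to the lowest metric."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.network]
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: list[Route], dst: str) -> str:
    """Gateway the packet is handed to, or the interface when it is on-link."""
    r = lookup(routes, dst)
    return r.interface if r.gateway == "On-link" else r.gateway


def validate_route_add(dest: str, mask: str) -> str | None:
    """None if `route add DEST MASK MASK ...` is accepted, else the reason."""
    d = int(ipaddress.IPv4Address(dest))
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    if inv & (inv + 1):              # mask must be contiguous ones then zeros
        return "invalid netmask"
    if (d & m) != d:                 # the check quoted in route's own help text
        return "(Destination & Mask) != Destination"
    return None


def subnets_overlap(local: str, remote: str) -> bool:
    """True when the local and VPN subnets collide (ping works, shares don't)."""
    return IPv4Net(local).overlaps(IPv4Net(remote))


def demo() -> tuple[str, str, str, str]:
    lan = parse_route_table(LAN_TABLE)
    tunnelled = lan + parse_route_table(VPN_TABLE)
    # With the tunnel up, the printer behind the home router is sent into the VPN.
    before = next_hop(tunnelled, PRINTER)                                   # 10.8.0.1
    # A host route for the printer via the home router brings it back...
    fixed = tunnelled + [Route(IPv4Net(f"{PRINTER}/32"), "192.168.1.1", "192.168.1.23", 15)]
    after = next_hop(fixed, PRINTER)                                        # 192.168.1.1
    corp_after = next_hop(fixed, CORP_SERVER)                               # still 10.8.0.1
    # ...whereas a 192.0.0.0/8 route via the home router also steals VPN hosts.
    wide = tunnelled + [Route(IPv4Net("192.0.0.0/8"), "192.168.1.1", "192.168.1.23", 15)]
    corp_wide = next_hop(wide, CORP_SERVER)                                 # 192.168.1.1
    return before, after, corp_after, corp_wide


if __name__ == "__main__":
    print(demo())
    print(validate_route_add("192.168.1.43", "255.0.0.0"))
```

`validate_route_add` applies the same two rules the `route` command does: the mask must be a contiguous run of ones, and the destination must already be masked. A host address with a /8 mask fails the second rule, while a /32 host route or a properly masked subnet passes; `subnets_overlap` flags the identical-subnet situation described above, which no route entry can repair.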
You’ve ended my 4 day long hunt!
God Bless you man. Have a nice day. Bye
Thank you, I use a VPN just to access youtube without bandwidth restriction (war between google and my ISP) so privacy is not really an issue, this works like a charm!
“and neither method woks if you have a proper VPN client such as a Cisco.”… So what does one do in that case. I need internet access through my local gateway while running a VPN.
A “proper VPN” does not allow users to open security holes. In the case of a Cisco VPN only the VPN administrator can create a policy allowing “split tunneling”. You can do nothing from the client end. Sorry.
So there’s no hope for the Cisco VPN users sadly.
I use my work laptop at home through Cisco VPN and would like to access files on my Desktop through the network, thus far I have not found any solutions.
Thanks for the article nevertheless, very good info!
You need your system admin to configure split tunneling. You cannot do so, as you acknowledged. Unlikely they would be willing to do this as it increases risks to the corporate network. Thanks Adr.
Good day! I could have sworn I’ve been to this site before but after looking at some of the posts I realized it’s new to me. Anyways, I’m certainly delighted I discovered it and I’ll be book-marking it and checking back often!
Looks like another site has ripped off your article:
Afraid it is far too common.
I am having a hard time picking the device for D Blair Elzinga’s solution. I have a route print that looks like:
===========================================================================
Interface List
5…02 50 41 00 00 01 ……PANGP Virtual Ethernet Adapter
7…3c 97 0e a7 7d 33 ……Intel(R) 82579LM Gigabit Network Connection
9…6c 88 14 af 1e 25 ……Microsoft Wi-Fi Direct Virtual Adapter
14…6c 88 14 af 1e 24 ……Intel(R) Centrino(R) Advanced-N 6205
2…b8 76 3f ae b5 97 ……Bluetooth Device (Personal Area Network)
1………………………Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.23 40
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.1.0 255.255.255.0 On-link 192.168.1.23 296
192.168.1.23 255.255.255.255 On-link 192.168.1.23 296
192.168.1.255 255.255.255.255 On-link 192.168.1.23 296
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.23 296
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.23 296
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
1 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
I would like to use interface 9 (Wi-Fi) but I keep getting an error that the mask I specify is incorrect
…..
Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.
…..
What am I missing?
It should probably look like:
route add 192.168.1.0 mask 255.255.255.0 192.168.1.1 IF 9
It may work OK without the interface variable
route add 192.168.1.0 mask 255.255.255.0 192.168.1.1
Sorry that results in the same usage output with an error about the MASK.
Could you post an ipconfig /all from the problematic PC, without the VPN connected, and one with. Please leave the actual IPs unless any are public IPs, but they shouldn’t be.
My computer crashed. Here is ipconfig for its replacement (doesn’t have Wi-Fi)
Windows IP Configuration
Host Name . . . . . . . . . . . . : BSOFT
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter vEthernet (Default Switch):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
Physical Address. . . . . . . . . : A2-15-3D-61-24-8D
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::21b5:f2b6:2612:10ac%20(Preferred)
IPv4 Address. . . . . . . . . . . : 172.19.234.225(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 335549789
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : F4-4D-30-EA-6A-A7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8080:2035:7c55:9f77%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, April 11, 2018 6:24:39 PM
Lease Expires . . . . . . . . . . : Thursday, April 12, 2018 6:24:36 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 99896624
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
I still would like to connect via IF 9
===========================================================================
Interface List
20…a2 15 3d 61 24 8d ……Hyper-V Virtual Ethernet Adapter #2
9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
1………………………Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.21 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.19.234.224 255.255.255.240 On-link 172.19.234.225 271
172.19.234.225 255.255.255.255 On-link 172.19.234.225 271
172.19.234.239 255.255.255.255 On-link 172.19.234.225 271
192.168.1.0 255.255.255.0 On-link 192.168.1.21 281
192.168.1.21 255.255.255.255 On-link 192.168.1.21 281
192.168.1.255 255.255.255.255 On-link 192.168.1.21 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.21 281
224.0.0.0 240.0.0.0 On-link 172.19.234.225 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.21 281
255.255.255.255 255.255.255.255 On-link 172.19.234.225 271
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
9 281 fe80::/64 On-link
20 271 fe80::/64 On-link
20 271 fe80::21b5:f2b6:2612:10ac/128 On-link
9 281 fe80::8080:2035:7c55:9f77/128 On-link
1 331 ff00::/8 On-link
9 281 ff00::/8 On-link
20 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
But IF 9 is not connected to any network, thus I am afraid you cannot define routes using it.
You obviously know more about this than I. How do you know that there is no network connected?
===========================================================================
Interface List
20…a2 15 3d 61 24 8d ……Hyper-V Virtual Ethernet Adapter #2
9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
1………………………Software Loopback Interface 1
===========================================================================
Your IPconfig only shows connections for “Hyper-V Virtual Ethernet Adapter #2” and “Realtek PCIe GBE Family Controller”
route:
===========================================================================
Interface List
10…a2 15 3d a4 7a 82 ……Hyper-V Virtual Ethernet Adapter
19…00 15 5d 01 15 00 ……Hyper-V Virtual Ethernet Adapter #2
9…f4 4d 30 ea 6a a7 ……Realtek PCIe GBE Family Controller
1………………………Software Loopback Interface 1
===========================================================================
So IF 9 is the Realtek PCIe GBE Family Controller
ipconfig
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : F4-4D-30-EA-6A-A7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::8080:2035:7c55:9f77%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, April 13, 2018 9:47:44 AM
Lease Expires . . . . . . . . . . : Saturday, April 14, 2018 9:47:44 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 99896624
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-4C-71-91-F4-4D-30-EA-6A-A7
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
So from this I get that ‘route -p add 192.168.1.21 MASK 255.255.255.0 192.168.1.1 METRIC 281 IF 9’ SHOULD work. Right?
I am afraid not.
Firstly, I would leave out the -p until it is working. -p makes it permanent, even upon reboot; if you need to remove it you must use route delete. Also, if you have just the above ipconfig, you don’t need the interface (IF 9); most often you don’t need it anyway, nor the metric.
Syntax is: route add subnet MASK subnet_mask interface_IP
Thus if you wanted to create a route to a specific IP such as a printer 192.168.1.123 (assuming above ipconfig)
route add 192.168.1.123 MASK 255.255.255.255 192.168.1.21
Or to route all traffic to a specific subnet
route add 192.168.1.0 MASK 255.255.255.0 192.168.1.21
Thank you so much for this post. it helps me to fix my problem. many Thanks