Access local and VPN network Simultaneously
There are constantly questions in various forums; “how do I maintain internet access through my local router while connected to a VPN”, or “ how do I access my local TCP/IP printer while connected to a VPN”. It is pretty basic but for those that don’t understand I thought I would address this in a blog so that in future I can just provide a pointer.
There is a security feature in almost all VPN configurations that blocks all local network connections while connected to the corporate network, via a VPN. This is to provide some degree of security by preventing someone with malicious intent from reaching the corporate server using your PC/Laptop as a stepping stone. It basically isolates your device from the world around you so that Johnny playing video games in the next room cannot route traffic through your PC to the corporate site. Or, consider an Internet Cafe’ where you are on the same local network as total strangers. Either through the shared Wi-Fi connection, or even an “Ad Hoc” wireless connection, the person at the next table could conceivably route packets through your wireless device directly to head office. Granted, there are many security features in place, or at least there should be, such as firewalls and NTFS security permissions to protect your corporate data, similar to the security corridor from the 60’s & 70’s TV show Get Smart, but the more of these doors left open, the easier it is for hackers. Everything can be hacked. If you don’t believe me have a look at the following Ted Talks video by Avi Rubin; “All your devices can be hacked”.
In order to simultaneously access the local and remote VPN network you need to enable a feature called split-tunneling. Due the security reasons outlined above, I do not recommend enabling this, however in some cases it is necessary or perhaps you just wanted to know why. If you have an Enterprise VPN solution such as Cisco, Watchguard, Sonicwall, or others, as an end user cannot enable split-tunneling. It is managed by the VPN appliance and will require the administrator to configure and enable if they see a need to do so. However if you are using a Windows VPN client you can edit the configuration to allow split-tunneling. To do so open Control Panel, select Network and Sharing Center, and then choose “Change Adapter Settings”. This will work on XP and earlier clients as well but the path to the adapters is slightly different. Locate the VPN/PPP adapter, right click on it and choose properties. In the resulting window select Networking, highlight Internet Protocol Version 4 (TCP/IPv4) and click properties, click Advanced, and in the resulting window un-check “Use Default Gateway on remote network. When checked, its default state, it forces all traffic through the remote site. Un-checking allows access to the local network and gateway.
Again remember this is a security feature and should not be reconfigured unless necessary and you are aware of the risks.