VPN for remote share access but not web traffic?

Velvis

I set up a Windows 10 client connecting to a Windows Server 2008 R2 VPN to map a network drive for a remote worker. Works great.

I was hoping to make it so only the mapped drive goes over the VPN, so web browsing is still local to the remote machine.

Still new to VPN usage.

Thanks for any tips or info.
 
It depends on the setup, but typically the VPN is only going to route traffic to the subnet of the VPN on the other end. So if the VPN is a router and the VPN is set to route traffic to LAN1... and that LAN1 has an IP of 192.168.10.0/24, then any requests the remote VPN connection makes on 192.168.1.0/24 will be sent over the VPN.

Easy way to test- do a speed test. If your speed gets chopped way down, and the download roughly matches the upload of the WAN connection of the VPN server... then you can say your traffic for that test is going through the VPN.
 
It definitely is routing all traffic through the VPN, as pulling up Google News displays the news from the area the server is located in. I was trying to figure out how to keep web traffic local and just the shared drive mapping through the VPN, or if it's even possible.
 
Possible depending on the VPN server. Typically it's called "split VPN" or similar. Are you using the built-in server 2008 VPN or a router?

I glanced over your first post mentioning that it's a Windows 10 machine, so I'm guessing this is a client VPN setup. In that case, most VPNs will be tunneling all of the traffic. In my experience, typically when setting up a site-to-site VPN you would not have all of the traffic sent, but just the proper subnets.
 
Go to whatismyip.com or something similar to confirm how the web traffic is being handled. There is a setting in various VPN clients which tells it how to handle traffic. If you are using the built in Windoze client, right click, properties, if I remember correctly. One of the tabs will have that option.
 
@TAPtech and @Markverhyden are on point.

He is looking for Split Tunneling. Internet access via client-side DNS while maintaining VPN connectivity.

Give this a whirl. I typically do this in a Cisco ASA but this works too:

https://www.informaticar.net/?p=1028

Let us know how you make out.
Hi, thanks for the info. Been doing some reading from that page you sent. I think what I need is inverse split tunneling. I don't need network connections to local devices (the remote worker is just a single laptop).

Either way I haven't figured it out. When I uncheck the remote dns I can't access the shared drive.


Sent from my iPhone using Tapatalk
 
It's not a DNS setting, it's a gateway setting. On most "VPN servers" you can control this via the policy (such as VPN appliances/routers)...but on Windows Server, I can't remember (because I stopped doing/exposing Windows Server VPN to the internet after the NT 4 server days...yikes!) where that setting is within RRAS (the service that drives VPN server on a Windows server).

BUT...you can find that setting on the VPN dialer on the client.
Drill into the VPN adapter settings...the props of IP4, advanced tab...you'll see a radio button choice there for yonder gateway or not.
 
It's not a DNS setting, it's a gateway setting. On most "VPN servers" you can control this via the policy (such as VPN appliances/routers)...but on Windows Server, I can't remember (because I stopped doing/exposing Windows Server VPN to the internet after the NT 4 server days...yikes!) where that setting is within RRAS (the service that drives VPN server on a Windows server).

BUT...you can find that setting on the VPN dialer on the client.
Drill into the VPN adapter settings...the props of IP4, advanced tab...you'll see a radio button choice there for yonder gateway or not.

Yes, a gateway setting.

This is why I use a proper network appliance. Sonic walls come cheap for the common SOHO.
 
Hi, thanks for the info. Been doing some reading from that page you sent. I think what I need is inverse split tunneling. I don't need network connections to local devices (the remote worker is just a single laptop).

Either way I haven't figured it out. When I uncheck the remote dns I can't access the shared drive.


Sent from my iPhone using Tapatalk
Make sure you are changing the settings of the VPN adapter and uncheck "Use default gateway on remote network." I would seriously consider getting a proper hardware VPN in place so you aren't exposing the server, as mentioned above.
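The gateway setting described in the two posts above can be applied and verified from PowerShell instead of the adapter's property dialog. The following is an added example, not code from anyone in this thread; it assumes a Windows 10 client whose VPN connection is named "Office VPN", an office LAN of 192.168.10.0/24 and a file server at 192.168.10.5 (all placeholders), and an elevated session. It uses the built-in VpnClient cmdlets (Set-VpnConnection, Add-VpnConnectionRoute) and the standard Get-NetRoute / Test-NetConnection checks.

```powershell
# Added example, not from the thread. Placeholders: connection name, LAN prefix,
# file server address. Run elevated on the Windows 10 client.
$Vpn        = "Office VPN"
$LanPrefix  = "192.168.10.0/24"
$FileServer = "192.168.10.5"

# 1. Clear "Use default gateway on remote network". With split tunneling on,
#    only destinations that have a route via the VPN interface use the tunnel;
#    web browsing keeps using the laptop's local gateway.
Set-VpnConnection -Name $Vpn -SplitTunneling $true

# 2. Add a route for the office LAN. Without it, the share becomes unreachable
#    as soon as the remote gateway is removed, which is the symptom reported
#    earlier in the thread. The route is stored with the connection and
#    installed each time it dials.
Add-VpnConnectionRoute -ConnectionName $Vpn -DestinationPrefix $LanPrefix

# 3. Dial and inspect the routing table.
rasdial $Vpn

# The LAN prefix should show the VPN adapter as its interface...
Get-NetRoute -DestinationPrefix $LanPrefix |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop, RouteMetric

# ...while the default route still belongs to the local NIC (Wi-Fi/Ethernet).
Get-NetRoute -DestinationPrefix "0.0.0.0/0" |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop, RouteMetric

# 4. Confirm SMB (TCP 445) to the file server is reachable and leaves via the tunnel.
$t = Test-NetConnection -ComputerName $FileServer -Port 445
"{0} via {1}: TCP 445 reachable = {2}" -f $FileServer, $t.InterfaceAlias, $t.TcpTestSucceeded
```

One caveat worth checking before blaming the gateway setting: if the remote worker's home router also hands out 192.168.10.0/24 (or whatever the office uses), the two routes collide and the share will fail even with the route installed. Pick an office range that home routers rarely default to.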
 
I found the setting on the client VPN and I have unchecked the default gateway on remote network, but when I do that the shared drive no longer works.

Also as someone who doesn't know much about VPNs, why is using the Windows Server built in VPN less secure than a dedicated appliance?
 
With VPN adapters...you have issues with name resolution to be aware of. Either play with DNS on the VPN dial-up adapter...plug in, say, an internal DNS server as one of them. Or map the drive via IP. Or play with the "poor man's WINS" and do the lmhosts file.

As for security...it's a Windows Server authentication service that is frequently attacked. Versus a hardened linux appliance being the VPN server service. Not to mention, performance wise...a hardware VPN appliance, especially a dedicated VPN appliance, is so much faster.
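The name-resolution options listed above (internal DNS server for office names, or mapping by IP) can be set up from PowerShell as well. This is an added example, not code from the poster; it assumes the VPN is already dialed as "Office VPN", that the office runs an internal DNS server at 192.168.10.2 for the suffix corp.example, and that the share is \\FILESRV\Shared on 192.168.10.5 (all placeholders). The NRPT cmdlets (Add-DnsClientNrptRule) and Resolve-DnsName are part of the built-in DnsClient module.

```powershell
# Added example, not from the thread. Placeholders: connection name, internal
# DNS server, DNS suffix, file server name/address. Run elevated, VPN connected.
$Vpn       = "Office VPN"
$DnsServer = "192.168.10.2"
$Suffix    = "corp.example"
$ServerIp  = "192.168.10.5"

# Option A: send only office names to the office resolver. A Name Resolution
# Policy Table rule scopes $DnsServer to *.corp.example, so every other lookup
# still goes to the home ISP resolver, which keeps web traffic local.
Add-DnsClientNrptRule -Namespace ".$Suffix" -NameServers $DnsServer -Comment "Office VPN names"
Get-DnsClientNrptRule | Select-Object Namespace, NameServers, Comment

# Check that the office name resolves to the expected LAN address through the tunnel.
Resolve-DnsName "filesrv.$Suffix" -Server $DnsServer -Type A |
    Select-Object Name, IPAddress

# Option B: skip name resolution entirely and map by IP address. This works as
# long as the 192.168.10.0/24 route points into the VPN interface.
New-PSDrive -Name S -PSProvider FileSystem -Root "\\$ServerIp\Shared" -Persist -Scope Global
Get-PSDrive -Name S | Select-Object Name, Root

# Cleanup of the NRPT rule when it is no longer wanted:
# Get-DnsClientNrptRule | Where-Object Comment -eq "Office VPN names" | Remove-DnsClientNrptRule -Force
```

If the share needs different credentials from the laptop's local account, add `-Credential (Get-Credential)` to the `New-PSDrive` call. Mapping by IP avoids the DNS problem but hard-codes the server address into the drive mapping, so it needs updating if the server is ever renumbered.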
 
You getting spring weather hitting up your way yet?
I'll be up by Weirs Beach in July! Going up w/family first weekend...driving home Monday morning to work for a couple of days, riding the Harley back up mid week for the remainder of that next weekend.
Oh yes. I have about 300 miles in this season already. I'll be at Weirs at the same time! Hotel booked for Bike Week right on the water. Next week we are seeing 70+. Downside to the weather right now is the melting and basement flooding.
 
Oh yes. I have about 300 miles in this season already. I'll be at Weirs at the same time! Hotel booked for Bike Week right on the water. Next week we are seeing 70+. Downside to the weather right now is the melting and basement flooding.

Not doing bike week...I love New Hamp when there's more room. We'll be up there last week of July.
Used to go up there when I was a baby...could barely walk. My grandfather had a place in Laconia, on the town line with Gilford, right behind Laconia High School.
 
I found the setting on the client VPN and I have unchecked the default gateway on remote network, but when I do that the shared drive no longer works.

I just tested this with a W10 Pro, unchecking remote gateway. I can map a drive via IP no problem. Personally I always use IPs for this type of stuff on the LAN side.
 
Or play with the "poor man's WINS" and do the lmhosts file

I just dug this up last week for a quick fix! Had a two-site setup (w/VPN tunnel) where the remote site had installed a Synology with the same network name as a Synology on the local site - Nope, the network did not like that. No tech available at the second site so I used an lmhosts entry to map to the remote device until we could rename one of the two.
 