Need Help with VPN Configuration + allow internet for VPN user

Prem4441

Apr 15, 2014
I have just set up a TP-Link VPN router with Comcast cable. The VPN is for outside users to connect to the network resources over a PPTP VPN connection using their Windows VPN client.

Here is my issue. There is a setting in the VPN router that allows enabling / disabling VPN client access to the Internet. In other words, if a client is connected successfully to the VPN and the setting is enabled, it will allow the client to browse the internet through the VPN, hence using the LAN's internet bandwidth, which can bog down the network.

On the other hand, if I disable it, then the client is only connected to the VPN & LAN and has no internet connection.
As I searched online, I found there was a flag in the Windows VPN client (Use Remote Gateway), and unchecking it would take care of the issue. Sure enough, unchecking it gives the user their local internet connection and allows them to connect to the VPN; however, the user is unable to access any remote LAN resource, nor is he able to ping anything.

I am sure there must be some way to leave that flag unchecked (Use Remote Gateway) and perhaps add a static route or something, either on the router or the VPN client, that will allow the VPN user to connect to the VPN but at the same time maintain an internet connection (not at the cost of the remote LAN).
 
It depends on the VPN; sometimes the VPN itself can set these options, and it is called split tunnel. Many times you can get it to install a list of routes that go into the tunnel. Most of the time you disable split tunnel for security reasons when you cannot trust the machine connecting, since someone could bypass any firewall rules and leave the internal network completely exposed. Split tunnel is disabled most of the time by default, but I don't know about PPTP since I do not use it, as it is not considered a secure form of VPN.

To do this on the client side, it depends what IP you are being assigned by the VPN and what the IP of the remote LAN is. If the VPN assigns you an IP out of the remote LAN space, that should just work. If not, then you need to put in static routes.

ROUTE PRINT should give you a good idea of what routes are being sent where. For most VPNs you can just do a route add for the subnet.

If split tunnel is not allowed, pretty much any messing with the route command will disconnect the VPN.
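As an added worked example (not from either poster), here is the client-side version of what the reply describes, done with the VPN cmdlets built into Windows 8.1 / Server 2012 R2 and later: the gateway flag is turned off and a route for the remote LAN is pinned to the connection so the user keeps local internet while still reaching LAN resources. The connection name OfficeVPN and the remote LAN 192.168.10.0/24 are constructed placeholders, and the PPTP connection is assumed to already exist in the Windows phonebook.

```powershell
# Added example, not from the original thread.
# Constructed placeholders: replace with the real connection name and the
# LAN subnet behind the TP-Link router.
$ConnName  = 'OfficeVPN'
$RemoteLan = '192.168.10.0/24'

# 1. Turn off "Use default gateway on remote network" (the "Use Remote Gateway"
#    flag the original poster unchecked in the GUI). With it off, 0.0.0.0/0
#    stays on the local gateway, so the LAN's internet bandwidth is not used.
Set-VpnConnection -Name $ConnName -SplitTunneling $true

# 2. Pin a route for the remote LAN to the VPN connection. Windows installs it
#    each time the tunnel comes up and drops it when the tunnel goes down, so
#    it survives reconnects (unlike a one-off "route add").
Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $RemoteLan -PassThru

# 3. Connect (uses saved credentials; otherwise append user and password
#    as extra arguments) and verify the routing table.
rasdial $ConnName

# Expected after connecting: the remote LAN prefix points at the PPP/VPN
# interface, while 0.0.0.0/0 still points at the local (home) gateway.
Get-NetRoute -DestinationPrefix $RemoteLan, '0.0.0.0/0' |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# Fallback for clients without the VpnClient cmdlets: uncheck the gateway
# flag in the adapter's TCP/IPv4 Advanced settings, connect, then read the
# PPP adapter's interface index and assigned address from ROUTE PRINT and add
# the route by hand (it is lost when the tunnel drops):
#   route add 192.168.10.0 mask 255.255.255.0 <vpn-assigned-ip> if <ppp-if-index>
```

If the router has its VPN-to-Internet setting disabled as the original poster intends, the verification step should show LAN hosts reachable through the tunnel and ordinary web traffic leaving via the local gateway.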