FlyerTalk Forums

FlyerTalk Forums (https://www.flyertalk.com/forum/index.php)
-   Travel Technology (https://www.flyertalk.com/forum/travel-technology-169/)
-   -   Selective VPN tunnel? (https://www.flyertalk.com/forum/travel-technology/940455-selective-vpn-tunnel.html)

gfunkdave Apr 6, 2009 9:20 am

Selective VPN tunnel?
 
Right now I use a VPN to connect to our corporate network. I would like to set the VPN to tunnel company data through the VPN tunnel, and everything else through the internet. Is this possible, say through advanced routing table entries or something?

I know I can get a router that supports DD-WRT and set it up to do this with its built in PPTP client, but if there's a free way that would be better.

Ideas? Thanks!

star_world Apr 6, 2009 9:27 am

What sort of VPN does your company use?

soitgoes Apr 6, 2009 9:33 am

Cisco's VPN client (used by many companies) allows for this with the proper profile setting.

gfunkdave Apr 6, 2009 9:43 am

It's just the stock Windows Server VPN. I connect to it with the built in Windows VPN client.

star_world Apr 6, 2009 9:43 am


Originally Posted by soitgoes (Post 11535705)
Cisco's VPN client (used by many companies) allows for this with the proper profile setting.

The key point is that on Cisco VPN it can only be changed by the people controlling the VPN head-end. You can't just add a route or remove a route and influence the VPN in this way. It's highly likely that if the VPN is configured to send all traffic across the tunnel, the company is doing that intentionally to ensure that they can run the traffic through their content filters, URL scanning, etc. as they would if the user was in the office. In this situation it can be very difficult to overcome.

star_world Apr 6, 2009 9:47 am


Originally Posted by gfunkdave (Post 11535759)
It's just the stock Windows Server VPN. I connect to it with the built in Windows VPN client.

In that case it's somewhat easier. Do you have admin rights on your PC? If so, try the following:

1. From a command prompt (start / run / cmd) with the VPN not connected, type "route print". The first line should say 0.0.0.0, subnet mask 0.0.0.0 and the gateway IP will be the IP address of your home router

2. Connect the VPN and repeat the process. You'll see another 0.0.0.0 / 0.0.0.0 line has been added, with a different gateway address. Remember this

Do you know what IP address range your company servers are on? Try typing ping [hostname] for a few of them and see if there is a pattern. Assuming they all start with 10.2.x.x (adapt as necessary), do the following:

At the same command prompt, type "route delete 0.0.0.0 mask 0.0.0.0 [gateway address from step 2]"

Then type "route add 10.2.0.0 mask 255.255.0.0 [gateway address from step 2]"

Now see how it works. A good way to check is to browse to www.whatismyip.com before and after so you can see where your connection is seen as "originating" from.

Feel free to PM me if you need any more advice on this :)

nmenaker Apr 6, 2009 9:48 am

A simple HOSTS file edit would yield this, try a google search on it, or if you can't find it I can try to find a brief on the setup. couple lines in the HOSTS file will do just what you want.

soitgoes Apr 6, 2009 9:49 am


Originally Posted by star_world (Post 11535760)
The key point is that on Cisco VPN it can only be changed by the people controlling the VPN head-end. You can't just add a route or remove a route and influence the VPN in this way.

True. We have two profiles provided to us and we can choose whether to send all traffic or just company-specific traffic through the VPN.

sbm12 Apr 6, 2009 9:52 am

Doing it with a route statement is the complicated way. In the advanced IP settings of the VPN connection check the box to enable split-tunneling. That will force all the corporate traffic across the VPN and everything else stays outside of it.

This is a security risk of sorts so it isn't always advisable, but it is very easy to do.

sbm12 Apr 6, 2009 9:53 am


Originally Posted by nmenaker (Post 11535790)
A simple HOSTS file edit would yield this, try a google search on it, or if you can't find it I can try to find a brief on the setup. couple lines in the HOSTS file will do just what you want.

How would a hosts file solve this? It would only affect name resolution, not the path the data traffic follows to get to that host.

star_world Apr 6, 2009 9:58 am


Originally Posted by sbm12 (Post 11535820)
Doing it with a route statement is the complicated way. In the advanced IP settings of the VPN connection check the box to enable split-tunneling. That will force all the corporate traffic across the VPN and everything else stays outside of it.

This is a security risk of sorts so it isn't always advisable, but it is very easy to do.

Interesting - hadn't tried the option before. So what route does it then advertise across the VPN - just the subnet that the VPN head-end is on?

star_world Apr 6, 2009 9:59 am


Originally Posted by sbm12 (Post 11535831)
How would a hosts file solve this? It would only affect name resolution, not the path the data traffic follows to get to that host.

Agreed. I can't see how this would work.

gfunkdave Apr 6, 2009 9:59 am

Ah yes, I thought I'd be using the trusty route add command.

Each of our locations has a different subnet on the 192.168.x.x scheme. The one I connect to is 192.168.134.0. I'm quite happy to just make a blanket route for all 192.168.0.0/16 addresses to go through VPN. The only thing is that our router here (a Linksys home router) allocates IPs on the 192.168.1.0/24 network. How do I add that route properly?

gfunkdave Apr 6, 2009 10:00 am


Originally Posted by nmenaker (Post 11535790)
A simple HOSTS file edit would yield this, try a google search on it, or if you can't find it I can try to find a brief on the setup. couple lines in the HOSTS file will do just what you want.

How would editing the hosts file help? Doesn't that just do IP pre-lookups?

star_world Apr 6, 2009 10:03 am


Originally Posted by gfunkdave (Post 11535868)
Ah yes, I thought I'd be using the trusty route add command.

Each of our locations has a different subnet on the 192.168.x.x scheme. The one I connect to is 192.168.134.0. I'm quite happy to just make a blanket route for all 192.168.0.0/16 addresses to go through VPN. The only thing is that our router here (a Linksys home router) allocates IPs on the 192.168.1.0/24 network. How do I add that route properly?

If you add a route for 192.168.1.0/24 that points at the default gateway (192.168.1.1?) in addition to the 192.168.0.0/16 route, then this will be seen as a more specific route and should still work. Alternatively you could change it to 10.x.x.x to make things even easier.
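The route-table procedure star_world gives above (run `route print` before and after connecting, delete the default route the VPN added, add a route for the corporate prefix via the VPN gateway) and the follow-up question about a home 192.168.1.0/24 sitting inside a blanket 192.168.0.0/16 route, worked through as an added example that is not part of the thread. The two `route print` snapshots are constructed; the home gateway 192.168.1.1, the PC's LAN address 192.168.1.100 and the VPN-assigned address 192.168.134.200 (which an XP/Vista-era client shows as the gateway of the route it installs) are assumptions. The script finds the VPN's default route by diffing the snapshots, emits the `route` commands, then simulates them against the table with the same longest-prefix, lowest-metric rule Windows uses so you can see where each destination goes before touching the real table.

```python
"""Plan a split tunnel from two Windows `route print` snapshots.

Added example, not code from the FlyerTalk thread. The route output below is
constructed; addresses and the VPN gateway value are assumptions.
"""
import ipaddress
import re

# Constructed `route print` output, VPN disconnected (home LAN only).
ROUTE_PRINT_BEFORE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    281
===========================================================================
"""

# Constructed output after connecting: the client added a second default
# route with a lower metric, so *all* traffic now prefers the tunnel.
ROUTE_PRINT_AFTER = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
          0.0.0.0          0.0.0.0  192.168.134.200  192.168.134.200      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    281
===========================================================================
"""

# destination, netmask, gateway (dotted quad or "On-link"), interface, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return [(network, gateway, interface, metric)] from `route print` text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:  # headers, separators, IPv6 section, persistent routes
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def vpn_default_gateway(before, after):
    """Gateway of the default route that appeared after connecting (step 2)."""
    old = {r[1] for r in parse_routes(before) if r[0].prefixlen == 0}
    new = [r[1] for r in parse_routes(after)
           if r[0].prefixlen == 0 and r[1] not in old]
    if len(new) != 1:
        raise ValueError(f"expected exactly one new default route, got {new}")
    return new[0]


def split_tunnel_commands(before, after, corp_nets):
    """The `route` commands that send only corp_nets through the VPN."""
    vpn_gw = vpn_default_gateway(before, after)
    cmds = [f"route delete 0.0.0.0 mask 0.0.0.0 {vpn_gw}"]
    for net in corp_nets:
        n = ipaddress.ip_network(net)
        cmds.append(f"route add {n.network_address} mask {n.netmask} {vpn_gw}")
    return cmds


def apply_commands(routes, cmds):
    """Simulate `route delete` / `route add` against a parsed table."""
    table = list(routes)
    for cmd in cmds:
        p = cmd.split()  # route <verb> <dest> mask <mask> <gateway>
        net = ipaddress.ip_network(f"{p[2]}/{p[4]}", strict=False)
        gw = p[5]
        if p[1] == "delete":
            table = [r for r in table if not (r[0] == net and r[1] == gw)]
        else:
            table.append((net, gw, gw, 1))
    return table


def next_hop(table, ip):
    """Longest prefix wins, lowest metric breaks ties; On-link means direct."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    net, gw, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface if gw == "On-link" else gw


if __name__ == "__main__":
    cmds = split_tunnel_commands(ROUTE_PRINT_BEFORE, ROUTE_PRINT_AFTER,
                                 ["192.168.0.0/16"])
    print("\n".join(cmds))
    table = apply_commands(parse_routes(ROUTE_PRINT_AFTER), cmds)
    for dst in ("8.8.8.8", "192.168.134.10", "192.168.1.5"):
        print(dst, "->", next_hop(table, dst))
```

Two things worth knowing before doing this for real. The home LAN's own 192.168.1.0/24 On-link route is already more specific than the blanket /16, so local traffic stays off the tunnel without the extra route mentioned above (adding it is harmless). And the `route delete` only lasts until the next reconnect, because the client re-installs its default route each time; the persistent equivalent is clearing "Use default gateway on remote network" under the VPN connection's IPv4 advanced properties. Either way the host is then bridging the home LAN and the corporate network, and its internet traffic no longer passes the office filters, which is the risk sbm12 refers to.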

