1

Consider the following PowerShell command:

Add-VpnConnectionRoute -ConnectionName "SomeConnection" -DestinationPrefix 10.0.0.0/16 -AllUserConnection

After executing this command, whenever the VPN SomeConnection is connected to, Windows will automatically add an IP route for 10.0.0.0/16, and will automatically remove the route upon disconnection.

I'm seeking some insight into how this works, and I would like to find out where this information is saved in Windows. In other words, where does Windows store the instruction that "When connecting to VPN SomeConnection, add a route for 10.0.0.0/16"?

Opening up the system phonebook in Notepad (C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk) I see lots of settings, but nowhere is the text 10.0.0.0. So it doesn't appear to be stored in there with the rest of the settings. This means it's either in some other system file, or somewhere in the registry.

Anyone know where that might be?

Keith Stein

2 Answers

3

Did some playing around with this earlier with the PowerShell command "Add-VpnConnectionRoute" and looking at the changes to the rasphone.pbk file. I managed to discover that each route entry is 72 hex characters in length whether it's IPv4 or IPv6. Each line is no longer than 136 characters (including the "Route=") and they are wrapped together:

172.16.0.0/12
NumRoutes=1
Routes=01000000020000000C000000AC1000000000000000000000000000000000000000000000

172.16.0.0/12 & 192.168.0.0/16
NumRoutes=2
Routes=01000000020000000C000000AC1000000000000000000000000000000000000000000000010000000200000010000000C0A80000000000000000000000000000
Routes=0000000000000000

172.16.0.0/12, 192.168.0.0/16 & 10.0.0.0/8
NumRoutes=3
Routes=01000000020000000C000000AC1000000000000000000000000000000000000000000000010000000200000010000000C0A80000000000000000000000000000
Routes=00000000000000000100000002000000080000000A0000000000000000000000000000000000000000000000


2001:2001:2001:2001::/64
NumRoutes=1
Routes=010000001700000040000000200120012001200100000000000000000000000000000000


  Ver?     IPv4   prefix ln address
01000000 02000000 0C000000 AC100000 0000000000000000000000000000000000000000 = 172.16.0.0/12
01000000 02000000 10000000 C0A80000 0000000000000000000000000000000000000000 = 192.168.0.0/16
01000000 02000000 08000000 0A000000 0000000000000000000000000000000000000000 = 10.0.0.0/8

  Ver?     IPv6   prefix ln address
01000000 17000000 40000000 20012001200120010000000000000000 0000000000000000 = 2001:2001:2001:2001::/64

I push the VPN settings out via a GPO preference along with an .ini file update to set "DisableIKENameEkuCheck", "IpNBTFlags" & (currently) "IpPrioritizeRemote" in the rasphone.pbk file. I'd like to disable "Use default gateway on remote network" and add static routes for split tunnelling.

Andy B
2

They are in the pbk file.

NumRoutes stores the number of routes, and Routes represents the routes data; however, this is not documented to my knowledge, so it can change at any time.

From a pbk file:

[...]
NumRoutes=1
Routes=0A00000002000000180000000A0006000000000000000000000000000000000000000000
[...]
Swisstone
  • Any idea what format that data is in? – Keith Stein Jan 27 '21 at 16:07
  • 1
    I added a second route and NumRoutes is now `2`. I don't know why you want to look in the file because the best way to retrieve routes is to use supported APIs, for example with this PowerShell command: `(Get-VpnConnection -Name Test -AllUserConnection).Routes` – Swisstone Jan 27 '21 at 17:45
  • You are right, I must have made a mistake, I deleted my old comment as it was incorrect. I'm aware of that API, but I'm interested in how the data is stored. Each route seems to be stored in a string of 74 characters, any idea what format that is or how to read it? – Keith Stein Jan 27 '21 at 18:18
  • No, I've not reverse engineered the format. – Swisstone Jan 27 '21 at 20:09
  • If anyone else is wondering about the format, it seems to be a bunch of hex numbers squished together, with two hex characters for each octet. Adding a route for `10.11.12.13/32` produces `0100000002000000200000000A0B0C0D0000000000000000000000000000000000000000`. The substring `0A0B0C0D` is `10111213` translated into hex (each octet individually, not as a whole number). And the `20` before that is `32` (the mask) in hex. The other portions are presumably other parts of the route, like the metric. But this is as much as I need to know. – Keith Stein Jan 27 '21 at 20:24
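
The record layout worked out in the answers and comments above, written as a parser for offline inspection of a copied rasphone.pbk (an added example, not code from any poster or from Microsoft). It assumes each route is 36 bytes: three little-endian 32-bit fields (an unidentified first field, the address family, the prefix length), a 16-byte address slot and 8 trailing bytes of unknown meaning; `parse_routes` and the other names are made up here.

```python
import ipaddress
import struct

RECORD_LEN = 36            # 72 hex characters per route, as observed above
AF_INET, AF_INET6 = 2, 23  # Windows address-family values (0x02, 0x17)

def parse_routes(pbk_lines):
    """Decode the NumRoutes/Routes lines of one phonebook entry.

    Returns a list of (first_field, network); first_field is the leading
    DWORD whose meaning is unknown ("Ver?" in the answer above).
    """
    num_routes, hex_data = 0, ""
    for line in pbk_lines:
        key, _, value = line.strip().partition("=")
        if key == "NumRoutes":
            num_routes = int(value)
        elif key == "Routes":
            hex_data += value  # long values continue on further Routes= lines
    raw = bytes.fromhex(hex_data)
    if len(raw) != num_routes * RECORD_LEN:
        raise ValueError(f"expected {num_routes} records, got {len(raw)} bytes")
    routes = []
    for off in range(0, len(raw), RECORD_LEN):
        # Assumption: three little-endian 32-bit fields, then a 16-byte address slot.
        first_field, family, prefix_len = struct.unpack_from("<III", raw, off)
        addr = raw[off + 12:off + 28]
        if family == AF_INET:
            ip = ipaddress.IPv4Address(addr[:4])
        elif family == AF_INET6:
            ip = ipaddress.IPv6Address(addr)
        else:
            raise ValueError(f"unknown address family {family}")
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        routes.append((first_field, net))
    return routes

# Sample rebuilt from the three-route entry quoted above; the zero padding is
# generated so every record is exactly 72 hex characters, then wrapped at 128.
PAD = "00" * 20
BLOB = ("01000000" "02000000" "0C000000" "AC100000" + PAD +
        "01000000" "02000000" "10000000" "C0A80000" + PAD +
        "01000000" "02000000" "08000000" "0A000000" + PAD)
SAMPLE = ["NumRoutes=3", "Routes=" + BLOB[:128], "Routes=" + BLOB[128:]]

if __name__ == "__main__":
    for first_field, network in parse_routes(SAMPLE):
        print(first_field, network)
```

Because the layout is undocumented, the parser rejects any entry whose data length or address family does not match these observations instead of guessing.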