
Well this is the dilemma, I want remote clients to connect to my network and only route local access through the VPN. This is split tunneling, the client uses its internet connection for all other internet requests and the VPN tunnel to my network for local requests.

There are a couple of issues that arise: split tunneling in Windows is achieved by unticking an option which reads "Use default gateway on remote network" in the TCP/IP settings of the client VPN connection. At any point the user can tick it and route all his internet traffic through my network, eating away at my bandwidth and being cloaked by my IP address. This is unacceptable.

Issue number 2 is that if the client is split tunneling, he becomes a gateway between the internet and my network; this is also unacceptable.

My questions are: how does one achieve split tunneling server-side? And is the latter issue a valid con worthy of worry?

Any thoughts would be appreciated!

Theveloper

1 Answer


There are several things you can do to prevent this. The first, and probably the easiest, would be to just set firewall rules on your VPN server to disallow any traffic that's not destined for your local subnets. With those rules in place, any "internet-bound" traffic will just get dropped.

If you don't have the option to make firewall changes, then you can configure your outside NAT box to just refuse to perform its NAT duties for your VPN client subnet.

Regarding "Issue Number 2": how exactly will the client "become a gateway between the internet and your network"? Routing rules would need to be put in place for that to happen.

EEAA
  • My configuration is both VPN and NAT (RRAS) are hosted on the same Windows Server 2008 R2 server, can this be achieved on a per user / user group basis? I want admins to have full routing access. – Theveloper Mar 22 '12 at 03:57
  • You should still be able to create the necessary firewall rules in that situation. – EEAA Mar 22 '12 at 03:57
  • Is the user/group segmentation possible? Sorry, I'm new to the whole spiel :) – Theveloper Mar 22 '12 at 03:58
  • Which user/group segmentation? You don't mention anything about that in your question. – EEAA Mar 22 '12 at 03:59
  • I edited my first reply the same time you answered. I want admins to be able to choose whether they want to split tunnel or not. In other words enforce split tunneling on regular clients and keep functionality of routing for elevated users. – Theveloper Mar 22 '12 at 04:01
  • Oh, I have no idea. I know nothing about the advanced capabilities of Windows RRAS. I use pfSense for routing, firewalling, and VPN, and what you're looking to do would be a piece of cake on pfSense. – EEAA Mar 22 '12 at 04:04
  • @Theveloper pfSense is an appliance! Your criticism makes little sense: it is "only for BSD" in the same sense that Cisco routing is "only for IOS." Think of it as a complete box to add to your network, on dedicated or virtual hardware. It is not a "feature" to install on an existing server. – Skyhawk Oct 17 '13 at 13:26
  • I'm certain I meant something else by that, but it was a long time ago so I don't really know what I meant. – Theveloper Oct 18 '13 at 16:51
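As an added example (not from the question, the answer or the comments), this is what both of EEAA's suggestions look like on a Linux VPN server using iptables, together with the per-group variant asked about in the comments: admins are handed addresses from a separate pool and only that pool is allowed full routing. Interface names, subnets and pools are assumed values.

```shell
#!/bin/sh
# Added example (not from the page): server-side split-tunnel enforcement
# with iptables. Interface names, subnets and pools are assumed values.
TUN_IF="ppp+"                        # VPN client interfaces (tun0 for OpenVPN)
WAN_IF="eth0"                        # interface facing the internet
LOCAL_NETS="10.0.0.0/24 10.0.1.0/24" # subnets regular clients may reach
USER_POOL="10.8.0.0/24"              # address pool handed to regular clients
ADMIN_POOL="10.8.1.0/24"             # separate pool handed to admin clients

# Dry run by default: the rules are printed. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

split_tunnel_rules() {
    # Own chain so the policy can be rebuilt without touching other rules.
    $IPT -N VPN_FWD 2>/dev/null
    $IPT -F VPN_FWD
    # Everything a VPN client sends into the server is judged in VPN_FWD;
    # replies back to clients are matched by connection state instead.
    $IPT -A FORWARD -i "$TUN_IF" -j VPN_FWD
    $IPT -A FORWARD -o "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Admin pool keeps full routing, so admins may still use the VPN as
    # their default gateway.
    $IPT -A VPN_FWD -s "$ADMIN_POOL" -j ACCEPT
    # Regular pool reaches the local subnets only.
    for net in $LOCAL_NETS; do
        $IPT -A VPN_FWD -s "$USER_POOL" -d "$net" -j ACCEPT
    done
    # Whatever remains is dropped: internet-bound packets from a client that
    # ticked "Use default gateway on remote network", and packets relayed
    # from hosts behind a client (their source is outside both pools).
    $IPT -A VPN_FWD -j DROP
}

no_nat_rules() {
    # The answer's second option: refuse NAT for the regular client pool.
    # Inserted at position 1 so it precedes any MASQUERADE rule; RETURN
    # ends the chain without translation, so such packets never leave
    # with the server's public address.
    $IPT -t nat -I POSTROUTING 1 -s "$USER_POOL" -o "$WAN_IF" -j RETURN
}

split_tunnel_rules
no_nat_rules
```

The script appends to FORWARD each time it runs, so on a real server flush the chain or put the two FORWARD jumps in your persistent ruleset instead of re-running it.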