
Let's suppose we have this configuration:

(image: configuration)

When I set up my VPN role in Windows Server to allocate IPs to VPN clients from the range 192.168.1.10 to 192.168.1.20, everything works fine.

However, when I want to isolate the VPN clients in a different subnet (for example 192.168.2.0/24), I don't know how to proceed. The connection to the VPN server works fine: my VPN client gets the address 192.168.2.2, for example, and is able to ping the server at 192.168.1.2, but it can't see the other machines in 192.168.1.0/24 and can't reach the Internet either.

I know that I have to add some static route somewhere, but I don't really see where. Any pointer?

infotic
  • Share your configuration. What is the purpose of this isolation, if they should still see each other with supposedly unlimited connectivity? – Esa Jokinen Jun 05 '17 at 13:43
  • I want the VPN clients in the 192.168.2.0/24 subnet to be able to access the Internet through the server's connection, but not to be able to "see" the network in the 192.168.1.0/24 subnet (which consists of several servers and printers that the VPN clients don't need any access to). – infotic Jun 05 '17 at 14:32



You are missing the route in your router for 192.168.2.0/24. Your VPN clients can get to your local LAN. The clients would be responding to their default gateway, since they do not know where 192.168.2.0/24 is. That would need to be in your router's routing table, so that it can forward that traffic back to your Windows VPN server.

As a general rule, every router needs to have a route added for any subnet that is not directly connected.

Cory Knutson
  • I added a route in my router from 192.168.2.0/24 to the 192.168.1.2 server and now it works perfectly, thank you! However, now the VPN clients in 192.168.2.0/24 are able to see and ping the whole network. I want them to be able only to access the Internet through 192.168.1.1 and not see my web server, for example at 192.168.1.10 (or any other machine in this subnet). How can this be done? – infotic Jun 05 '17 at 18:16
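An added illustration of the answer's routing-table point, not code from the original post: a constructed longest-prefix-match lookup over the LAN router's table, showing why replies to a VPN client leave via the default gateway until the static route for 192.168.2.0/24 via 192.168.1.2 exists. It assumes the router is 192.168.1.1 (as in the follow-up comment) and labels the upstream default gateway with a placeholder name.

```python
# Added example, not from the original post. Models the routing table of the
# LAN router (assumed 192.168.1.1) before and after the static route from the
# answer, and resolves the next hop the way a router does: longest prefix wins.
from ipaddress import ip_address, ip_network

# Constructed routing table before the fix: (prefix, next hop).
# "direct" means the prefix sits on an attached interface.
ROUTER_BEFORE = [
    (ip_network("192.168.1.0/24"), "direct"),
    (ip_network("0.0.0.0/0"), "isp-default-gateway"),  # placeholder WAN hop
]

# Same table after adding the static route the answer describes:
# 192.168.2.0/24 reachable via the Windows VPN server's LAN address.
ROUTER_AFTER = ROUTER_BEFORE + [
    (ip_network("192.168.2.0/24"), "192.168.1.2"),
]


def lookup(table, dst):
    """Return the next hop for dst using longest-prefix match.

    The most specific matching prefix is chosen, so once the /24 static
    route is present it beats the 0.0.0.0/0 default for VPN-client addresses.
    """
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def return_path(table, src, dst):
    """Path of a reply from LAN host src to VPN client dst.

    The LAN host has no route for 192.168.2.0/24 itself, so it hands the
    packet to its default gateway (the router), which then does the lookup.
    """
    return f"{src} -> 192.168.1.1 -> {lookup(table, dst)}"


if __name__ == "__main__":
    # Reply from the web server at 192.168.1.10 to the VPN client 192.168.2.2.
    print("before:", return_path(ROUTER_BEFORE, "192.168.1.10", "192.168.2.2"))
    print("after: ", return_path(ROUTER_AFTER, "192.168.1.10", "192.168.2.2"))
```

Before the fix the reply is forwarded toward the ISP and is lost; after it, the router hands it to 192.168.1.2, which delivers it over the VPN tunnel.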