Typically when you VPN into a network, all traffic, including ordinary Internet traffic, gets routed through that VPN. This is of course unnecessary and mostly undesirable, for reasons such as
To let ordinary traffic go out through the default ISP connection while only traffic destined for resources behind the VPN goes through the tunnel (split tunneling), the routing adjustments below are one way to make it happen.
The setup is as follows
This should work with a different router as well, since the changes are mostly on the Windows side.
On the ASUS router, set up the VPN server with its default PPTP configuration. (PPTP with MS-CHAPv2 is known to be weak and is best replaced with OpenVPN or IPsec where the router offers them; the Windows-side steps below are the same for the built-in L2TP/IPsec, SSTP and IKEv2 connection types, which also appear as a PPP adapter.)
The Windows side is where the defaults need a small change. Setting up the VPN connection itself follows the standard steps:
You can connect now, but at this point all traffic would be routed via the “Home VPN”.
To route traffic the way we want, make the following change to the new connection (called “Home VPN”):
Click on:
“Home VPN” → Properties → Networking → TCP/IPv4 → Properties → Advanced → “Uncheck” Use default gateway on remote network
Reconnect to the “Home VPN” Network for the changes to take effect.
With “Use default gateway” unchecked, Windows no longer installs a default route through the tunnel, so nothing points at the remote network any more. (Leaving it checked installs a default route through the tunnel, which is what pulls all traffic through it.) We therefore need to ADD one route, just for the subnet behind the VPN. Issue the following command in an elevated Windows Command Prompt (but not yet: two of the parameters will differ on your Windows client).
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.2 IF 59
Two parameters depend on your individual setup: the PPP adapter's IP address (192.168.10.2 above, used as the gateway), which you read from ipconfig on the Windows client, and the interface number (IF 59 above), which you take from route PRINT for the specific PPP interface. See the “To Filter for both IPconfig & Interface output” section below for commands that pull out just these two values.
To find out your PPP Adapter IP Address:
PPP adapter Home VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
To find out the VPN Adapter Interface Number:
C:\Users\someuser>route PRINT
===========================================================================
Interface List
 59...........................Home VPN
...
Use the commands below to display just the items that go into the route command. This assumes your VPN connection is called “Home VPN”; the /C: switch makes findstr match the whole phrase rather than any line containing either “Home” or “VPN”.
route PRINT | findstr /C:"Home VPN"
netsh interface ip show addresses "Home VPN" | findstr "IP"
Below is a typical route table after adding the new route. The local gateway shown is 10.10.101.1 and will differ based on what your LAN gateway is. The aaa.bbb.ccc.ddd entry is a host route (/32) to the VPN server's public address via that local gateway; Windows adds it so that the tunnel's own packets are never routed into the tunnel.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.101.1  10.10.101.157     20
      10.10.101.0    255.255.255.0         On-link   10.10.101.157    276
    10.10.101.157  255.255.255.255         On-link   10.10.101.157    276
    10.10.101.255  255.255.255.255         On-link   10.10.101.157    276
  aaa.bbb.ccc.ddd  255.255.255.255      10.10.101.1  10.10.101.157     21
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link       127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link       127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.10.2     11
    192.168.1.255  255.255.255.255         On-link    192.168.10.2    266
     192.168.10.0    255.255.255.0      192.168.1.1   192.168.10.2     11
     192.168.10.2  255.255.255.255         On-link    192.168.10.2    266
     192.168.56.0    255.255.255.0         On-link    192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link    192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link    192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link       127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link   10.10.101.157    276
        224.0.0.0        240.0.0.0         On-link    192.168.10.2    266
  255.255.255.255  255.255.255.255         On-link       127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link   10.10.101.157    276
  255.255.255.255  255.255.255.255         On-link    192.168.10.2    266
===========================================================================
Persistent Routes:
  None
The specific line that was included in the route after adding the new route is:
192.168.1.0 255.255.255.0 On-link 192.168.10.2 11
Validate the route with a trace route (tracert) to an IP address in the remote network and to an Internet address. With the route added above, a trace to google, for example, still goes out through the original local gateway:
tracert google.com

Tracing route to google.com [74.125.227.169]
over a maximum of 30 hops:

  1     1 ms     1 ms     3 ms  10.10.101.3
  ...
A trace to an address in the remote network does not go through the 10.x local gateway but through the tunnel, reaching the remote router first:
tracert 192.168.1.100

Tracing route to ubuntu01 [192.168.1.100]
over a maximum of 30 hops:

  1    98 ms   102 ms   100 ms  router.asus.com [192.168.1.1]
  2   104 ms   108 ms   105 ms  ubuntu01 [192.168.1.100]

Trace complete.
Notice that it even resolved the server name ubuntu01 from the remote network's DNS. This can be router specific.
Every time the VPN connection is re-established, the route has to be re-added, because the PPP interface and the routes on it are torn down on disconnect.
I was hoping that changing the metric for the VPN connection would work, and there is an option to define a metric when defining the VPN connection. However, for whatever reason, the metric was not being honored. Comments on that are appreciated, as it would avoid the need to add a route manually. Also, any other ways to automate the route addition would be great.
Below is a batch script to perform the above steps. Note the hard-coding of the 192.168.1.0 address space, the 192.168.10.2 VPN connection address and the name of the VPN (Home VPN). The two rem statements are an attempt to soft-code these, but I have not tested this against all possibilities, hence the hard-coding. Run this script as administrator.
rem Interface index of the "Home VPN" PPP adapter, taken from the route PRINT interface list
rem (a line such as "59...........................Home VPN"). findstr /C: matches the whole
rem phrase; plain findstr "Home VPN" would match any line containing either word.
FOR /F "tokens=*" %%a in ('route PRINT ^| findstr /C:"Home VPN"') do SET HVPN=%%a
IF NOT DEFINED HVPN (echo "Home VPN" not found in route PRINT - is it connected? & goto :eof)
rem Everything before the first dot, so one- and two-digit interface indexes both work.
FOR /F "delims=." %%i in ("%HVPN%") do SET INTNUM=%%i
rem for /f "tokens=1,2,3,4 delims=/ " %%a in ('route PRINT ^| findstr /C:"192.168.1.0"') do set net1=%%a&set mask1=%%b&set ip1=%%d
rem route ADD %net1% MASK %mask1% %ip1% IF %INTNUM%
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.2 IF %INTNUM%
pause
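As an added example (not from the original post), here is the same split-tunnel setup done from an elevated PowerShell prompt with the built-in VpnClient and NetTCPIP cmdlets instead of the GUI checkbox and route ADD. It also addresses the automation question above: Add-VpnConnectionRoute stores the route on the connection profile, so Windows re-installs it on every connect and no interface index or PPP address has to be looked up. The connection name “Home VPN”, the remote subnet 192.168.1.0/24 and the test host 192.168.1.100 are taken from the post; the public test address 8.8.8.8 and everything else are assumptions.

```powershell
# Added example, not from the original post: split tunneling for the "Home VPN"
# connection via the VpnClient / NetTCPIP cmdlets instead of the GUI and route ADD.
# Run from an elevated PowerShell prompt on Windows 8.1 or later.
# Assumed values: connection name, remote subnet and test hosts (defaults below).
param(
    [string]$VpnName      = 'Home VPN',
    [string]$RemoteSubnet = '192.168.1.0/24',
    [string]$RemoteHost   = '192.168.1.100',  # a host behind the VPN to check against
    [string]$PublicHost   = '8.8.8.8'         # any Internet address to check against
)

# Profile changes only take effect on the next connect, so start disconnected.
if ((Get-VpnConnection -Name $VpnName).ConnectionStatus -eq 'Connected') {
    rasdial $VpnName /disconnect | Out-Null
}

# Same effect as unchecking "Use default gateway on remote network".
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# Same effect as `route ADD 192.168.1.0 MASK 255.255.255.0 <ppp ip> IF <n>`, except the
# route lives on the profile and is re-installed every time the tunnel comes up.
# Remove-then-add keeps the script idempotent when it is run a second time.
Remove-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $RemoteSubnet -ErrorAction SilentlyContinue
Add-VpnConnectionRoute    -ConnectionName $VpnName -DestinationPrefix $RemoteSubnet

# Connect using the credentials saved on the profile.
rasdial $VpnName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial '$VpnName' failed with exit code $LASTEXITCODE" }

# Verify. First the PPP adapter's index and address (what ipconfig / route PRINT show) ...
$ppp = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4
"PPP adapter '{0}': IfIndex={1} IP={2}" -f $VpnName, $ppp.InterfaceIndex, $ppp.IPAddress

# ... then which interface the stack actually picks for each destination.
# Find-NetRoute returns the chosen source address first, then the matching route;
# both objects carry InterfaceIndex.
$remoteIf = (Find-NetRoute -RemoteIPAddress $RemoteHost | Select-Object -First 1).InterfaceIndex
$publicIf = (Find-NetRoute -RemoteIPAddress $PublicHost | Select-Object -First 1).InterfaceIndex

if ($remoteIf -ne $ppp.InterfaceIndex) {
    Write-Warning "$RemoteHost is routed via interface $remoteIf, not the VPN ($($ppp.InterfaceIndex))"
}
if ($publicIf -eq $ppp.InterfaceIndex) {
    Write-Warning "$PublicHost is routed through the VPN; split tunneling is not in effect"
}
```

Save it as a .ps1 and run it as administrator; the two Write-Warning checks replace reading route PRINT by eye, and a clean run prints only the PPP adapter line.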
When you have to VPN into another network that uses the same IP range as the current LAN, you will need to delete a route so that all traffic goes via the VPN. Assume both networks are 192.168.1.0/24. In that case a typical route print
may give the following output after connecting to the VPN. In this scenario we do not uncheck “Use default gateway on remote network”: we keep the default so that the route goes via the VPN, since we need all connections to go through the VPN and none of them through the local network.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.138   4250
          0.0.0.0          0.0.0.0         On-link    192.168.10.3     26
      aa.bb.cc.dd  255.255.255.255      192.168.1.1   192.168.1.138   4251
etc.
To delete just the first route (the local default via 192.168.1.1) so that all traffic goes via the VPN, run the following. Leave the aa.bb.cc.dd host route via 192.168.1.1 in place: it is what carries the tunnel itself to the VPN server.
route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1
The route table now shows all traffic going through 192.168.10.3, the VPN gateway. Note that traffic to 192.168.1.x addresses still matches the local LAN's more specific On-link 192.168.1.0/24 route, so hosts in the overlapping range are still reached on the local LAN rather than through the tunnel.
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link    192.168.10.3     26
      aa.bb.cc.dd  255.255.255.255      192.168.1.1   192.168.1.138   4251
etc.
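As an added example (not from the original post), the overlapping-subnet case above done with the NetTCPIP cmdlets from an elevated PowerShell prompt, with the VPN already connected and “Use default gateway” left on. It does what the route delete above does, but first checks that the /32 host route to the VPN server via the local gateway exists, so the change cannot cut the tunnel off, and then asks the stack which interface it picks for a public address and for an address in the overlapping range. The connection name “Home VPN” and local gateway 192.168.1.1 are taken from the post; the server address is read from the connection profile, and 8.8.8.8 and 192.168.1.100 are assumed test addresses.

```powershell
# Added example, not from the original post: the overlapping-subnet case (local LAN
# and remote LAN both 192.168.1.0/24) with "Use default gateway" left ON and the VPN
# already connected. Equivalent to `route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1`,
# guarded by a check that the host route to the VPN server survives.
# Assumed values: connection name and local gateway (defaults below).
param(
    [string]$VpnName      = 'Home VPN',
    [string]$LocalGateway = '192.168.1.1'
)

# The VPN server's public address (aa.bb.cc.dd in the post) comes from the profile.
$server   = (Get-VpnConnection -Name $VpnName).ServerAddress
$serverIp = ([System.Net.Dns]::GetHostAddresses($server) |
             Where-Object AddressFamily -eq 'InterNetwork' |
             Select-Object -First 1).IPAddressToString

# Safety check: the /32 host route to the server via the local gateway is what keeps
# the tunnel's own packets off the tunnel. If it is missing, removing the local
# default route would cut the VPN off, so abort instead.
$hostRoute = Get-NetRoute -DestinationPrefix "$serverIp/32" -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object NextHop -eq $LocalGateway
if (-not $hostRoute) {
    throw "No host route to $serverIp via $LocalGateway found; not touching the default route"
}

# Remove only the local default route; the On-link default over the PPP adapter stays.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Where-Object NextHop -eq $LocalGateway |
    Remove-NetRoute -Confirm:$false

# Verify with the stack's own lookup instead of reading route PRINT by eye.
# Find-NetRoute returns the chosen source address first; it carries InterfaceIndex.
$pppIndex = (Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4).InterfaceIndex
$publicIf = (Find-NetRoute -RemoteIPAddress '8.8.8.8' | Select-Object -First 1).InterfaceIndex
if ($publicIf -ne $pppIndex) {
    Write-Warning "Internet traffic still leaves via interface $publicIf, not the VPN ($pppIndex)"
}

# 192.168.1.x still matches the local LAN's more specific On-link 192.168.1.0/24 route,
# so hosts in the overlapping range stay local. Show which interface wins for one of them.
$lanIf = (Find-NetRoute -RemoteIPAddress '192.168.1.100' | Select-Object -First 1).InterfaceIndex
"192.168.1.100 is routed via interface $lanIf (VPN interface is $pppIndex)"
```

The deleted route is not persistent, so Windows restores the local default on the next disconnect and reconnect; run the script again after each connect, as with the route ADD case.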