PPTP VPN and Local LAN Routing

Typically when you VPN into a Network, all traffic, including internet traffic, gets routed to that VPN Network. This is of course unnecessary and mostly undesirable for reasons such as:

  • The connection becomes slow with the longer route.
    • If you are routing through a Home (ISP) Network, the upload speeds in the Home Network are usually tiny and all your internet downloads are capped at your Home internet upload speed.
    • If the two networks are geographically in different locations you may be doing a round trip for each access.
  • It changes your browsing privacy which may or may not be desirable.
    • You appear to be using the internet from the VPN'd-in network.
    • Your browsing traffic is now encrypted on the 1st network (if the connection is encrypted) but visible on the 2nd, VPN'd-in network.

To let regular traffic go through the default ISP connection, and send only the traffic that needs to reach resources behind the VPN through the VPN Network, the following routing adjustments are one way to make it happen.


The setup is as follows

  • ASUS (Home) Router RT-AC66U, which has built in PPTP VPN Server.
  • Windows 7 Desktop

This should work with a different router as well as the changes are mostly on the Windows side.



On the ASUS router, set up a default configuration as PPTP VPN Server.


The VPN setup on Windows is where you will need to change the default slightly. The steps for setting up the VPN itself are the standard steps as below:

  • Control Panel → Set up a connection or network
  • Connect to a workplace
  • Set-up New Connection
  • Use my Internet connection (VPN)
  • Under “Connect to a Workplace Dialogue Box”
    • Enter the Internet Address - public IP address of the connection
    • Destination Name (e.g. Home VPN)
    • Enter User name and Password
    • Hit connect

You will connect now, but at this time you would have all traffic routing via the “Home VPN”.

Network Configuration

To start routing traffic as desired above, the following changes are required. Once the basic network is set up, make the changes below to the New Network (called “Home VPN”):

Click on:
“Home VPN” → Properties → Networking → TCP/IPv4 → Properties → Advanced → “Uncheck” Use default gateway on remote network

Reconnect to the “Home VPN” Network for the changes to take effect.

Change ROUTE

Since we unchecked “Use default gateway”, there is no gateway at all to access the Remote Network we have VPN'd into. Had “Use default gateway” been left checked, the resulting gateway setting would cause all traffic to use that gateway. We now need to ADD a new route just to access the resources behind the VPN. Issue the following command (as administrator) in the Windows Command Window to effect this. (Don't run the command below just yet! Some parameters will be different on your Windows client.)

route ADD MASK IF 59

The few parameters would be different based on your individual settings

  • is the Remote Network address (starting address) - This is the Local LAN address of the Remote Network
  • The 2nd is the Network mask and indicates that any access to goes through this route. Most Home users and routers have a slash 24 subnet.
  • is the PPP Adapter IP address. You get that address by issuing an ipconfig in your Windows client and noting the Adapter IP.
  • 59, is the “Interface Number” you can get from the “Interface List”, by doing a route PRINT command for the specific PPP Interface.

See the “To Filter for both IPconfig & Interface output” Section below on how to get these numbers.

ipconfig output

To find out your PPP Adapter IP Address:

PPP adapter Home VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Interface list output

To find out the VPN Adapter Interface Number:

C:\Users\someuser>route PRINT
Interface List
 59...........................Home VPN

To Filter for both IPconfig & Interface output

Use the below commands to display just the required items that go into the route command. This assumes your VPN connection is called “Home VPN”.

route PRINT | findstr /C:"Home VPN"
netsh interface ip show addresses "Home VPN" | findstr "IP"

Below is the (Typical) Route Table after adding the new route. The gateway shown below is which will be different based on what your local network gateway is.

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     20         On-link    276         On-link    276         On-link    276
  aaa.bbb.ccc.ddd     21         On-link    306         On-link    306         On-link    306         On-link     11         On-link    266     11         On-link    266         On-link    276         On-link    276         On-link    276         On-link    306         On-link    276         On-link    276         On-link    266         On-link    306         On-link    276         On-link    276         On-link    266
Persistent Routes:

The specific line that was included in the route after adding the new route is:         On-link     11

Route validation

Validate the route by doing a Trace Route (tracert) to an IP address in the Remote Network and to an Internet address. With the specific IP/Route added above, a tracert to google, for example, goes through the original route:

tracert google.com
Tracing route to google.com []
over a maximum of 30 hops:

  1     1 ms     1 ms     3 ms

And a trace route to an address in the remote network does not go through the 10 dot route but instead directly as below:


Tracing route to ubuntu01 []
over a maximum of 30 hops:

  1    98 ms   102 ms   100 ms  router.asus.com []
  2   104 ms   108 ms   105 ms  ubuntu01 []

Trace complete.

Notice that it even got hold of the server name ubuntu01 from the remote network DNS. This can be router specific.


If the VPN connection is re-established, the new route will have to be re-added.

What else?

I was hoping changing the Metric for the VPN connection would work, and there is an option to define Metric when defining the VPN connection. However, for whatever reason, the metric was not being honored. Comments on that are appreciated as it would avoid the need to add a route manually. Also, any other ways to automate the route addition would be great.

Batch script

Below is a batch script to perform the above function. Note the hard-coding of the address space, the VPN connection address and the name of the VPN (Home VPN). The two rem statements can soft code this, but I have not tested this against all possibilities, hence the hard-coding. Run this script as administrator.

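rem Capture the "Home VPN" line of the Interface List (/C: matches the whole phrase, not "Home" or "VPN")
FOR /F "tokens=*" %%a in ('route PRINT ^| findstr /C:"Home VPN"') do SET HVPN=%%a
rem The interface number is the text before the first dot of that line
FOR /F "tokens=1 delims=." %%a in ("%HVPN%") do SET INTNUM=%%a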
rem for /f "tokens=1,2,3,4 delims=/ " %a in ('"route PRINT | findstr """') do set net1=%a&set mask1=%b&set ip1=%d
rem route ADD %net1% MASK %mask1% %ip1% IF %INTNUM%

VPN into a network with same IP range

When you have to VPN into another network that has the same IP range as the current LAN, you will need to do some route deletes to route all traffic via the VPN. Assume both networks are on network. In that case a typical route print may give the following output after connecting to the VPN. In this scenario we don't “Uncheck” Use default gateway on remote network. We allow the default setting to take the route via the VPN, since we need all connections to go only through the VPN and none of them to go through the local network.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         On-link     26
      aa.bb.cc.dd   4251

To delete just the 1st line (of route) so that all traffic goes via the VPN (aa.bb.cc.dd address via do the following

route delete mask

The new route will now show that all traffic goes through which is the VPN network gateway.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         On-link     26
      aa.bb.cc.dd   4251
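
The lookups from the "Change ROUTE" section and the overlap case from this section, combined into one added example (not code from the original page). The function names are hypothetical, the command output and all addresses are constructed documentation placeholders, and the script only builds the route ADD string; it does not run it.

```python
import ipaddress
import re

# Constructed sample output (not from the page); addresses are placeholders.
ROUTE_PRINT = """Interface List
 59...........................Home VPN
 60...........................Home VPN 2
 11...00 11 22 33 44 55 ......Example Ethernet Adapter
  1...........................Software Loopback Interface 1
"""
NETSH_ADDRESSES = """Configuration for interface "Home VPN"
    DHCP enabled:                         No
    IP Address:                           192.0.2.10
    Subnet Prefix:                        192.0.2.10/32 (mask 255.255.255.255)
"""

def interface_number(route_print, name):
    """Return the Interface List number whose name is exactly `name`."""
    # Line layout: number, "...", optional MAC bytes, filler dots, name.
    pattern = re.compile(r"^\s*(\d+)\.{3}[0-9A-Fa-f ]*\.+(.+?)\s*$")
    for line in route_print.splitlines():
        m = pattern.match(line)
        if m and m.group(2) == name:  # exact match, so "Home VPN 2" is skipped
            return int(m.group(1))
    raise LookupError(f"no interface named {name!r}")

def adapter_ip(netsh_output):
    """Return the PPP adapter address from 'netsh interface ip show addresses'."""
    m = re.search(r"IP Address:\s+(\S+)", netsh_output)
    if not m:
        raise LookupError("VPN adapter has no IPv4 address (not connected?)")
    return ipaddress.ip_address(m.group(1))

def split_tunnel_route(remote_lan, local_lan, route_print, netsh_output,
                       name="Home VPN"):
    """Build the route ADD command, refusing when the two LANs overlap."""
    remote = ipaddress.ip_network(remote_lan)
    local = ipaddress.ip_network(local_lan)
    if remote.overlaps(local):
        # Same-range case: a more specific route cannot tell the LANs apart.
        raise ValueError(f"remote LAN {remote} overlaps local LAN {local}")
    return "route ADD {} MASK {} {} IF {}".format(
        remote.network_address, remote.netmask,
        adapter_ip(netsh_output), interface_number(route_print, name))
```
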
