PPTP VPN and Local LAN Routing
Typically when you VPN into a network, all traffic, including internet traffic, gets routed through that VPN network. This is usually unnecessary and mostly undesirable, for reasons such as:
- The connection becomes slower because of the longer route.
- If you are routing through a home (ISP) connection, home upload speeds are usually tiny, and all your internet downloads are capped at the home connection's upload speed.
- If the two networks are in different geographic locations, every access may be doing a round trip.
- It changes your browsing privacy, which may or may not be desirable:
  - You appear to be using the internet from the VPN'd-in network.
  - Your browsing is now encrypted on the first network (if the VPN connection is encrypted) but visible on the second, VPN'd-in, network.
To let regular traffic use the default ISP connection, and send only traffic for resources behind the VPN through the tunnel, the routing adjustments below are one way to make it happen.
Setup
The setup is as follows
- ASUS (Home) Router RT-AC66U, which has built in PPTP VPN Server.
- Windows 7 Desktop
This should work with a different router as well, as the changes are mostly on the Windows side.
Configuration
Router
On the ASUS router, set up the default configuration as a PPTP VPN Server. Keep in mind that PPTP's MS-CHAPv2 authentication is known to be cryptographically weak, so treat the tunnel as a routing convenience rather than as strong protection against eavesdropping on the path to the router.
Windows
The VPN setup on the Windows side is where the default needs a small change. The steps for creating the VPN connection itself are the standard ones:
- Control Panel → Set up a connection or network
- Connect to a workplace
- Set-up New Connection
- Use my Internet connection (VPN)
- In the “Connect to a Workplace” dialog box:
- Enter the Internet address: the public IP address of the home connection
- Destination Name (e.g. Home VPN)
- Enter User name and Password
- Hit connect
You will connect now, but at this point all traffic is still routed via “Home VPN”.
Network Configuration
To start routing traffic as desired above, the following changes are required. Once the basic connection is set up, make the changes below to the new connection (called “Home VPN”):
Click on:
“Home VPN” → Properties → Networking → TCP/IPv4 → Properties → Advanced → “Uncheck” Use default gateway on remote network
Reconnect to the “Home VPN” Network for the changes to take effect.
Change ROUTE
Since we unchecked “Use default gateway on remote network”, there is now no route at all to the remote network we have VPN'd into. (Leaving it checked would have installed a default route through the tunnel, which is what sent all traffic that way.) We need to ADD a route just for the resources behind the VPN. Issue the following command (as administrator) in a Windows command window. Don't just run the command below as it is: some of the parameters will be different on your Windows client.
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.2 IF 59
The parameters that differ based on your individual settings:
- 192.168.1.0 is the remote network address (its first address), i.e. the local LAN address range of the remote network.
- 255.255.255.0 is the network mask; together with the address it says that any access to 192.168.1.0/24 goes through this route. Most home users and routers have a /24 subnet.
- 192.168.10.2 is the PPP adapter IP address on your client. Get it by running ipconfig on the Windows client and noting the address of the PPP adapter. Giving the adapter's own address as the gateway makes Windows install the route as On-link over the tunnel.
- 59 is the “Interface Number” of the PPP adapter, which you get from the “Interface List” printed by route PRINT.
See the “To Filter for both IPconfig & Interface output” Section below on how to get these numbers.
ipconfig output
To find out your PPP Adapter IP Address:
PPP adapter Home VPN:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
Interface list output
To find out the VPN Adapter Interface Number:
C:\Users\someuser>route PRINT
===========================================================================
Interface List
 59...........................Home VPN
...
...
To Filter for both IPconfig & Interface output
Use the commands below to display just the items that go into the route command. This assumes your VPN connection is called “Home VPN”; the /C: switch makes findstr match the whole phrase rather than “Home” or “VPN” separately.

route PRINT | findstr /C:"Home VPN"
netsh interface ip show addresses "Home VPN" | findstr "IP"
Full ROUTE
Below is a typical route table after adding the new route. The local gateway shown is 10.10.101.1; yours will differ based on your local network.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.101.1    10.10.101.157     20
      10.10.101.0    255.255.255.0         On-link     10.10.101.157    276
    10.10.101.157  255.255.255.255         On-link     10.10.101.157    276
    10.10.101.255  255.255.255.255         On-link     10.10.101.157    276
  aaa.bbb.ccc.ddd  255.255.255.255      10.10.101.1    10.10.101.157     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.10.2     11
    192.168.1.255  255.255.255.255         On-link      192.168.10.2    266
     192.168.10.0    255.255.255.0      192.168.1.1     192.168.10.2     11
     192.168.10.2  255.255.255.255         On-link      192.168.10.2    266
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link     10.10.101.157    276
        224.0.0.0        240.0.0.0         On-link      192.168.10.2    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link     10.10.101.157    276
  255.255.255.255  255.255.255.255         On-link      192.168.10.2    266
===========================================================================
Persistent Routes:
  None
The specific line that appeared in the table after adding the new route is:

      192.168.1.0    255.255.255.0         On-link      192.168.10.2     11
Route validation
Validate the route by doing a trace route (tracert) to an IP address in the remote network and to an internet address. With the route added above, a trace to google.com, for example, still leaves via the local network rather than the tunnel:

tracert google.com

Tracing route to google.com [74.125.227.169]
over a maximum of 30 hops:

  1     1 ms     1 ms     3 ms  10.10.101.3
  ...

And a trace route to an address in the remote network does not go through the 10.x local gateway but straight over the tunnel:

tracert 192.168.1.100

Tracing route to ubuntu01 [192.168.1.100]
over a maximum of 30 hops:

  1    98 ms   102 ms   100 ms  router.asus.com [192.168.1.1]
  2   104 ms   108 ms   105 ms  ubuntu01 [192.168.1.100]

Trace complete.

Notice that it even resolved the server name ubuntu01 from the remote network's DNS. Whether that works is router-specific.
Reconnection
If the VPN connection is re-established, the route has to be added again: it is bound to the PPP adapter, which is removed together with its routes when the tunnel drops, and the adapter's interface number and address may differ on the next connection.
What else?
I was hoping changing the Metric for the VPN connection would work, and there is an option to define Metric when defining the VPN connection. However, for whatever reason, the metric was not being honored. Comments on that are appreciated as it would avoid the need to add a route manually. Also, any other ways to automate the route addition would be great.
Batch script
Below is a batch script that performs the above steps. Note the hard-coding of the 192.168.1.0 address space, the 192.168.10.2 VPN connection address and the name of the VPN (Home VPN). The two rem'd lines could soft-code these, but I have not tested them against all possibilities, hence the hard-coding. Run this script as administrator.

@echo off
rem Interface number of the PPP adapter: the number before the dots on the
rem "Interface List" line. findstr /C: matches the whole phrase "Home VPN";
rem delims ". " drops leading spaces and works for 1- and 2-digit numbers.
FOR /F "tokens=1 delims=. " %%a in ('route PRINT ^| findstr /C:"Home VPN"') do SET INTNUM=%%a
rem Untested: read network, mask and PPP address from an existing route entry.
rem for /f "tokens=1,2,3,4 delims=/ " %%a in ('route PRINT ^| findstr "192.168.1.0"') do set net1=%%a&set mask1=%%b&set ip1=%%d
rem route ADD %net1% MASK %mask1% %ip1% IF %INTNUM%
route ADD 192.168.1.0 MASK 255.255.255.0 192.168.10.2 IF %INTNUM%
pause
VPN into a network with same IP range
When you have to VPN into another network that uses the same IP range as the current LAN, you will instead need to delete a route so that all traffic goes via the VPN. Assume both networks are 192.168.1.0/24. In that case a typical route PRINT
may give the following output after connecting to the VPN. In this scenario we do not uncheck “Use default gateway on remote network”: we keep the default setting, which routes via the VPN, since we want all connections to go through the VPN and none through the local network.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.138   4250
          0.0.0.0          0.0.0.0         On-link      192.168.10.3     26
      aa.bb.cc.dd  255.255.255.255      192.168.1.1    192.168.1.138   4251
etc.

To delete just the first route line, so that all traffic goes via the VPN (the tunnel to aa.bb.cc.dd itself must keep going via 192.168.1.1; everything else now goes via 192.168.10.3), do the following:
route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1
The route table now shows that all traffic goes through 192.168.10.3, the PPP adapter address of the tunnel. Two caveats: the deletion lasts only for this session (the local default route comes back on reboot, and normally when the DHCP lease is renewed), and it only redirects traffic outside 192.168.1.0/24. For addresses inside that range the local adapter's more specific On-link 192.168.1.0/24 route still wins over the tunnel's default route, so hosts on the remote LAN with the same addressing stay unreachable unless the conflict is resolved another way, e.g. by renumbering one of the LANs.

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link      192.168.10.3     26
      aa.bb.cc.dd  255.255.255.255      192.168.1.1    192.168.1.138   4251
etc.
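As an added example (not part of the original page, and not the batch script above), the following PowerShell script automates both procedures: the “Change ROUTE” split-tunnel route add, and the same-IP-range fallback of deleting the local default route. It discovers the PPP adapter's interface number from route PRINT and its address from netsh, the way the “To Filter” section does by hand. It assumes the connection is named “Home VPN”, the remote LAN is 192.168.1.0/24, that route.exe prints “OK!” on success, and that netsh reports the address on a line beginning “IP Address:” as on Windows 7; change the parameters for your setup.

```powershell
# Added example: automate the split-tunnel route (and the same-range fallback)
# for a dialled-up Windows VPN connection. Run from an elevated PowerShell.
# Assumptions: connection "Home VPN", remote LAN 192.168.1.0/24, netsh prints
# the adapter address as "IP Address: x.x.x.x", route.exe prints "OK!" on success.
param(
    [string]$VpnName    = 'Home VPN',
    [string]$RemoteNet  = '192.168.1.0',
    [string]$RemoteMask = '255.255.255.0'
)

$routeTable = & route -4 PRINT

# 1. Interface number: the "Interface List" line reads
#    " 59...........................Home VPN"; take the number before the dots.
$ifIndex   = $null
$ifPattern = '^\s*(\d+)\.{3,}\s*' + [regex]::Escape($VpnName) + '\s*$'
foreach ($line in $routeTable) {
    if ($line -match $ifPattern) { $ifIndex = [int]$matches[1]; break }
}
if ($ifIndex -eq $null) { throw "Interface '$VpnName' not in route PRINT; is the VPN connected?" }

# 2. PPP adapter address (what the article reads off ipconfig).
$pppIp = $null
foreach ($line in (& netsh interface ip show addresses $VpnName)) {
    if ($line -match 'IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})') { $pppIp = $matches[1]; break }
}
if ($pppIp -eq $null) { throw "No IPv4 address found on '$VpnName'" }

# 3. Parse the "Active Routes" lines: destination, mask, gateway, interface, metric.
#    Header and "Persistent Routes" lines do not have five fields ending in a number.
$routes = @()
foreach ($line in $routeTable) {
    if ($line -match '^\s*(\d[\d.]*)\s+([\d.]+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s*$') {
        $routes += New-Object PSObject -Property @{
            Dest = $matches[1]; Mask = $matches[2]; Gateway = $matches[3]
            Iface = $matches[4]; Metric = [int]$matches[5]
        }
    }
}

$vpnDefault   = $routes | Where-Object { $_.Dest -eq '0.0.0.0' -and $_.Iface -eq $pppIp }
$localDefault = $routes | Where-Object { $_.Dest -eq '0.0.0.0' -and $_.Iface -ne $pppIp -and $_.Gateway -ne 'On-link' }
$overlap      = $routes | Where-Object { $_.Dest -eq $RemoteNet -and $_.Mask -eq $RemoteMask -and $_.Iface -ne $pppIp }
$alreadyAdded = $routes | Where-Object { $_.Dest -eq $RemoteNet -and $_.Mask -eq $RemoteMask -and $_.Iface -eq $pppIp }

if ($overlap) {
    # Same range on both sides: a split-tunnel route cannot tell the LANs apart.
    # Fallback from the article: keep "Use default gateway on remote network"
    # checked and remove the local default route so internet traffic uses the tunnel.
    if (-not $vpnDefault) {
        throw "Remote LAN $RemoteNet overlaps the local LAN but there is no default route via $pppIp; re-check 'Use default gateway on remote network' and reconnect."
    }
    if ($localDefault) {
        foreach ($r in $localDefault) {
            $out = & route DELETE 0.0.0.0 MASK 0.0.0.0 $r.Gateway 2>&1
            if (-not ($out -match 'OK!')) { throw "route DELETE failed: $out" }
            Write-Host "Removed local default route via $($r.Gateway); internet traffic now leaves via $pppIp"
        }
    }
    Write-Warning "Addresses inside $RemoteNet/$RemoteMask still match the local adapter's on-link route (longest prefix wins)."
}
elseif ($alreadyAdded) {
    Write-Host "Route $RemoteNet/$RemoteMask via $pppIp is already present; nothing to do."
}
else {
    # Split tunnel: only the remote LAN goes through the tunnel; everything else
    # keeps using the local default gateway. The PPP adapter's own address as the
    # gateway makes Windows install the route as On-link over the tunnel.
    $out = & route ADD $RemoteNet MASK $RemoteMask $pppIp IF $ifIndex 2>&1
    if (-not ($out -match 'OK!')) { throw "route ADD failed: $out (not elevated?)" }
    Write-Host "Added $RemoteNet MASK $RemoteMask via $pppIp on interface $ifIndex"
}
```

Save it as, say, Add-HomeVpnRoute.ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File Add-HomeVpnRoute.ps1` (add -RemoteNet/-RemoteMask for a different remote LAN). Because the PPP adapter and its routes disappear when the tunnel drops, re-run it after each reconnect; it is safe to re-run since an already-present route is detected and skipped.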