I’m sure that you’re using some VPN somewhere, and you’re having “trouble” with split tunneling and routing, right?
Well, I had. 😀
As I’m “here and there” most of the time, I’ve set up an “anchor” location (no, it’s not in the cloud… yet) which is always available via VPN, and which has a few machines that I’m, more or less, using regularly. When I’m not there, I connect there via my precious Windows 10/11 laptop and work as if I were there locally. I know – you know what VPNs are used for… bear with me a bit longer. 😀
So, all good – I have a VPN client (Windows built-in), a VPN server and Internet connection, and I can work.
One thing that I like to have is Internet access which is not routed via my “anchor” location, so that “the work stuff” goes through VPN and “the fun stuff” not.
It’s really easy to set this up – in properties of your VPN connection, just untick the “Use default gateway on remote network” checkbox:
But then you’ll have an issue with connecting to “the work stuff” – your current default gateway doesn’t know where “the work stuff” network is and how to get there.
It needs a route.
No problem, it’s easy to add a route in Windows (my “the work stuff” network is 192.168.13.0/24 and my VPN gateway is 192.168.14.1, or publicly 141.138.55.154):
```
route add 192.168.13.0 mask 255.255.255.0 192.168.14.1
```
And now you have access to “the work stuff” network again! And Internet access works as it should (not via the “anchor” location)!
Great.
But then you disconnect. And reconnect. And route you’ve added is gone. So, you repeat the procedure. Or script it. Or…
What if I tell you there is actually a better way?
I’m not really sure in which release this came out, but Windows 10/11 now has an updated set of VPN PowerShell cmdlets (which is cool!). For this story, the one we’re most interested in is Add-VpnConnectionRoute.
“So, does that mean that, with it, I can configure my VPN connection to always have the route I need, whenever I connect to VPN? No more adding routes manually?!”
Exactly.
If I use the discussed Add-VpnConnectionRoute on my existing VPN connection, I can add the route I need and it will be written in the connection configuration and made active when the tunnel comes up, while still using the split tunneling.
Let’s see:
- connected to “the work stuff” VPN, and this is (part of) the routing table prior to the route configuration:
```
C:\> route print
===========================================================================
Interface List
...
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1   192.168.12.247     35
...
     192.168.12.0    255.255.255.0         On-link    192.168.12.247    291
   192.168.12.247  255.255.255.255         On-link    192.168.12.247    291
   192.168.12.255  255.255.255.255         On-link    192.168.12.247    291
...
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.12.247    291
...
===========================================================================
Persistent Routes:
  None
...
```
- adding route configuration:
```
Add-VpnConnectionRoute -ConnectionName "MyWorkStuff" -DestinationPrefix "192.168.13.0/24" -RouteMetric 1
```
- checking routes again:
```
C:\> route print
===========================================================================
Interface List
...
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1   192.168.12.247     35
...
   141.138.55.154  255.255.255.255     192.168.12.1   192.168.12.247     36
...
     192.168.12.0    255.255.255.0         On-link    192.168.12.247    291
   192.168.12.247  255.255.255.255         On-link    192.168.12.247    291
   192.168.12.255  255.255.255.255         On-link    192.168.12.247    291
     192.168.13.0    255.255.255.0         On-link     192.168.14.14     36
   192.168.13.255  255.255.255.255         On-link     192.168.14.14    291
     192.168.14.0    255.255.255.0     192.168.14.1    192.168.14.14     36
    192.168.14.14  255.255.255.255         On-link     192.168.14.14    291
...
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.12.247    291
...
===========================================================================
Persistent Routes:
  None
...
```
As you can see, I’ve got new routes in my route table (the result would be the same as with the route add command above), and now I can access “the work stuff” without any issue:
And if I disconnect and connect again – it still works! 😊
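As an added example (not part of the original post), here is the same configuration as a PowerShell script that can be run repeatedly: it switches the connection to split tunneling (the cmdlet equivalent of unticking “Use default gateway on remote network”), adds each work prefix only if the connection profile does not already carry it, and then shows both the routes stored in the profile and what is currently in the live route table. The connection name "MyWorkStuff" and the prefix 192.168.13.0/24 come from the post; the script’s own parameter names are my assumptions.

```powershell
# Added example, not code from the original post.
# Assumptions: the VPN connection is named "MyWorkStuff" and the remote
# work network is 192.168.13.0/24 (both taken from the post); adjust as needed.
param(
    [string]$ConnectionName = "MyWorkStuff",
    [string[]]$WorkPrefixes = @("192.168.13.0/24"),
    [int]$Metric = 1
)

# Fail early if the connection does not exist for this user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Split tunneling must be on; otherwise the remote default gateway is still
# used and every packet goes through the tunnel regardless of the routes below.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Add each prefix only once so the script is safe to re-run. The routes are
# stored in the connection profile and re-applied every time the tunnel comes up.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $WorkPrefixes) {
    if ($existing -contains $prefix) {
        Write-Host "Route $prefix is already configured on '$ConnectionName'"
    }
    else {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName `
                               -DestinationPrefix $prefix `
                               -RouteMetric $Metric -PassThru
    }
}

# What the profile now carries (this is what survives disconnect/reconnect).
Write-Host "Routes stored in the VPN profile:"
(Get-VpnConnection -Name $ConnectionName).Routes |
    Format-Table DestinationPrefix, RouteMetric -AutoSize

# Live check while the tunnel is up: the work prefix should be bound to the
# VPN interface, not to the LAN default gateway. Empty output means the
# tunnel is down or the route has not been applied.
Write-Host "Matching entries in the active route table:"
Get-NetRoute -DestinationPrefix $WorkPrefixes -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize
```

Run it from the user account that owns the VPN connection (if the profile was created for all users, add -AllUserConnection to the Get-, Set- and Add-VpnConnection* calls). Keep the prefix list to exactly the remote networks you need: with split tunneling, anything not listed leaves via the local default gateway, so a too-narrow prefix silently sends work traffic onto the local network, while an over-broad one pulls unrelated traffic into the tunnel.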
Hope it helps someone!
Cheers!
Imho the only workable solution for Windows without scripting.
It’s possible another client will use the gateway address (192.168.14.1) and when you reconnect your client can get another gateway address. (e.g. 192.168.14.2)
I assume that this method will always use the assigned VPN IP as destination address.
Not sure what you mean exactly – my client will always get the gateway address 192.168.14.1 and use it as a destination address. If I misunderstood, feel free to provide more information.