Yeah, maybe you're lucky and the default settings of your VPN connection automatically separate corporate-destined traffic from the rest. If not, and if you don't want to have to choose between the office and everything else, you need to alter the Windows routing tables manually. It's actually simple, and here are the steps.
Before connecting to the VPN, I check my routing table:
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 ff dd 08 e7 3a ...... TAP VPN Adapter
0x4 ...00 ff 4d 14 1d 6d ...... Anchorfree HSS Adapter - Packet Scheduler Minipo
rt
0x10006 ...00 19 d2 37 cc 6f ...... Intel(R) PRO/Wireless 3945ABG Network Connec
tion
0x20007 ...00 17 a4 d2 57 7c ...... Broadcom NetXtreme Gigabit Ethernet
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 1
65.54.166.122 255.255.255.255 192.168.1.1 192.168.1.3 1
66.235.133.14 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.130.139 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.136.136 255.255.255.255 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
207.38.101.11 255.255.255.255 192.168.1.1 192.168.1.3 1
207.38.101.12 255.255.255.255 192.168.1.1 192.168.1.3 1
208.92.236.184 255.255.255.255 192.168.1.1 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 4 1
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 10006 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
Here we see my default gateway is 192.168.1.1, which is actually my DSL modem. Let's see what changes with the VPN connection.
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 ff dd 08 e7 3a ...... TAP VPN Adapter
0x4 ...00 ff 4d 14 1d 6d ...... Anchorfree HSS Adapter - Packet Scheduler Minipo
rt
0x10006 ...00 19 d2 37 cc 6f ...... Intel(R) PRO/Wireless 3945ABG Network Connec
tion
0x20007 ...00 17 a4 d2 57 7c ...... Broadcom NetXtreme Gigabit Ethernet
0x90008 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 2
0.0.0.0 0.0.0.0 192.168.112.45 192.168.112.45 1
65.54.166.122 255.255.255.255 192.168.1.1 192.168.1.3 1
66.235.133.14 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.136.136 255.255.255.255 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.112.255 255.255.255.255 192.168.112.45 192.168.112.45 50
207.38.101.11 255.255.255.255 192.168.1.1 192.168.1.3 1
207.38.101.12 255.255.255.255 192.168.1.1 192.168.1.3 1
208.92.236.184 255.255.255.255 192.168.1.1 192.168.1.3 1
212.252.168.241 255.255.255.255 192.168.1.1 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 10006 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 4 1
255.255.255.255 255.255.255.255 192.168.112.45 192.168.112.45 1
Default Gateway: 192.168.112.45
===========================================================================
Persistent Routes:
None
C:\>ipconfig /all
PPP adapter YYY VPN Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.112.45
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.1.2.1
Primary WINS Server . . . . . . . : 10.1.2.1
Yes, I have a new interface (0x90008), and the default route has changed to my VPN-assigned IP address (192.168.112.45).
When I check, I can verify that I can access the nodes on the corporate network but cannot access any websites on the Internet without using a proxy (which is how it works on the company network). I can connect to the Internet using the corporate proxy, but they will block certain connections they do not like, such as VoIP.
To fix it, we'll change the default route back to my DSL modem and configure a route for nodes on the corporate network (which luckily are all on the 10.0.0.0/8 private network).
C:\>route delete 0.0.0.0
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 ff dd 08 e7 3a ...... TAP VPN Adapter
0x4 ...00 ff 4d 14 1d 6d ...... Anchorfree HSS Adapter - Packet Scheduler Minipo
rt
0x10006 ...00 19 d2 37 cc 6f ...... Intel(R) PRO/Wireless 3945ABG Network Connec
tion
0x20007 ...00 17 a4 d2 57 7c ...... Broadcom NetXtreme Gigabit Ethernet
0x90008 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
65.54.166.122 255.255.255.255 192.168.1.1 192.168.1.3 1
66.235.133.14 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.136.136 255.255.255.255 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.112.255 255.255.255.255 192.168.112.45 192.168.112.45 50
207.38.101.11 255.255.255.255 192.168.1.1 192.168.1.3 1
207.38.101.12 255.255.255.255 192.168.1.1 192.168.1.3 1
208.92.236.184 255.255.255.255 192.168.1.1 192.168.1.3 1
212.252.168.241 255.255.255.255 192.168.1.1 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 4 1
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 10006 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.112.45 192.168.112.45 1
===========================================================================
Persistent Routes:
None
C:\>route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 if 0x20007
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 ff dd 08 e7 3a ...... TAP VPN Adapter
0x4 ...00 ff 4d 14 1d 6d ...... Anchorfree HSS Adapter - Packet Scheduler Minipo
rt
0x10006 ...00 19 d2 37 cc 6f ...... Intel(R) PRO/Wireless 3945ABG Network Connec
tion
0x20007 ...00 17 a4 d2 57 7c ...... Broadcom NetXtreme Gigabit Ethernet
0x90008 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 1
65.54.166.122 255.255.255.255 192.168.1.1 192.168.1.3 1
66.235.133.14 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.136.136 255.255.255.255 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.112.255 255.255.255.255 192.168.112.45 192.168.112.45 50
207.38.101.11 255.255.255.255 192.168.1.1 192.168.1.3 1
207.38.101.12 255.255.255.255 192.168.1.1 192.168.1.3 1
208.92.236.184 255.255.255.255 192.168.1.1 192.168.1.3 1
212.252.168.241 255.255.255.255 192.168.1.1 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 4 1
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 10006 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.112.45 192.168.112.45 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
If I try to connect to the Internet without the proxy, I can see it works, but I cannot connect to any node on the corporate network. Yes, we need a route for it.
C:\>route add 10.0.0.0 mask 255.0.0.0 192.168.112.45
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 ff dd 08 e7 3a ...... TAP VPN Adapter
0x4 ...00 ff 4d 14 1d 6d ...... Anchorfree HSS Adapter - Packet Scheduler Minipo
rt
0x10006 ...00 19 d2 37 cc 6f ...... Intel(R) PRO/Wireless 3945ABG Network Connec
tion
0x20007 ...00 17 a4 d2 57 7c ...... Broadcom NetXtreme Gigabit Ethernet
0x90008 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 1
10.0.0.0 255.0.0.0 192.168.112.45 192.168.112.45 1
65.54.166.122 255.255.255.255 192.168.1.1 192.168.1.3 1
66.235.133.14 255.255.255.255 192.168.1.1 192.168.1.3 1
86.108.136.136 255.255.255.255 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.112.255 255.255.255.255 192.168.112.45 192.168.112.45 50
207.38.101.11 255.255.255.255 192.168.1.1 192.168.1.3 1
207.38.101.12 255.255.255.255 192.168.1.1 192.168.1.3 1
208.92.236.184 255.255.255.255 192.168.1.1 192.168.1.3 1
212.252.168.241 255.255.255.255 192.168.1.1 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 3 1
255.255.255.255 255.255.255.255 192.168.1.3 10006 1
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.1.3 4 1
255.255.255.255 255.255.255.255 192.168.112.45 192.168.112.45 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
Now my Internet traffic goes directly over my DSL connection, skipping the VPN, while I can still access nodes on the corporate network.
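To check which gateway a given destination will actually use in each of the tables above, the following added example (not part of the original post) applies the route selection rule to rows copied from the route print output: longest matching prefix first, lowest metric as the tie-breaker. The function names and the test destination 203.0.113.10 are assumptions made for the example.

```python
import ipaddress

# Constructed input: a subset of the "Active Routes" rows shown on this page.
# Columns: destination, netmask, gateway, interface, metric.
VPN_DEFAULT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 2
0.0.0.0 0.0.0.0 192.168.112.45 192.168.112.45 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
"""
SPLIT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 1
10.0.0.0 255.0.0.0 192.168.112.45 192.168.112.45 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.112.45 255.255.255.255 127.0.0.1 127.0.0.1 50
"""

def parse_routes(text):
    """Parse 'Active Routes' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, "Default Gateway:" lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route row after all
    return routes

def next_hop(routes, dest):
    """Gateway chosen for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1]

if __name__ == "__main__":
    for name, table in (("VPN default", VPN_DEFAULT), ("split", SPLIT)):
        routes = parse_routes(table)
        # 10.1.2.1 is the corporate DNS server from ipconfig above;
        # 203.0.113.10 stands in for an arbitrary Internet host.
        for dest in ("10.1.2.1", "203.0.113.10"):
            print(f"{name:12} {dest:13} -> {next_hop(routes, dest)}")
```

With the VPN's default route in place, both destinations resolve to 192.168.112.45 because its 0.0.0.0 entry has metric 1 against the DSL entry's 2; after the fix, only 10.0.0.0/8 does.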