Thursday, July 31, 2014

windows 8.1 - How can I control which traffic goes through a VPN?



My work just changed policies about how we can connect from home -- previously, I could ssh into a gateway and then ssh into whatever internal machines I needed to use. Now, however, I have to use a VPN to connect in and then I can just ssh directly to whichever machines I need.



That's cool, but I don't want all of my traffic to go through the VPN for a variety of reasons. It is using the Cisco AnyConnect Mobility Client and I looked through the settings I could find but can't find anything about how to select which traffic goes through the VPN and which goes through my regular internet connection.




Can I set it up on an application level -- like always route Firefox through internet but Chrome through the VPN? Or can I set it up for port traffic -- set only my SSH traffic to go through my VPN and leave everything else through my regular internet?


Answer



Here is a great document on manually configuring a split tunnel on the system's side (if it's possible). You can control where your Windows PC sends its traffic by creating routing rules on your system, and specifically controlling the interfaces that traffic to certain IP ranges leaves through. This is probably the best way to accomplish your goal without involving the IT department of your company, and it will ensure all your regular traffic leaves your home internet connection regardless of browser used. This may not work depending on the IT admin's configuration of the AnyConnect software, but it's general policy to configure it for split-tunnel. See here.




Differences in Client Split Tunneling Behavior for Traffic within the Subnet



The AnyConnect client and the legacy Cisco VPN client (the IPsec/IKEv1 client) behave differently when passing traffic to sites within the same subnet as the IP address assigned by the ASA. With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if the IP address assigned by the ASA is 10.1.1.1 with a mask of 255.0.0.0, the endpoint device passes all traffic destined to 10.0.0.0/8, regardless of the split tunneling policy.



By contrast, the legacy Cisco VPN client only passes traffic to addresses specified by the split-tunneling policy, regardless of the subnet assigned to the client.




Therefore, use a netmask for the assigned IP address that properly references the expected local subnet.




Here's the doc:
https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN



This could be used to check what the software is doing when a connection is established, and possibly to manually configure a split tunnel.



I'll add the steps here, in case the link ever gets broken.




1) On the network adaptor created by the VPN software, under IPv4, Advanced, make sure "Use default gateway on remote network" is unchecked.



2) In a command window, type: route print



3) Look for the VPN Interface in the list, and note its ID (a number like 12). You can then add specific routes by typing:



route add <destination network> mask <subnet mask> 0.0.0.0 IF <interface ID> -p



eg.



route add 10.10.10.0 mask 255.255.255.0 0.0.0.0 IF 12 -p


Here is another question that asks the same question. Good luck!
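As an added example (not part of the answer above, and not Cisco's or Meraki's code), the following Python script automates the check behind steps 2 and 3: it parses a `route print` dump, finds the interface ID of the VPN adapter by name, reports whether a default route (0.0.0.0/0) still leaves through the VPN-assigned address (i.e. the client is still full-tunnelling), flags any on-link VPN route that is broader than the prefixes you actually want tunnelled (the /8 behaviour described in the Cisco note), and prints the persistent `route add ... IF <id> -p` commands for the prefixes you do want. The embedded `route print` text is a constructed sample; the adapter names, interface indices and addresses in it are hypothetical, and the VPN-assigned address (`10.20.30.40`) is something you would read from `ipconfig` on your own machine.

```python
"""Inspect a Windows `route print` dump and emit persistent split-tunnel routes."""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `route print` output (Windows 8.1 layout).
# Adapter names, interface indices and addresses are hypothetical.
ROUTE_PRINT = """\
===========================================================================
Interface List
 12...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
  7...a4 1f 72 5b c3 9e ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
          0.0.0.0          0.0.0.0         On-link       10.20.30.40      2
         10.0.0.0        255.0.0.0         On-link       10.20.30.40    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or a next-hop address
    interface: str    # address of the local interface the route leaves on
    metric: int


# " 12...00 05 9a 3c 7a 00 ......Adapter name" / "  1......Software Loopback Interface 1"
_IFACE_RE = re.compile(r"^\s*(\d+)\.{3}(?:[0-9a-f]{2} )*\.+(.*\S)\s*$", re.I)
# "destination netmask gateway interface metric"
_ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_interfaces(text: str) -> Dict[int, str]:
    """Map interface index -> adapter name from the 'Interface List' block."""
    result: Dict[int, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Interface List"):
            in_block = True
            continue
        if in_block and line.startswith("====") and result:
            break  # closing separator of the block
        m = _IFACE_RE.match(line) if in_block else None
        if m:
            result[int(m.group(1))] = m.group(2)
    return result


def parse_routes(text: str) -> List[Route]:
    """Collect every IPv4 route row (header and separator lines do not match)."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(ipaddress.IPv4Network((dest, mask)), gw, iface, int(metric)))
    return routes


def find_interface(interfaces: Dict[int, str], name_fragment: str) -> int:
    """Return the single interface index whose adapter name contains the fragment."""
    hits = [i for i, n in interfaces.items() if name_fragment.lower() in n.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one adapter matching {name_fragment!r}, got {hits}")
    return hits[0]


def full_tunnel_routes(routes: List[Route], vpn_ip: str) -> List[Route]:
    """Default routes leaving via the VPN address: any hit means everything is tunnelled."""
    return [r for r in routes if r.network.prefixlen == 0 and r.interface == vpn_ip]


def broad_vpn_routes(routes: List[Route], vpn_ip: str, wanted: List[str]) -> List[Route]:
    """Non-default VPN routes that already cover (and exceed) a prefix you asked for."""
    wanted_nets = [ipaddress.IPv4Network(w) for w in wanted]
    return [
        r for r in routes
        if r.interface == vpn_ip and r.network.prefixlen > 0
        and any(w != r.network and w.subnet_of(r.network) for w in wanted_nets)
    ]


def split_tunnel_commands(prefixes: List[str], if_index: int) -> List[str]:
    """Persistent on-link routes for the internal prefixes, in the form the answer uses."""
    cmds = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        cmds.append(f"route add {net.network_address} mask {net.netmask} 0.0.0.0 IF {if_index} -p")
    return cmds


def report(text: str, adapter_fragment: str, vpn_ip: str, wanted: List[str]) -> List[str]:
    ifaces, routes = parse_interfaces(text), parse_routes(text)
    idx = find_interface(ifaces, adapter_fragment)
    lines = [f"VPN adapter '{ifaces[idx]}' is IF {idx}"]
    for r in full_tunnel_routes(routes, vpn_ip):
        lines.append(f"WARNING: default route via {r.interface} (metric {r.metric}) still sends all traffic into the tunnel")
    for r in broad_vpn_routes(routes, vpn_ip, wanted):
        lines.append(f"NOTE: client already routes {r.network} on-link via the VPN, wider than what you asked for")
    return lines + split_tunnel_commands(wanted, idx)


if __name__ == "__main__":
    print("\n".join(report(ROUTE_PRINT, "AnyConnect", "10.20.30.40", ["10.10.10.0/24", "10.10.20.0/24"])))
```

Feed it the real output (`route print > routes.txt`) and run the emitted commands from an elevated command prompt; the WARNING line is the signal that step 1 has not taken effect (or that the AnyConnect profile forces a full tunnel), and the NOTE line is the case the Cisco excerpt describes, where a wide assigned netmask already pulls a whole /8 into the tunnel no matter what you add.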

