VPN question

Hi,

We recently dropped TeamViewer at work, in favor of the embedded VPN features in Windows 10.

So far I have been able to connect to my work place, create network drives and connect to RDP sessions.

Unfortunately there's a downside to it: I can't surf anymore locally, as long as the VPN connection is connected. Firefox / Edge / IE stay stuck.

Do you have any idea on how I should set my computer in order to have access to both local (192.168.1.0/24) and distant (10.10.10.0/32) networks, without losing internet browsing ability?

Thanks in advance for your help.
 
I'm subscribing to this. When I am connected to work via VPN at home, all in/out traffic goes through the VPN tunnel, including browsers, which are slow (and monitored lol)
 
Hey @Sasqui, we're in the same boat it seems.

At least your answer helped me put some words on the symptoms, and I came up with this answer which seems to work:

Huh, I was going to write specifically TCP/IP, and there it is. We use SonicWall VPN, so I do not know if that is an option, I'll check over the weekend.

:toast:
 
How are you connecting to the VPN, is it set up to route all traffic through the tunnel? Is it properly routing port 80 and 443 traffic through the tunnel and not blocking it on the other end's gateway?

How is the VPN set up at your office?
PPTP? L2TP? IPSec? OpenVPN?

I prefer OpenVPN, makes life easy...can host it on Windows Server, Linux, and many routers can host an OpenVPN server as well. You can have local traffic for shared drives, network maps, work and then route Internet traffic through your local ISP connection so you don't lose speed.

Depending on what you're doing, you might want all traffic traversing the VPN tunnel. But it sounds like you might have something set to force traffic through that connection. There is a setting in Windows VPN client that can help with this, but really this should be managed from the VPN server-side not the VPN client-side.

You can uncheck "Use Remote Gateway" option in Advanced TCP/IP settings under your VPN's configuration from Network and Sharing Center.

I'm assuming you have a Windows Server VPN server or hopefully an OpenVPN server. If you are allowed to manage it, I could possibly help you get it configured to allow local web traffic and VPN traversed LAN traffic. Ensuring correct DNS servers so that LAN and NETBIOS are functioning. Takes some work, but is worth the effort when a VPN is the way to go.

If your place of work is using PPTP for VPN services, go back to TeamViewer, even with recent hacks...it's more secure than PPTP. More-so even if you use 2FA, and monitor login from the web UI account information page.
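
The client-side setting discussed in this post can also be applied and checked from PowerShell with the built-in Windows VPN cmdlets. This is an added example, not part of the original post; the connection name `Work VPN`, the `10.10.10.0/24` prefix and the two test addresses are assumptions to replace with your own values.

```powershell
# Added example: enable split tunneling on a built-in Windows VPN profile
# and verify which interface each destination would use.
$ConnectionName = 'Work VPN'        # hypothetical name of the VPN profile
$CorpPrefix     = '10.10.10.0/24'   # assumed office subnet behind the tunnel

# Current state: SplitTunneling = False means every packet, web browsing
# included, is sent to the remote gateway while the VPN is connected.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling

# Same effect as unchecking the remote default gateway option in the
# Advanced TCP/IP settings of the VPN adapter.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -PassThru |
    Select-Object Name, SplitTunneling

# With split tunneling on, only explicitly routed prefixes use the tunnel.
# Add the office subnet unless the profile already carries that route.
$existing = (Get-VpnConnection -Name $ConnectionName).Routes |
    Where-Object { $_.DestinationPrefix -eq $CorpPrefix }
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName `
        -DestinationPrefix $CorpPrefix -PassThru
}

# Reconnect the VPN, then confirm the routing decision for one office host
# and one Internet host (both addresses are constructed samples).
foreach ($ip in '10.10.10.10', '1.1.1.1') {
    Find-NetRoute -RemoteIPAddress $ip |
        Where-Object { $_.DestinationPrefix } |
        Select-Object @{ n = 'Target'; e = { $ip } },
                      InterfaceAlias, DestinationPrefix, NextHop
}
```

The office address should resolve to the VPN interface and the Internet address to the local adapter. With this setting, web traffic no longer passes through whatever filtering or monitoring the office gateway applies, which is one reason the post says the decision belongs on the server side.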
 
Thanks for your argumented answer.

The distant broadband connection is only half the one I'm using at home, its only redeeming points are static IP and symmetric bandwidth. Transferring 80/443 traffic to it would be a dumb move.

I'm not even sure what we're using at work for VPN server, but I suspect it is an embedded feature in our Fortinet hardware firewall (I could be wrong though).
 
The MSP I work for is ditching TeamViewer as well, even though we haven't had any issues and had implemented 2FA. But with the recent hacks and TeamViewer's denial of issue with their service or software, my bosses are no longer confident in them...I'm assuming your IT director is in the same spot. TeamViewer made remote sessions easy, and used AES256/SHA256/RSA3096 iirc.

Fortinet should be able to host a decent VPN tunnel, I have more experience with PFSense, SonicWall, Cisco and DD-WRT for hosting VPN tunnels. You might have your boss consider an OpenVPN server though...even if hosted by a VM within the network.

Many road-warrior-style VPN setups (computer connecting to VPN from the field) are set up to not pass Internet traffic, but then I see many that are...it really depends on what the company requires and needs, and who is setting it up. Windows Server VPN can use PPTP, L2TP, IPSec with IKEv2... IPSec is the way to go. But higher level of encryption requires more resources to handle both client and server-side. That's why many folks go PPTP, it's super light on resources because it is very low-level security-wise.

2012R2 can do a fine job hosting a VPN server, and if you guys are on a domain, and you use your domain credentials to authenticate against the VPN tunnel, it could very well be hosted on your 2012R2 DC or server that relies on its AD database. I am pretty sure Fortinet can push this kind of traffic to the server as well for authentication, similar to wireless networks using RADIUS.

I prefer IPSec and OpenVPN all day long, and if you have PFSense or a free Linux server, OpenVPN is pretty damn easy to set up and manage, has excellent security options, user management options, etc. But IPSec, especially integrated with Windows is secure and useful and easier for remote users to just use the built-in VPN client found in 7, 8 and 10.
 
I will make sure to discuss the point thoroughly on Monday, and I will use your recommendations, should any concerns arise.

We should use a hardened VPN protocol, not just PPTP, it's a fact. Generalizing the use of VPN on our campus would also be awesome, we could indeed couple our AD and the Fortinet to authenticate our 200 teachers, God knows they would love to use this feature at home. It's ambitious, and we could aim higher than the actual 3 accounts my workmates and I are using.
 
Keep us posted! I think you're on a good track to getting things sorted. :toast:
 
On the SonicWall VPN client the option you are looking for is split tunnels. Enable that and your internet traffic routes locally rather than across the VPN.
The SonicWall admin can disable that feature if they feel it necessary or they just don't like you.
 
I suspect it's the latter, lol. Actually, I'll ask our IT guy if he'll change that for me. He probably will though I don't know if there will be any unintended consequences... he may already know.
 