No internet over PPTP VPN

alexs7

Vendor
Dec 28, 2004
5
US
Hi, we have recently set up a VPN at a client's office using a D-Link VPN router. The office has a Server 2k3 machine for DNS/active dir. Although you can successfully establish a connection, join the domain remotely, and browse network drives, you have no internet! I have been told (quite vaguely though) the solution to this is to write a batch file to point the client to the proper gateway on the network. Because when you connect, ipconfig tells you that you are your own gateway (local IP=gateway IP). If I disable the Use Default Gateway option in the Win XP PPTP client, I get internet (through my own connection) but can no longer see the network.

If someone has knowledge as to how to write the batch file, or another solution, I would really appreciate it.

Thanks in advance,

-Alex
 
Here is the info you need to route internet traffic through your regular gateway, and network traffic over your MS vpn:

route add 0.0.0.0 mask 0.0.0.0 [your own gateway IP] metric 1

route add [your remote network subnet a.b.c.0] mask 255.255.255.0 [your statically assigned VPN client IP address] metric 1

Example, in which case your own network has IPs in the range of 10.0.0.1 - 10.0.0.254 and your remote network has a range of 192.168.1.1 - 192.168.1.254, and your local internet gateway is 10.0.0.1 and the statically assigned VPN IP (and also gateway) is 192.168.1.200:

route add 0.0.0.0 mask 0.0.0.0 10.0.0.1 metric 1
route add 192.168.1.0 mask 255.255.255.0 192.168.1.200 metric 1

And make sure USE DEFAULT GATEWAY is checked.
 
I can't seem to get it to work. Perhaps a little bit of extra info might help....

The VPN router has a virtual IP of 192.168.2.1 (but the gateway is 192.168.1.1) and assigns IPs in the 192.168.2.XXX range, so ipconfig gives the following:

DNS Suffix : *none*
IP: 192.168.2.20
subnet: 255.255.255.255
gateway: 192.168.2.20

Would this solution only work when the client has a static IP?

-Alex
 
Can you give me IP info on both adapters on your client (VPN + LAN)?

Then I can make the correct routes for you to copy/paste.

 
Here's all the ipconfig info from windows while connected to VPN. The last group is VPN.

Windows IP Configuration

Host Name . . . . . . . . . . . . : alex-desktop
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI
Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-0E-A6-8D-52-DB
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ASUS 802.11b Network Adapter
Physical Address. . . . . . . . . : 00-0E-A6-AA-89-E1
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

PPP adapter Earthlink:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 68.166.131.243
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 68.166.131.243
DNS Servers . . . . . . . . . . . : 207.69.188.186
207.69.188.185
NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter greenstreet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.22
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.2.22
DNS Servers . . . . . . . . . . . : 192.168.1.102
 
As you first said your IP was 192.168.2.20, by now it's become 192.168.2.22, so that means you're getting a new IP (and gateway) every time you connect. See if you can reserve an IP address for each VPN connection (check your VPN router settings), so that your VPN IP becomes static.

Secondly, you're hooked directly to the internet, presumably through an ADSL USB modem (if I am correct about this, want my advice? Buy an Ethernet modem/router, if you like also with a WiFi access point). Safer than a direct connection. Much easier also for internet sharing.

Try these static routes after connecting to VPN:

route add 0.0.0.0 mask 0.0.0.0 68.166.131.243 metric 1
route add 192.168.2.0 mask 255.255.255.0 192.168.2.22 metric 1 (last IP: fill in your current IP given at that moment)

Also check if your internet and default gateway IPs are static; if they change every time you connect, your static route must also change every time.
 
Thanks for the help. Do you think I can use %1 as a variable for dynamic IPs?
 
Maybe. I have no idea because I've never had much use for variables, and so I haven't got any experience with them.

Did the static routes do the trick for you?
 
Are you sure your VPN client is set to allow split routing? If not then you'll only be able to access resources local to the host site. This is a security feature not a fault.
--p
 
It is possible, I use PPTP VPN with the MS dial-up client and these routes worked for me, although the values for me are different.
 
I just downloaded the manual and couldn't find an option for split tunneling. This is a policy rule that prevents you having a connection to the internet at the same time that you are connected to the VPN protected network. It's a security feature to prevent your remote machine acting as a router between the 'net and the private network, therefore neutralizing your firewalls that you spent all your $$ on. You'll find this on most VPN servers and "real" clients.

---p
 
For the standard users that is a wise decision, I agree, but the option should always be there for advanced users who know what they are doing. I myself use VPN a lot, both the MS VPN client and the Kerio Winroute Firewall proprietary VPN.

The MS client indeed by default routes all WAN and internet traffic through the tunnel, but by deleting the default route on the client and adding your own routes, you can easily bypass this.

The Kerio VPN client automatically routes only WAN traffic through the tunnel, and internet traffic through the local internet gateway, the split tunneling as you referred to. But Kerio Winroute Firewall has SPI that also checks VPN traffic. So any packets not originating from the client itself are blocked by default.

But as far as MS VPN is concerned, you are right. Split tunneling can pose a security risk.
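
Added example, not part of the original thread: the posts above describe the risk that a split-tunnelled client acts as a router between the internet and the private network, and this Python script audits `ipconfig /all` and `route print` text for that condition. The sample text is constructed from the thread's addressing, the five-column route rows are a simplified form of the `route print` table, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's addressing, not captured output.
IPCONFIG = """\
Windows IP Configuration
   IP Routing Enabled. . . . . . . . : Yes
PPP adapter greenstreet:
   IP Address. . . . . . . . . . . . : 192.168.2.22
"""
# Columns as in `route print`: destination, netmask, gateway, interface, metric.
FULL_TUNNEL = """\
0.0.0.0      0.0.0.0        192.168.2.22    192.168.2.22    1
0.0.0.0      0.0.0.0        68.166.131.243  68.166.131.243  2
"""
SPLIT_TUNNEL = """\
0.0.0.0      0.0.0.0        68.166.131.243  68.166.131.243  1
0.0.0.0      0.0.0.0        192.168.2.22    192.168.2.22    1
192.168.2.0  255.255.255.0  192.168.2.22    192.168.2.22    1
"""

def adapter_ips(ipconfig_text):
    """Map adapter name -> IPv4 address from `ipconfig /all` style text."""
    ips, name = {}, None
    for line in ipconfig_text.splitlines():
        header = re.match(r"\s*\w+ adapter (.+):\s*$", line)
        if header:
            name = header.group(1)
        addr = re.search(r"IP Address[ .]*: (\d+\.\d+\.\d+\.\d+)", line)
        if addr and name:
            ips[name] = addr.group(1)
    return ips

def parse_routes(route_text):
    """Return (network, gateway, interface, metric) for each 5-column row."""
    rows = [line.split() for line in route_text.splitlines()]
    return [(ipaddress.ip_network(f"{r[0]}/{r[1]}"), r[2], r[3], int(r[4]))
            for r in rows if len(r) == 5]

def audit(ipconfig_text, route_text, vpn_adapter):
    """Flag split tunnelling and whether the client could forward packets."""
    vpn_ip = adapter_ips(ipconfig_text)[vpn_adapter]
    defaults = [r for r in parse_routes(route_text) if r[0].prefixlen == 0]
    lowest = min((r[3] for r in defaults), default=None)
    # A lowest-metric default route outside the VPN (ties included) means split.
    split = any(r[2] != vpn_ip for r in defaults if r[3] == lowest)
    forwarding = bool(re.search(r"IP Routing Enabled[ .]*: Yes", ipconfig_text))
    return {"split_tunnel": split, "ip_forwarding": forwarding,
            "bridge_risk": split and forwarding}
```

Calling `audit(IPCONFIG, SPLIT_TUNNEL, "greenstreet")` reports both a split tunnel and IP forwarding, the combination the thread warns about; the full-tunnel table does not.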
 
Thanks guys for all the input. For the time being, we have resorted to using remote connection to a computer on the network. It's actually faster for the kind of software clients have to run and saves them the time to download megs and megs of data. The scripting hasn't been working, and in any case, clients' ISP IPs are never static.
As for security, since we've eliminated actual data and file transfer over the internet, I think it's pretty secure. Thanks for pointing out the risk with split tunneling though. Perhaps in the future, as the need for VPN grows on the network, we will add a dedicated VPN server running a program such as Kerio or something similar.

Thanks again,
-Alex
 