Bypass VPN for regular traffic

For as many places as I’ve been where they use VPNs, I’ve yet to find one that is set up correctly.  I suppose there is a good reason for this, but I consider the problem to be mostly Microsoft’s fault.

I mean, wouldn’t you assume that if it were possible to use your regular connection for all of the network traffic EXCEPT for the traffic that needs to go through the VPN, that is what you would want?  But no.  Microsoft sets it up so that ALL of your traffic goes through the VPN connection.

What this means is that getting a connection to a search engine in order to look for a solution to a problem will take about twice as long as it should since your traffic first has to go to the VPN server and then out to the search engine.

Here’s how you fix it:

In Vista:

Go into the Control Panel and click the “Network and Sharing Center” icon.

On the left panel of the resulting screen you should see a link, “Manage network connections.”  Click it.

The next screen will have icons for all of your connections.  There should be one for your VPN.  Right-click it and select “Properties” from the menu.

In the “Properties” screen, click the “Networking” tab and then select “Internet Protocol Version 4” and click the “Properties” button.

Click the “Advanced” button.  This will bring up a new window where you can un-check “Use default gateway on remote network.”

OK out to save everything.

In XP:

Go into the Control Panel and click “Network Connections.”

Right click the icon for the VPN and select “Properties” from the menu.

In the “Properties” screen, click the “Networking” tab and select “Internet Protocol” from the list and click the “Properties” button.

On the window that pops up, click the “Advanced” button.

Un-check the “Use default gateway on remote network” check box.

What this does:

Now the only traffic that goes over the VPN is traffic bound for the subnet the VPN connection’s own address is on; everything else, including your web browsing, uses your regular connection’s default gateway.

If you need other traffic to also go through the VPN, you’ll need to play with the routing tables.
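As an added example (not from the original post), the PowerShell below shows the value behind the check box and how to verify and extend the result: `IpPrioritizeRemote` in the RAS phonebook is what the “Use default gateway on remote network” box toggles, `Get-NetRoute` shows which adapter currently owns the default route, and `New-NetRoute` is one way to “play with the routing tables” for another internal subnet. It assumes Windows 8/Server 2012 or later for the Net* cmdlets, the per-user phonebook path, and that the PPP adapter’s alias equals the connection name; the prefix `10.20.0.0/16` and the name `Office VPN` are placeholders.

```powershell
# Added example, not from the original post.
# IpPrioritizeRemote: 1 = all traffic via VPN (Microsoft's default), 0 = box unchecked.
# Assumes the per-user phonebook path and Windows 8/Server 2012+ Net* cmdlets.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

# Report every entry in the phonebook with its remote-gateway setting, so you
# (or an administrator auditing the machine) can see which connections split-tunnel.
function Get-VpnGatewaySetting {
    param([string]$Path = $pbk)
    $entry = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }
        if ($entry -and $line -match '^IpPrioritizeRemote=([01])$') {
            [pscustomobject]@{
                Connection       = $entry
                UseRemoteGateway = ($Matches[1] -eq '1')   # $true = full tunnel
            }
        }
    }
}

# The adapter that owns the IPv4 default route. With a full-tunnel VPN connected
# the PPP adapter (named after the connection) comes first; after unchecking the
# box it should be your physical NIC or Wi-Fi adapter again.
function Get-DefaultRouteOwner {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object RouteMetric, InterfaceMetric |
        Select-Object -First 1 InterfaceAlias, NextHop, RouteMetric
}

# "Play with the routing tables": once the box is unchecked only the VPN adapter's
# own subnet is reachable through it. Send one more internal prefix over the VPN
# adapter as an on-link route (PPP links are point-to-point, so no next hop).
# Assumes the PPP adapter's alias equals the connection name, as ipconfig shows it.
function Add-VpnSubnetRoute {
    param([Parameter(Mandatory)][string]$Connection,
          [string]$Prefix = '10.20.0.0/16')   # constructed placeholder prefix
    $ifIndex = (Get-NetIPAddress -InterfaceAlias $Connection -AddressFamily IPv4).InterfaceIndex
    # ActiveStore = not persisted across reboots; drop it to make the route permanent.
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $ifIndex -PolicyStore ActiveStore
}

# Usage (New-NetRoute needs an elevated prompt):
Get-VpnGatewaySetting | Format-Table -AutoSize
Get-DefaultRouteOwner
# Add-VpnSubnetRoute -Connection 'Office VPN' -Prefix '10.20.0.0/16'
```

On Windows 8 and later the same phonebook value is exposed by the VpnClient module as `Set-VpnConnection -Name '<connection>' -SplitTunneling $true` (box unchecked) or `$false` (box checked), which is also the switch an administrator would use to put a connection back to full tunnel.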


Other places talking about VPNs

Update on the VPN Issue – If there’s any kind of interest in a formal review of the Netgear SSL VPN device, I’ll be happy to type it out, but in a nutshell, if you’re dealing with a small office of users, and you want a firewall with VPN capabilities, …

Should VPN be this hard? – Not a problem, as the Cisco security appliance we bought supports VPN. And configuring the Cisco IPSec VPN was quite simple. I was pretty happy when, with just an hour of looking at the documentation and fiddling with the configuration, …

Easy VPN-Setup on the iPhone, secure browsing on public networks – I’ve just set up my iPhone to make a VPN connection to my home servers via PPTP. No, this protocol is not unsecure. It’s a long lasting urban myth, so don’t mail me with some crap about it. I’ve chosen a strong password and that’s it. …

  • http://TheJoyOfFlex.com David Coletta

    Not to be a dicknerdweenie or anything, but if you don’t run all your computer’s network traffic over the VPN, then your computer becomes an attack vector into the network into which you’re VPN-ing. That’s why the default configuration is to run all traffic over the VPN. Any company that permits you to bypass the VPN for external traffic isn’t serious about their network security.

  • Dave

    I’ll be the first to admit that I’m not a network admin. So, help me out here…

    What is the difference between doing what I’ve said and disconnecting from the VPN, doing my stuff, and then reconnecting, other than:

    1) My way is less of a hassle and
    2) There’s less immediate impact on the network.

    If the computer doesn’t have its own virus detection etc., I would expect the security issues to be about the same.

    And, just for information’s sake, how would a network admin force all traffic through the hosting network?

  • http://gopaultech.com paul

    I just did this and yes, you are right, it does default through the remote gateway. I think the issue is segmenting the networks. Someone smarter than me will have to explain all that.

  • http://standalone-sysadmin.blogspot.com Matt Simmons

    Hi, thanks very much for the link to Standalone Sysadmin!

    I agree that an unsecured machine is a security vector, but anytime you have a machine outside of the confines of your network connecting inside logically, it’s an attack vector.

    Network security is always a trade off between security and usability.