Bypass VPN for regular traffic

For as many places as I’ve been where they use VPNs, I’ve yet to find one that is set up correctly.  I suppose there is a good reason for this, but I consider the problem to be mostly Microsoft’s fault.

I mean, wouldn’t you assume that if it were possible to use your regular connection for all of your network traffic EXCEPT the traffic that needs to go through the VPN, that is what you would want?  But no.  Microsoft sets it up so that ALL of your traffic goes through the VPN connection.

What this means is that getting a connection to a search engine in order to look for a solution to a problem takes about twice as long as it should, since your traffic first has to go to the VPN server and only then out to the search engine.

Here’s how you fix it:

In Vista:

Go into the Control Panel and click the “Network and Sharing Center” icon.

On the left panel of the resulting screen you should see a link, “Manage network connections.”  Click it.

The next screen will have icons for all of your connections.  There should be one for your VPN.  Right-click it and select “Properties” from the menu.

In the “Properties” screen, click the “Networking” tab, then select “Internet Protocol Version 4” and click the “Properties” button.

Click the “Advanced” button.  This will bring up a new window where you can un-check “Use default gateway on remote network.”

OK out to save everything.

In XP:

Go into the Control Panel and click “Network Connections.”

Right click the icon for the VPN and select “Properties” from the menu.

In the “Properties” screen, click the “Networking” tab, select “Internet Protocol” from the list, and click the “Properties” button.

On the window that pops up, click the “Advanced” button.

Un-check the “Use default gateway on remote network” check box.

What this does:

Now the only traffic sent through the VPN is traffic for destinations on the same subnet as the address your VPN connection was given; everything else uses your regular connection.

If you need other traffic to also go through the VPN, you’ll need to add routes for those destinations to the routing table yourself.
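As an added illustration (not code from the original post), here is a small Python model of the route selection Windows performs, longest prefix first and then lowest metric. It shows which interface carries each destination with the “Use default gateway on remote network” box checked, with it unchecked, and with it unchecked plus a static route added by hand for a second remote subnet. All addresses and metrics are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination network
    interface: str                 # "lan" = regular connection, "vpn" = tunnel
    metric: int                    # lower wins among equal-length prefixes


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, then lowest metric: the rule Windows applies."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Which interface carries a packet to dst under this routing table."""
    route = select_route(table, dst)
    return route.interface if route else None


# Constructed scenario (hypothetical addresses): laptop on a 192.168.1.0/24
# home LAN; the VPN assigns it an address on 10.8.0.0/24.  Checking the box
# is what adds the 0.0.0.0/0-via-vpn route with a lower metric than the LAN's.
LAN_NET  = Route(ipaddress.IPv4Network("192.168.1.0/24"), "lan", 25)
LAN_DFLT = Route(ipaddress.IPv4Network("0.0.0.0/0"),      "lan", 25)
VPN_NET  = Route(ipaddress.IPv4Network("10.8.0.0/24"),    "vpn", 1)
VPN_DFLT = Route(ipaddress.IPv4Network("0.0.0.0/0"),      "vpn", 1)

FULL_TUNNEL  = [LAN_NET, LAN_DFLT, VPN_NET, VPN_DFLT]  # box checked (default)
SPLIT_TUNNEL = [LAN_NET, LAN_DFLT, VPN_NET]            # box unchecked
# A second office subnet is reached only after adding a static route by hand:
SPLIT_PLUS_STATIC = SPLIT_TUNNEL + [Route(ipaddress.IPv4Network("10.20.0.0/16"), "vpn", 1)]

if __name__ == "__main__":
    tables = [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("split+static", SPLIT_PLUS_STATIC)]
    for dst in ["203.0.113.10", "10.8.0.1", "10.20.5.7", "192.168.1.10"]:
        print(dst, {name: egress(t, dst) for name, t in tables})
```

In the split tables the laptop is reachable on its home LAN and on the VPN subnet at the same time, which is the exposure the first comment below describes.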


Other places talking about VPNs

Update on the VPN Issue – If there’s any kind of interest in a formal review of the Netgear SSL VPN device, I’ll be happy to type it out, but in a nutshell, if you’re dealing with a small office of users, and you want a firewall with VPN capabilities, …

Should VPN be this hard? – Not a problem, as the Cisco security appliance we bought supports VPN. And configuring the Cisco IPSec VPN was quite simple. I was pretty happy when, with just an hour of looking at the documentation and fiddling with the configuration, …

Easy VPN-Setup on the iPhone, secure browsing on public networks – I’ve just set up my iPhone to make a VPN connection to my home servers via PPTP. No, this protocol is not unsecure. It’s a long lasting urban myth, so don’t mail me with some crap about it. I’ve chosen a strong password and that’s it. …


4 Responses to “Bypass VPN for regular traffic”

  • Not to be a dicknerdweenie or anything, but if you don’t run all your computer’s network traffic over the VPN, then your computer becomes an attack vector into the network into which you’re VPN-ing. That’s why the default configuration is to run all traffic over the VPN. Any company that permits you to bypass the VPN for external traffic isn’t serious about their network security.

  • Dave:

    I’ll be the first to admit that I’m not a network admin. So, help me out here…

    What is the difference between doing what I’ve said and disconnecting from the VPN, doing my stuff, and then reconnecting, other than:

    1) My way is less of a hassle and
    2) There’s less immediate impact on the network.

    If the computer doesn’t have its own virus detection etc., I would expect the security issues to be about the same.

    And, just for information’s sake, how would a network admin force all traffic through the hosting network?

  • paul:

    I just did this and yes, you are right, it does default through the remote gateway. I think the issue is segmenting the networks. Someone smarter than me will have to explain all that.

  • Hi, thanks very much for the link to Standalone Sysadmin!

    I agree that an unsecured machine is a security vector, but anytime you have a machine outside of the confines of your network connecting inside logically, it’s an attack vector.

    Network security is always a trade off between security and usability.