Route Around The Default Gateway On The Remote Network

Steve Harman digs in and solves a longtime mystery for me regarding VPN connections and default gateways on remote networks.

Most clients we have require that we connect to their network via VPN. Nothing new about that, of course. But some clients require that we check the "Use default gateway on remote network" option when setting up the VPN connection.

Checking that box replaces my default route with one that points at the VPN, so everything not on my directly attached subnet, my Internet traffic included, gets routed through the client's network, and most of the resources on my local network become unreachable while I'm connected.

[Screenshot: the Windows VPN connection properties dialog, showing the "Use default gateway on remote network" checkbox]

Fortunately, Steve didn't give up like I did. He persisted and, following up on a tip by Jon Galloway, figured out how to configure the Windows routing table so that only traffic for the client's network goes over the VPN while everything else keeps using my local gateway.

This so beats my twine-and-wire MacGyver solution of simply setting up Remote Desktop to another machine that is then connected to the VPN.
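The routing-table approach, as an added example that is not part of the original post and not Steve's own write-up: it clears the "Use default gateway on remote network" setting for a VPN connection, registers the client's subnets so Windows adds routes for them through the VPN each time it connects, and then checks that the default route still points at the local adapter. It assumes a Windows 8.1 or later client with the VpnClient and NetTCPIP PowerShell modules, a connection named ClientVPN with saved credentials, and client subnets 10.20.0.0/16 and 172.16.5.0/24; all of those names and addresses are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Hypothetical connection name and subnets.
$ConnectionName = 'ClientVPN'
$ClientSubnets  = @('10.20.0.0/16', '172.16.5.0/24')
$ProbeAddress   = '10.20.1.5'   # a host inside the client's network, used only for the route check

# 1. Uncheck "Use default gateway on remote network" (this is the split-tunneling setting).
#    Add -AllUserConnection to this and the cmdlets below if the connection was created for all users.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. Register the client's subnets on the connection. Windows installs a route for each
#    prefix through the VPN adapter whenever the connection comes up, so the routes
#    survive the VPN-assigned address changing between sessions.
$existing = (Get-VpnConnection -Name $ConnectionName).Routes.DestinationPrefix
foreach ($prefix in $ClientSubnets) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# 3. Dial the connection with the built-in dialer (use "rasdial $ConnectionName /disconnect" to drop it).
rasdial $ConnectionName

# 4. Verify the result. The lowest-metric 0.0.0.0/0 route must belong to the LAN adapter,
#    and an address inside the client's network must be reached through the VPN adapter.
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Select-Object -First 1
$defaultAdapter = (Get-NetAdapter -InterfaceIndex $default.InterfaceIndex).Name
Write-Host "Default route still goes via: $defaultAdapter"

Find-NetRoute -RemoteIPAddress $ProbeAddress |
    Format-List InterfaceAlias, NextHop, DestinationPrefix

# On older clients without the VpnClient module the manual equivalent, run after every
# connect because the VPN-assigned address changes, is:
#   route add 10.20.0.0 mask 255.255.0.0 <address assigned to the VPN adapter>
```

Keep in mind that this is exactly the split-tunnel configuration some client security teams forbid: with it in place your machine is simultaneously on the Internet and inside the client's network, so check their VPN policy before routing around the setting they asked you to enable.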

With persistence and problem solving skills like that, a company would be lucky to hire Steve. So we did this past month!

What others have said

Michael K. Campbell Jan 27, 2007 8:11 AM
# re: Route Around The Default Gateway On The Remote Network
Interesting. I've seen this approach before back when I worked at Altiris... but it always seemed a bit kludge-y.

My solution has just been to fire up a VM on either VMware WorkStation or VMware Server (MS VPC or Virtual Server would work equally well), and put all of my VPN connections/needs on that box (or copies of it - sometimes VPN software doesn't play nicely with others).

I find that that gives me a near seamless way of interacting with clients while allowing me to check email, google for answers, etc... Plus it provides an extra layer/level of protection should my box get compromised... as thieves would then have to log in to my VM as well to be able to attempt to fire up a connection into one of my client's networks. (Not sure how much of a hindrance that would be... but it's a nice bonus).
Steve Harman Jan 27, 2007 9:34 AM
# re: Route Around The Default Gateway On The Remote Network
@Michael: Actually, using a specialized VM image was one of the solutions that both Phil and Jon suggested... but being the stubborn guy that I am, I wasn't happy with having to set up my development environment(s) inside the VM just to do a little work.

But hey... to each, his own!
Haacked Jan 27, 2007 10:58 AM
# re: Route Around The Default Gateway On The Remote Network
Yeah, I like the VM Solution, but it can take a long while to get installed and Steve is in a hurry.

However, probably not a bad idea to set up a VM in your spare time so you have an image ready for whatever may crop up. I think I'll do that myself.
Carlos Jan 29, 2007 11:40 AM
# re: Route Around The Default Gateway On The Remote Network
Actually, this could be a security risk to the network that you are connecting to. This is what is referred to as a Split Tunnel or Split Horizon VPN and is usually frowned upon by security administrators.

The theory here is that your Internet connection could be a possible attack vector into their network. There are many, many examples of this. Just google "split tunnel vpn security" and you'll see why this is a bad idea in general.

Here are some links:

http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

http://www.isaserver.org/tutorials/2004fixipsectunnel.html

http://www142.nortelnetworks.com/bvdoc/contivity/doc_html/315899A00/chapte7a.htm
Michael Jan 25, 2008 7:02 AM
# re: Route Around The Default Gateway On The Remote Network
See http://technet.microsoft.com/en-us/library/bb878117.aspx
