Client VPN split tunneling?

SOLVED
jon1
Here to help

Hello,

Is it possible for a Client VPN user to use split tunneling with their connection to an MX device?

Thanks, Jon

1 ACCEPTED SOLUTION
RyanB
Meraki Employee

Hi Jon,

It is possible through the settings on the VPN connection on the client side.

In Windows the setting is unchecking "use default gateway on remote network".

In Mac the setting is unchecking "send all traffic over VPN connection".

https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN

However, when you uncheck this, the VPN client will only want to route traffic destined for the Client VPN subnet to the MX. This means you'll need to set up static routes on the VPN client for other subnets you want to go over the VPN tunnel.

In Windows:

route ADD 192.168.35.0 MASK 255.255.255.0 192.168.0.2
route ADD (SUBNET) MASK (SUBNET MASK) (GATEWAY)

In Mac:

route -n add 192.168.35.0/24 192.168.0.2
route -n add (SUBNET)/(MASK) (GATEWAY)
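The following is an added example, not part of RyanB's answer or of the Meraki documentation: a PowerShell check a Windows user can run after connecting, to confirm that the connection really is split-tunnelled the way the answer describes (internal subnets go through the VPN adapter, everything else still leaves through the local default gateway). It assumes the VPN entry is named "Meraki VPN", that 192.168.35.10 sits in the 192.168.35.0/24 subnet used in the answer, and that 203.0.113.1 (a TEST-NET-3 documentation address) stands in for any public host; it also relies on Windows giving the VPN adapter the connection name as its interface alias.

```powershell
# Added example (not from the thread or Meraki): verify that a Windows client is
# really split-tunnelling once the VPN is up. Connection name, internal host and
# public test address are assumptions; replace them with your own values.
function Test-SplitTunnelRouting {
    param(
        [string]   $ConnectionName = 'Meraki VPN',        # assumed connection name
        [string[]] $InternalHosts  = @('192.168.35.10'),  # assumed host behind the MX
        [string]   $PublicHost     = '203.0.113.1'        # TEST-NET-3 address, must NOT use the tunnel
    )

    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    if ($vpn.ConnectionStatus -ne 'Connected') {
        throw "$ConnectionName is not connected; connect first, then re-run."
    }

    # Windows names the RAS/VPN adapter after the connection, so the interface
    # alias of the route Windows would pick tells us which way a packet goes.
    $report = foreach ($h in ($InternalHosts + $PublicHost)) {
        $route = Find-NetRoute -RemoteIPAddress $h |
                 Where-Object { $_.DestinationPrefix } |   # keep the NetRoute object, drop the NetIPAddress one
                 Select-Object -First 1
        $viaVpn = ($route.InterfaceAlias -eq $ConnectionName)
        # Internal hosts must use the tunnel; the public host must not.
        $ok = if ($h -eq $PublicHost) { -not $viaVpn } else { $viaVpn }
        [pscustomobject]@{
            Destination = $h
            ViaVPN      = $viaVpn
            Interface   = $route.InterfaceAlias
            NextHop     = $route.NextHop
            AsExpected  = $ok
        }
    }

    # A full tunnel ("use default gateway on remote network" still checked)
    # shows up as a 0.0.0.0/0 route bound to the VPN adapter.
    $fullTunnel = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                  Where-Object { $_.InterfaceAlias -eq $ConnectionName }

    [pscustomobject]@{
        SplitTunnelingFlag = $vpn.SplitTunneling
        DefaultRouteViaVPN = [bool]$fullTunnel
        Routes             = $report
        Healthy            = ($vpn.SplitTunneling -and -not $fullTunnel -and
                              -not ($report.AsExpected -contains $false))
    }
}

# Run it while the VPN is connected; Healthy is $false if an internal host would
# leave via the LAN adapter (missing static route) or if a full tunnel is in place.
Test-SplitTunnelRouting | Format-List
```

If an internal host reports ViaVPN = False, that is exactly the situation RyanB describes: the client has no route for that subnet, so the static route (or a persistent route on the connection) still has to be added.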

 

AhmadShoaib
Conversationalist

Thanks for this information. Is there any configuration document for Client VPN split tunneling on Android and iPhone or any other smartphones?

Or can you recommend any app to do this split tunneling?

Also interested in this. Require split tunnel functionality on android 

I find this not very satisfying as I don't want to manually enroll routes on every single client, no matter if it is possible by scripting or not.

Will there be a solution for the routes to be pushed by the VPN DHCP Server via L2TP? It should be possible with DHCP option 121 / 249.

Would using a 3rd party DNS service like Google Cloud DNS solve this? https://cloud.google.com/dns/

When connecting to the VPN you need a local DHCP Server issuing an IP and via DHCP options push the routes that are activated in the Meraki dashboard, so split tunnelling is possible. I don't see how a cloud based DNS would help in that case?

That's what I thought too, but reading further into the Google Cloud DNS, it says this:

When to use Cloud DNS

DNS is a hierarchical distributed database that lets you store IP addresses and other data, and look them up by name. Google Cloud DNS lets you publish your zones and records in the DNS without the burden of managing your own DNS servers and software.

It also mentions split horizon DNS and lists the ability to manage domain resolution to public IP and domain resolution to internal (private) IP.

Link: https://cloud.google.com/dns/docs/overview

That sure is a nice feature for certain cases, but DNS resolution is not the problem with split tunneling; the static routing is. As long as the client doesn't know that, for example, 172.0.0.0/8 should go through the tunnel (which Meraki advises to put manually in the routing table of the client), it will try to use the standard interface and not the VPN device and thus fail to reach the host within the 172.0.0.0/8 network.

One sure can activate the VPN device to be the standard gateway, but then ALL traffic will go through the VPN, which (for us) is not desirable. We only want to have business traffic going through the VPN tunnel and the rest of the (private) traffic go through the user's private connection.

Hey DSchn, ahh so cloud DNS won't work then. So, to achieve split tunnels for local and public domain routing with Meraki equipment, you either have to have your own on-prem DNS server or make the DNS settings manually on the clients?

DNS doesn't have to do anything with VPN at all, at least not regarding split tunneling/routing.

KMNEP
Getting noticed

can we automate the routes needed to add into client station and push it from meraki??

PhilipDAth
Kind of a big deal

>can we automate the routes needed to add into client station and push it from meraki??

Push from Meraki, no.

Automate via AD group policy, yes.

PhilipDAth
Kind of a big deal

Annoyingly, this functionality is actually natively available in Windows - but is not exposed in the GUI.

I have put up a web page on how to configure this with PowerShell.  The advantage of this is that the settings "stick" and you don't need to manipulate the route table.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

PhilipDAth,

Thanks for the link. I'm using the VPN setup script and it is working great.

Questions:

1) If I use Meraki cloud authentication do I need the -DNSSuffix "[insert domain name]"? What is this for?

2) Meraki's documentation says to select "Require encryption (disconnect if server declines)". Your script uses -EncryptionLevel Optional. If I change it to -EncryptionLevel Required, I get an error saying:

The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.

Should I be worried about using the Optional encryption level?

Thanks, Jon1

PhilipDAth
Kind of a big deal

>If I use Meraki cloud authentication do I need the -DNSSuffix "[insert domain name]"? What is this for?

If you go "ping host", Windows will append the DNS suffix to the host name to form a FQDN. If you are using Active Directory and want to be able to access hosts using just their name then you'll need this.  Otherwise you won't need it.

>2) Meraki's documentation says to select "Require encryption

An IPsec VPN is brought up first, and then L2TP runs over it.  Everything is encrypted, regardless of the option chosen.

The PowerShell script is working on Windows 10 machines. Win 7 doesn't recognize the add-vpnconnection command. Do I need to add a module to PowerShell? I am running as Administrator. Or is there a different script for Win 7 machines?

Thanks, jon1

PhilipDAth
Kind of a big deal

You might need to update the version of Powershell you are using - or the OS.  🙂

This is fantastic, thanks so much. 

So, every time we need to have new routes, we need to run a new script. This seems not possible for end users who are not very technically sound.

Is there any development that the routes be pushed from Meraki??

PhilipDAth
Kind of a big deal

>So, every time we need to have new routes, we need to run a new script.

Yes.  Hence why many people deploy this via group policy.  Then you can update all the user machines easily.

GIdenJoe
Kind of a big deal

You should use the PowerShell command Add-VpnConnectionRoute.

If you add a bunch of VpnConnectionRoutes to an already defined VpnConnection those routes will only be added when the VPN is dialed.
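As an added example that is neither PhilipDAth's ifm.net.nz script nor anything published by Meraki, the PowerShell below ties the thread's pieces together: it creates the L2TP/IPsec connection with -SplitTunneling (the scripted equivalent of unchecking "use default gateway on remote network"), stores the internal subnets as per-connection routes with Add-VpnConnectionRoute as GIdenJoe suggests so nothing has to be added to the route table by hand, and chooses the -EncryptionLevel that Windows accepts for the authentication method, which is the "PAP and CHAP do not support Encryption settings 'Required'" error jon1 ran into. The connection name "Meraki VPN", the server address vpn.example.com, the subnet list and the default authentication method are assumptions to be replaced with your own values; the pre-shared key is prompted for rather than embedded.

```powershell
# Added example: configure a Windows L2TP/IPsec Client VPN entry with split
# tunneling and a persistent per-connection route list. Not the ifm.net.nz
# script and not Meraki code; every value in param() is an assumption.
param(
    [string]   $ConnectionName  = 'Meraki VPN',          # assumed connection name
    [string]   $ServerAddress   = 'vpn.example.com',     # assumed: your MX public hostname or IP
    [string[]] $InternalSubnets = @('192.168.35.0/24'),  # assumed: subnets behind the MX, in CIDR form
    [string]   $AuthMethod      = 'Pap',                 # assumed: Pap, Chap, MSChapv2 or Eap, whatever your MX auth backend accepts
    [string]   $DnsSuffix       = ''                     # only needed if short hostnames must resolve (Active Directory)
)

# Windows rejects -EncryptionLevel Required/Maximum with PAP or CHAP (the error
# quoted earlier in the thread). As PhilipDAth notes, L2TP runs inside the IPsec
# tunnel, so the traffic is encrypted at the IPsec layer whichever level is set.
$encryption = if ($AuthMethod -in @('MSChapv2', 'Eap')) { 'Required' } else { 'Optional' }

$existing = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $existing) {
    # Prompt for the PSK instead of hard-coding it into a script that gets deployed.
    $psk = Read-Host -Prompt "L2TP pre-shared key for $ConnectionName"
    $params = @{
        Name                 = $ConnectionName
        ServerAddress        = $ServerAddress
        TunnelType           = 'L2tp'
        L2tpPsk              = $psk
        AuthenticationMethod = $AuthMethod
        EncryptionLevel      = $encryption
        SplitTunneling       = $true   # same effect as unchecking "use default gateway on remote network"
        RememberCredential   = $false
        Force                = $true
    }
    if ($DnsSuffix) { $params['DnsSuffix'] = $DnsSuffix }
    Add-VpnConnection @params
}
else {
    # The entry already exists (script re-run, or a hand-made connection with the
    # same name): leave it in place and just make sure split tunneling is on.
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force
}

# Reconcile the route list stored on the connection. These routes are installed
# only while the VPN is dialed and go away when it drops, so the script never
# touches the system route table directly; re-running it with a new subnet list
# is all that is needed when the internal networks change.
$current = @((Get-VpnConnection -Name $ConnectionName).Routes.DestinationPrefix | Where-Object { $_ })
foreach ($prefix in $InternalSubnets) {
    if ($prefix -notin $current) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}
foreach ($prefix in $current) {
    if ($prefix -notin $InternalSubnets) {
        Remove-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Show the resulting configuration for verification.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling, AuthenticationMethod, EncryptionLevel,
        @{ Name = 'Routes'; Expression = { $_.Routes.DestinationPrefix -join ', ' } }
```

Run it from an elevated PowerShell on Windows 8.1 or 10 (the VpnClient cmdlets are not present on Windows 7, which is the add-vpnconnection problem jon1 reported). Because the script only creates the connection when none with that name exists and otherwise reconciles the route list, it can be re-run by Group Policy whenever the subnet list changes, which is the deployment model PhilipDAth describes.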

The script from ifm.net.nz is a great way to set up a split tunnel.  I have tested it manually and it works, but when I try to use the script I get the error "Unable to remove existing outdated instance(s)...".  Any suggestions?

PhilipDAth
Kind of a big deal

Have you already got a VPN connection with the same name as you are trying to create?

Are you running it from an Administrative PowerShell?

I did create one manually with the same name but have deleted it to run the script.

Yes, I am running it from an administrative PowerShell.

 
