I was playing with split tunnel last spring.  I added a route statement in Windows 10 using the ID of the VPN connector and the subnet of the hosts on the other side of the VPN.

Traffic bound for the internet or my lan did not use the route statement, but traffic bound for the remote network did.

Thanks DHAnderson. Three questions:

1. Was your route statement persistent? That is, did you do a

    route -p add 0.0.0.0 mask 0.0.0.0. <Remote host MX address> if <nn> 

    where  nn was the interface out of the route print list?

2. Did you also use the set-vpnconnectionroute command?

3. Did you use the set-vpnconnection command with the -splittunneling $true statement?

If you correctly added the VPN-ConnectionRoute then when you dial the VPN you could to route print in cmd and you should see the destination via your VPN adapter.

Also you can verify if your route has been added by issuing this in powershell;

(Get-VPNconnection -name "nameofyourvpn").Routes

If the route is shown in last command and in route print after dial, then you probably have not allowed the VPN subnet access to the internal net on your regular firewall rules.

We just use the netsh command  - replace ConnectionName with whatever you named the connection and 127.0.0.1 with whatever subnet you want to go out over the vpn.

For split tunnel vpn client config we have also found that changing the metric on the vpn connection to 1 or 2, you can usually get DNS queries to still go over the VPN (if that is desired) - assuming the dns server is on the subnet you are adding the route for.

I've tried your suggestion earlier, but it doesn't appear to be persistent upon a machine reboot. How do you make it persistent?

If you use the Add-VpnConnectionRoute cmdlet it should really add those routes to the VpnConnection and thus always installing it in your pc's routing table when you dial the VPN.

I have an example on my own pc here:

Step 1: verification of the VpnConnection object itself:

PS C:\Users\yyyyyy> Get-VpnConnection -Name "EXAMPLE"

Name                  : EXAMPLE
ServerAddress         : EXAMPLE-xxxxxxxx.dynamic-m.com
AllUserConnection     : False
Guid                  : {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
TunnelType            : L2tp
AuthenticationMethod  : {Pap}
EncryptionLevel       : Optional
L2tpIPsecAuth         : Psk
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0

Important here is that SplitTunneling is True.

Step 2: Verify if the VpnConnectionRoute is present in your configuration:

PS C:\Users\yyyyyy> (Get-VpnConnection -Name "EXAMPLE").Routes

DestinationPrefix     : 10.100.5.0/24
InterfaceIndex        :
InterfaceAlias        : EXAMPLE
AddressFamily         : IPv4
NextHop               : 0.0.0.0
Publish               : 0
RouteMetric           : 1
PolicyStore           :

As you can see I have only added one /24 network.

Step 3: Dial the VPN

Step 4: Verify the network adapter and your IP on the VPN:

PS C:\Users\yyyyyy> ipconfig

Windows IP Configuration

PPP adapter EXAMPLE:

Connection-specific DNS Suffix .  :
IPv4 Address. . . . . . . . . . . : 10.100.15.6
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Step 5: Verify windows routing table

PS C:\Users\yyyyyy> route print
===========================================================================
Interface List

107...........................EXAMPLE
32...xx xx xx xx xx xx ......Intel(R) Dual Band Wireless-AC 7265
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0         0.0.0.0           192.168.101.X   192.168.101.XX   35
10.100.5.0      255.255.255.0     On-link         10.100.15.6      26
10.100.5.255    255.255.255.255   On-link         10.100.15.6      281
10.100.15.6     255.255.255.255   On-link         10.100.15.6      281
81.165.XXX.XX   255.255.255.255   192.168.101.X   192.168.101.XX   36
192.168.101.0   255.255.255.0     On-link         192.168.101.XX   291
192.168.101.XX  255.255.255.255   On-link         192.168.101.XX   291
192.168.101.255 255.255.255.255   On-link         192.168.101.XX   291
===========================================================================
Persistent Routes:
None

Here you can clearly see the 10.100.5.0/24 network being available through the VPN adapter at 10.100.15.6.
Also the 81.165.xxx.xx address references the Internet IP of the MX I'm connected to.

the tunnel has to be connected, and the cmd prompt run as admin.  It has always persisted for us.

Great tool, but this doesn't seem to create a persistent route to the new VPN adapter when it's connected. What else do I need to add to get this to be persistent on every reboot? I've tried using the add-vpnconnectionroute command, but the Next Hop shows 0.0.0.0, not the gateway to the remote LAN gateway.

Thank you for the tool! I tried using it and had a bit of hit or miss success. If I setup the VPN using only full tunnel it returns success and creates the VPN profile. As soon as I add in the exceptions to exclude some traffic (such as Teams related traffic) I get the following error message. 

Unable to create [name of VPN] profile: A general error occurred that is not covered by a more specific error code.