Win10 Split Tunneling and Add-VPNConnectionRoute - Command Accepted But Doesn't Route Correctly


I've set up VPN Connections on our remote Win10 Pro machines. I am able to connect via our Meraki MX64 without problem. When I check the "Use default gateway on remote network" box I'm able to successfully connect to our LAN based hosts. When I uncheck that box, I can successfully connect to the VPN but am unable to reach any local LAN host. I successfully ran the following command in an Administrator Powershell screen to add a VPN connection route:


add-vpnconnectionroute -ConnectionName "<Our VPN Connection>" -DestinationPrefix


That command seems to work, as when I run get-VPNConnection it shows all correct information and SplitTunnel as true.


The problem is that I'm unable to reach any of my local LAN hosts after doing this.


I don't want to use a netsh command, which after a reboot is no longer persistent. When I try a route -p add I too can't get to my local LAN hosts.



Kind of a big deal

And FWIW, the remote PC's ip address is 192.168.1.x.

Head in the Cloud

I was playing with split tunnel last spring. I added a route statement in Windows 10 using the ID of the VPN connector and the subnet of the hosts on the other side of the VPN.


Traffic bound for the internet or my lan did not use the route statement, but traffic bound for the remote network did.

Dave Anderson

Thanks DHAnderson. Three questions:


1. Was your route statement persistent? That is, did you do a


    route -p add mask <Remote host MX address> if <nn> 


    where  nn was the interface out of the route print list?


2. Did you also use the set-vpnconnectionroute command?


3. Did you use the set-vpnconnection command with the -splittunneling $true statement?


Kind of a big deal

If you correctly added the VPN-ConnectionRoute, then when you dial the VPN you can do route print in cmd and you should see the destination via your VPN adapter.


Also you can verify if your route has been added by issuing this in powershell;

(Get-VPNconnection -name "nameofyourvpn").Routes

If the route is shown in last command and in route print after dial, then you probably have not allowed the VPN subnet access to the internal net on your regular firewall rules.

Kind of a big deal

We just use the netsh command - replace ConnectionName with whatever you named the connection and with whatever subnet you want to go out over the vpn.

netsh interface ipv4 add route "CONNECTIONNAME"


For split tunnel vpn client config we have also found that changing the metric on the vpn connection to 1 or 2, you can usually get DNS queries to still go over the VPN (if that is desired) - assuming the dns server is on the subnet you are adding the route for.


I've tried your suggestion earlier, but it doesn't appear to be persistent upon a machine reboot. How do you make it persistent?

Kind of a big deal

If you use the Add-VpnConnectionRoute cmdlet it should really add those routes to the VpnConnection and thus always install them in your pc's routing table when you dial the VPN.

I have an example on my own pc here:

Step 1: verification of the VpnConnection object itself:

PS C:\Users\yyyyyy> Get-VpnConnection -Name "EXAMPLE"

Name                  : EXAMPLE
ServerAddress         :
AllUserConnection     : False
Guid                  : {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
TunnelType            : L2tp
AuthenticationMethod  : {Pap}
EncryptionLevel       : Optional
L2tpIPsecAuth         : Psk
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0

Important here is that SplitTunneling is True.

Step 2: Verify if the VpnConnectionRoute is present in your configuration:

PS C:\Users\yyyyyy> (Get-VpnConnection -Name "EXAMPLE").Routes

DestinationPrefix     :
InterfaceIndex        :
InterfaceAlias        : EXAMPLE
AddressFamily         : IPv4
NextHop               :
Publish               : 0
RouteMetric           : 1
PolicyStore           :

As you can see I have only added one /24 network.

Step 3: Dial the VPN

Step 4: Verify the network adapter and your IP on the VPN:

PS C:\Users\yyyyyy> ipconfig

Windows IP Configuration

PPP adapter EXAMPLE:

Connection-specific DNS Suffix .  :
IPv4 Address. . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :

Step 5: Verify windows routing table

PS C:\Users\yyyyyy> route print
Interface List

32...xx xx xx xx xx xx ......Intel(R) Dual Band Wireless-AC 7265
1...........................Software Loopback Interface 1

IPv4 Route Table
Active Routes:
Network Destination Netmask Gateway Interface Metric           192.168.101.X   192.168.101.XX   35     On-link      26   On-link      281   On-link      281
81.165.XXX.XX   192.168.101.X   192.168.101.XX   36     On-link         192.168.101.XX   291
192.168.101.XX   On-link         192.168.101.XX   291   On-link         192.168.101.XX   291
Persistent Routes:

Here you can clearly see the network being available through the VPN adapter at
Also the address references the Internet IP of the MX I'm connected to.
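The two replies above describe the same procedure: turn on SplitTunneling, store the route in the VPN profile with Add-VpnConnectionRoute, then confirm it both in the profile ((Get-VpnConnection).Routes) and in the live routing table after dialing. The following script is an added example written for this thread, not code posted by any participant or shipped by Meraki; the connection name "EXAMPLE" and the remote LAN prefix 10.0.0.0/24 are placeholder assumptions and must be replaced with your own values. It must run in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example, not from the thread. Placeholders (assumptions): the VPN profile is
# named "EXAMPLE" and the LAN behind the MX is 10.0.0.0/24. Run as Administrator.
$ConnectionName = "EXAMPLE"
$RemoteLan      = "10.0.0.0/24"

# Step 1: split tunneling must be enabled, otherwise "Use default gateway on remote
# network" stays in effect and all traffic is sent through the tunnel.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Step 2: store the route in the VPN profile itself. Unlike "route -p add" against a
# PPP interface index (which changes per dial), this route is installed every time the
# connection is dialed, so it survives reboots. Skip it if it is already present.
$existing = (Get-VpnConnection -Name $ConnectionName).Routes |
    Where-Object { $_.DestinationPrefix -eq $RemoteLan }
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $RemoteLan
}

# Step 3: confirm the profile carries the route and SplitTunneling is True.
Get-VpnConnection -Name $ConnectionName | Format-List Name, SplitTunneling
(Get-VpnConnection -Name $ConnectionName).Routes |
    Format-Table DestinationPrefix, InterfaceAlias, AddressFamily, RouteMetric

# Step 4: dial the VPN (prompts for credentials unless RememberCredential is set).
rasdial $ConnectionName

# Step 5: the route should now appear in the active routing table on the PPP adapter,
# whose InterfaceAlias matches the connection name.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $RemoteLan |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# If the route is present here but LAN hosts are still unreachable, the remaining
# suspect is the firewall rule set on the MX between the VPN client subnet and the LAN.
```

Steps 1 and 2 write to the profile only, so they are safe to re-run; steps 4 and 5 are the verification the posters describe and should be repeated after a reboot to prove persistence.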

Getting noticed

The tunnel has to be connected, and the cmd prompt run as admin. It has always persisted for us.


Great tool, but this doesn't seem to create a persistent route to the new VPN adapter when it's connected. What else do I need to add to get this to be persistent on every reboot? I've tried using the add-vpnconnectionroute command, but the Next Hop shows, not the gateway to the remote LAN gateway.

Thank you for the tool! I tried using it and had a bit of hit or miss success. If I setup the VPN using only full tunnel it returns success and creates the VPN profile. As soon as I add in the exceptions to exclude some traffic (such as Teams related traffic) I get the following error message. 


Unable to create [name of VPN] profile: A general error occurred that is not covered by a more specific error code.
