Windows 10 Split VPN

Solved
MMoss
Building a reputation

Is there a way to split the VPN tunnel using the native Windows 10 client? I don't want to backhaul everything to the home office and saturate our pipe more than it already is. If that's not possible, or not easy to do for the average user, what alternatives would work?

17 Replies
Nash
Kind of a big deal

You have to touch each PC, but it's otherwise trivial.

 

Create the VPN connection.

 

Then:

 

 

$ConnectionName = 'Saved VPN Name'   # name of the VPN connection you created in Settings
$Destination = '192.168.100.0/24'    # subnet that should go through the tunnel
# Switch the connection to split tunneling: only routed prefixes use the VPN
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -WA SilentlyContinue
# Add a route for the destination prefix via the VPN; repeat for each subnet
Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Destination

 

 

Remove -AllUserConnection if it's NOT an -AllUserConnection.

 

The scripts in my sig have this baked in. I do need to update the run-and-done to actually use an array. Figured out how to teach non-programming people how one populates an array, finally.
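An added example, not Nash's signature script and not Cisco Meraki code, that turns the two commands above into a re-runnable deployment script: it creates the connection if it is missing, switches it to split tunneling and adds an array of routes, skipping any that are already stored. Because re-running it is harmless it can be pushed by PDQ, a GPO logon script or Intune. The server address, the pre-shared key, the L2TP/IPsec + PAP settings and the example subnets are assumptions (placeholders); set them to match your MX.

```powershell
<#
  Added example (not from the thread): create or update a Windows 10 client VPN connection,
  switch it to split tunneling and add a list of routed prefixes. Safe to re-run.
  Assumptions: server address, PSK, tunnel/auth settings and subnets below are placeholders.
#>
param(
    [string]   $ConnectionName = 'Saved VPN Name',        # name used in the thread
    [string]   $ServerAddress  = 'vpn.example.com',       # assumption: MX public hostname or IP
    [string]   $L2tpPsk        = 'REPLACE-WITH-THE-PSK',  # assumption: placeholder; a real PSK must not ship in a world-readable script
    [string[]] $Destinations   = @('192.168.100.0/24', '192.168.110.0/24'),  # assumption: example subnets
    [switch]   $AllUsers                                  # per-machine connection (needs admin); omit for per-user
)

# Add-VpnConnectionRoute takes -ConnectionName while the other cmdlets take -Name, hence two splats.
$byName = @{ Name = $ConnectionName }
$byConn = @{ ConnectionName = $ConnectionName }
if ($AllUsers) {
    $byName['AllUserConnection'] = $true
    $byConn['AllUserConnection'] = $true
}

# 1. Create the phonebook entry only if it does not exist yet (idempotent for re-runs).
$existing = Get-VpnConnection @byName -ErrorAction SilentlyContinue
if (-not $existing) {
    # PAP is acceptable here only because the L2TP session runs inside the IPsec tunnel;
    # never use PAP on a tunnel type that does not encrypt the link first.
    Add-VpnConnection @byName -ServerAddress $ServerAddress -TunnelType L2tp -L2tpPsk $L2tpPsk `
        -AuthenticationMethod Pap -EncryptionLevel Optional -Force
    Write-Host "Created VPN connection '$ConnectionName'."
}

# 2. Split tunneling: only prefixes added with Add-VpnConnectionRoute go through the tunnel;
#    everything else leaves via the local default gateway.
Set-VpnConnection @byName -SplitTunneling $true -WarningAction SilentlyContinue

# 3. Add each route that is not already stored on the connection.
$present = @((Get-VpnConnection @byName).Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $Destinations) {
    if ($present -contains $prefix) {
        Write-Host "Route $prefix already present, skipping."
        continue
    }
    Add-VpnConnectionRoute @byConn -DestinationPrefix $prefix
    Write-Host "Added route $prefix."
}

# 4. Show what is now persisted in the phonebook entry.
Get-VpnConnection @byName |
    Select-Object Name, TunnelType, SplitTunneling,
        @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix -join ', ' } }
```

Run it once with -AllUsers from an elevated prompt for a per-machine connection (the PDQ/GPO case), or without it in the user's own session for a per-user connection that needs no admin rights; the stored routes and the SplitTunneling flag live in the phonebook entry, so they survive reboots and reconnects.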

MMoss
Building a reputation

@Nash Unfortunately I'll never be able to explain anything to the non-programming people here. That said, I can add multiple Destinations and the VPN will route to those destinations only, while everything else goes out the local internet? Is the script persistent, or does it need to be run again after a reboot or a disconnect from the VPN?

Nash
Kind of a big deal
(Accepted Solution)

Routes are persistent.

 

You can absolutely add multiple routes.

 

If you provide instructions, and your end users can follow instructions, you can give them this script if necessary.

 

My partner works with low technical literacy insurance people, and they can all follow instructions to rebuild their VPN connection w a script.

 

Just modify it to NOT be an AllUserConnection as per the comments in my script, so they don't need admin.

 

His instructions include screenshots, but boil down to:

 

  1. Open PowerShell
  2. set-executionpolicy -scope process unrestricted -force
  3. cd [path to where script lives]
  4. ./script_name.ps1
  5. Use desktop shortcut [VPN Name] to connect to VPN.
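An added check, not part of Nash's post, for the two claims in it: that the routes are persistent and that the user-run script leaves the connection split-tunnelled. It reads the stored phonebook entry (what survives reboots) and, when the tunnel is up, compares it with the live routing table. Assumptions: the connection name passed in, that the VPN interface alias equals the connection name (the Windows RAS default), and that a route wider than a /8 is suspicious.

```powershell
# Added example (not from the thread): verify a stored VPN connection is really split
# tunnelled and, while connected, that the live routing table agrees with it.
function Test-SplitTunnelState {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [switch] $AllUsers,            # set when the connection was created with -AllUserConnection
        [int] $MinPrefixLength = 8     # assumption: anything wider than a /8 is probably a mistake
    )
    $get = @{ Name = $ConnectionName; ErrorAction = 'SilentlyContinue' }
    if ($AllUsers) { $get['AllUserConnection'] = $true }

    $conn = Get-VpnConnection @get
    if (-not $conn) {
        Write-Warning "No VPN connection named '$ConnectionName' (check the -AllUsers switch)."
        return $false
    }
    $ok = $true

    # Stored configuration: this is what persists across reboots and reconnects.
    if (-not $conn.SplitTunneling) {
        Write-Warning "SplitTunneling is off: all traffic will be backhauled through the tunnel."
        $ok = $false
    }
    $stored = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
    if ($stored.Count -eq 0) {
        Write-Warning "Split tunneling is on but no routes are stored; nothing will reach the office LAN."
        $ok = $false
    }
    foreach ($prefix in $stored) {
        $len = [int]($prefix.Split('/')[1])
        if ($len -lt $MinPrefixLength) {
            # 0.0.0.0/0 in the route list quietly turns the split tunnel back into a full tunnel.
            Write-Warning "Route $prefix is wider than /$MinPrefixLength; is that intended?"
            $ok = $false
        }
    }

    # Live state: only meaningful while the tunnel is up.
    if ($conn.ConnectionStatus -eq 'Connected') {
        $live = @(Get-NetRoute -AddressFamily IPv4 -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue)
        $livePrefixes = @($live | ForEach-Object { $_.DestinationPrefix })
        if ($livePrefixes -contains '0.0.0.0/0') {
            Write-Warning "A default route points at the VPN interface: traffic is not being split."
            $ok = $false
        }
        foreach ($prefix in $stored) {
            if ($livePrefixes -notcontains $prefix) {
                Write-Warning "Stored route $prefix is missing from the live routing table on '$ConnectionName'."
                $ok = $false
            }
        }
    } else {
        Write-Host "Connection is $($conn.ConnectionStatus); connect it and re-run to verify live routes."
    }
    return $ok
}

# Usage with the connection name assumed from the thread; returns $true when everything checks out.
Test-SplitTunnelState -ConnectionName 'Saved VPN Name'
```

Run it once before the user connects (it reports on the stored entry alone) and once after, from the same context the connection was created in (elevated with -AllUsers for a per-machine entry, otherwise as the user).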
MMoss
Building a reputation

I don't disagree, but let me rephrase: "We don't know how to, can you do it for us?" They basically won't read the directions, or they just skip to "it's too hard" and someone from IT will end up needing to do it for them. Easier to just remote in and run it ourselves or push it with PDQ, unfortunately, lol.

MMoss
Building a reputation

@Nash 

 

Worked like a charm, used the full creation script and pushed it with PDQ. Our Help desk crew was ecstatic lol.

PhilipDAth
Kind of a big deal

I've got clients auto-deploying the VPN using group policy in Active Directory.

 

Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.

 

Then never touch it again.

Nash
Kind of a big deal


@PhilipDAth wrote:

I've got clients auto-deploying the VPN using group policy in Active Directory.

 

Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.

 

Then never touch it again.


Deploying via GPO would be my dream, but I can't get my systems folks to do that. I only just now got somebody to start trying to do it via RMM... and that's super fun, because he's got to figure out how to make ConnectWise Automate populate the required variables. Wish me luck.

Roger_Beurskens
Building a reputation

@Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.

 

The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.

Including split tunneling.

 

Working really great 😄 

Nash
Kind of a big deal


@Roger_Beurskens wrote:

@Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.

 

The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.

Including split tunneling.

 

Working really great 😄 


Thank you!! I'm so glad it helped. 

Brettvice
New here

Hi, 

 

Is it possible to add all office 365 addresses as the $Destination or is it internal subnets only?

 

How does that work?

MMoss
Building a reputation

You can place anything in the VPN, including public IPs. I route my LAN IPs, but I add in the Microsoft IPs as well so they go through the VPN back to the home office. Anything added to the list will be sent back over the VPN and then on to its destination. Below is one of the lists I've used, from when I was originally sent the script.

 

 

$Data = 'XXX.XXX.0.0/24','XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$Voice = 'XXX.XXX.0.0/24','1XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$MS = '104.146.128.0/17','13.107.128.0/22','13.107.136.0/22','13.107.18.10/31','13.107.6.152/31','13.107.64.0/18',
      '131.253.33.215/32','132.245.0.0/16','150.171.32.0/22','150.171.40.0/22','191.234.140.0/22','204.79.197.215/32',
      '23.103.160.0/20','40.104.0.0/15','40.108.128.0/17','40.96.0.0/13','52.104.0.0/14','52.112.0.0/14','52.96.0.0/14',
      '52.120.0.0/14'
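An added example, not MMoss's script, covering the lists in this post and the DestinationPrefix error the following replies troubleshoot: it merges several route lists (LAN data, voice and the Microsoft 365 prefixes routed back to the office), rejects any entry that is not a valid IPv4 CIDR string, normalises prefixes to their network address, drops duplicates, and only then feeds them to Add-VpnConnectionRoute. The private ranges are constructed placeholders for the redacted subnets; the Microsoft prefixes are copied from the post above; the connection name is the one assumed throughout the thread.

```powershell
# Added example (not from the thread): validate, normalise and de-duplicate route lists
# before adding them to a split-tunnel VPN connection.
function ConvertTo-NetworkPrefix {
    # Returns 'a.b.c.d/n' with host bits cleared, or $null when the input is not IPv4 CIDR.
    param([Parameter(Mandatory)] [string] $Prefix)
    $parts = $Prefix.Trim().Split('/')
    if ($parts.Count -ne 2) { return $null }
    $ip = $null
    $len = 0
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    if (-not [int]::TryParse($parts[1], [ref]$len) -or $len -lt 0 -or $len -gt 32) { return $null }

    # Mask the address with the prefix length using 64-bit signed arithmetic to avoid overflow.
    $bytes = $ip.GetAddressBytes()          # network byte order
    [Array]::Reverse($bytes)                # BitConverter is little-endian on Windows
    $addr = [long][BitConverter]::ToUInt32($bytes, 0)
    $mask = ([long]4294967295 -shl (32 - $len)) -band 4294967295
    $net  = [BitConverter]::GetBytes([uint32]($addr -band $mask))
    [Array]::Reverse($net)
    return ('{0}/{1}' -f ($net -join '.'), $len)
}

function Merge-RoutePrefixes {
    # Validates, normalises and de-duplicates the lists; invalid entries are reported, not silently dropped.
    param([Parameter(Mandatory)] [object[]] $Lists)
    $seen = @{}
    $out  = New-Object System.Collections.Generic.List[string]
    foreach ($list in $Lists) {
        foreach ($entry in $list) {
            $norm = ConvertTo-NetworkPrefix $entry
            if (-not $norm) {
                # An unquoted 104.146.128.0/17 is parsed as arithmetic, not a string; quote every entry.
                Write-Warning "Skipping '$entry': not an IPv4 CIDR prefix (check the quotes)."
                continue
            }
            if ($norm -ne $entry.Trim()) { Write-Warning "'$entry' had host bits set; using $norm." }
            if ($seen.ContainsKey($norm)) { continue }
            $seen[$norm] = $true
            $out.Add($norm)
        }
    }
    return $out.ToArray()
}

# Constructed placeholders for the redacted LAN and voice subnets; the overlap is deliberate.
$Data  = '192.168.10.0/24', '192.168.11.0/24'
$Voice = '192.168.20.0/24', '192.168.11.0/24'
# Microsoft 365 prefixes as posted above.
$MS    = '104.146.128.0/17', '13.107.128.0/22', '13.107.136.0/22', '13.107.18.10/31', '13.107.6.152/31',
         '13.107.64.0/18', '131.253.33.215/32', '132.245.0.0/16', '150.171.32.0/22', '150.171.40.0/22',
         '191.234.140.0/22', '204.79.197.215/32', '23.103.160.0/20', '40.104.0.0/15', '40.108.128.0/17',
         '40.96.0.0/13', '52.104.0.0/14', '52.112.0.0/14', '52.96.0.0/14', '52.120.0.0/14'
# Constructed bad entries: host bits set, garbage, prefix length out of range.
$Bad   = '192.168.30.1/24', 'not-a-prefix', '10.0.0.0/33'

$Routes = Merge-RoutePrefixes -Lists @($Data, $Voice, $MS, $Bad)
$Routes | ForEach-Object {
    # Add -AllUserConnection here if the connection was created per-machine.
    Add-VpnConnectionRoute -ConnectionName 'Saved VPN Name' -DestinationPrefix $_
}
```

With the constructed input the duplicate 192.168.11.0/24 is added once, 192.168.30.1/24 is rewritten to 192.168.30.0/24 with a warning, and the two invalid entries are reported and left out instead of aborting the whole run.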

Brettvice
New here

Amazing, thank you so much for coming back so quickly.

 

I am trying to run that script but getting a PowerShell error 

 

[attachment 1.PNG: screenshot of the PowerShell error]

 

Any ideas?

 

Thanks so much in advance

MMoss
Building a reputation

I'd need to see how the variable is written, but are the IPs enclosed in single quotes like 'XXX.XXX.XXX.XXX/24'?

 

Brettvice
New here

just updated it now... Does that help?

 

Thanks again!

MMoss
Building a reputation

What's the DestinationPrefix parameter at line 1, char 94 in the error?

Brettvice
New here

I managed to do it in a slightly different way

 

Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "192.x.x.x/23" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "44.x.x.x/32" -PassThru

 

THANK YOU SO MUCH FOR YOUR HELP!

MMoss
Building a reputation

Glad to hear it worked. I know it saved me a ton of time when it was given to me.
