Meraki

Community

Windows 10 Split VPN

Solved
MMoss
Building a reputation
‎Mar 19 2020 5:48 AM
‎Mar 19 2020 5:48 AM

Windows 10 Split VPN

Is there a way to split the VPN tunnel using the native Windows 10 client? I don't want to back haul everything to home office and saturate our pipe more so than it already is. If not possible or east to do for the average user what alternatives would work? 

1 Accepted Solution
In response to MMoss
Nash
Kind of a big deal
‎Mar 19 2020 7:27 AM
‎Mar 19 2020 7:27 AM

Routes are persistent.

 

You can absolutely add multiple routes.

 

If you provide instructions, and your end users can follow instructions, you can give them this script if necessary.

 

My partner works with low technical literacy insurance people, and they can all follow instructions to rebuild their VPN connection w a script.

 

Just modify it to NOT be an AllUserConnection as per the comments in my script, so they don't need admin.

 

His instructions include screenshots, but boil down to:

 

  1. Open PowerShell
  2. set-executionpolicy -scope process unrestricted -force
  3. cd [path to where script lives]
  4. ./script_name.ps1
  5. Use desktop shortcut [VPN Name] to connect to VPN.
Windows 10 Client VPN scripts: Makes life better!

View solution in original post

17 Replies 17
Nash
Kind of a big deal
‎Mar 19 2020 6:27 AM
‎Mar 19 2020 6:27 AM

You have to touch each PC, but it's otherwise trivial.

 

Create the VPN connection.

 

Then:

 

 

$ConnectName = 'Saved VPN Name'
$Destination = '192.168.100.0/24'
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -WA SilentlyContinue
Add-Vpnconnectionroute -Connectionname $ConnectionName -AllUserConnection -DestinationPrefix $Destination

 

 

Remove -AllUserConnection if it's NOT an -AllUserConnection.

 

The scripts in my sig have this baked in. I do need to update the run-and-done to actually use an array. Figured out how to teach non-programming people how one populates an array, finally.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
MMoss
Building a reputation
‎Mar 19 2020 6:45 AM
‎Mar 19 2020 6:45 AM

@Nash Unfortunately I'll never be able to explain anything to the non-programming people here. That said I can add multiple Destinations and the VPN will route to those destinations only while everything else goes out the local internet? Is the script persistent or need run after a reboot or disconnect from the VPN? 

0 Kudos
In response to MMoss
Nash
Kind of a big deal
‎Mar 19 2020 7:27 AM
‎Mar 19 2020 7:27 AM

Routes are persistent.

 

You can absolutely add multiple routes.

 

If you provide instructions, and your end users can follow instructions, you can give them this script if necessary.

 

My partner works with low technical literacy insurance people, and they can all follow instructions to rebuild their VPN connection w a script.

 

Just modify it to NOT be an AllUserConnection as per the comments in my script, so they don't need admin.

 

His instructions include screenshots, but boil down to:

 

  1. Open PowerShell
  2. set-executionpolicy -scope process unrestricted -force
  3. cd [path to where script lives]
  4. ./script_name.ps1
  5. Use desktop shortcut [VPN Name] to connect to VPN.
Windows 10 Client VPN scripts: Makes life better!
In response to Nash
MMoss
Building a reputation
‎Mar 19 2020 7:33 AM
‎Mar 19 2020 7:33 AM

I don't disagree, but let me rephrase, "We don't know how to, can you do it for us?" They basically won't read the directions or just skip to it's to hard and someone from IT will end up needing to do it for them. Easier to just remote in and run it ourselves or push it with PDQ unfortunately lol. 

0 Kudos
In response to Nash
MMoss
Building a reputation
‎Mar 19 2020 12:43 PM
‎Mar 19 2020 12:43 PM

@Nash 

 

Worked like a charm, used the full creation script and pushed it with PDQ. Our Help desk crew was ecstatic lol.

In response to MMoss
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 19 2020 1:00 PM
‎Mar 19 2020 1:00 PM

I've got clients auto-deploying the VPN using group policy in Active Directory.

 

Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.

 

Then never touch it again.

In response to PhilipDAth
Nash
Kind of a big deal
‎Mar 22 2020 6:50 AM
‎Mar 22 2020 6:50 AM

@PhilipDAth wrote:

I've got clients auto-deploying the VPN using group policy in Active Directory.

 

Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.

 

Then never touch it again.

Deploying via GPO would be my dream, but I can't get my systems folks to do that. I only just now got somebody to start trying to do it via RMM... and that's super fun, because he's got to figure out how to make ConnectWise Automate populate the required variables. Wish me luck.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
Roger_Beurskens
Building a reputation
‎Mar 22 2020 2:17 PM
‎Mar 22 2020 2:17 PM

@Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.

 

The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.

Including split tunneling.

 

Working really great 😄 

0 Kudos
In response to Roger_Beurskens
Nash
Kind of a big deal
‎Mar 22 2020 3:23 PM
‎Mar 22 2020 3:23 PM

@Roger_Beurskens wrote:

@Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.

 

The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.

Including split tunneling.

 

Working really great 😄 

Thank you!! I'm so glad it helped. 

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
Brettvice
New here
‎Nov 17 2020 5:17 AM
‎Nov 17 2020 5:17 AM

Hi, 

 

Is it possible to add all office 365 addresses as the $Destination or is it internal subnets only?

 

How does that work?

0 Kudos
In response to Brettvice
MMoss
Building a reputation
‎Nov 17 2020 5:32 AM
‎Nov 17 2020 5:32 AM

You can place anything in the VPN including public IP's. I route my LAN IP's, but I add in the Microsoft IP's as well so they go through the VPN back to home office. Anything added to the list will be sent back over the VPN then to it's destination. Below is one of the list I've used when I was originally sent the script.

 

 

$Data = 'XXX.XXX.0.0/24','XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$Voice = 'XXX.XXX.0.0/24','1XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$MS = '104.146.128.0/17','13.107.128.0/22','13.107.136.0/22','13.107.18.10/31','13.107.6.152/31','13.107.64.0/18',

'131.253.33.215/32','132.245.0.0/16','150.171.32.0/22',
'150.171.40.0/22','191.234.140.0/22','204.79.197.215/32','23.103.160.0/20','40.104.0.0/15','40.108.128.0/17','40.96.0.0/13','52.104.0.0/14','52.112.0.0/14','52.96.0.0/14',
'52.120.0.0/14'

In response to MMoss
Brettvice
New here
‎Nov 17 2020 6:15 AM
‎Nov 17 2020 6:15 AM

Amazing, thank you so much for coming back so quickly..

 

I am trying to run that script but getting a PowerShell error 

 

1.PNG

 

Any ideas?

 

Thanks so much in advance

0 Kudos
In response to Brettvice
MMoss
Building a reputation
‎Nov 17 2020 6:19 AM
‎Nov 17 2020 6:19 AM

I'd need to see how the variable is writted, but are the IP's enclosed in sing quotes like 'XXX.XXX.XXX.XXX/24'

 

0 Kudos
In response to MMoss
Brettvice
New here
‎Nov 17 2020 6:19 AM
‎Nov 17 2020 6:19 AM

just updated it now... Does that help?

 

Thanks again!

0 Kudos
In response to Brettvice
MMoss
Building a reputation
‎Nov 17 2020 6:26 AM
‎Nov 17 2020 6:26 AM

What's the Destination Prefix parameter line 1 char 94 in the error?

0 Kudos
In response to MMoss
Brettvice
New here
‎Nov 17 2020 6:58 AM
‎Nov 17 2020 6:58 AM

I managed to do it in a slightly different way

 

Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "192.x.x.x/23" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "44.x.x.x/32" -PassThru

 

THANK YOU SO MUCH FOR YOUR HELP!

0 Kudos
In response to Brettvice
MMoss
Building a reputation
‎Nov 17 2020 7:00 AM
‎Nov 17 2020 7:00 AM

Glad to hear it worked. I know it saved me a ton of time when it was given to me.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.