Windows 10 Split VPN
Is there a way to split the VPN tunnel using the native Windows 10 client? I don't want to backhaul everything to the home office and saturate our pipe more than it already is. If that's not possible or not easy to do for the average user, what alternatives would work?
You have to touch each PC, but it's otherwise trivial.
Create the VPN connection.
Then:
# Name of the VPN connection you already created, and the subnet that should go through the tunnel
$ConnectionName = 'Saved VPN Name'
$Destination = '192.168.100.0/24'
# Turn on split tunneling for the saved connection
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -WA SilentlyContinue
# Add the route; only prefixes added this way are sent through the VPN
Add-VpnConnectionRoute -ConnectionName $ConnectionName -AllUserConnection -DestinationPrefix $Destination
Remove -AllUserConnection if it's NOT an -AllUserConnection.
The scripts in my sig have this baked in. I do need to update the run-and-done to actually use an array. Figured out how to teach non-programming people how one populates an array, finally.
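As an added example that is not Nash's script or the scripts in the signature, here is one way to do the whole run-and-done in one pass: create the connection if it is missing, enable split tunneling, and add an array of routes idempotently. The connection name, server, pre-shared key, tunnel settings (L2TP/IPsec with PSK and PAP) and prefixes are all assumptions to replace with your own.

```powershell
# Added example (not Nash's script): create a VPN connection, turn on split
# tunneling, and add an array of routes so only the listed prefixes go through
# the tunnel. All names, addresses and prefixes below are placeholders.
$ConnectionName = 'Corp VPN'                 # placeholder
$ServerAddress  = 'vpn.example.com'          # placeholder
$Psk            = 'REPLACE-AT-DEPLOY-TIME'   # placeholder; keep out of source control
$Routes = @(
    '192.168.100.0/24',   # placeholder office LAN
    '10.50.0.0/16'        # placeholder data-centre range
)
$AllUser = $false   # $true = per-machine connection, needs an elevated shell

# Splat -AllUserConnection onto every cmdlet only when the per-machine form is wanted.
$scope = @{}
if ($AllUser) { $scope.AllUserConnection = $true }

# Create the connection only if it is missing, so the script can be re-run safely.
# L2TP/IPsec with PSK and PAP is assumed here; adjust to match your VPN concentrator.
$existing = Get-VpnConnection -Name $ConnectionName @scope -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod Pap `
        -EncryptionLevel Optional -SplitTunneling -Force @scope
}
else {
    # Existing connection: make sure split tunneling is on (Set- takes a Boolean).
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true @scope
}

# Add each route once; Windows keeps them across reboots and reconnects.
$present = @((Get-VpnConnection -Name $ConnectionName @scope).Routes.DestinationPrefix)
foreach ($prefix in $Routes) {
    if ($present -contains $prefix) { continue }
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix @scope
}

# Verify: anything not in this list leaves via the local internet connection, not the VPN.
(Get-VpnConnection -Name $ConnectionName @scope).Routes | Select-Object DestinationPrefix
```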
@Nash Unfortunately I'll never be able to explain anything to the non-programming people here. That said I can add multiple Destinations and the VPN will route to those destinations only while everything else goes out the local internet? Is the script persistent or need run after a reboot or disconnect from the VPN?
Routes are persistent.
You can absolutely add multiple routes.
If you provide instructions, and your end users can follow instructions, you can give them this script if necessary.
My partner works with low technical literacy insurance people, and they can all follow instructions to rebuild their VPN connection w a script.
Just modify it to NOT be an AllUserConnection as per the comments in my script, so they don't need admin.
His instructions include screenshots, but boil down to:
- Open PowerShell
- set-executionpolicy -scope process unrestricted -force
- cd [path to where script lives]
- ./script_name.ps1
- Use desktop shortcut [VPN Name] to connect to VPN.
I don't disagree, but let me rephrase: "We don't know how to, can you do it for us?" They basically won't read the directions or just skip to "it's too hard" and someone from IT will end up needing to do it for them. Easier to just remote in and run it ourselves or push it with PDQ unfortunately lol.
Worked like a charm, used the full creation script and pushed it with PDQ. Our Help desk crew was ecstatic lol.
I've got clients auto-deploying the VPN using group policy in Active Directory.
Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.
Then never touch it again.
@PhilipDAth wrote: I've got clients auto-deploying the VPN using group policy in Active Directory.
Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to.
Then never touch it again.
Deploying via GPO would be my dream, but I can't get my systems folks to do that. I only just now got somebody to start trying to do it via RMM... and that's super fun, because he's got to figure out how to make ConnectWise Automate populate the required variables. Wish me luck.
@Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.
The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.
Including split tunneling.
Working really great 😄
@Roger_Beurskens wrote: @Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out.
The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops.
Including split tunneling.
Working really great 😄
Thank you!! I'm so glad it helped.
Hi,
Is it possible to add all office 365 addresses as the $Destination or is it internal subnets only?
How does that work?
You can place anything in the VPN including public IP's. I route my LAN IP's, but I add in the Microsoft IP's as well so they go through the VPN back to home office. Anything added to the list will be sent back over the VPN then to its destination. Below is one of the lists I've used since I was originally sent the script.
$Data = 'XXX.XXX.0.0/24','XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$Voice = 'XXX.XXX.0.0/24','1XXX.XXX.11.0/24','XXX.XXX.6.0/24'
$MS = '104.146.128.0/17','13.107.128.0/22','13.107.136.0/22','13.107.18.10/31','13.107.6.152/31','13.107.64.0/18',
'131.253.33.215/32','132.245.0.0/16','150.171.32.0/22',
'150.171.40.0/22','191.234.140.0/22','204.79.197.215/32','23.103.160.0/20','40.104.0.0/15','40.108.128.0/17','40.96.0.0/13','52.104.0.0/14','52.112.0.0/14','52.96.0.0/14',
'52.120.0.0/14'
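Since a malformed prefix string is the usual reason Add-VpnConnectionRoute rejects its -DestinationPrefix parameter, here is an added example (not from this thread) that merges several arrays like the ones above and validates every entry before any route is added. The sample prefixes, including the deliberately bad ones, are constructed for illustration; the two Microsoft ranges are taken from the list above.

```powershell
# Added example: validate IPv4 CIDR strings before handing them to
# Add-VpnConnectionRoute. Redacted entries such as 'XXX.XXX.0.0/24' are not
# valid prefixes and will fail parameter binding.
function Test-Ipv4Prefix {
    param([string]$Prefix)
    if ($Prefix -notmatch '^(?<ip>[0-9.]+)/(?<len>\d{1,2})$') { return $false }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Matches.ip, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $len = [int]$Matches.len
    if ($len -gt 32) { return $false }
    # Reject host bits set inside the network part (10.1.2.3/24 is almost always a typo).
    $b = $ip.GetAddressBytes()
    [uint64]$addr = ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
    return (($addr % [Math]::Pow(2, 32 - $len)) -eq 0)
}

function Get-InvalidPrefix {
    param([string[]]$Prefixes)
    $Prefixes | Where-Object { -not (Test-Ipv4Prefix $_) }
}

# Constructed sample arrays in the same shape as the $Data / $Voice / $MS lists.
$Data = '192.168.10.0/24', '192.168.11.0/24'
$MS   = '52.96.0.0/14', '104.146.128.0/17'
$Bad  = 'XXX.XXX.0.0/24', '10.1.2.3/24', '10.1.2.0/33'   # constructed bad entries

$All     = @($Data) + @($MS) + @($Bad) | Sort-Object -Unique
$invalid = @(Get-InvalidPrefix $All)
if ($invalid.Count -gt 0) {
    Write-Warning "Skipping invalid prefixes: $($invalid -join ', ')"
}
$valid = $All | Where-Object { $_ -notin $invalid }

# Only the validated prefixes are routed; placeholder connection name.
$ConnectionName = 'Saved VPN Name'
foreach ($prefix in $valid) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}
```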
Amazing, thank you so much for coming back so quickly..
I am trying to run that script but getting a PowerShell error
Any ideas?
Thanks so much in advance
I'd need to see how the variable is written, but are the IP's enclosed in single quotes like 'XXX.XXX.XXX.XXX/24'?
just updated it now... Does that help?
Thanks again!
What's the Destination Prefix parameter line 1 char 94 in the error?
I managed to do it in a slightly different way:
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "192.x.x.x/23" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "10.x.x.x/24" -PassThru
Add-VpnConnectionRoute -ConnectionName "Meraki 5000" -DestinationPrefix "44.x.x.x/32" -PassThru
THANK YOU SO MUCH FOR YOUR HELP!
Glad to hear it worked. I know it saved me a ton of time when it was given to me.
