Configure Routing on a VPN Client

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

By default, when a Windows-based VPN client makes a VPN connection, the VPN client automatically adds a new default route for the VPN connection and sets a higher metric for the existing default route. Because a new default route has been added, all Internet locations, except for the IP address of the VPN server and locations based on other routes, are not reachable for the duration of the VPN connection.

Whether the default route is acceptable for the VPN connection depends on whether your remote access client needs simultaneous access to both the intranet and the Internet, and on the security implications of each option. For a full discussion of the routing options for VPN remote access clients, see Determining Routing for VPN Remote Access Clients.

Based on your design, implement one of the following routing options on the VPN client:

  • If the remote access user does not require concurrent access to intranet and Internet resources, use the default gateway for the VPN connection.

  • If the remote access user requires concurrent access to intranet and Internet resources over a VPN connection, choose one of the following options:

    • If you want to allow Internet access through the organization’s intranet, use the default gateway for your VPN connection.

      Internet traffic between the VPN client and Internet hosts passes through firewalls or proxy servers as though the VPN client were physically connected to the organization’s intranet. This method can affect performance, but it enables an organization to filter and monitor Internet access according to its network policies while the VPN client is connected to the organization network.

    • If the addressing within your intranet is based on a single class-based network ID, and the addresses assigned to VPN clients are from that single class-based network ID, prevent the use of the default gateway for your VPN connection.

    • If the addressing within your intranet is not based on a single class-based network ID, prevent the use of the default gateway for your VPN connection. Then, use one of the split tunneling methods described in Determining Routing for VPN Remote Access Clients in the Routing and Remote Access Design Guide.

To prevent the VPN client from creating a new default route during a VPN connection

Complete the following steps on the VPN client:

  1. Click Start, click Run, type control netconnections, and then click OK. Double-click the name of the VPN connection.

  2. In the Connect dialog box, click Properties.

  3. In the properties dialog box for the VPN connection, click the Networking tab.

  4. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  5. On the General tab, click Advanced to display the Advanced TCP/IP Settings dialog box.

  6. To prevent a default route from being created during a VPN connection, on the General tab, clear the Use default gateway on remote network check box.

    No default route will be created for the connection. However, a route corresponding to the Internet address class of the assigned IP address will be created. For example, if the IP address assigned during the connection process is 10.0.12.119, the VPN client creates a route for the class-based network ID 10.0.0.0 with the subnet mask 255.0.0.0.
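The class-based route described above can be worked out before the connection is made, to decide whether the single class-based network ID option applies or whether split-tunnel routes are needed. The following Python example is added here and is not part of the original page or of Windows; the intranet prefixes it checks are constructed sample values.

```python
import ipaddress

# Classful IPv4 ranges (first octet low, high, prefix length) used by the
# client to derive the route when "Use default gateway on remote network"
# is cleared: class A -> /8, class B -> /16, class C -> /24.
_CLASS_PREFIX = ((0, 127, 8), (128, 191, 16), (192, 223, 24))


def classful_route(assigned_ip: str) -> ipaddress.IPv4Network:
    """Return the class-based network route the VPN client creates for
    the address assigned to the connection, e.g. 10.0.12.119 -> 10.0.0.0/8."""
    addr = ipaddress.IPv4Address(assigned_ip)
    first_octet = int(addr) >> 24
    for low, high, prefix in _CLASS_PREFIX:
        if low <= first_octet <= high:
            return ipaddress.IPv4Network((addr, prefix), strict=False)
    raise ValueError(f"{assigned_ip} is not a class A, B or C address")


def unreachable_intranet_prefixes(assigned_ip: str, intranet_prefixes):
    """List the intranet prefixes that the implicit classful route does NOT
    cover. An empty result means the intranet fits in the single class-based
    network ID case; otherwise each listed prefix needs its own split-tunnel
    route on the client."""
    route = classful_route(assigned_ip)
    return [
        p for p in (ipaddress.IPv4Network(x, strict=False) for x in intranet_prefixes)
        if not p.subnet_of(route)
    ]


if __name__ == "__main__":
    # Constructed example: the page's sample address and two intranet prefixes.
    client_ip = "10.0.12.119"
    intranet = ["10.1.0.0/16", "172.16.0.0/12"]
    print("implicit route:", classful_route(client_ip))
    for prefix in unreachable_intranet_prefixes(client_ip, intranet):
        print("needs an explicit route:", prefix)
```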