How to use split tunneling for your VPN on Windows 10
Jun 17, 2019
I am a DotA 2 player, and I like listening to Spotify while I play my DotA matches, but Spotify is blocked in my country.
To unblock Spotify I need to connect to a VPN. However, connecting to a VPN sends my DotA 2 traffic through the VPN too, which adds unnecessary lag and ping.
I wish there were a way to route only part of my traffic through the VPN…
Fear not: the built-in VPN client in Windows 10 supports split tunneling, which is exactly what this case needs, even though its documentation is close to nonexistent.
In this guide I will use the L2TP VPN set up by this awesome shell script; the GitHub repository has guides for both client and server configuration on a variety of operating systems, so I won't go through them here.
Now that your VPN connection is set up, let's configure split tunneling.
First open PowerShell as Administrator and run the following command to enable split tunneling.
(Replace Your Connection Name with the name you used when creating the VPN connection.)
Now that SplitTunneling is set to true, connect to your VPN and visit api.ipify.org to check your public IP. It should be your normal IP, not the VPN's IP.
This means that right now, even though you are connected to the VPN, none of your traffic goes through it: the connection no longer installs a default route over the tunnel, and no other route points at the tunnel yet.
Let's check the routing table inside Windows.
Run the following command in the PowerShell window you opened earlier:
This is your routing table. Windows does not walk it top to bottom: for each packet it picks the route whose destination prefix matches the longest run of leading bits of the destination address (longest prefix match), and if several routes tie, the one with the lowest metric wins. The top-most entry is the most general one:
0.0.0.0/0 matches every possible IP address, so it is used only when nothing more specific matches.
You can look at it this way: X.X.X.X where each X can be anything from 0 to 255.
192.168.1.1 is my modem's gateway address; that entry is my default route, via my normal interface.
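As an added example (not code from the original post), the following PowerShell puts the two steps above into functions: toggling SplitTunneling on a connection, then listing the routes that actually decide where packets go. It assumes the connection is named "MyVPN" and that, while connected, the VPN adapter's InterfaceAlias equals the connection name (which is how rasphone connections appear).

```powershell
# Run in an elevated PowerShell. "MyVPN" is an assumed connection name.

function Set-VpnSplitTunnel {
    param(
        [Parameter(Mandatory)][string]$Name,
        [bool]$Enabled = $true
    )
    # SplitTunneling=$true stops the connection from installing 0.0.0.0/0 over
    # the tunnel when it comes up; only prefixes bound to the VPN adapter are tunnelled.
    Set-VpnConnection -Name $Name -SplitTunneling $Enabled
    # Return the persisted value so a caller can confirm the change took effect
    (Get-VpnConnection -Name $Name).SplitTunneling
}

function Show-VpnRouting {
    param([Parameter(Mandatory)][string]$Name)
    # The VPN adapter only exists while the connection is up
    $vpnIf = Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $vpnIf) { Write-Warning "'$Name' is not connected; no tunnel routes to show"; return }

    # Windows picks the route with the longest matching prefix; ties go to the
    # lowest RouteMetric + InterfaceMetric. Show every default route plus every
    # route bound to the tunnel, so you can see which prefixes will use it.
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $_.InterfaceIndex -eq $vpnIf.InterfaceIndex -or $_.DestinationPrefix -eq '0.0.0.0/0' } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, InterfaceMetric,
            @{ Name = 'EffectiveMetric'; Expression = { $_.RouteMetric + $_.InterfaceMetric } } |
        Sort-Object DestinationPrefix, EffectiveMetric |
        Format-Table -AutoSize
}

Set-VpnSplitTunnel -Name 'MyVPN' -Enabled $true
# rasdial 'MyVPN'   (or connect from the Settings UI), then:
Show-VpnRouting -Name 'MyVPN'
```

With split tunneling on you should see the 0.0.0.0/0 entry only on your LAN adapter; with it off, a second default route appears on the VPN adapter with a lower effective metric, which is why api.ipify.org then reports the VPN's address.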
IP 101
An IPv4 address is made of four 8-bit parts (octets), so each part is a number between 0 and 255, because 2 to the power of 8 is 256.
When you write an IP address followed by a slash ( / ) and a number you are defining a subnet. But what is a subnet?
A subnet is a collection of IP addresses. 0.0.0.0/0 is a subnet; it just happens to contain all possible IPs.
Let's look at another example, the subnet 233.76.80.0/24.
The number after the slash is the prefix length: how many leading bits are constant in this subnet.
So the 24 means that the first 24 bits of every address in the subnet are constant, and since every octet has 8 bits, the first three octets are constant: you can read this subnet as 233.76.80.X, i.e. 233.76.80.0 through 233.76.80.255.
Now you have a general idea of how the Windows routing table works.
All you need to do is add routes for the specific subnets that an application talks to, so that only that traffic goes through the VPN.
But how do you know which subnets/IPs an application uses?
You can use Resource Monitor!
Resource Monitor
To open Resource Monitor, search for it in the Windows search box.
Go to the Network tab; below Network Activity there is a table in which Image is the process name and Address is the remote IP address the process is sending traffic to or receiving it from.
Now let's add some routes to the routing table.
Say you want to add routes for Spotify. First you need to route all traffic through the VPN so that you observe Spotify's real IPs (in case your country's censorship redirects or blocks them on the normal path).
To route all your traffic through the VPN (turn split tunneling off again), run the following command.
To make sure your traffic is going through the VPN, visit api.ipify.org; it should now show the VPN's IP.
Now that your traffic is going through the VPN, sort the Resource Monitor table by Total.
Open Spotify while keeping an eye on Resource Monitor. The moment you open Spotify you will see a bunch of Spotify IPs appear!
There are a lot of IPs, but you don't need to worry: start from the top, with the IPs that have the highest Send/Receive totals.
Keep in mind that you add the subnet, not the single IP.
A good rule of thumb is that, more often than not, the first three octets are stable, so the subnet for 151.101.36.246 is taken to be 151.101.36.0/24. Treat the /24 as a guess: a CDN range can be larger than that, and a block that is shared with other services will pull their traffic through the VPN too. To route this subnet through your VPN, run the following command in PowerShell.
Now let's stop routing all our traffic through the VPN (turn split tunneling back on)!
Close Spotify and start it again. If everything loads fine, you added the right subnet; if not, try again: route everything (0.0.0.0/0) through the VPN once more, restart Spotify, and look for the top Send/Receive entries in Resource Monitor.
Do the same while playing music: the track metadata and playlist information come from one subnet and the audio itself from another!
You can also add single IPs to your routing table by appending /32 to the IP, meaning all 32 bits of the address are constant.
Why didn't we do that? Because Spotify uses different IPs for content delivery and they keep changing; by adding the /24 subnet instead, we make it much more likely that everything keeps working in the future too.
One address I recommend routing through the VPN is your DNS server's, because plain DNS is neither encrypted nor authenticated: whoever sits on the path, a censoring ISP or an attacker on your local network, can answer with a different IP for the domain you asked for. Sending the query through the tunnel keeps it off the local path; use the VPN side's resolver rather than your ISP's, since the answer is only as trustworthy as the server that gives it.
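The IP 101 arithmetic and the route-adding steps above, as one added PowerShell example (not code from the original post). It assumes a connection named "MyVPN", a Spotify process named "Spotify", and 8.8.8.8 as a stand-in for the DNS server you want tunnelled; Get-NetTCPConnection is used as the scriptable equivalent of Resource Monitor's Network tab.

```powershell
# Run in an elevated PowerShell while connected to the VPN.
# "MyVPN", "Spotify" and 8.8.8.8 are assumed values; replace them with yours.

function Get-NetworkPrefix {
    # Zero the host bits of an IPv4 address and return the subnet in CIDR form,
    # e.g. Get-NetworkPrefix 151.101.36.246 24 -> 151.101.36.0/24
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [ValidateRange(0, 32)][int]$PrefixLength = 24
    )
    $octets = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    if ($octets.Length -ne 4) { throw "IPv4 addresses only: $IPAddress" }
    $network = for ($i = 0; $i -lt 4; $i++) {
        # Mask bits that fall into this octet: 8, 8, 8, 0 for a /24
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        $mask = 256 - [Math]::Pow(2, 8 - $bits)     # 255 for 8 bits, 0 for 0 bits
        [int]$octets[$i] -band [int]$mask
    }
    '{0}/{1}' -f ($network -join '.'), $PrefixLength
}

function Get-ProcessRemoteAddresses {
    # Same data as Resource Monitor's Network tab: remote IPv4 addresses of the
    # established TCP connections owned by every process with this name.
    param([Parameter(Mandatory)][string]$ProcessName)
    $ids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
    if ($ids.Count -eq 0) { Write-Warning "$ProcessName is not running"; return @() }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.OwningProcess -and $_.RemoteAddress -notmatch ':' } |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

function Add-VpnRoutesForAddresses {
    # Collapse observed addresses to prefixes and bind each prefix to the VPN.
    param(
        [Parameter(Mandatory)][string]$ConnectionName,
        [Parameter(Mandatory)][string[]]$Addresses,
        [int]$PrefixLength = 24
    )
    $prefixes = $Addresses |
        ForEach-Object { Get-NetworkPrefix -IPAddress $_ -PrefixLength $PrefixLength } |
        Sort-Object -Unique
    foreach ($prefix in $prefixes) {
        # The route is stored in the connection profile and re-installed each time the VPN comes up
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
    }
}

# 1. Temporarily send everything through the tunnel so the real endpoints are observed
Set-VpnConnection -Name 'MyVPN' -SplitTunneling $false
# (reconnect, start Spotify, play a track for a minute, then:)
$observed = Get-ProcessRemoteAddresses -ProcessName 'Spotify'

# 2. Bind the /24 of each observed address to the VPN
Add-VpnRoutesForAddresses -ConnectionName 'MyVPN' -Addresses $observed

# 3. Route the DNS server as a single host (/32) so lookups leave via the tunnel
Add-VpnConnectionRoute -ConnectionName 'MyVPN' -DestinationPrefix (Get-NetworkPrefix '8.8.8.8' 32) -PassThru

# 4. Back to split tunnel: only the prefixes bound above use the VPN
Set-VpnConnection -Name 'MyVPN' -SplitTunneling $true
(Get-VpnConnection -Name 'MyVPN').Routes | Format-Table DestinationPrefix, RouteMetric -AutoSize
```

Reconnect after step 4 and repeat the api.ipify.org check: it should report your normal address again, while Spotify keeps working. If a prefix turns out to carry unrelated traffic you would rather keep local, drop it with Remove-VpnConnectionRoute and try a narrower one.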
How to enable split tunneling in windows 10
Have you ever noticed that your Internet connection is slower when connected to a VPN? Then enabling split tunneling may be the answer for you.
Split tunneling
In a VPN connection, split tunneling is the practice of routing only some traffic over the VPN while letting other traffic access the Internet directly. Usually what is routed over the VPN is traffic destined for internal resources, while web browsing, email, Skype, etc. go directly to the Internet. An advantage of split tunneling is that it alleviates bottlenecks and conserves bandwidth, since Internet traffic does not have to pass through the VPN server.
Split tunneling can be used for several different purposes including:
- Allowing normal use of the internet while simultaneously accessing resources only available to VPN users, such as a business server
- Setting up specific devices, such as game consoles or streaming media boxes, to use (or not use) the VPN without affecting other devices on the network
- Sending all of a device’s traffic through the VPN except when accessing content or services that don’t allow VPN connections, such as MLB.tv or Netflix
- Sending all traffic through the VPN except for content and services that require low latency, such as VoIP applications and online games
- Only routing torrent traffic through the VPN, while all other internet traffic goes to the default network
- Accessing the VPN without affecting your connection to other devices on the local network, such as printers or a Plex Media Server
If you split tunnel, you reduce the overall bandwidth impact on your Internet circuit: only the traffic that needs to come over the VPN does, so anything a user does that is not work related will not consume corporate bandwidth. In addition, latency-sensitive traffic to destinations outside your network no longer suffers the extra latency of being tunnelled to the corporate network, sent back out to the Internet, and returned along the reverse path. Users get the best network performance, and the company consumes the least bandwidth.
The trade-off: if security is supposed to monitor all network traffic, or to protect users from malware and other Internet threats by filtering it, users who split tunnel do not get that protection, and security cannot monitor their traffic for threats or inappropriate activity. Users on open networks such as hotel wireless or hotspots also send much of their traffic outside the tunnel; traffic to websites that use HTTPS is still encrypted, but other traffic is exposed to snooping. A split-tunnelled machine is also reachable from the Internet and from the corporate network at the same time, so the host firewall and endpoint controls carry more of the load.
How to Enable Split Tunnel in Windows 10
To enable split tunneling in Windows 10, first make sure the VPN already works. If you have a problem with the VPN connection (it does not connect, it drops every 5 minutes, etc.), split tunneling won't make a difference, so resolve those issues first. Once you have a working VPN connection, the way to change the split tunnel setting in Windows 10 is PowerShell.
Windows is fairly limited when it comes to split tunneling: the built-in client cannot split by application, only by destination. Enabling SplitTunneling stops the connection from becoming the default gateway, so only destinations with a route pointing at the VPN adapter are tunnelled (routes you add with Add-VpnConnectionRoute, plus the class-based route Windows may derive from the address the VPN assigns you); everything else uses your normal internet connection. That is useful if you only need the VPN to reach remote resources not available from your normal connection, but not much else.
Furthermore, Windows only split tunnels VPN connections it has built-in support for, so you need an IKEv2, L2TP/IPsec, SSTP or PPTP connection; OpenVPN and other third-party clients are not controlled by these cmdlets. Avoid PPTP where you have a choice: its MS-CHAPv2 authentication has been broken for years, so a PPTP tunnel protects very little.
This example uses the local connection to access the Internet, while the VPN is used to access remote resources such as a private business server that can only be reached via the VPN. With split tunneling on, the VPN is used only for destinations whose route points at the tunnel; there is no fallback to the VPN when a host is unreachable locally.
This tutorial uses Windows 10. We'll assume you've already set up your VPN connection and only need to enable split tunneling. You'll need admin privileges and the destination subnet of your VPN's private address space.
Using Powershell to configure Split Tunnel
In your Windows search bar, type PowerShell, right-click it and choose Run as administrator.
Type the following command and press Enter:
This brings up a list of all your available VPN connections. (I test a lot of VPNs so there are several in my screenshot, but you'll likely only have one.) Make a note of the Name of the VPN you want to split tunnel.
Type the following command and hit Enter, replacing the placeholder with the name you noted in the previous step:
You can check that split tunneling is enabled by entering the Get-VpnConnection command again. The SplitTunneling field should now be True.
Next, enter this command and make a note of the Description field:
If necessary, add the route, replacing the placeholders with the subnet you want to route through the VPN and with the name from the Description field mentioned in the last step:
If you want to disable split tunneling, enter this command:
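For the corporate scenario in the steps above, here is an added PowerShell example (not code from the original post) that enables split tunneling, binds the private address space to the tunnel, and then asks the stack which interface it would really use for a given destination, so the split can be confirmed before anyone relies on it. It assumes a connection named "CorpVPN" whose private space is 10.0.0.0/8, that the connection is currently up, that the VPN adapter's InterfaceAlias equals the connection name, and it uses an RFC 5737 test address for the Internet-side probe.

```powershell
# Run in an elevated PowerShell. "CorpVPN" and 10.0.0.0/8 are assumed values.
$Conn = 'CorpVPN'

# 1. Stop the VPN from becoming the default gateway
Set-VpnConnection -Name $Conn -SplitTunneling $true

# 2. Bind the private address space to the tunnel. The route is stored in the
#    connection profile and re-installed every time the VPN comes up.
Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix '10.0.0.0/8' -PassThru

function Test-TunnelPath {
    # Resolve the route the stack would select for a destination right now.
    # Find-NetRoute returns the chosen source address and the matching route;
    # keep the route object (the only one that carries DestinationPrefix).
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$VpnName
    )
    $route = Find-NetRoute -RemoteIPAddress $Destination -ErrorAction Stop |
        Where-Object { $null -ne $_.DestinationPrefix }
    [pscustomobject]@{
        Destination   = $Destination
        MatchedPrefix = $route.DestinationPrefix
        Interface     = $route.InterfaceAlias
        OverVpn       = ($route.InterfaceAlias -eq $VpnName)   # VPN adapter alias = connection name
    }
}

# 3. Verify: an internal host must go via the tunnel, an Internet host must not
'10.20.30.40', '203.0.113.10' |
    ForEach-Object { Test-TunnelPath -Destination $_ -VpnName $Conn } |
    Format-Table -AutoSize

# 4. Rollback, if the change has to be undone
# Remove-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix '10.0.0.0/8'
# Set-VpnConnection -Name $Conn -SplitTunneling $false
```

While connected, the internal probe should match 10.0.0.0/8 on the CorpVPN adapter (OverVpn True) and the test address should match 0.0.0.0/0 on the LAN adapter (OverVpn False). If the Internet probe also reports the VPN adapter, split tunneling was changed while the connection was up; reconnect so the default route is rebuilt.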
We hope this guide helps you with your VPN deployment. Here at Austral Tech we are VPN experts and we have experience setting up VPN tunnels with F5 Products, Checkpoint, Ubiquiti and Cloud providers (AWS, Azure and Google). So if you need help with your VPN deployment, don’t hesitate to contact us!
Austral Tech Limited provides professional services to help customers to deploy, migrate and support ADC architectures on premises and Cloud using automation and DevOps methodology
Configure VPN device tunnels in Windows 10
Applies to: Windows 10 version 1709
Always On VPN gives you the ability to create a dedicated VPN profile for a device or machine. Always On VPN connections include two types of tunnels:
- Device tunnel connects to specified VPN servers before users log on to the device. Pre-login connectivity scenarios and device management purposes use the device tunnel.
- User tunnel connects only after a user logs on to the device. The user tunnel allows users to access organization resources through VPN servers.
Unlike the user tunnel, which only connects after a user logs on to the device or machine, the device tunnel allows the VPN to establish connectivity before the user logs on. The device tunnel and the user tunnel operate independently with their own VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. The user tunnel supports SSTP and IKEv2; the device tunnel supports IKEv2 only, with no SSTP fallback.
The user tunnel is supported on domain-joined, non-domain-joined (workgroup) and Azure AD-joined devices, to allow for both enterprise and BYOD scenarios. It is available in all Windows editions, and the platform features are available to third parties by way of UWP VPN plug-in support.
The device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the device tunnel. The device tunnel does not support the Name Resolution Policy Table (NRPT). The device tunnel does not support force tunnel; you must configure it as split tunnel.
Device Tunnel Requirements and Features
You must enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections.
VPN Device Tunnel Configuration
The sample profile XML below provides good guidance for scenarios where only client-initiated pulls are required over the device tunnel. Traffic filters are used to restrict the device tunnel to management traffic only. This configuration works well for Windows Update, typical Group Policy (GP) and Microsoft Endpoint Configuration Manager update scenarios, as well as VPN connectivity for first logon without cached credentials, or password reset scenarios.
For server-initiated push cases, like Windows Remote Management (WinRM), remote GPUpdate and remote Configuration Manager update scenarios, you must allow inbound traffic on the device tunnel, so traffic filters cannot be used: if you turn on traffic filters in the device tunnel profile, the device tunnel denies inbound traffic. This limitation is going to be removed in future releases.
Sample VPN profileXML
Following is the sample VPN profileXML.
Depending on the needs of each particular deployment scenario, another VPN feature that can be configured with the device tunnel is Trusted Network Detection.
Deployment and Testing
You can configure device tunnels by using a Windows PowerShell script and the Windows Management Instrumentation (WMI) bridge. The Always On VPN device tunnel must be configured in the context of the LOCAL SYSTEM account. To accomplish this, use PsExec, one of the PsTools included in the Sysinternals suite of utilities.
For guidelines on how to deploy a per-device (.\Device) vs. a per-user (.\User) profile, see Using PowerShell scripting with the WMI Bridge Provider.
Run the following Windows PowerShell command to verify that you have successfully deployed a device profile:
The output displays a list of the device-wide VPN profiles that are deployed on the device.
Example Windows PowerShell Script
You can use the following Windows PowerShell script to assist in creating your own script for profile creation.
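Added example, not the script or the sample profileXML from the Microsoft page. It creates a device-tunnel profile through the WMI bridge (the MDM_VPNv2_01 class in root\cimv2\mdm\dmmap), replacing any previous profile of the same name, and then verifies the result with Get-VpnConnection -AllUserConnection. Assumed values: VPN server vpn.corp.example, internal prefix 10.10.0.0/16, management hosts 10.10.1.10 to 10.10.1.11 for the traffic filter, and the profile name DeviceTunnel. It must run as LOCAL SYSTEM on a domain-joined Windows 10 Enterprise or Education 1709 or later device, for instance via psexec -s -i powershell.exe.

```powershell
# Run as LOCAL SYSTEM, e.g.:  psexec -s -i powershell.exe -ExecutionPolicy Bypass -File .\New-DeviceTunnel.ps1
# Server, prefixes and profile name below are assumptions; replace them with your own.

$ProfileName = 'DeviceTunnel'
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <TrafficFilter>
    <RemoteAddressRanges>10.10.1.10-10.10.1.11</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
'@

# The CSP stores ProfileXML as a string node, so the XML itself has to be escaped
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$NamespaceName = 'root\cimv2\mdm\dmmap'
$ClassName     = 'MDM_VPNv2_01'
$NodeCSPURI    = './Vendor/MSFT/VPNv2'

$session = New-CimSession
try {
    # Delete a stale copy of the same profile so the create below is idempotent
    $existing = Get-CimInstance -Namespace $NamespaceName -ClassName $ClassName -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
    foreach ($old in $existing) { $session.DeleteInstance($NamespaceName, $old) }

    $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $NamespaceName
    foreach ($p in @(
        @{ Name = 'ParentID';   Value = $NodeCSPURI;         Flags = 'Key' },
        @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Flags = 'Key' },
        @{ Name = 'ProfileXML'; Value = $ProfileXML;         Flags = 'Property' }
    )) {
        $prop = [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags)
        $newInstance.CimInstanceProperties.Add($prop)
    }
    $session.CreateInstance($NamespaceName, $newInstance) | Out-Null
}
finally {
    Remove-CimSession $session
}

# Device-wide profiles are only listed with -AllUserConnection
Get-VpnConnection -AllUserConnection |
    Where-Object { $_.Name -eq $ProfileName } |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
```

The traffic filter restricts the tunnel to the two management hosts, which matches the client-initiated-pull scenario described above; drop the TrafficFilter element (and keep the Route) if the tunnel must also accept inbound WinRM or remote GPUpdate traffic.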
Additional Resources
The following are additional resources to assist with your VPN deployment.
VPN client configuration resources
The following are VPN client configuration resources.
Remote Access Server Gateway resources
The following are Remote Access Server (RAS) Gateway resources.
When using the device tunnel with a Microsoft RAS gateway, you need to configure the RRAS server to support IKEv2 machine certificate authentication by enabling the "Allow machine certificate authentication for IKEv2" authentication method, as described here. Once this setting is enabled, it is strongly recommended to use the Set-VpnAuthProtocol PowerShell cmdlet with the optional RootCertificateNameToAccept parameter, to ensure that RRAS IKEv2 connections are only permitted for VPN client certificates that chain to an explicitly defined internal/private root certification authority. Alternatively, the Trusted Root Certification Authorities store on the RRAS server should be amended to ensure that it does not contain public certification authorities, as discussed here. Similar methods may also need to be considered for other VPN gateways.
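The root pinning recommended above, as an added PowerShell example for the RRAS server (not code from the Microsoft page). It assumes the private root that anchors the VPN client machine certificates has "CN=Corp Root CA" in its subject, refuses to proceed unless exactly one such root is present, pins it with RootCertificateNameToAccept, and then lists every other root in the store so the public CAs can be reviewed.

```powershell
# Run in an elevated PowerShell on the RRAS server.
# "CN=Corp Root CA" is an assumed subject; use your own internal root's name.
$RootSubjectPattern = 'CN=Corp Root CA'

$roots  = Get-ChildItem -Path Cert:\LocalMachine\Root
$pinned = @($roots | Where-Object { $_.Subject -like "*$RootSubjectPattern*" })
if ($pinned.Count -ne 1) {
    throw "Expected exactly one root matching '$RootSubjectPattern' in LocalMachine\Root, found $($pinned.Count)"
}

# Without RootCertificateNameToAccept, a client certificate that chains to any root
# in this store is acceptable for IKEv2 machine authentication, public CAs included.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $pinned[0] -PassThru
Restart-Service RemoteAccess

# Audit the remainder of the store: each entry below was an acceptable trust anchor
# before the change and is still trusted for everything else on this host.
$roots | Where-Object { $_.Thumbprint -ne $pinned[0].Thumbprint } |
    Select-Object Subject, NotAfter, Thumbprint |
    Sort-Object Subject |
    Format-Table -AutoSize
```

Keep the check on the match count: a wildcard pattern that happens to match two roots would otherwise pin an array, and a pattern that matches none would leave the gateway accepting every root in the store.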