
VPN Connections and Default Gateways

12 November 2012

So, you need to setup a VPN connection to your work/client/buddy's remote network. No problem, just use the Windows VPN client, fill in the remote VPN server IP address, your username and password... click Connect. And a few seconds later you're connected to the remote network and you can now access resources (servers, fileshares, etc...) on your work/client/buddy's network - and all traffic between your PC and the remote network is encrypted. Awesome!

However, if you've ever dug into the Microsoft VPN client settings you might have noticed a little check box that says "Use default gateway on the remote network."

What does that mean?

Google turns up plenty of technical details about exactly what the option will do. However the gist is, by checking that option all of the Internet traffic from your machine will be routed through the VPN connection, and passed on to the VPN's Internet gateway.

Basically this means that all of your traffic (web sites, IMs, email, VoIP , etc...) will now be flowing through the remote network. To me this is bad for at least two reasons:

  1. It's my data: I don't want all of my data flowing across some other network if I can avoid it.
  2. Performance: Sending all of that data through the VPN tunnel will result in lower throughput and higher latency. All of that data needs to be encrypted by my PC, sent over the wire, decrypted by the VPN server, and then sent out to the Internet. On the way back to me the data will be encrypted by the VPN server, sent over the wire, decrypted by my PC, and then finally used.

Why go through all of that hassle when you could just use your local network (and Internet connection) like you always do?

So, don't use the Default Gateway option.

The obvious thing to do is uncheck the "Use default gateway on the remote network" option, right? Well... maybe.

In most cases it is probably OK to uncheck the option, and the only side effect will be that host names on the remote network no longer resolve. An easy way to get around that is by adding some mappings to your HOSTS file so your machine can correctly resolve the IP addresses of the machines on the remote network.

What about the other cases?

Depending on how the remote network is configured and how well locked down it is, you might not be able to connect to the remote machines even with the additions to the HOSTS file.

In these cases the issue is often that your PC doesn't know how to navigate to the IP addresses on the remote network because it can't find a route to the remote network. I ran into this very problem while setting up a VPN connection to a client's network.

Luckily Jon pointed me in the right direction when he suggested that I use Routing Tables to solve the problem. By tweaking my system's local IP routing table I could explicitly tell Windows how to navigate to the machines on the remote network. Great idea Jon!

I found this documentation very helpful when trying to figure out exactly how to tweak my local IP routing table. I ended up using a command like this to get it done:

route -p add 192.168.15.0 mask 255.255.255.0 10.10.10.1 if 0x70006

The parameters do the following:

  • route : the command that alters the local IP routing table.
  • -p : adds a persistent record to the local IP routing table, meaning the record will still be in your routing table even after the TCP/IP stack is restarted. So you won't have to run this command every time you reboot or alter your NIC settings.
  • 192.168.15.0 : the destination IP of the machine(s) on the remote network.
  • mask 255.255.255.0 : the subnet mask for the remote network. Combined with the destination IP, this means that anything going to an IP at 192.168.15.xxx will use this routing table record.
  • 10.10.10.1 : the IP address of the gateway on the remote network.
  • if 0x70006 : the index* (in hexadecimal) for the network interface over which the destination is reachable - meaning the index corresponding to the VPN network connection.

What it all means...

In the end, what all of that means is that any traffic going to an IP in the 192.168.15.1 - 192.168.15.254 range will be routed through the VPN connection, and its next hop will be the gateway at 10.10.10.1. The gateway will then take care of routing the traffic on to the actual host.
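To make the route selection concrete, here is an added Python illustration (not code from the original post) that models the two configurations on an in-memory routing table and picks a route the way Windows does: longest matching prefix first, lowest metric as the tie-breaker. The 192.168.15.0/24 destination, the 10.10.10.1 gateway and the 0x70006 interface index are the article's values; the local router address 192.168.1.1, the interface labels and the metrics are assumptions. The "full tunnel" table models the checked box as a second default route over the VPN with a better metric, which is how the Microsoft client achieves that behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry of a simplified IPv4 routing table."""
    network: ipaddress.IPv4Network   # destination combined with its mask
    gateway: str                     # next hop for packets matching this entry
    interface: str                   # label for the NIC (constructed, e.g. "LAN")
    metric: int                      # lower wins among equal-length prefixes


def add_route(table, destination, mask, gateway, interface, metric=1):
    """In-memory equivalent of `route add DEST mask MASK GATEWAY if IFACE`."""
    network = ipaddress.IPv4Network(f"{destination}/{mask}", strict=False)
    table.append(Route(network, gateway, interface, metric))
    return table


def lookup(table, address):
    """Choose the route for one address: longest matching prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def split_tunnel_table():
    """Checkbox unchecked: only the remote subnet goes through the VPN."""
    table = []
    # Constructed: the PC's usual default route via its local router (assumed 192.168.1.1).
    add_route(table, "0.0.0.0", "0.0.0.0", "192.168.1.1", "LAN", metric=25)
    # The article's command: route -p add 192.168.15.0 mask 255.255.255.0 10.10.10.1 if 0x70006
    add_route(table, "192.168.15.0", "255.255.255.0", "10.10.10.1", "VPN (if 0x70006)", metric=1)
    return table


def full_tunnel_table():
    """Checkbox checked: a second default route with a better metric pulls all
    Internet-bound traffic into the tunnel (modelled, not read from a live system)."""
    table = split_tunnel_table()
    add_route(table, "0.0.0.0", "0.0.0.0", "10.10.10.1", "VPN (if 0x70006)", metric=1)
    return table


def route_add_command(destination, mask, gateway, if_index, persistent=True):
    """Render the Windows command line for a route so the table and the shell agree."""
    flag = "-p " if persistent else ""
    return f"route {flag}add {destination} mask {mask} {gateway} if {if_index}"


if __name__ == "__main__":
    tables = (("split tunnel", split_tunnel_table()), ("full tunnel", full_tunnel_table()))
    for name, table in tables:
        print(f"--- {name} ---")
        for dst in ("192.168.15.42", "8.8.8.8"):
            r = lookup(table, dst)
            print(f"{dst:>14} -> {r.interface} via {r.gateway} (matched {r.network})")
    print(route_add_command("192.168.15.0", "255.255.255.0", "10.10.10.1", "0x70006"))
```

With the split-tunnel table, 192.168.15.42 matches the /24 and leaves via the VPN interface toward 10.10.10.1, while 8.8.8.8 only matches the /0 and stays on the local router; with the full-tunnel table the lower-metric VPN default route wins for 8.8.8.8 as well. The trade-off the article's two reasons describe is visible in the table: a split tunnel keeps Internet traffic local, but it also means the PC is attached to both networks at once, which is exactly why some remote networks are configured to force the default gateway through the tunnel.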

Check out these articles for more on how IP addresses and subnets work.

* = You can get a list of the network interfaces and their interface indexes using the route print command.
