
Cisco Meraki Documentation

Configuring Split Tunnel Client VPN

Overview

Cisco Meraki MX firewall appliances offer a Client VPN feature that lets remote users establish a VPN tunnel to the MX and reach resources on the local LAN behind it. These Client VPN connections are "full tunnel" only: all of the client's network traffic, including Internet traffic, is routed through the VPN to the configured MX.

As a result, the MX inspects all of the client's traffic and applies its content filtering, firewall and traffic shaping rules to the Client VPN's outbound traffic. This is practical and secure; however, remote users sometimes have specific traffic flows that should not pass through the MX.

In these cases you need to configure what is called a "split tunnel". For example, some Client VPN users may want to use the tunnel only to reach resources on your local LAN and use their own Internet connection for everything else, to avoid the added latency. Keep in mind that traffic sent outside the tunnel is no longer subject to the MX's content filtering, firewall or traffic shaping rules.

Split tunneling can only be configured on the client side; MX firewall appliances only do "full tunnel". You must therefore configure the remote user's operating system VPN settings to use a split-tunnel connection and send traffic into the VPN only when it is destined for the networks behind the MX. The diagram below illustrates a split-tunnel network flow.

[Diagram: topology showing the traffic flows when Client VPN with split tunnel is enabled]

This article includes instructions for configuring split tunnel Client VPN on Windows and macOS. For the standard Client VPN configuration on Windows and macOS, refer to our Client VPN setup guide. The rest of this article assumes a VPN has already been set up in this manner.

Note: This configuration involves manually adding entries to a client's route table, and should only be followed by users with a thorough understanding of routing mechanisms.

Configuring Split Tunnel for Windows

First, modify the properties of the VPN connection to not be used as the default gateway for all traffic:

  1. Navigate to Control Panel > Network and Sharing Center > Change Adapter Settings
  2. Right click on the VPN connection, then choose Properties
  3. Select the Networking tab
  4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
    [Screenshot: Windows adapter settings with the IPv4 options highlighted]
  5. Click Advanced
  6. Deselect the box for "Use default gateway on remote network"
    [Screenshot: the default gateway checkbox in the IP Settings tab of Windows]
  7. Click OK to apply the changes to the interface


Next, add routes for the desired VPN subnets. This should be done with the VPN tunnel connected:

  1. Open a command prompt (hold down the Windows key and press 'R', type cmd and press Enter)
  2. Type 'ipconfig /all' and press Enter (Note: the VPN adapter is only listed while you are connected to the VPN)
  3. Under the list of interfaces, find the Description of the PPP adapter for the VPN connection created earlier. This interface name is needed in the next step.
    [Screenshot: PPP adapter output from ipconfig in a Windows command prompt]
  4. Run the below command replacing the relevant information between the <> markings:
    Note: "Destination subnet" refers to the local LAN subnet (in CIDR notation) on the appliance's site, not the Client VPN subnet specified in Dashboard.
netsh interface ipv4 add route <destination subnet> "<interface name>"

[Screenshot: adding a route with the netsh command in a Windows command prompt]

To remove a route, use the same command with "add" replaced by "delete".

Windows will lose these routes after a reboot. To add the split-tunnel destinations permanently (a persistent route), append the parameter store=persistent to the command. For example:

netsh interface ipv4 add route 192.168.128.0/24 "Home" store=persistent

Removing a persistent route has the same syntax using netsh:

netsh interface ipv4 delete route 192.168.128.0/24 "Home"

Configuring Split Tunnel for macOS 12 and higher

First, disable full tunnel (all traffic over the VPN):

  1. Navigate to the VPN settings, located in System Settings > VPN (System Preferences > Network on macOS 12).
  2. Click the "i" next to the VPN connection to open its settings
  3. Under the "Options" section, deselect "Send all traffic over VPN" if it is enabled

[Screenshot: macOS L2TP over IPsec connection window with the "Send all traffic over VPN" option visible]

Next, add routes to the local routing table:

For split tunnel configuration on macOS, the routing table on each client device has to be modified according to which networks will be reached over the Client VPN (for example, more than one network behind the concentrator). The network service named in the commands below also has to match the right connection if more than one VPN is configured on the client.

Routes set with the networksetup utility are stored in the VPN service's configuration, so they apply whenever that service connects and do not have to be re-entered each time the VPN is brought up. If you manage many clients, the commands can still be collected in a script; how that is distributed depends on the tools available and administrator preferences.

1. Open the macOS Terminal application (Finder > Go > Applications > Utilities > Terminal)

2. List the macOS network services with the command below (you will be prompted for your password; the route commands in this section require administrator privileges):

sudo networksetup -listallnetworkservices

In this example, the VPN network service is called "My-Meraki-Client-VPN":

sudo networksetup -listallnetworkservices                                              
Password:
An asterisk (*) denotes that a network service is disabled.
Thunderbolt Ethernet Slot 0
Wi-Fi
My-Meraki-Client-VPN

3. As a superuser, enter the following command, replacing the relevant information between the <> markings:

"Destination subnet" refers to the local LAN subnet on the appliance's site, not the Client VPN subnet specified in Dashboard.

Verify which PPP interface is being used for the Client VPN by running "ifconfig" while the VPN is connected. The VPN interface shows a point-to-point address pair of the form below; the address after the arrow is the far end of the PPP link on the MX side, not an address on the client:

inet <client VPN assigned IP> --> <PPP peer address> netmask 0xffffff00

networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]

In this example, you add a route to the destination network 172.16.1.0/24 with the VPN interface as the gateway (next hop). The gateway is given as an empty string "" (two double quotes with nothing between them), which tells networksetup to use the VPN interface itself; do not type your VPN name or an IP address there.

sudo networksetup -setadditionalroutes "My-Meraki-Client-VPN" 172.16.1.0 255.255.255.0 ""

Note: if you re-issue the command networksetup -setadditionalroutes <your-VPN-name> [...], the new route definitions are not appended; they overwrite the existing list and you lose the previous routes. If you need two or more routes, issue the command with all of the routes at once, even if one of them is already configured.

To verify the routes added to your VPN service, type:

sudo networksetup -getadditionalroutes "My-Meraki-Client-VPN"

If you need to delete the route(s) added previously, run the command with only the network service name and no routes after it, replacing the relevant information between the <> markings:

sudo networksetup -setadditionalroutes <networkservice>

Note: You do not have to repeat these steps each time the VPN is brought up; networksetup stores the routes in the VPN service's configuration, so they are persistent. However, you may need to remove them manually before connecting to other, non-Meraki VPNs (for example, when the destination networks overlap).
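Steps 2 and 3 above, together with the "all routes at once" caveat, can be scripted so that the single networksetup call is built from CIDR notation rather than typed by hand. The following is an added example and not Meraki's own code or part of the networksetup documentation; the service name "My-Meraki-Client-VPN" and the subnets 172.16.1.0/24 and 192.168.128.0/24 are assumptions carried over from the examples on this page, and the script must be run on macOS with administrator privileges to actually change anything:

```shell
#!/bin/sh
# Added example (not Meraki's code): script the macOS split-tunnel routes.
# Every "networksetup -setadditionalroutes" call REPLACES the service's
# whole route list, so this builds ONE call that carries every subnet.
# Assumed values (from the examples on this page): service name
# "My-Meraki-Client-VPN", subnets 172.16.1.0/24 and 192.168.128.0/24.

# valid_ipv4 A.B.C.D -> succeeds only for a dotted quad with octets 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# cidr_to_mask PREFIXLEN -> dotted-decimal netmask (24 -> 255.255.255.0)
cidr_to_mask() {
    bits=$1
    case "$bits" in
        ''|*[!0-9]*) echo "cidr_to_mask: bad prefix length '$bits'" >&2; return 1 ;;
    esac
    [ "$bits" -le 32 ] || { echo "cidr_to_mask: bad prefix length '$bits'" >&2; return 1; }
    mask=''
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then
            octet=$((256 - (1 << (8 - bits)))); bits=0
        else
            octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# route_args CIDR... -> one validated "dest mask" pair per line
route_args() {
    for cidr in "$@"; do
        case "$cidr" in
            */*) ;;
            *) echo "route_args: expected a.b.c.d/len, got '$cidr'" >&2; return 1 ;;
        esac
        dest=${cidr%/*}
        valid_ipv4 "$dest" || { echo "route_args: bad network address '$dest'" >&2; return 1; }
        mask=$(cidr_to_mask "${cidr#*/}") || return 1
        printf '%s %s\n' "$dest" "$mask"
    done
}

# apply_routes SERVICE CIDR... -> one networksetup call with all routes.
# The gateway for each route is the empty string "", which networksetup
# reads as "use the VPN interface itself as the next hop". Calling it with
# only SERVICE clears the route list, like the delete command above.
# Set DRY_RUN=1 to print the exact command instead of executing it.
apply_routes() {
    service=$1; shift
    cidrs=$*                        # CIDRs contain no spaces; a flat copy is safe
    set --                          # rebuild "$@" as  dest mask ""  triples
    for cidr in $cidrs; do
        pair=$(route_args "$cidr") || return 1
        set -- "$@" $pair ""
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'sudo networksetup -setadditionalroutes'
        printf " '%s'" "$service" "$@"
        printf '\n'
    else
        sudo networksetup -setadditionalroutes "$service" "$@"
    fi
}

# Usage: sh split-routes.sh My-Meraki-Client-VPN 172.16.1.0/24 192.168.128.0/24
if [ "$#" -gt 0 ]; then
    apply_routes "$@"
fi
```

Run it with DRY_RUN=1 first to see the exact networksetup command it would issue, then without it to apply the routes. Afterwards, sudo networksetup -getadditionalroutes "My-Meraki-Client-VPN" should list every subnet, and with the VPN connected netstat -rn -f inet shows them on the pppN interface. Converting the prefix length and validating the network address locally also rejects typos such as /33 or an octet above 255 before they reach the routing table.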

Verify Connectivity

Now that the routes are added, a traceroute (tracert on Windows, traceroute on macOS) can be used to verify the traffic direction. In either case, Internet traffic should leave via the normal interface and traffic to the configured destination subnets should go via the VPN interface. The routing table itself can be inspected with route print on Windows and netstat -rn -f inet on macOS: the split-tunnel destinations should appear on the VPN (PPP) interface, while the default route should still point to the client's local gateway.
