Configuring Split Tunnel Client VPN
Cisco Meraki Client VPN only establishes full-tunnel connections, which will direct all client traffic through the VPN to the configured MX. As such, any content filtering, firewall or traffic shaping rules will apply to the VPN client's outbound traffic.
For remote teleworkers or users whose traffic should not be restricted in the same manner, clients can be configured to use a split-tunnel connection to direct traffic through the VPN only if necessary:
This article includes instructions for configuring split tunnel client VPN on Windows and Mac OS X. For standard Client VPN configuration on Windows and Mac OS X, please refer to our Client VPN setup guide. The rest of this article assumes a VPN has already been setup in this manner.
Note: This configuration involves manually adding entries to a client's route table, and should only be followed by users with a thorough understanding of routing mechanisms.
Configuring Split Tunnel for Windows
First, modify the properties of the VPN connection to not be used as the default gateway for all traffic:
- Navigate to Control Panel > Network and Sharing Center > Change Adapter Settings
- Right click on the VPN connection, then choose Properties
- Select the Networking tab
- Select Internet Protocol Version 4 (TCP/IPv4) and click Properties
- Click Advanced
- Deselect the box for "Use default gateway on remote network"
- Click OK to apply the changes to the interface
Next, add routes for the desired VPN subnets. This should be done with the VPN tunnel connected:
- Open a command prompt (hold down the Windows key and press 'R')
- Type 'ipconfig /all' and hit Enter (Note: The name of the VPN will not be displayed unless you are connected to the VPN)
- Under the list of interfaces, find the Description for the VPN connection created earlier. This will be needed later.
- Run the below command replacing the relevant information between the <> markings:
Note: "Destination subnet" refers to the local LAN subnet (in CIDR notation) on the appliance's site, not the Client VPN subnet specified in Dashboard.
netsh interface ipv4 add route <destination subnet> "<interface name>"
Use the same command, replacing "add" with "delete" to remove the route.
Configuring Split Tunnel for OS X
First, disable full tunnel (all traffic over the VPN):
- Navigate to the specific VPN settings for OS X, located under System Preferences > Network.
- Click Advanced Settings
- Under "Options" section, deselect “Send all traffic over VPN”
Add a new route to local routing table:
- Connect to the Client VPN
- Open the Terminal Application; normally this is located in Applications > Utilities > Terminal
- Verify the PPP interface that is being used for the Client VPN, this can be done by typing “ifconfig”
- As a superuser, enter the following command, replacing the relevant information between the <> markings:
Note: "Destination subnet" refers to the local LAN subnet on the appliance's site, not the Client VPN subnet specified in Dashboard.
route add -net <destination subnet> -netmask <subnet mask> -interface ppp0
Ex. "route add -net 10.3.0.0 -netmask 255.255.240.0 -interface ppp0"
To verify that the route was added take a look at the routing table, the new subnet should now have an entry. The route table can be accessed by typing "netstat -r":
The route table will have to be modified depending on what networks will be accessed over the Client VPN (e.g. more than one network behind the concentrator). The interface will also have to be modified if there is more than one VPN configured on the client.
Now that the route is added, a trace route can be performed to verify the direction of the traffic. All internet traffic should head out the normal interface and all VPN traffic should head to the PPP interface.
Note: These steps will have to be entered each time the VPN is brought up, but they can be defined in a script to make the changes quickly when needed. The specific process for this will be highly dependent on the operating system, tools available, and administrator preferences.