Guide on how to set up split tunneling


Post by chaoscreater » Sun Feb 25, 2018 7:19 am

It took me a while to get this working, so I'm going to share my findings with the community and hope it'll be useful to someone.

There are 2 ways (that I know of) to set this up. Let's start with the SecureNAT method. But before we do anything, we must first make sure that we never set up Local Bridge and SecureNAT at the same time. This will wreak havoc on your remote network, because Local Bridge will bridge your remote network connection to SecureNAT, which is bad.

So, on your VPN server running at your remote network (in this case my workplace), go into "Local Bridge Setting" and remove any local bridges that you have configured. Then, go into your VPN hub and go into "Virtual NAT and Virtual DHCP Server (SecureNat)" and edit the configuration. By default, the virtual host's network interface settings should have its IP address set to Just leave that as is. Enable DHCP and just let it use the defaults. Configure the DNS servers to use the same ones as you do on your work PC. If your work PC is on the domain, it'll likely use the domain controllers or whatever DNS server on the domain for your DNS.

Next, we need to edit the routing table to push. Let's say your work's network is 10.x.x.x/8. You will then push this out:

This is basically saying, for the entire 10.x.x.x/8 range, route through the gateway Remember, is your virtual host's network interface from the main screen. If you changed it to something else, make sure you update it in your routing table.

Once you're done, go to your client machine. You would have installed the SoftEther VPN adapter already. Configure the metric of this adapter (either using PowerShell or by going into the IPv4 settings of the adapter) and change the metric to a high value, something like 9000. Just make sure this is higher than the metric value of your primary NIC. To use PowerShell to do it, first run PowerShell as administrator. Then, run this:

Get-NetIPInterface | sort-object interfacemetric

It should list a bunch of your NICs with the interface metric and ifIndex. The ifIndex is just an index for your NIC, it doesn't mean anything other than just a number. The interface metric however, determines which NIC is used as the primary NIC for routing connections. For example, let's say you have the following:

ifIndex - 14
interfaceAlias - Example1
interfaceMetric - 1

ifIndex - 7
interfaceAlias - Example2
interfaceMetric - 9000

If you ping, which interface is it going to use? It'll use "Example1", because it has a lower metric of 1 compared to a metric of 9000.

Anyway, just find your SoftEther VPN adapter and set its metric to 9000, by doing this:

Set-NetIPInterface -InterfaceIndex 21 -InterfaceMetric 9000

You'll need to change the interfaceIndex to match whatever yours has.

Now, from the client machine, connect to your VPN server and try pinging something on your work LAN. It should resolve via the gateway via your SoftEther VPN adapter interface. You can check the routing table on your client machine by doing a "route print" in command prompt. Next, go to Google and lookup "what is my IP". If you've done this right, your IP should be reported to be the IP provided by your ISP, not your work's IP. Check multiple "what is my IP" sites to confirm.

Essentially, we are only routing the work network (10.x.x.x/8) through to our VPN adapter on the client side, and anything else will route out using our primary adapter. Because of the routing table, and the fact that the primary NIC has a higher metric value, everything that isn't on the work network range will route using our primary adapter, i.e. split tunneling.

The PROBLEM with this is that if you were to do a SpeedTest, you won't get the actual speed you're paying for. I haven't gotten to the bottom of this yet, but I think that despite it being a split tunnel setup, traffic is still trying to route through your SoftEther VPN adapter interface, even though it shouldn't (due to its metric being set to 9000). I think this is an issue related to the SecureNAT setup on the server.

Next, let's go over the Local Bridge method. I personally prefer this method for 2 reasons. The main reason is that I can get an IP directly from the DHCP server at work, rather than having a NAT address like with our SecureNAT scenario. The other reason is that this split tunneling method is actually a proper working split tunneling in comparison to the SecureNAT method. However, there are some quirks and annoyances, which I will go over. First of all, on your VPN server, make sure to disable SecureNAT. Then, go into "Local Bridge Settings" and select a LAN adapter as your source for the bridge connection. One caveat here is that you cannot select a virtual NIC as your LAN adapter. Well, you can, and it will still work, but there is a bug with this (which I'll go over below). Just make sure that the LAN adapter you've selected is not used for a virtual switch or virtual NIC for e.g. Hyper-V or whatever. Then, select your VPN hub and bridge the connection.

On the client machine, we again make sure that the SoftEther VPN adapter's IPv4 metric is set to a high value, e.g. 9000. Next, we need to configure a static route on the client machine. Let's say your work network's range is 10.x.x.x/8 and the default gateway is You'll simply need to do this:

route -p ADD MASK metric 1 if 7

What this is saying is, for the 10.x.x.x/8 network, route via the default gateway of and assign this route a metric of 1. Also, route this out the NIC with an ifIndex of 7. To get your ifIndex for your SoftEther VPN adapter, run Get-NetIPInterface | sort-object interfacemetric and just substitute the value 7 with yours. Of course, if your network range is e.g. 192.168.x.x/16, then you'll need to change the above to fit your scenario.

Now, make the connection to your VPN server. You'll find that your SoftEther VPN adapter will get an IP directly from your work's DHCP server, as if you're sitting right there in the office. Great. Now, try to ping a work machine, it should resolve OK. If you do an IP lookup, it should return your ISP's IP. If you do a SpeedTest, the result should match what you're actually paying for.

Now, try and access a resource (e.g. a work document) on your work network share via SMB. You will find that you can access it just fine. On your VPN server, if you were to use a virtual NIC for your Local Bridge connection, then you will NOT be able to access the work document from the client machine. This seems to be a bug.

The one caveat here is that if you have a split DNS set up, you will require one additional configuration. For example, let's say your work machine is on a domain, e.g. It'll probably be using a domain controller or an internal DNS server to resolve resources to internal IPs. For example, may resolve to or something. But you also have an external DNS server authoritative for and it might resolve to or something. Well, when you ping on your client machine, it will route through your primary NIC (again, it has a lower metric value compared to the 9000 metric on your SoftEther VPN NIC), which will then do a DNS query against the public DNS servers and return a result of That might not be what you want, as you might want to have returned instead. The only way I can get around this is to remove all public DNS servers from my primary NIC, and just configure the DNS to use my work DNS instead. So if my work DNS uses e.g., then that's what I'll use for my primary NIC.

Obviously, changing the DNS on your primary connection constantly is a pain. So what you can do is download "RunElevated", create a shortcut of RunElevated, and edit the shortcut properties to this:

"C:\Apps\RunElevated\RunElevated.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -File SetDNS.ps1

In the same folder as the shortcut, create a SetDNS.ps1 file and add the following content inside. Here, the interfaceIndex should be your primary NIC, and the DNS IP of should be your work DNS IP.

Function Do-DHCP {
    Write-Output "Set primary DNS to DHCP"
    # Interface index 17 is the primary NIC here; change it to match yours
    Set-DNSClientServerAddress -InterfaceIndex 17 -ResetServerAddresses
}

Function Do-WorkDNS {
    Write-Output "Set primary DNS to WorkDNS"
    # Replace the placeholder with your work DNS server IP
    Set-DNSClientServerAddress -InterfaceIndex 17 -ServerAddresses "<WORK_DNS_IP>"
}

$choices = @("DHCP", "WorkDNS")

Do {
    Write-Output ("Options: " + ($choices -join ", "))
    Switch (Read-Host -Prompt "Choice") {
        "DHCP" {
            Write-Output "DHCP"
            Do-DHCP
        }
        "WorkDNS" {
            Write-Output "Work DNS"
            Do-WorkDNS
        }
        Default {
            Write-Output "Invalid Selection"
        }
    }
    $continue = Read-Host -Prompt "Enter to continue, Any character and Enter to exit"
    If ($continue) { Exit }
} Until ($False)

Run the RunElevated shortcut (which points to your PowerShell file) and it should launch your PowerShell script just fine. Select WorkDNS and hit enter on your keyboard. It should configure your primary NIC to use your work DNS. Then, do an ipconfig /flushdns and finally ping whatever resource is on your split DNS set up (in our example, It should resolve to the internal IP.

Your primary NIC still has the lower metric, therefore it is used for resolving queries, but because its DNS points to your work DNS, eventually it'll just use your SoftEther VPN adapter to query instead.

It's a bit confusing to get your head around, but this all works pretty well.
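As an added check (not from the post above, and not SoftEther's own tooling), the script below verifies the client-side end state the post is after: the SoftEther adapter has a higher IPv4 metric than the primary NIC, the work range is routed out the VPN adapter, and the stack actually picks the VPN adapter for a work address and the primary NIC for an Internet address. The adapter alias, the work prefix (10.0.0.0/8 is the post's 10.x.x.x/8), the gateway and the test addresses are assumptions you pass in; save it as e.g. Check-SplitTunnel.ps1 and run it from PowerShell with -VpnAlias (add -Fix from an elevated shell to apply the metric and route).

```powershell
# Added check script, not part of the original post. Assumptions: -VpnAlias is
# the SoftEther adapter's alias; -WorkGateway is only used with -Fix, to add the
# route the post adds by hand with 'route -p ADD ... if <ifIndex>'.
param(
    [Parameter(Mandatory)] [string] $VpnAlias,
    [string] $WorkPrefix  = '10.0.0.0/8',
    [string] $WorkTestIp  = '10.0.0.1',   # any address inside the work range
    [string] $WorkGateway = '',           # work default gateway (needed with -Fix)
    [int]    $VpnMetric   = 9000,
    [switch] $Fix                         # apply fixes; requires an elevated shell
)
$ErrorActionPreference = 'Stop'

function Get-EgressIfIndex([string] $Ip) {
    # Find-NetRoute returns a source-address object plus the matching route;
    # the route is the object that carries a DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $Ip | Where-Object DestinationPrefix | Select-Object -First 1
    return [int] $route.ifIndex
}

$vpn = Get-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4
# Primary NIC: the connected IPv4 interface with the lowest metric that is
# neither the VPN adapter nor loopback (the same ordering the post gets from
# Get-NetIPInterface | sort-object interfacemetric).
$primary = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.ifIndex -ne $vpn.ifIndex -and $_.InterfaceAlias -notlike 'Loopback*' } |
    Sort-Object InterfaceMetric | Select-Object -First 1
Write-Output ("Primary: {0} ifIndex={1} metric={2}" -f $primary.InterfaceAlias, $primary.ifIndex, $primary.InterfaceMetric)
Write-Output ("VPN:     {0} ifIndex={1} metric={2}" -f $vpn.InterfaceAlias, $vpn.ifIndex, $vpn.InterfaceMetric)

# Check 1: VPN metric must be higher than the primary NIC's, otherwise
# non-work traffic (and DNS lookups) gets pulled into the tunnel.
if ($vpn.InterfaceMetric -le $primary.InterfaceMetric) {
    Write-Warning "VPN metric $($vpn.InterfaceMetric) is not higher than primary metric $($primary.InterfaceMetric)"
    if ($Fix) { Set-NetIPInterface -InterfaceIndex $vpn.ifIndex -InterfaceMetric $VpnMetric }
}
# Check 2: the work range must have a route out the VPN interface.
$workRoute = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $WorkPrefix -ErrorAction SilentlyContinue |
    Where-Object ifIndex -eq $vpn.ifIndex
if (-not $workRoute) {
    Write-Warning "No route for $WorkPrefix via ifIndex $($vpn.ifIndex)"
    if ($Fix -and $WorkGateway) { New-NetRoute -DestinationPrefix $WorkPrefix -InterfaceIndex $vpn.ifIndex -NextHop $WorkGateway -RouteMetric 1 }
}
# Check 3: ask the stack which interface it would really use. 203.0.113.1 is an
# RFC 5737 documentation address, used here only as a route-lookup target.
$workVia = Get-EgressIfIndex $WorkTestIp
$inetVia = Get-EgressIfIndex '203.0.113.1'
Write-Output ("Work host egress ifIndex={0}  Internet egress ifIndex={1}" -f $workVia, $inetVia)
if ($workVia -eq $vpn.ifIndex -and $inetVia -eq $primary.ifIndex) { Write-Output "Split tunnel OK" }
else { Write-Warning "Split tunnel NOT correct: review the metrics and routes above" }
```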


Re: Guide on how to set up split tunneling

Post by mjeff » Tue Mar 20, 2018 4:26 pm

Thanks for the tutorial that you are providing in the above post. I think tunneling is also formed from any VPN services, including ZenMate and PureVPN.
I hope this helps you in this case, thanks again.
