
How to disable internet through VPN on Client side

Posted: Fri Apr 03, 2020 4:21 pm
by ODITech
Hello,

I am trying to find out how to disable internet access through the VPN on the client's side. Their local connection and the VPN connection both show internet access and the client defaults to accessing the internet over the VPN instead of their local internet.

I tried to remove the gateway IP from the NAT in the virtual hub. That worked; however, they could no longer access the file server on the remote end. As soon as I put the gateway back in, that restored their access to the server, but now their internet is back over the VPN.

Then I tried just taking out the DNS server address. That seemed to have no effect.

Any ideas how I can do this?

Re: How to disable internet through VPN on Client side

Posted: Fri Apr 03, 2020 5:06 pm
by sky59
It is the server that puts internet into the VPN. You have to block it on the server side.

Re: How to disable internet through VPN on Client side

Posted: Fri Apr 03, 2020 5:44 pm
by gg_user
No need to send option 3 (default gateway) (dhcp-option) from VPN server to client side.
To transfer networks behind the VPN server to the client, it is necessary to use dhcp-options 121 and/or 249.

Re: How to disable internet through VPN on Client side

Posted: Fri Apr 03, 2020 9:47 pm
by ODITech
@sky59 I left the gateway out in DHCP options - just left blank. When I did that, the client could connect but could no longer access their server.

@gg_user Where do I find options 121 and 249?

I'm sorry I am a bit of a newbie and still trying to figure this out.

Thanks for the help!

Re: How to disable internet through VPN on Client side

Posted: Fri Apr 03, 2020 10:16 pm
by ODITech
As long as there is no gateway specified the client will connect and receive DHCP, but the client cannot access anything on the remote network.

Surely I am doing something wrong? What I am trying to accomplish is to allow the client to access a shared folder on a Windows file server over the VPN. But, when they are at home accessing the internet it is going out through their home internet and not routing through the VPN.

Re: How to disable internet through VPN on Client side

Posted: Sat Apr 04, 2020 6:16 am
by gg_user
Where do I find options 121 and 249?
These are the parameters of an external dhcp server, for example dnsmasq.
What OS is used on the vpn-server?

Re: How to disable internet through VPN on Client side

Posted: Sat Apr 04, 2020 1:31 pm
by centeredki69
@ODITech If the clients are using the SE-Client software:
A) Remove the Gateway from the "SecureNAT" but leave the DNS. Now clients are split-tunnel (they are connected to the VPN "secureNAT" network but they still use their HOME/LOCAL gateway to browse the internet).
B) So you now need to tell the clients how to find the "Remote Office network/resources" because their default gateway is no longer the "SecureNAT gateway". This is done using "static routes". You need to create a static route telling the clients where the remote network can be found.
Example: Office/Remote network 192.168.20.0/255.255.255.0 (this may be different for you) can be found at 192.168.30.1 (default gateway for "SecureNAT" -- you may have changed this):
192.168.20.0/255.255.255.0/192.168.30.1
Or you can create a route for ONE specific resource (your Windows file server @ 192.168.20.125):
192.168.20.125/255.255.255.0/192.168.30.1
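
An added example, not part of any post in this thread and not SoftEther code: it parses push-route entries in the network/mask/gateway form used in the post above, flags a destination that has host bits set under its mask, rejects a default route (which would send internet traffic back over the VPN), and encodes the result as the DHCP option 121 payload (RFC 3442) mentioned earlier in the thread. The function names are hypothetical.

```python
import ipaddress

def parse_push_route(entry):
    """Parse 'network/mask/gateway' into (IPv4Network, IPv4Address, note)."""
    parts = [p.strip() for p in entry.split("/")]
    if len(parts) != 3:
        raise ValueError(f"expected network/mask/gateway, got {entry!r}")
    dest, mask, gw = parts
    iface = ipaddress.IPv4Interface(f"{dest}/{mask}")  # rejects invalid masks
    gateway = ipaddress.IPv4Address(gw)
    network = iface.network
    if network.prefixlen == 0:
        # Added check: a pushed default route defeats the split tunnel.
        raise ValueError("0.0.0.0/0 would route internet traffic over the VPN")
    note = None
    if iface.ip != network.network_address:
        note = f"{dest} has host bits set under {mask}; route covers {network}"
    return network, gateway, note

def encode_option_121(routes):
    """RFC 3442 payload: per route, the prefix length, then only the
    significant destination octets, then the 4-byte router address."""
    payload = bytearray()
    for network, gateway in routes:
        significant = (network.prefixlen + 7) // 8
        payload.append(network.prefixlen)
        payload += network.network_address.packed[:significant]
        payload += gateway.packed
    return bytes(payload)

# Constructed sample input: the two entries from the post above.
SAMPLE_ENTRIES = [
    "192.168.20.0/255.255.255.0/192.168.30.1",
    "192.168.20.125/255.255.255.0/192.168.30.1",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        network, gateway, note = parse_push_route(entry)
        payload = encode_option_121([(network, gateway)])
        print(f"{entry} -> {network} via {gateway}, option 121 = {payload.hex()}")
        if note:
            print(f"  note: {note}")
```

A route for one host uses the mask 255.255.255.255, which encodes as prefix length 32.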

Re: How to disable internet through VPN on Client side

Posted: Mon Apr 06, 2020 4:58 pm
by ODITech
Thanks! This makes a lot of sense with the static route. I will give it a try a little later. It is a Windows server using DHCP on the server.

Re: How to disable internet through VPN on Client side

Posted: Wed Apr 15, 2020 1:44 pm
by klan2000
If LocalBridge is created, SecureNAT is disabled, and the DHCP server is activated on the local network for LocalBridge, you can create a User Class on the DHCP server, for example, MyVPN. For this class, you must create an empty parameter 003 (router), and add other parameters if necessary. On the VPN client side in MS Windows, use the ipconfig /setclassid SoftEtherVPN myVPN command to specify the name of this class on the SoftEther interface. SoftEtherVPN is the name of my VPN adapter. Enter the name when the client is connected to the VPN Server. For subsequent connections, the default gateway for Internet access will be used on the client side. In other words, requests to the local network will be made via the VPN adapter, and requests to the Internet will be made via the Ethernet adapter on the client side.

The Hub Extended Option List has the UseHubNameAsDHCPUserClassOption parameter, which is used to add the User Class option to a request to an external DHCP server. However, this parameter does not work for SoftEther sessions.

Re: How to disable internet through VPN on Client side

Posted: Wed Apr 15, 2020 2:00 pm
by OliverTejada
It's as easy as removing the default gateway from DHCP settings.

Re: How to disable internet through VPN on Client side

Posted: Thu Apr 16, 2020 8:20 am
by klan2000
I described a situation when the DHCP server distributes the IP address simultaneously to the local network and to VPN clients. Deleting the default gateway in the DHCP server settings will cause clients in the local network to also have no default gateway and as a result, no access to any network other than the local network.

Re: How to disable internet through VPN on Client side

Posted: Thu Apr 16, 2020 9:08 am
by klan2000
Question to the developers.
We have a VPN server with a local Bridge connected to the local network, SecureNAT is not used (disabled as a router and a DHCP server). The local network has a DHCP server that distributes addresses to both the local network and SoftEther VPN clients.
Would you like to have a parameter at the virtual hub level that sets the User Class for VPN clients and adds it to the DHCP requests from the VPN client to the DHCP server?
The goal is to split the DHCP server settings between LAN clients and VPN clients and make it easier to get these settings on the VPN client side without additional manipulation in the form of an ipconfig command

Re: How to disable internet through VPN on Client side

Posted: Thu Apr 16, 2020 12:37 pm
by centeredki69
The only solution I have found to successfully split tunnel when using the "local Bridge" and SE-Client (because the client doesn't have a built-in option like the native Windows clients and mobile devices) is to change the IPv4 interface metric on the "VPN-client adapter" from "1" to automatic and verify all other physical adapters (NICs & WiFi) are also set to the default "automatic". You can also un-check automatic on all adapters and choose the metric priority. Example: NIC = "1", WiFi = "5", VPN = "10".

Re: How to disable internet through VPN on Client side

Posted: Fri Apr 17, 2020 11:49 am
by klan2000
A good solution is to prioritize interface metric adapters NIC = "1", WiFi = "5", VPN = "10". However, if a physical adapter with a metric equal to "1" has a static address, you must also change the default gateway metric from automatic to "1".

Re: How to disable internet through VPN on Client side

Posted: Sat Apr 18, 2020 10:10 am
by klan2000
@sunnywilson09 You deleted the gateway, but did not add a route to the remote network. Please see the post by centeredki69 above. The general idea is to either set the interface metric to prioritize the physical adapter over the VPN adapter, or remove the gateway and add a route to the DHCP server in SecureNAT.

Re: How to disable internet through VPN on Client side

Posted: Sat Apr 18, 2020 6:58 pm
by sky59
I have already written: remove access to internet on vpn server

But you do not explain the network architecture at all. Do you need to access just a few computers over the VPN? Do you want to access just one /24 subnet? If yes, you do not need any gateway. Give every client a static IP for the VPN interface. Then all remote computers are within the same IP range. Where is the DHCP server? Do you have two of them? One local and one on the VPN server side?

Re: How to disable internet through VPN on Client side

Posted: Thu Dec 03, 2020 7:53 pm
by Afakename
Hi, on your local PC client, open Network and sharing center

1. Right click on the VPN adapter, select properties
2. Open properties on TCP/IP V4
3. Click Advanced
4. Click to place a check mark on Auto Metric
5. OK all the way out
6. Disconnect the VPN
7. Reconnect the VPN
8. Enjoy!

Re: How to disable internet through VPN on Client side

Posted: Sun Dec 06, 2020 3:23 pm
by wasalph
Afakename wrote:
Thu Dec 03, 2020 7:53 pm
4. Click to place a check mark on Auto Metric
Thank you very much! This solves my similar problem. I didn't use the SecureNAT because on the server side, I already bridge the LAN card to the VPN hub.

Re: How to disable internet through VPN on Client side

Posted: Sat Mar 20, 2021 2:03 am
by sacasoh
centeredki69 wrote:
Sat Apr 04, 2020 1:31 pm
@ODITech If the clients are using the SE-Client software: A) Remove the Gateway from the "SecureNAT" but leave the DNS. Now clients are split-tunnel (they are connected to the VPN "secureNAT" network but they still use their HOME/LOCAL gateway to browse the internet). B) So you now need to tell the clients how to find the "Remote Office network/resources" because their default gateway is no longer the "SecureNAT gateway". This is done using "static routes". You need to create a static route telling the clients where the remote network can be found.
Example: Office/Remote network 192.168.20.0/255.255.255.0 (this may be different for you) can be found at 192.168.30.1 (default gateway for "SecureNAT" -- you may have changed this): 192.168.20.0/255.255.255.0/192.168.30.1 Or you can create a route for ONE specific resource (your Windows file server @ 192.168.20.125): 192.168.20.125/255.255.255.0/192.168.30.1
Just created an account to say that this works perfectly for me (way better than trying to implement it client-side). When I read it, even without ever having set up a VPN before, I instantly understood the reason for the omission of the gateway and the need for a static route (else no connection between my server). Thank you.

Re: How to disable internet through VPN on Client side

Posted: Fri Mar 26, 2021 10:03 am
by vermamanu8
I will give it a try a little later. It is a Windows server using DHCP on the server.