How to disable internet through VPN on Client side

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
ODITech
Posts: 6
Joined: Tue Sep 25, 2018 12:57 pm

How to disable internet through VPN on Client side

Post by ODITech » Fri Apr 03, 2020 4:21 pm

Hello,

I am trying to find out how to disable internet access through the VPN on the client's side. Their local connection and the VPN connection both show internet access and the client defaults to accessing the internet over the VPN instead of their local internet.

I tried to remove the gateway IP from the NAT in the virtual hub. That worked; however, they could no longer access the file server on the remote end. As soon as I put the gateway back in, that restored their access to the server, but now their internet is back over the VPN.

Then I tried just taking out the DNS server address. That seemed to have no effect.

Any ideas how I can do this?

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: How to disable internet through VPN on Client side

Post by sky59 » Fri Apr 03, 2020 5:06 pm

It is the server that puts internet into the VPN. You have to block it on the server side.

gg_user
Posts: 16
Joined: Sat May 13, 2017 6:39 pm

Re: How to disable internet through VPN on Client side

Post by gg_user » Fri Apr 03, 2020 5:44 pm

No need to send option 3 (default gateway) (dhcp-option) from VPN server to client side.
To transfer networks behind the VPN server to the client, it is necessary to use dhcp-options 121 and/or 249.

ODITech
Posts: 6
Joined: Tue Sep 25, 2018 12:57 pm

Re: How to disable internet through VPN on Client side

Post by ODITech » Fri Apr 03, 2020 9:47 pm

@sky59 I left the gateway out in DHCP options - just left blank. When I did that, the client could connect but could no longer access their server.

@gg_user Where do I find options 121 and 249?

I'm sorry I am a bit of a newbie and still trying to figure this out.

Thanks for the help!

ODITech
Posts: 6
Joined: Tue Sep 25, 2018 12:57 pm

Re: How to disable internet through VPN on Client side

Post by ODITech » Fri Apr 03, 2020 10:16 pm

As long as there is no gateway specified the client will connect and receive DHCP but the client can not access anything on the remote network.

Surely I am doing something wrong? What I am trying to accomplish is to allow the client to access a shared folder on a Windows file server over the VPN. But, when they are at home accessing the internet, it is going out through their home internet and not routing through the VPN.

gg_user
Posts: 16
Joined: Sat May 13, 2017 6:39 pm

Re: How to disable internet through VPN on Client side

Post by gg_user » Sat Apr 04, 2020 6:16 am

Where do I find options 121 and 249?
These are the parameters of an external dhcp server, for example dnsmasq.
What OS is used on the vpn-server?
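
The payload that DHCP options 121 and 249 carry (RFC 3442 classless static routes; 249 is the Microsoft variant with the same layout), encoded and audited for the routes used in this thread. This is an added example, not code from the posts or from SoftEther; the function names are hypothetical and the file-server host route is written here as a /32.

```python
import ipaddress

def encode_routes(routes):
    """Pack (destination CIDR, gateway) pairs as an RFC 3442 option payload."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)  # raises if host bits are set
        out.append(net.prefixlen)
        # Only the significant octets of the destination are transmitted.
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += ipaddress.IPv4Address(gateway).packed
    if len(out) > 255:
        raise ValueError("payload does not fit in one DHCP option")
    return bytes(out)

def decode_routes(payload):
    """Unpack an option 121/249 payload back into (CIDR, gateway) pairs."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        octets = (width + 7) // 8
        end = i + 1 + octets + 4
        if width > 32 or end > len(payload):
            raise ValueError("malformed classless route option")
        dest = payload[i + 1:i + 1 + octets] + bytes(4 - octets)
        gateway = ipaddress.IPv4Address(payload[end - 4:end])
        routes.append((f"{ipaddress.IPv4Address(dest)}/{width}", str(gateway)))
        i = end
    return routes

def pushes_default_route(payload):
    """True if the option would pull all traffic (0.0.0.0/0) into the VPN."""
    return any(cidr == "0.0.0.0/0" for cidr, _ in decode_routes(payload))

# Addresses from the thread: office LAN and file server behind 192.168.30.1.
OFFICE_ROUTES = [("192.168.20.0/24", "192.168.30.1"),
                 ("192.168.20.125/32", "192.168.30.1")]

if __name__ == "__main__":
    payload = encode_routes(OFFICE_ROUTES)
    for code in (121, 249):
        # Option header is one byte of code and one byte of length.
        print(code, (bytes([code, len(payload)]) + payload).hex())
    print("default route pushed:", pushes_default_route(payload))
```

A client that receives option 121 ignores option 3 (router), so a 0.0.0.0/0 entry in this payload would put internet traffic back on the VPN; `pushes_default_route` is the check for that.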

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: How to disable internet through VPN on Client side

Post by centeredki69 » Sat Apr 04, 2020 1:31 pm

@ODITech If the clients are using the SE-Client software:
A) Remove the Gateway from the "SecureNAT" but leave the DNS. Now clients are split-tunnel (they are connected to the VPN "SecureNAT" network but they still use their HOME/LOCAL gateway to browse the internet).
B) So you now need to tell the clients how to find the "Remote Office network/resources" because their default gateway is no longer the "SecureNAT gateway". This is done using "static routes". You need to create a static route telling the clients where the remote network can be found.
Example: Office/Remote network 192.168.20.0/255.255.255.0 (this may be different for you) can be found at 192.168.30.1 (default gateway for "SecureNAT" -- you may have changed this):
192.168.20.0/255.255.255.0/192.168.30.1
Or you can create a route for ONE specific resource (your Windows file server @ 192.168.20.125):
192.168.20.125/255.255.255.0/192.168.30.1

ODITech
Posts: 6
Joined: Tue Sep 25, 2018 12:57 pm

Re: How to disable internet through VPN on Client side

Post by ODITech » Mon Apr 06, 2020 4:58 pm

Thanks! This makes a lot of sense with the static route. I will give it a try a little later. It is a Windows server using DHCP on the server.

klan2000
Posts: 5
Joined: Wed Apr 15, 2020 12:55 pm

Re: How to disable internet through VPN on Client side

Post by klan2000 » Wed Apr 15, 2020 1:44 pm

If LocalBridge is created, SecureNAT is disabled, and the DHCP server is activated on the local network for LocalBridge, you can create a User Class on the DHCP server, for example, MyVPN. For this class, you must create an empty parameter 003 (router), and add other parameters if necessary. On the VPN client side in MS Windows, use the ipconfig /setclassid SoftEtherVPN myVPN command to specify the name of this class on the softether interface. SoftEtherVPN is the name of my vpn adapter. Enter the name when the client is connected to the VPN Server. For subsequent connections, the default gateway for Internet access will be used on the client side. In other words, requests to the local network will be made via the Vpn adapter, and requests to the Internet will be made via the Ethernet adapter on the client side.

The Hub Extended Option List has the UseHubNameAsDHCPUserClassOption parameter, which is used to add the User Class option to a request to an external DHCP server. However this parameter does not work for softether sessions.

OliverTejada
Posts: 46
Joined: Mon Apr 13, 2020 8:08 pm

Re: How to disable internet through VPN on Client side

Post by OliverTejada » Wed Apr 15, 2020 2:00 pm

It's as easy as removing the default gateway from DHCP settings.

klan2000
Posts: 5
Joined: Wed Apr 15, 2020 12:55 pm

Re: How to disable internet through VPN on Client side

Post by klan2000 » Thu Apr 16, 2020 8:20 am

I described a situation when the DHCP server distributes the IP address simultaneously to the local network and to VPN clients. Deleting the default gateway in the DHCP server settings will cause clients in the local network to also have no default gateway and as a result, no access to any network other than the local network.

klan2000
Posts: 5
Joined: Wed Apr 15, 2020 12:55 pm

Re: How to disable internet through VPN on Client side

Post by klan2000 » Thu Apr 16, 2020 9:08 am

Question to the developers.
We have a VPN server with a local Bridge connected to the local network, SecureNAT is not used (disabled as a router and a DHCP server). The local network has a DHCP server that distributes addresses to both the local network and SoftEther VPN clients.
Would you like to have a parameter at the virtual hub level that sets the User Class for VPN clients and adds it to the DHCP requests from the VPN client to the DHCP server?
The goal is to split the DHCP server settings between LAN clients and VPN clients and make it easier to get these settings on the VPN client side without additional manipulation in the form of an ipconfig command

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: How to disable internet through VPN on Client side

Post by centeredki69 » Thu Apr 16, 2020 12:37 pm

The only solution I have found to successfully split tunnel when using the "local Bridge" and SE-Client (because the client doesn't have a built-in option like the native Windows clients and mobile devices) is to change the IPv4 interface metric on the "VPN-client adapter" from "1" to automatic and verify all other physical adapters (NICs & WiFi) are also set to the default "automatic". You can also un-check automatic on all adapters and choose the metric priority. Example: NIC = "1", WiFi = "5", VPN = "10".

klan2000
Posts: 5
Joined: Wed Apr 15, 2020 12:55 pm

Re: How to disable internet through VPN on Client side

Post by klan2000 » Fri Apr 17, 2020 11:49 am

A good solution is to prioritize interface metric adapters NIC = "1", WiFi = "5", VPN = "10". However, if a physical adapter with a metric equal to "1" has a static address, you must also change the default gateway metric from automatic to "1".

klan2000
Posts: 5
Joined: Wed Apr 15, 2020 12:55 pm

Re: How to disable internet through VPN on Client side

Post by klan2000 » Sat Apr 18, 2020 10:10 am

@sunnywilson09 You deleted the gateway, but did not add a route to the remote network. Please see the post by centeredki69 above. The general idea is to either set the interface metric to prioritize the physical adapter over the VPN adapter, or remove the gateway and add a route to the DHCP server in SecureNAT.
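
The two approaches summarized in the post above, modelled as route selection on the client (longest prefix first, then lowest metric), so the effect of each change can be checked per destination. This is an added example, not code from the thread or from SoftEther; the home LAN 192.168.1.0/24, the bridged-LAN gateway 192.168.20.1, the metric values 25 and 50 and the test destination 203.0.113.10 are constructed.

```python
import ipaddress
from collections import namedtuple

# metric is the combined route and interface metric for that entry.
Route = namedtuple("Route", "dest gateway iface metric")

def egress(table, destination):
    """Interface a packet leaves on: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in table if addr in ipaddress.ip_network(r.dest)]
    if not hits:
        return "unreachable"
    best = min(hits, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen,
                                    r.metric))
    return best.iface

# Constructed client routing tables. The VPN adapter metric of 1 and the
# 192.168.20.x / 192.168.30.1 addresses are the ones quoted in the thread.
HOME = [Route("0.0.0.0/0", "192.168.1.1", "Ethernet", 25),
        Route("192.168.1.0/24", "on-link", "Ethernet", 25)]
VPN_LINK = Route("192.168.30.0/24", "on-link", "VPN", 1)
VPN_DEFAULT = Route("0.0.0.0/0", "192.168.30.1", "VPN", 1)
OFFICE = Route("192.168.20.0/24", "192.168.30.1", "VPN", 1)
# Local bridge: the VPN adapter sits directly in the office LAN.
BRIDGED = [Route("192.168.20.0/24", "on-link", "VPN", 50),
           Route("0.0.0.0/0", "192.168.20.1", "VPN", 50)]

SCENARIOS = {
    "gateway pushed (full tunnel)": HOME + [VPN_LINK, VPN_DEFAULT],
    # File-server traffic falls through to the home router and is lost.
    "gateway removed, no route": HOME + [VPN_LINK],
    "gateway removed, static route": HOME + [VPN_LINK, OFFICE],
    "local bridge, VPN metric raised": HOME + BRIDGED,
}

def audit(table, internet="203.0.113.10", server="192.168.20.125"):
    """Return (internet egress, file-server egress) for one routing table."""
    return egress(table, internet), egress(table, server)

if __name__ == "__main__":
    for name, table in SCENARIOS.items():
        internet, server = audit(table)
        print(f"{name:32} internet={internet:9} file server={server}")
```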

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: How to disable internet through VPN on Client side

Post by sky59 » Sat Apr 18, 2020 6:58 pm

I have already written: remove access to internet on vpn server

But you do not explain the network architecture at all. Do you need to access just a few computers over the VPN? Do you want to access just one /24 subnet? If yes, you do not need any gateway. Give every client a static IP for the VPN interface, with all remote computers within the same IP range. Where is the DHCP server? Do you have two of them? One local and one on the VPN server side?

Afakename
Posts: 30
Joined: Thu Dec 03, 2020 6:15 pm

Re: How to disable internet through VPN on Client side

Post by Afakename » Thu Dec 03, 2020 7:53 pm

Hi, on your local PC client, open Network and sharing center

1. Right click on the VPN adapter, select properties
2. Open properties on TCP/IP V4
3. Click Advanced
4. Click to place a check mark on Auto Metric
5. OK all the way out
6. Disconnect the VPN
7. Reconnect the VPN
8. Enjoy!

wasalph
Posts: 1
Joined: Sun Dec 06, 2020 3:18 pm

Re: How to disable internet through VPN on Client side

Post by wasalph » Sun Dec 06, 2020 3:23 pm

Afakename wrote:
Thu Dec 03, 2020 7:53 pm
4. Click to place a check mark on Auto Metric
Thank you very much! This solves my similar problem. I didn't use the SecureNAT because on the server side, I already bridge the LAN card to the VPN hub.

sacasoh
Posts: 1
Joined: Sat Mar 20, 2021 1:59 am

Re: How to disable internet through VPN on Client side

Post by sacasoh » Sat Mar 20, 2021 2:03 am

centeredki69 wrote:
Sat Apr 04, 2020 1:31 pm
@ODITech If the clients are using the SE-Client software:
A) Remove the Gateway from the "SecureNAT" but leave the DNS. Now clients are split-tunnel (they are connected to the VPN "SecureNAT" network but they still use their HOME/LOCAL gateway to browse the internet).
B) So you now need to tell the clients how to find the "Remote Office network/resources" because their default gateway is no longer the "SecureNAT gateway". This is done using "static routes". You need to create a static route telling the clients where the remote network can be found.
Example: Office/Remote network 192.168.20.0/255.255.255.0 (this may be different for you) can be found at 192.168.30.1 (default gateway for "SecureNAT" -- you may have changed this):
192.168.20.0/255.255.255.0/192.168.30.1
Or you can create a route for ONE specific resource (your Windows file server @ 192.168.20.125):
192.168.20.125/255.255.255.0/192.168.30.1
Just created an account to say that this works perfectly for me (way better than trying to implement it client-side). When I read it, even without ever having set up a VPN before, I instantly understood the reason for the omission of the gateway and the need for a static route (else no connection to my server). Thank you.

vermamanu8
Posts: 1
Joined: Fri Mar 26, 2021 8:53 am

Re: How to disable internet through VPN on Client side

Post by vermamanu8 » Fri Mar 26, 2021 10:03 am

I will give it a try a little later. It is a Windows server using DHCP on the server.
