I don't want all traffic to go through the tunnel


Post by marv42dp » Tue Nov 05, 2019 7:42 pm

Hi,
first of all: sorry if this question / issue has been raised/discussed before, please just point me to that thread.
Setup: SoftEther VPN Server on a Windows Server 2016 VM, SoftEther Client on Win10. When I connect to the server all traffic is routed through the VPN, which slows down my download from the internet to 50%. I could not find a setting that sends only the traffic for the remote network through the tunnel - which is a standard feature on pretty much every other VPN solution out there.
Am I blind, or is there no such feature / setting in Softether?


Re: I don't want all traffic to go through the tunnel

Post by ozone » Tue Nov 05, 2019 11:57 pm

When using the SE-client in windows, I think "this" is the easiest way *:

Image

(At the right-bottom: set "no adjustment of routing table")


Although there are other ways of doing this as well....

In essence, by default the client sets the route to internet (0.0.0.0) to the vpn-gateway, instead of your local gateway.
This is what needs to be prevented in your case, so that internet traffic keeps flowing the normal way.
(note: if the remote site becomes more complex, e.g. more subnets, this solution will not work anymore)

Oz

* reference and picture:
https://www.softether.org/4-docs/1-manu ... VPN_Server


Re: I don't want all traffic to go through the tunnel

Post by marv42dp » Wed Nov 06, 2019 9:36 am

Thanks for the reply, but that doesn't work.
The setting seems to be ignored - verified by looking at the routing table with the option set, and without.
SE always sets the route to 0.0.0.0 to go through the VPN gateway.
There should be an option to only set the route to the remote network to go through the VPN gateway.

Until then the solution is a CMD which deletes the unwanted route, but since that CMD has to be executed every time the connection is established, it's pretty inconvenient.
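
The workaround described in the post above (removing the unwanted default route after each connect), as an added PowerShell example that is not part of the original thread. The adapter alias, the remote subnets and the gateway address are assumed placeholder values; run it elevated once the VPN connection is up.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values, not taken from the thread:
$VpnAlias       = 'VPN - VPN Client'                 # assumed name of the SoftEther virtual adapter
$RemotePrefixes = @('10.10.0.0/24', '10.10.1.0/24')  # placeholder subnets at the remote site
$VpnGateway     = '10.10.0.1'                        # placeholder router on the VPN side

$adapter = Get-NetAdapter -Name $VpnAlias -ErrorAction Stop
if ($adapter.Status -ne 'Up') { throw "Adapter '$VpnAlias' is not connected." }
$idx = $adapter.ifIndex

# Guard: only touch the tunnel's default route if another interface
# still has one, otherwise the machine would lose internet access.
$localDefault = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceIndex -ne $idx }
if (-not $localDefault) { throw 'No default route outside the VPN adapter; nothing changed.' }

# Remove only the 0.0.0.0/0 route that points into the tunnel.
Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Route just the remote networks through the tunnel. Prefixes that already
# have a route on the adapter (for example the on-link subnet) are skipped.
# ActiveStore keeps the routes non-persistent, so they disappear on reboot.
foreach ($prefix in $RemotePrefixes) {
    $existing = Get-NetRoute -InterfaceIndex $idx -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetRoute -InterfaceIndex $idx -DestinationPrefix $prefix `
            -NextHop $VpnGateway -PolicyStore ActiveStore | Out-Null
    }
}

# Show which default routes remain so the result can be checked.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Format-Table InterfaceAlias, NextHop, RouteMetric
```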


Re: I don't want all traffic to go through the tunnel

Post by ozone » Wed Nov 06, 2019 7:58 pm

Yes, that is not the way it should go.

I did a little test over here....
- when this option is 'checked', the route is SET, but with a lower metric than the standard 0.0.0.0. So traffic should flow over your normal internet connection.
- when this option is 'unchecked', the route is SET, but the default (local) 0.0.0.0 route is DELETED. So traffic will flow over your VPN connection.

So you are right, the routing table is ALWAYS changed: The remote gateway is always added. (but in most cases it will still work as desired)
Apparently this behavior isn't compatible with your situation.


However, as mentioned, there are more ways of doing it.

The routes are pushed via the dhcp-server (on the VPNserver-side) towards the VPN-nic on the client machine.
If the gui "check-mark" way doesn't work, manipulating the routes you push may achieve the same result.

If you use the SE securenat-dhcp, I would suggest disabling (deleting) the default gateway entry over there.
If you use a 3rd party dhcp, it depends on the circumstance. But it should work similarly (not pushing any default gateway).

As a last resort, there is always the option to create a separate vpn-nic on the client machine, specifically for this vpn-connection.
On the vpn client, in Windows give it a fixed-ip (valid on the VPN-network), but with no gateway.
I don't like this option very much, but it DOES work if the VPN-site only has one subnet.
(therefore, I'm just adding this option for reference)

Oz
