I recently configured a few hub and spoke VPN projects consisting 100% of MAX Routers and PepVPN. One of the project requirements was also remote access so we implemented the somewhat new L2TP/IPSec functionality. This worked great, but I have a concern. I noticed when I connect via L2TP Windows client to the hub, I could hit the hub LAN and the spoke LANs. While I do want the ability to hit the spoke LANs, I noticed the way this was accomplished is via a default route assigned to the VPN adapter at Windows. This is worrisome as when connected, ALL internet traffic now goes to the hub and out its cellular connection which could easily drive up a small SCADA data plan and lead to big $$$ bill for overages.
I thought perhaps I could simply advise customers “When connected L2TP, consider limiting your internet use as all internet traffic will go across tunnel and out cellular. WARNING: this could lead to excessive data plan charges.” in the hopes users will be careful about their internet activity while connected L2TP. After further consideration, this isn’t realistic as many users have backup software like Dropbox, Crashplan, Mozy, Carbonite, etc. running 24/7 and this traffic also will instantly move to the tunnel and out cellular when connected L2TP. It is a bit of a burden to ask the user to identify all these applications, shut them down, etc.
So I ask, is there a way to:
Offer a split tunneling option so user can choose to ensure a default route is NOT applied to the VPN adapter, and all internet traffic goes directly out as normal vs across the tunnel? I understand some consider this a security risk but I think this choice is often made available and left to the administrator to decide what is best for their application.
Assuming split tunnel can be done, there is the issue of making sure the remote user gets all routes pushed (not only the Hub LAN, but also the Spoke LANs); perhaps a choice for the admin to configure which routes the hub is aware of should be pushed to users? Or even just push all routes hub knows, just not default route?
If this is not possible with L2TP, I strongly urge consideration of adding OpenVPN to Peplink products as discussed in another feature request thread. OpenVPN is more than capable of providing all these options discussed above and offers a ton of extra features. Not to mention Android keeps going back and forth in breaking L2TP support
You can make the internet traffic goes through the tunneling using the peplink wan connections or you can choose to use the “local” internet connection.
To do that you just need to edit the VPN client options, go to the networking options, expand the internet protocol version 4 or 6 (in my case I have disabled the 6, but there is an option for both protocols), so click on the IPV4 (in my case) and click on properties.
This will open the IP Address configuration (that should be automatic), and below you need click in the button “Advanced”. This will open a new window.
Just uncheck the option “Use default gateway on remote network”.
This will make all the internet traffic that is going to internet, be routed to the local internet connection from the place where is the remote user.
If you want the remote user be also possible to spoken with the LAN behind the Peplink, I recommend to use the WINS server that is inside your Peplink configuration, so all the computers that has a LAN IP (also using VPN), will be able to talk with each other.
On a Windows 10 Pro 64 bit machine, I am unable to edit the IPv4 Properties of the WAN Miniport (L2TP) connection. I have tried with the tunnel in connected or disconnected state and clicking on Properties on IPv4 raises no additional dialog as it does on a normal ethernet adapter.
Even if this did work, what about mobile clients on Androird or iOS?
Even if this did work, it does not address the L2TP user receiving routes for the spoke LANs. If you removed the default route by making the change you suggest, the only route remaining at the client would be the hub LAN; how would the client know how to route traffic for the spoke LANs are not pushed/published/advertised to the user in some way?
This is a bug in Windows 10, one workaround to configure “Use default gateway on remote network” of L2TP / IPsec VPN is to use PowerShell to modify the VPN connection. To open PowerShell, simply type powershell in command prompt.
# First, run `Get-VpnConnection` to get your VPN connection name, in following example, it's "VPN @ Home".
PS C:\> Get-VpnConnection
Name : VPN @ Home
ServerAddress : my.domain.com
AllUserConnection : False
Guid : {B12EFC3B-BAAD-F00D-CAFE-049A1F1C78EE}
TunnelType : L2tp
AuthenticationMethod : {Eap, MsChapv2}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : True
***SplitTunneling : False***
DnsSuffix :
IdleDisconnectSeconds : 0
# Second, run Set-VpnConnection to turn on SplitTunneling
PS C:\> ***Set-VpnConnection -Name "VPN @ Home" -SplitTunneling $true
***
# Finally, run Get-VpnConnection again to confirm the changes
PS C:\> Get-VpnConnection
Name : VPN @ Home
ServerAddress : my.domain.com
AllUserConnection : False
Guid : {B12EFC3B-BAAD-F00D-CAFE-049A1F1C78EE}
TunnelType : L2tp
AuthenticationMethod : {Eap, MsChapv2}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : True
***SplitTunneling : True***
DnsSuffix :
IdleDisconnectSeconds : 0
As far as I know, iPhone has an option to disable “Send all traffic” to VPN, and Android can even configure different routes for VPN.
Yes this can be a limitation (at least for iOS), a possible workaround is to keep sending all traffic, and configure Balance / MAX firewall rules to whitelist specific clients for better security? Since firmware 6.2.1, we have introduced “Internal Network Firewall Rules” to filter internal network IP session much easier (i.e. sessions between LAN / VLAN / Static route networks / PepVPN networks / IPsec networks / L2TP with IPsec clients / PPTP clients).
As Steve told you in the previous msg, it’s a Windows 10 bug, I already hear that. Anyway, I have Windows 10 Pro and I was able to edit the IPv4 connection options (but this need to be configured into the VPN connection settings, not under your Connection adapter settings).
Anyway, about the clients on iOS and Android there are several tools you can find on the App Store, that offer advanced VPN connections, where you could configure into the advanced settings to don’t route the internet traffic using the VPN Gateway.
It spoke with the LANs if you configure the VPN Gateway correctly into the Peplink, keep in mind it will not be used for internet traffic but yes to talk with any internal IP Address (192.xxx.xxx.xxx) or at least in my case works great (As I explain before, to work with success you will need to configure the WINS server). In this way, all internet traffic is going through my ISP while all the communication with the LAN inside the office is going to the VPN (and all this internal IP’s -LAN- Address are listed into the WINS clients, otherwise I cannot reach them). But don’t forget that also the VPN setting need to have the WINS IP address server added inside.
Hey matias, you mention several tools you can find to offer Advanced VPN connections. Can you list a few for Android that offer L2TP over IPSec connectivity? We have found that Google/Android regularly breaks L2TP (works from 4.1.2, 4.3, doesn’t work in 5.1.1) and I was hoping maybe one of the tools you suggest can overcome the broken native client.
I use the APP time ago on android with KitKat, but doing a search I believe you need to download them and test. Please check this apps:
Tigervpns
SuperVPN Free VPN Client
Open VPN Connect
Just a quick update about this bug in Windows 10, Microsoft has just released November Update for Windows 10 and fixed this problem. If you are currently having problem on configuring Windows 10 L2TP/IPsec VPN, please check Windows Update and it will upgrade your device to “Windows 10 Version 1511 build 10586” then the problem will be fixed. Thank you.
