Always On VPN Routing Configuration

Windows 10 Always On VPN Routing ConfigurationWhen configuring Windows 10 Always On VPN, the administrator must choose between force tunneling and split tunneling. When force tunneling is used, all network traffic from the VPN client is routed over the VPN tunnel. When split tunneling is used, the VPN client must be configured with the necessary IP routes to establish remote network connectivity to on-premises resources. How those routes are established is a common source of confusion. This article provides guidance for properly configuring routing for Always On VPN clients.

Class Based Routing

IP addresses are assigned to Windows 10 Always On VPN clients from either a static pool of addresses configured by the administrator or by DHCP. If split tunneling is enabled, the client will also be assigned a class-based route that is derived from the IP address assigned to it by the VPN server, by default. If the client is assigned an IP address from the Class A network, a corresponding /8 prefix is used. For Class B networks a /16 prefix is defined, and for Class C networks a /24 prefix is used.

As an example, if the VPN server assigns the client an IP address of 10.21.12.103, a route to the 10.0.0.0/8 network is added to the client’s routing table, as shown here.

Windows 10 Always On VPN Routing Configuration

Complex Networks

This default class-based route is of limited use though, and is only applicable when the internal network is simple and VPN clients are assigned IP addresses from the same subnet class. In the example above, if the entire internal network resides in the 10.0.0.0/8 Class A address space, all resources will be reachable by the VPN client. Any resources in the Class B or Class C subnet ranges would be unreachable without additional configuration.

Route Configuration

To configure routing for Windows 10 Always On VPN clients, first disable the default class-based route by defining the following element in ProfileXML as shown here.

<VPNProfile>
   <NativeProfile>
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
   </NativeProfile>
</VPNProfile>

Next, enable specific routes as needed by defining the following element(s) in ProfileXML. The example below defines routes for all private RFC 1918 networks.

<VPNProfile>
   <Route>
      <Address>10.0.0.0</Address>
      <PrefixSize>8</PrefixSize>
   </Route>
   <Route>
      <Address>172.16.0.0</Address>
      <PrefixSize>12</PrefixSize>
   </Route>
   <Route>
      <Address>192.168.0.0</Address>
      <PrefixSize>16</PrefixSize>
   </Route>
</VPNProfile>

Once implemented, the VPN client’s routing table will appear as shown here.

Windows 10 Always On VPN Routing Configuration

Summary

Proper routing is crucial for ensuring full network connectivity and access to internal resources for Windows 10 Always On VPN clients. When split tunneling is employed, avoid using the default class-based route and instead define specific routes using ProfileXML as required.

Additional Information

Always On VPN Client DNS Server Configuration

Deploying Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Certificate Requirements for SSTP

Leave a comment

9 Comments

  1. ND

     /  July 23, 2018

    Good post thanks for clarifying. Discovered this a while ago this post would have saved some time as the MSFT docs aren’t totally clear.

    Reply
  2. ced666

     /  July 24, 2018

    Hello Richard,

    I do not quite agree between Split Tunnel mode and Tunnel strength used in Always On.
    Contrary to what one might think, Tunnel Force mode only routes internet traffic into the tunnel and not all traffic. Split tunnel mode allows the Internet stream to pass through the home network router.

    In tunnel force mode, access to a local file server on its network is quite possible.

    Then I followed your Split Tunneling procedure with the Disabledclassroute directive to true and the declaration of all routes according to RFC 1918.
    I still can access my local resources on the home network.
    I think you really have to make the point between Tunnel Force and Split Tunnel mode. these two modes only manage Internet traffic.

    Patrick

    Reply
  3. Hello,

    In this case, the documentation is confusing between ForceTunnel mode and Split Tunnel mode. Only Lockdown mode allows you to control all traffic through the VPN connection.
    Partrick

    Reply
  4. Anders

     /  August 21, 2018

    FYI, there is an error in the example. Should be NativeProfile instead of NativePolicy.

    Thanks for this great article by the way, helped us a lot 🙂

    Reply
  5. David Oliver Elgh

     /  September 6, 2018

    Hi.
    We use Split Tunneling.
    Is there a way to direct specific traffic for a site to be tunneled and routed through the VPN. Without adding the IP ranges.

    Example I want all traffic to *.microsoft.com go through the VPN.

    BR, David

    Reply
    • You can route specific namespaces over the Always On VPN tunnel by configuring the DomainNameInformation element in your ProfileXML. However, you will also need to specify a proxy server for this to work by using the WebProxyServers element and providing the FQDN and port of your internal proxy server to be used for the namespace.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: