Always On VPN Routing Configuration

Windows 10 Always On VPN Routing ConfigurationWhen configuring Windows 10 Always On VPN, the administrator must choose between force tunneling and split tunneling. When force tunneling is used, all network traffic from the VPN client is routed over the VPN tunnel. When split tunneling is used, the VPN client must be configured with the necessary IP routes to establish remote network connectivity to on-premises resources. How those routes are established is a common source of confusion. This article provides guidance for properly configuring routing for Always On VPN clients.

Class Based Routing

IP addresses are assigned to Windows 10 Always On VPN clients from either a static pool of addresses configured by the administrator or by DHCP. If split tunneling is enabled, the client will also be assigned a class-based route that is derived from the IP address assigned to it by the VPN server, by default. If the client is assigned an IP address from the Class A network, a corresponding /8 prefix is used. For Class B networks a /16 prefix is defined, and for Class C networks a /24 prefix is used.

As an example, if the VPN server assigns the client an IP address of 10.21.12.103, a route to the 10.0.0.0/8 network is added to the client’s routing table, as shown here.

Windows 10 Always On VPN Routing Configuration

Complex Networks

This default class-based route is of limited use though, and is only applicable when the internal network is simple and VPN clients are assigned IP addresses from the same subnet class. In the example above, if the entire internal network resides in the 10.0.0.0/8 Class A address space, all resources will be reachable by the VPN client. Any resources in the Class B or Class C subnet ranges would be unreachable without additional configuration.

Route Configuration

To configure routing for Windows 10 Always On VPN clients, first disable the default class-based route by defining the following element in ProfileXML as shown here.

<VPNProfile>
   <NativeProfile>
      <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
   </NativeProfile>
</VPNProfile>

Next, enable specific routes as needed by defining the following element(s) in ProfileXML. The example below defines routes for all private RFC 1918 networks.

<VPNProfile>
   <Route>
      <Address>10.0.0.0</Address>
      <PrefixSize>8</PrefixSize>
   </Route>
   <Route>
      <Address>172.16.0.0</Address>
      <PrefixSize>12</PrefixSize>
   </Route>
   <Route>
      <Address>192.168.0.0</Address>
      <PrefixSize>16</PrefixSize>
   </Route>
</VPNProfile>

Once implemented, the VPN client’s routing table will appear as shown here.

Windows 10 Always On VPN Routing Configuration

Summary

Proper routing is crucial for ensuring full network connectivity and access to internal resources for Windows 10 Always On VPN clients. When split tunneling is employed, avoid using the default class-based route and instead define specific routes using ProfileXML as required.

Additional Information

Always On VPN Client DNS Server Configuration

Deploying Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Certificate Requirements for SSTP

Leave a comment

47 Comments

  1. ND

     /  July 23, 2018

    Good post thanks for clarifying. Discovered this a while ago this post would have saved some time as the MSFT docs aren’t totally clear.

    Reply
  2. ced666

     /  July 24, 2018

    Hello Richard,

    I do not quite agree between Split Tunnel mode and Tunnel strength used in Always On.
    Contrary to what one might think, Tunnel Force mode only routes internet traffic into the tunnel and not all traffic. Split tunnel mode allows the Internet stream to pass through the home network router.

    In tunnel force mode, access to a local file server on its network is quite possible.

    Then I followed your Split Tunneling procedure with the Disabledclassroute directive to true and the declaration of all routes according to RFC 1918.
    I still can access my local resources on the home network.
    I think you really have to make the point between Tunnel Force and Split Tunnel mode. these two modes only manage Internet traffic.

    Patrick

    Reply
  3. Hello,

    In this case, the documentation is confusing between ForceTunnel mode and Split Tunnel mode. Only Lockdown mode allows you to control all traffic through the VPN connection.
    Partrick

    Reply
  4. Anders

     /  August 21, 2018

    FYI, there is an error in the example. Should be NativeProfile instead of NativePolicy.

    Thanks for this great article by the way, helped us a lot 🙂

    Reply
  5. David Oliver Elgh

     /  September 6, 2018

    Hi.
    We use Split Tunneling.
    Is there a way to direct specific traffic for a site to be tunneled and routed through the VPN. Without adding the IP ranges.

    Example I want all traffic to *.microsoft.com go through the VPN.

    BR, David

    Reply
    • You can route specific namespaces over the Always On VPN tunnel by configuring the DomainNameInformation element in your ProfileXML. However, you will also need to specify a proxy server for this to work by using the WebProxyServers element and providing the FQDN and port of your internal proxy server to be used for the namespace.

      Reply
  6. Marlon Rivera

     /  November 15, 2018

    Is there a way to set the metric on the static route?

    192.168.0.0
    16
    looking to set it here if possible. I’m reading on documentation about this

    the issue I’m facing is that I disable the class base routing and added a specific route but the metric comes lower than the Local Interface and VPN connection causing the intended traffic to go through the VPN when I do a traceroute. I’m using IP filters on the NPS server so when the user connects over vpn they are allow only the specified assigned resources, causing outlook to not connect which I will like to route the traffic on the split tunneling.
    I tested it by manually setting the metric on the interface lower than the static routes and everything works ok.

    thank you again and great documentation.

    Reply
  7. WADDAH

     /  December 13, 2018

    I need your advice, please
    I have setup a testing environment on Azure. So i have 1 VNET (172.0.0.0/16) on and one subnet (172.0.1.0/24) where all the DC/PKI/NPS/VPN servers are connected to. Only the VPN server is not joined to the domain. It has a public ip address attached to this single nic on the VPN server
    I have created the VPN connection profile and the clients can connect VPN successfully (they get ip addresses 192.168.1.0/24)
    The client is able to reach out to the VPN server internal IP address (172.0.1.6) but not able to reach to DC nor to NPS.
    I know it is a routing issue but i cannot figure out where exactly i need to do the routing? is it on the VPN server or on the VPN clients using the XML profile?

    Reply
    • Routing in Azure is a bit different. First, you’ll need to tell Azure it should route your VPN client subnet. Also, the VPN connection must also include routing information. For the Azure routing piece, have a look at this article I wrote about configuring NetMotion Mobility in Azure. The principle will apply to RRAS in Azure as well. https://directaccess.richardhicks.com/2018/02/08/deploying-netmotion-mobility-in-azure/

      You’ll need to make sure your server can reach any remote internal subnets and configure any static routes on the server if necessary. Finally you can follow the guidance in this post to configure your ProfileXML to ensure the Always On VPN client has the necessary routes as well.

      Reply
  8. Tavid

     /  January 7, 2019

    I am very inquisitive to test more secure ForceTunnel mode with this Always On VPN. Specially performance with IKEv2, is there any improvements versus DA/IPHTTPS or DA/Teredo.

    First of all, AOVPN SplitTunnel mode is working great. I can reach intra servers and surf to the public internet (straight from client´s ISP connection, not via VPN). When I change MakeProfile.ps1 configuration SplitTunnel -> ForceTunnel and deploy a new VPN profile, I still can access intra servers but not anymore to public internet. Also there is a yellow triangle icon on my connection saying some problem with connectivity test.

    Is there some additional steps in ForceTunnel mode to make clients ALL public internet traffic flow out through your VPN/Office and back to internet? Some proxy needed or is this scenario totally handled by proper routing configuration?

    Any tips are more than welcomed 🙂

    Reply
    • VPN performance using IKEv2 or SSTP will be much better than DirectAccess, no question about that. Interestingly enough, SSTP always seems to provide more throughput than IKEv2. Would be interesting to know if you have the same experience. Regarding force tunneling, you can configure an on-premises proxy but it isn’t strictly required. You just have to make sure that your VPN server and internal network routing/firewall configuration allows VPN clients to access the Internet.

      Reply
      • Tavid

         /  January 8, 2019

        Glad to share experiment results! But I still have problems to figure out how to make proper routing.

        In ForceTunnel mode, my client can access public routable internet address via VPN only if I add manually route to the target IP on my VPN-server. For example: “route -p add 8.8.8.8 mask 255.255.255.255 10.1.1.3”
        where 10.1.1.3 is VPN server´s internal network without gateway (because external network have the VPN servers default gateway). After this addon my VPN client is able to query google DNS 8.8.8.8. Just for example.

        But how to route all public networks via 10.1.1.3? I cannot add 0.0.0.0/0 route to 10.1.1.3 because then we loose VPN servers external network connectivity and clients on field cannot access at all. There is plenty of internet services with multiple/changing IP addresses and maintaining manually routes would be extremely painful. Is there some other way/place to do this routing? Thanks in advance!

      • In order for force tunneling to work correctly, the VPN server must have a default gateway with a path to the Internet. No way around this. On a single-NIC VPN server it usually just works. If you have multiple network interfaces, it is recommended the external interface be configured with a default gateway and the internal interface configured with static routes to any remote internal subnets. Details here: https://directaccess.richardhicks.com/2013/06/19/network-interface-configuration-for-multihomed-windows-server-2012-directaccess-servers/. Again, you’ll also need to ensure the Internet is reachable from this external interface because, as you’ve proven with your single static route, all traffic to the Internet from VPN clients will use this path. 🙂

  9. I added the lines and rebuilt the Vpn profile, but I don’t see any new routes appearing when i connected.
    I have tried to remove and readd to the exported xml, with no change.

    Is it maybe because similar subnets are already permanently defined with different gateway (for when I am on a local subnet)?

    Reply
    • No, any routes defined in your ProfileXML should appear in the routing table. If there are duplicate routes they’ll likely have different metrics assigned to them.

      Reply
  10. Also by removing the static routes, still no route addition. Force Tunnel mode works fine though, and also if I add a route manually.

    Reply
    • If the routes aren’t showing up in the client’s routing table it’s a good bet your ProfileXML isn’t configured correctly. Compare your configuration with some of the samples I’ve posted in my GitHub repository here: https://github.com/richardhicks/aovpn.

      Reply
      • It looks fine to me. It is the one exported with your lines added, but I remove the Native profile and Vpnprofile double tags, like in your example.
        I updated the Vpn server, tried in another machine 1809, with same result: only the route of the Dhcp lease relayed from the Vpn server appear, as though I hadn’t ever written the new lines from your site. Completely ignored.

      • Did you also set DisableClassBasedDefaultRoute to “true” in your ProfileXML?

  11. Positive. And also tried the same in a Win10-1803. Vpn works, no automatic extra routes.

    ….

    SplitTunnel
    true

    true
    true
    lab.domain.pro

    .lab.domain.pro
    192.168.6.66,10.1.1.4

    10.0.0.0
    8

    192.168.0.0
    16

    Reply
  12. Sergey

     /  April 2, 2019

    Hi Richard. Great article. Helped a lot for split tunneling, but I still have some issues.
    I have all routes in routing table and even use split tunnel, so I have internet while connected to VPN, but when I try to access local network I reach only VPN server. When can be wrong?

    Thank you

    Reply
    • Could be any number of things, but most commonly it can be routing configuration on the VPN server itself. Another common cause is internal network routing. For example, if you are using a unique IP subnet for your VPN clients, your LAN routing will need to be updated to return this traffic back to the VPN server.

      Reply
      • Sergey

         /  April 3, 2019

        Thank. I found the issue. It was routing on local network.

  13. Ben De Cock

     /  April 12, 2019

    Just wondering if you or anybody alse saw the following issue since feb 2019 patch rollup:
    After adding routes and disabling the classbasedDefault route we are getting reports of users sometimes getting the routes defined and sometimes not.
    They still get the VPN client ip, but all the routes defined in the profile just don’t appear.
    Disconnect + retry and they actually get the routes 0.o
    I’ve already got a premier case open for this, but just was hoping you came accros this and had a fix.

    Below the config of the routes.

    true

    10.0.0.0
    8

    185.138.96.135
    32

    185.138.96.136
    32

    185.138.98.135
    32

    185.138.98.136
    32

    Reply
    • Unusual for sure. This is the first report I’ve heard. Will be listening closely for others.

      Reply
      • Ben De Cock

         /  May 8, 2019

        Ok a few weeks later and msft has identified a possible issue when you have the aovpn profile with the alwayson value set to false… the last part i added as this is my setup and can see that with a full alwayson setup it might not be noticeable by the end user.
        The problem only occurs when going through the network “fly-out” to start your vpn connection.
        Details are still fussy but it seems to be related to the tcp stack calling a function, that is calling a service and receiving an access denied (for some reason)
        Will keep you updated when i have a confirmed fix.

    • I think it has to do with previously defined routes, like those distributed with Dhcp option…try reset those.

      Reply
      • As a point of reference, when using DHCP for VPN client IP addressing no options are provided to the client. The client only receives it’s IP address and subnet mask from the DHCP server and nothing else. It might be possible that some routes persist if moving from the corporate on-premises network to an external network. Of course if someone configured static routes on the client those could be problematic as well.

  14. Alex Kram

     /  April 17, 2019

    Hi, i have trubleshot with my Always On VPN.
    User tunnel (IKEv2) connection from Windows 10 (1803) is triggered, routes applied, i see it`s status, packets are sended to interface – but no packets return back (zero at “Received”). Network and Sharing center shows my VPN-connection as “Identifying…” for a minute or two, then changed to “Public network”. If i wait 3-5 minutes(or if i reconnect manually) – status changed to “Domain Network” and in same time packets start running in both direction – everything is good now, connection worked.
    When i use SSTP protocol all work fine.
    How i can fix it?

    Reply
    • IF SSTP is working then it makes sense you have a valid network path. I’d suggest looking closely at IKEv2 communication and make sure that UDP ports 500 and 4500 are open and that NAT is configured correctly. Importantly, if you have more than one VPN server you’ll need to ensure that load balancing is configured correctly to ensure that both UDP 500 and 4500 are always delivered to the same server.

      Reply
      • Alex Kram

         /  April 18, 2019

        Richard thanks for your reply.
        I have one server vpn: wan interface looks on the Internet, and lan on my local network. Ports 500, 4500 are open. I use Split tunneling in my configuration.
        I tried the configuration that Microsoft recommends with van interfaces in dmz. But I got the same story.
        Perhaps this is important, my entire infrastructure is located on a VMware server.
        I will be grateful for any advice on this issue, I spent more than a week trying to solve this situation ((

      • If you have two network interfaces, make sure only the external interface is configured with a default gateway and that static routes are configured on the internal interface for any remote internal subnets.

  15. Asgeir Husum

     /  April 26, 2019

    Do you know of any option to use split tunneling like this:
    – Default everyting to VPN server, except
    – Office 365 URL and IPs (Dynamcally updated from O365 REST API…)

    Reply
    • There’s no native way to do this, unfortunately. There are custom solutions available. For example, I know Microsoft Consulting Services (MCS) in the UK offers something like this.

      Reply
      • Ben De Cock

         /  May 8, 2019

        There is a way by just having a correct proxy configuration file.
        Out of the box no, as you need to parse the ret api data into your pac file… although i know msft does do it for services like SfB were they provide a json file for everuthing that needs to be excluded from going over a forwarding proxy.
        So if you can find the data you just need to incorporate it correctly into a pac file.

      • Thanks for the tip!

  16. Dan Isaksson

     /  May 8, 2019

    Hi, as I understand and I would like to have a confirmation that i am not missing anything: It is not possible to separate the routing for the server and the VPN clients? If it is possible it would make life so much easier, for example as of now all internal subnets must be definied in the VPN server routing table. If new subnets are added internally they must be added to VPN server as well. If it was possible to separate this VPN clients could have default gateway pointing internally? Is it possible to have dynamic routing on the VPN server? Many thanks for great articles!

    Reply
    • VPN server and client routing are two different things. Indeed, the VPN server must be configured with internal routes, assuming it has two network interfaces. If it has just one interface it isn’t required (default gateway takes care of everything). VPN clients must be configured to route specific IP subnets over the VPN connection, if required. This does not have to strictly match the VPN server’s configuration. However, the VPN client can’t get to anything the VPN server can’t. so keep that in mind. I’m not sure about using a routing protocol for VPN clients though. I don’t believe that would work in this case.

      Reply
      • Dan Isaksson

         /  May 9, 2019

        Thank you for your answer, I see now that i was not clear in what i meant. I know that we define routes that should go into the tunnel at the client when using split tunnel. I was thinking about that the routing done in the VPN server is shared between the VPN server and the clients terminating there. Sometime it could be useful to have clients have a different default GW than the VPN server.

        Is it supported to configure Always on VPN using only one NIC? In Microsoft documentation i find no information about this. What would be your recommendation to do this setup? Maybe it is best to use NAT for the public IP since clients and the VPN server would share the same subnet?

      • Ok, I understand. Sorry for the confusion. To answer your question, no, there is no way to define a different default gateway for VPN clients. However, it is supported to configure the VPN server with a single network interface. Personally I prefer using two network interfaces, but sometimes using a single NIC can be easier.

  17. sebus

     /  May 17, 2019

    How does one route BACK to the CLIENTS from Internal LAN?

    VPN server
    public interface (with its default route out to Internet) ——- internal interface (LAN IP 10.0.0.x/16)) with nothing in default GW

    VPN Client
    Gets IP (10.0.16.x) from Pool on VPN (I could not get DHCP relay agent to work)

    LAN clients
    DHCP assigned 10.0.10.x-10.0.15.x /16

    I can ofcourse ping Internal VPN server interface, but none of the connected VPN clients

    Reply
    • If your VPN clients are on the same subnet as the internal network (10.0.0.0/16 as you indicated) then routing should not be required. If you are using a different mask than /16 and the VPN client subnet is different from the internal network, then the router on the LAN would need to advertise the route for the VPN client subnet.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: