Always On VPN Split vs. Force Tunneling

During the planning phase of a Windows 10 Always On VPN implementation the administrator must decide between two tunneling options for VPN client traffic: split tunneling or force tunneling. When split tunneling is configured, only traffic for the on-premises network is routed over the VPN tunnel; everything else is sent directly to the Internet. With force tunneling, all client traffic, including Internet traffic, is routed over the VPN tunnel. There’s been much discussion recently on this topic, and this article outlines the advantages and disadvantages of both tunneling methods.

Force Tunneling

Force tunneling is typically enabled to meet the following requirements.

Visibility and Control

By routing all the client’s Internet traffic over the VPN tunnel, administrators can inspect, filter, and log Internet traffic using existing on-premises security solutions such as web proxies, content filters, or Next Generation Firewalls (NGFW).

Privacy

Enabling force tunneling ensures privacy and protection of all Internet communication. By routing all Internet traffic over the VPN, administrators can be certain that all communication from the Always On VPN client is encrypted, even when clients access unencrypted web sites or use untrusted or insecure wireless networks.

Force Tunneling Drawbacks

While configuring force tunneling for Always On VPN has some advantages, it comes with some serious limitations as well.

Poor User Experience

User experience is often degraded when all Internet traffic is routed over the VPN. Backhauling traffic through the datacenter creates suboptimal network paths that increase latency, and VPN encapsulation and encryption overhead increases fragmentation, leading to reduced throughput. Most Internet traffic is already encrypted in some form, and encrypting traffic that is already encrypted makes the problem even worse. In addition, force tunneling short-circuits geographic-based Content Delivery Networks (CDNs), further reducing Internet performance. Further, location-based services are often broken, which can lead to improper default language selection or inaccurate web search results.

Increased Resource Consumption

Additional resources may need to be provisioned to support force tunneling. With corporate and Internet traffic coming over the VPN, more CPU, memory, and network resources may be required. Deploying additional VPN servers and higher throughput load balancers to support the increase in network traffic may also be necessary. Force tunneling also places higher demands on Internet Service Provider (ISP) links to the corporate datacenter.

Split Tunneling

The alternative to force tunneling is “split tunneling”. With split tunneling configured, only traffic destined for the internal corporate network is routed over the VPN. All other traffic is sent directly to the Internet. Administrators define IP networks that should be routed over the VPN, and those networks are added to the routing table on the VPN client.
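As an added example (this is not code from the original post, nor Microsoft’s own sample), the following PowerShell shows how the two modes are expressed in an Always On VPN ProfileXML (the RoutingPolicyType and Route elements of the VPNv2 CSP), how a single route can be added to an existing connection, and a small helper that reports which mode is actually in effect on a connected client by checking whether a default route (0.0.0.0/0) exists on the VPN interface. The server name vpn.example.com, the connection name, the prefixes and the function name Get-AovpnTunnelMode are assumptions for illustration.

```powershell
# Added example; the profile name, server name and prefixes below are placeholders.
$ConnectionName = 'Contoso AOVPN'

# Force tunnel: the client receives a default route over the VPN, so no <Route>
# elements are required. Everything, including Internet traffic, crosses the tunnel.
$ForceTunnelXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
</VPNProfile>
'@

# Split tunnel: only the listed prefixes are added to the client routing table.
# DisableClassBasedDefaultRoute stops Windows adding a classful route for the
# assigned VPN address, so the <Route> list is the complete set of tunneled networks.
$SplitTunnelXml = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <Route>
    <Address>172.16.0.0</Address>
    <PrefixSize>12</PrefixSize>
  </Route>
</VPNProfile>
'@

# For a profile that already exists on the client, a route can also be added
# directly. Here a single public host (RFC 5737 documentation address, placeholder)
# is pointed over the tunnel so it is reached from the corporate egress.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix '203.0.113.10/32' -PassThru

function Get-AovpnTunnelMode {
    # Reports the effective tunneling mode of a connected VPN profile.
    param([Parameter(Mandatory)][string]$Name)

    # User tunnels live in the current user's phone book; device tunnels are
    # all-user connections, so fall back to -AllUserConnection.
    $conn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $conn) {
        $conn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop
    }
    if ($conn.ConnectionStatus -ne 'Connected') {
        return [pscustomobject]@{ Connection = $Name; Mode = 'NotConnected' }
    }

    # While connected, the VPN adapter's interface alias matches the profile name.
    $routes  = Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $default = $routes | Where-Object DestinationPrefix -eq '0.0.0.0/0'

    [pscustomobject]@{
        Connection     = $Name
        SplitTunneling = $conn.SplitTunneling          # what the profile declares
        Mode           = if ($default) { 'ForceTunnel' } else { 'SplitTunnel' }  # what the routing table shows
        TunnelRoutes   = ($routes | Where-Object DestinationPrefix -ne '0.0.0.0/0').DestinationPrefix
    }
}

Get-AovpnTunnelMode -Name $ConnectionName
```

Comparing the declared SplitTunneling value with the Mode derived from the routing table is the useful check: the two disagree when a profile was changed but the client has not reconnected, or when a class-based default route was left enabled and quietly widened what is sent over the tunnel.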

Security Enforcement

The challenge of providing visibility and control of Internet traffic with split tunneling enabled can be met using a variety of third-party security solutions. Microsoft Defender ATP recently introduced support for web content filtering. Also, there are numerous cloud-based security offerings from many vendors that allow administrators to monitor and control client-based Internet traffic. Zscaler and Cisco Umbrella are two popular solutions, and no doubt there are many more to choose from.

Recommendations

The general guidance I provide customers is to use split tunneling whenever possible, as it provides the best user experience and reduces demands on existing on-premises infrastructure. Enabling split or force tunneling is ultimately a design decision that must be made during the planning phase of an Always On VPN implementation project. Both configurations are supported, and they each have their merits.

In today’s world, with many applications accessible via public interfaces, force tunneling is an antiquated method for providing visibility and control for managed devices in the field. If required, investigate the use of Microsoft or other third-party solutions that enforce security policy at the endpoint or in the cloud, without the requirement to backhaul client Internet traffic to the datacenter over the VPN for inspection, logging, and filtering.

Additional Information

Whitepaper: Enhancing VPN Performance at Microsoft

Whitepaper: How Microsoft Is Keeping Its Remote Workforce Connected

Microsoft Defender ATP Web Content Filtering


14 Comments

  1. Hello,
    It is important to consider local traffic and not just Internet traffic. To date Always On does not manage the restriction of flows on the local network of the user and this is really a shame. Only LockDown mode allows you to restrict all flows in the VPN tunnel, which is really recommended in a highly secure context.

    Reply
  2. Hi Richard,

    Thank you for this article. I think that Windows 10 Always On VPN is a good solution to secure remote access.

    Regards,
    Florian

    Reply
  3. James Hawksworth / May 26, 2020

    My org is (unfortunately) keen for me to set up Always On with Force Tunnel, so it’s really useful that we can now add O365 exceptions. Would dual NIC not be a hindrance with force tunnel though, as you’d need endless static routes to override the default gateway? I’m sure I’m overthinking this…

    Reply
    • If you plan to use force tunnel I’d suggest moving to a single-NIC configuration on your VPN server to eliminate these issues. The alternative is to ensure that your VPN server has access to the public Internet and that all firewalls/gateways upstream allow traffic from the VPN client subnet.

      Reply
  4. Justin / June 25, 2020

    Thanks Richard, this was very informative! I have just implemented an AOVPN with Azure VWAN P2S VPN and was forced to go for split tunneling. So far so good, will let you know how it goes. The only limitation that keeps tripping me up with split tunneling is whitelisting the public IP with 3rd parties and allowing access to internal resources based on the same. Otherwise, split tunneling works well and keeps the users happy!

    Reply
  5. Maciej / July 2, 2020

    Hi Richard, amazing blog. I have deployed Device tunnel with your help :_)
    Now I’ve this problem. We would like to use DeviceTunnel in split mode so our device can be managed by SCCM and other services. After the device tunnel is established and the user logs on, I would like to be able to connect with another 3rd party VPN where the user will have access to file servers and other resources dedicated to him/her.

    Regards.
    Maciej

    Reply
    • Do you want to use another VPN separately? Or do you want the VPN to access resources over the device tunnel VPN connection?

      Reply
      • Maciej / July 7, 2020

        I would like to use a separate 3rd party VPN (Fortinet to be precise) for user access when the computer is connected using DeviceTunnel to the DC and SCCM servers (using split tunnel or even force tunnel).

        Have you tried this kind of setup?

      • I’ve not implemented device tunnel using Fortigate before. It might be possible, just not something I’ve done myself.

  6. aventador06 / September 12, 2020

    Hi Richard,
    We are finally deploying AOVPN to a test population and, of course, some questions have emerged that weren’t answered when we asked them in June/July when we studied the infrastructure.
    We’ve decided to deploy split-tunnel device AOVPN with a single route to access all internal resources. The WAN and LAN security is then handled by Cisco ASA and FirePower.
    Now, we have the following problem:
    Some providers have public websites that are not displaying the same page when coming from the LAN or from a public IP address.
    How can we force this traffic to go through the VPN and exit through the Internet access of our LAN?
    What is the best practice in this situation?
    Thanks

    Reply
    • If you want to route a public web site over the VPN, you would simply add their public IP addresses to your VPN client routing table to point it over the VPN.

      Reply