How to Configure VPN Split Tunneling on Windows 7: Route Local Traffic Only



When setting up a Windows 7 VPN server, many administrators encounter an unexpected behavior: all client internet traffic gets routed through the host machine. This creates unnecessary bandwidth consumption and potential performance bottlenecks. The solution lies in implementing split tunneling - a technique that allows selective routing of network traffic.

By default, Windows VPN connections enable what's known as full tunnel routing. This means:

  • All client traffic (including internet-bound) goes through VPN
  • The VPN server acts as a gateway for remote clients
  • Client default route gets modified to point to VPN interface

Here's how to modify the routing behavior using PowerShell and routing commands:

# First, identify your VPN interface index (ifIndex). Get-NetAdapter needs
# Windows 8 / Server 2012 or later; on Windows 7 read the index from the
# "Interface List" at the top of "route print" instead.
Get-NetAdapter | Where-Object {$_.InterfaceDescription -match "VPN"}

# Then add a persistent (-p) route for the internal network, replacing 15
# with the interface index found above
route -p add 192.168.1.0 mask 255.255.255.0 192.168.1.1 if 15

# Remove only the default route on the VPN interface. Without "if 15" the
# command deletes every 0.0.0.0 route, including the physical adapter's,
# and drops the machine offline. The route returns on the next dial unless
# "Use default gateway on remote network" is cleared for the connection.
route delete 0.0.0.0 mask 0.0.0.0 if 15

For more permanent solutions using Routing and Remote Access:

  1. Open RRAS Management Console
  2. Right-click the server → Properties
  3. IPv4 tab → uncheck "Enable IPv4 forwarding"
  4. In NAT section, remove any WAN interfaces

Test your setup with these commands:

# Check active routes (the 0.0.0.0 rows show which interface carries the
# default route)
route print

# Test connectivity to internal resources. Test-NetConnection needs
# Windows 8.1 / Server 2012 R2 or later; on Windows 7 use ping instead.
Test-NetConnection 192.168.1.100

# Verify internet traffic bypasses the VPN: SourceAddress and InterfaceAlias
# in the detailed output should belong to the physical adapter, not the VPN
Test-NetConnection google.com -InformationLevel Detailed

If you encounter problems:

  • Double-check interface indexes in route commands
  • Verify firewall isn't blocking VPN traffic
  • Ensure client DNS settings aren't forcing all traffic through VPN
  • Check for existing persistent routes with route print -4
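As an added check (example code written for this page, not part of the original post), the script below parses the output of route print -4 and ipconfig on a client to list every IPv4 default route and flag the one that sits on the named VPN adapter. Two default routes with the VPN one carrying the lower metric means full tunnel; only the physical adapter's default route means split tunnel. It uses the text tools so it also runs on Windows 7 (PowerShell 2.0), where the NetTCPIP cmdlets do not exist. The connection name InternalOnlyVPN is an assumption.

```powershell
# Added example, not from the original post. Reports whether a dialled VPN
# connection has installed a default route (full tunnel) or not (split tunnel).

function Get-DefaultRoutes {
    # "route print -4" lists the IPv4 table; active-route rows have the columns
    # Network Destination, Netmask, Gateway, Interface, Metric. Only rows whose
    # destination and netmask are both 0.0.0.0 are default routes. Rows in the
    # "Persistent Routes" section have no metric column and do not match.
    $routes = @()
    foreach ($line in (route.exe print -4)) {
        if ($line -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
            $routes += New-Object PSObject -Property @{
                Gateway   = $Matches[1]   # next hop, or "On-link" for PPP adapters
                Interface = $Matches[2]   # local address the route is bound to
                Metric    = [int]$Matches[3]
            }
        }
    }
    $routes
}

function Get-VpnAdapterAddress {
    # ipconfig prints a "PPP adapter <name>:" header for each dialled Windows
    # VPN connection, followed by indented lines with its addresses.
    param([string]$ConnectionName)
    $inSection = $false
    foreach ($line in (ipconfig.exe)) {
        if ($line -match '^PPP adapter (.+):$') {
            $inSection = ($Matches[1] -eq $ConnectionName)
        } elseif ($line -match '^\S') {
            $inSection = $false          # any other header ends the section
        } elseif ($inSection -and $line -match 'IPv4 Address.*:\s*(\d+\.\d+\.\d+\.\d+)') {
            return $Matches[1]
        }
    }
    $null                                # connection is not up
}

function Test-SplitTunnel {
    param([string]$ConnectionName)
    $vpnAddress = Get-VpnAdapterAddress $ConnectionName
    if (-not $vpnAddress) { Write-Warning "$ConnectionName is not connected"; return }

    $defaults = Get-DefaultRoutes
    foreach ($r in $defaults) {
        $tag = if ($r.Interface -eq $vpnAddress) { 'VPN' } else { 'local' }
        "{0,-6} default route via {1,-15} on {2,-15} metric {3}" -f $tag, $r.Gateway, $r.Interface, $r.Metric
    }
    # Any default route bound to the VPN adapter's address means internet
    # traffic can be sent through the tunnel, whatever the metric ordering.
    $viaVpn = $defaults | Where-Object { $_.Interface -eq $vpnAddress }
    if ($viaVpn) { "FULL TUNNEL: internet traffic will go through $ConnectionName" }
    else         { "SPLIT TUNNEL: no default route on $ConnectionName" }
}

# Assumed connection name; run while the VPN is dialled.
Test-SplitTunnel -ConnectionName "InternalOnlyVPN"
```

Run it before and after clearing "Use default gateway on remote network" to confirm the VPN-bound 0.0.0.0 row disappears; a persistent 0.0.0.0 entry added with route -p earlier will still show up under Persistent Routes in route print -4 and should be deleted separately.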

While split tunneling improves performance, be aware of:

  • Potential security implications of direct internet access
  • DNS leakage possibilities
  • The need for proper firewall rules on client machines

When configuring a Windows VPN server (especially on Windows 7), you'll often encounter this default behavior: all client traffic gets routed through the VPN server. This happens because most VPN solutions enable the "Use default gateway on remote network" option by default in the TCP/IP settings.
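Windows 7 clients have no VpnClient module, so the "Use default gateway on remote network" option described above has to be cleared per connection, either in the connection's TCP/IPv4 advanced settings or in the phonebook file those settings are saved to. The function below, an added example not taken from the original post, edits the client's rasphone.pbk directly: the checkbox is stored as IpPrioritizeRemote=1 in the connection's entry, and the function sets it to 0 for one named entry (adding the key if it is missing), keeping the file's encoding and writing a backup first. The entry name InternalOnlyVPN and the .bak backup path are assumptions; the per-user phonebook path is the one Windows uses, and connections created for all users live under $env:ProgramData instead. Note that this is purely a client-side change: the server still needs IPv4 forwarding enabled to route clients to the internal subnets.

```powershell
# Added example, not from the original post. Clears "Use default gateway on
# remote network" for one entry in a Windows 7 client's rasphone.pbk.
# Run while the connection is disconnected; it takes effect on the next dial.

function Set-VpnSplitTunnelPbk {
    param(
        [Parameter(Mandatory=$true)][string]$EntryName,
        # Per-user phonebook. Connections created for all users live in
        # $env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
        [string]$PbkPath = (Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    )
    if (-not (Test-Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }

    # Preserve the file's encoding: a leading FF FE byte-order mark means UTF-16,
    # otherwise treat the file as ANSI.
    $bytes  = [System.IO.File]::ReadAllBytes($PbkPath)
    $hasBom = ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE)
    $enc    = if ($hasBom) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::Default }
    $lines  = $enc.GetString($bytes).TrimStart([char]0xFEFF) -split "`r?`n"

    # The phonebook is INI-style: each connection is a [EntryName] section.
    $out = New-Object System.Collections.ArrayList
    $inEntry = $false
    $found   = $false
    foreach ($line in $lines) {
        if ($line -match '^\[(.*)\]\s*$') {
            # Leaving the target entry without having seen the key: add it.
            if ($inEntry -and -not $found) { [void]$out.Add('IpPrioritizeRemote=0'); $found = $true }
            $inEntry = ($Matches[1] -eq $EntryName)
        } elseif ($inEntry -and $line -match '^IpPrioritizeRemote=') {
            $line  = 'IpPrioritizeRemote=0'   # 1 = use remote default gateway
            $found = $true
        }
        [void]$out.Add($line)
    }
    # Target entry was the last section in the file and had no key.
    if ($inEntry -and -not $found) { [void]$out.Add('IpPrioritizeRemote=0'); $found = $true }
    if (-not $found) { throw "No entry named '$EntryName' in $PbkPath" }

    Copy-Item $PbkPath "$PbkPath.bak" -Force   # assumed backup location
    [System.IO.File]::WriteAllText($PbkPath, ($out -join "`r`n"), $enc)
    "IpPrioritizeRemote=0 set for '$EntryName' in $PbkPath"
}

# Assumed entry name; matches the [section] header for the connection.
Set-VpnSplitTunnelPbk -EntryName 'InternalOnlyVPN'
```

After the next dial, route print -4 on the client should show only the physical adapter's 0.0.0.0 route, with the VPN's internal subnet reachable through the PPP adapter's own address.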

To maintain internal network access while preventing internet traffic relay:

# There is no server-side split-tunnel switch in Windows. Set-VpnServerConfiguration
# (RemoteAccess module, Server 2012 and later) has no -CustomConfiguration
# parameter, so the routing decision is made on the client instead, where
# "Use default gateway on remote network" lives.

# Windows 8 and later clients (VpnClient module):
Set-VpnConnection -Name "InternalOnlyVPN" -SplitTunneling $true

# Windows 7 clients have no VpnClient module: clear the option under the
# connection's TCP/IPv4 > Advanced settings, which stores IpPrioritizeRemote=0
# for that entry in rasphone.pbk.

For those preferring GUI configuration:

  1. Open Routing and Remote Access console (rrasmgmt.msc)
  2. Right-click server → Properties → IPv4 tab
  3. Uncheck "Enable IPv4 forwarding"
  4. Under Static Routes, ensure only internal subnets are listed

You'll need to modify the client connection properties:

# Sample Windows VPN connection script (VpnClient module, Windows 8 and later;
# replace your.server.ip with the server's address). -SplitTunneling and
# -RememberCredential are switch parameters on Add-VpnConnection, so they take
# no $true, and the wrapped line needs a backtick continuation.
Add-VpnConnection -Name "InternalOnlyVPN" -ServerAddress "your.server.ip" `
  -SplitTunneling -TunnelType "Automatic" -RememberCredential

# On an existing connection the same setting is a Boolean parameter
Set-VpnConnection -Name "InternalOnlyVPN" -SplitTunneling $true

For granular control over which subnets go through VPN:

# Route only 192.168.1.0/24 through the VPN. Add-VpnConnectionRoute needs
# Windows 8.1 or later and only takes effect when SplitTunneling is enabled.
Add-VpnConnectionRoute -ConnectionName "InternalOnlyVPN" `
  -DestinationPrefix "192.168.1.0/24"

# Remove the default route if it exists. The interface alias only exists while
# the connection is up, and the route is recreated on the next dial if
# "Use default gateway on remote network" is still set.
Remove-NetRoute -InterfaceAlias "InternalOnlyVPN" `
  -DestinationPrefix "0.0.0.0/0" -Confirm:$false

After configuration:

  • Run tracert 8.8.8.8 from client - should show direct path
  • Run ipconfig /all - verify no default gateway assigned to VPN adapter
  • Test internal resources (file shares, RDP, etc.) to confirm they still work

If internal resources become inaccessible:

# Check effective routes on client (Get-NetRoute: Windows 8 or later;
# use "route print -4" on Windows 7)
Get-NetRoute -InterfaceAlias "InternalOnlyVPN"

# Verify DNS resolution works for internal names (Resolve-DnsName: Windows 8
# or later; use nslookup on Windows 7). The answering server should be the
# internal DNS server the VPN assigns, not the local ISP resolver.
Resolve-DnsName "internal.resource.local" -Type A