Many developers face this frustration: when connecting to remote development servers via Shrewsoft VPN, the client typically routes all traffic through the VPN tunnel. This means:
- Email clients stop working
- Web browsing becomes impossible
- Local network resources become inaccessible
What we need is called split tunneling - where only specific traffic (in this case, to the 10.x.x.x development server) goes through the VPN while other traffic uses the normal network path.
Here's how to configure selective routing:
- Open Shrewsoft VPN Access Manager
- Select your connection profile → Click Modify
- Navigate to Policy tab → IPv4 section
- Check Enable Manual Policy
- Add your specific route:

```text
# Example route configuration
Route: 10.10.20.0/24
Gateway: (leave blank for automatic)
Metric: 1
```
The route policy selects traffic by destination address only. For even more granular control (specific ports only), you'll need to combine it with firewall rules. Here's a PowerShell example to create Windows Firewall rules. Note that Windows Firewall evaluates Block rules before Allow rules, so the block rule must leave port 22 out; a blanket block of the whole subnet would also block the SSH rule:

```powershell
# Allow only TCP port 22 (SSH) to the development host
New-NetFirewallRule -DisplayName "VPN-SSH-Only" -Direction Outbound `
    -RemoteAddress 10.10.20.5 -RemotePort 22 -Protocol TCP -Action Allow

# Block the remaining TCP ports on the VPN subnet. The port list excludes 22
# because Block rules take precedence over Allow rules in Windows Firewall.
New-NetFirewallRule -DisplayName "Block-Other-VPN-Traffic" -Direction Outbound `
    -RemoteAddress 10.10.20.0/24 -Protocol TCP -RemotePort 1-21,23-65535 -Action Block
```
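The interaction between the Allow and Block rules is easy to get wrong, so here is a small model of how Windows Defender Firewall decides an outbound connection. This is an added example, not code from the page: it encodes the documented order (explicit Block rules first, then Allow rules, then the profile default, which is Allow for outbound traffic) and evaluates the rule pair as written on the page against a corrected pair whose Block rules exclude TCP/22. The `make_rule`/`evaluate_outbound` helpers and the `CORRECTED` rule set are mine; the rule names and addresses come from the page.

```python
import ipaddress

# Modelled after the documented Windows Defender Firewall order: explicit
# Block rules are evaluated before Allow rules, and outbound traffic that
# matches no rule falls back to the profile default (Allow for outbound).


def parse_ports(spec):
    """Expand a -RemotePort style spec like '22' or '1-21,23-65535' into ranges."""
    if spec is None:
        return None  # any port
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def make_rule(name, action, remote_address, protocol=None, remote_port=None):
    """Mimic the New-NetFirewallRule parameters used on the page (outbound only)."""
    return {
        "name": name,
        "action": action,
        "remote": ipaddress.ip_network(remote_address),
        "protocol": protocol,            # None means any protocol
        "ports": parse_ports(remote_port),
    }


def matches(rule, dst_ip, protocol, port):
    """True when a connection attempt falls inside the rule's scope."""
    if ipaddress.ip_address(dst_ip) not in rule["remote"]:
        return False
    if rule["protocol"] is not None and rule["protocol"] != protocol:
        return False
    if rule["ports"] is not None:
        return any(lo <= port <= hi for lo, hi in rule["ports"])
    return True


def evaluate_outbound(rules, dst_ip, protocol, port):
    """Return (decision, rule name) for one outbound connection attempt."""
    for phase in ("Block", "Allow"):          # Block rules are checked first
        for r in rules:
            if r["action"] == phase and matches(r, dst_ip, protocol, port):
                return (phase, r["name"])
    return ("Allow", "default-outbound")      # profile default for outbound


# The two rules as written on the page: the Block rule spans the whole
# subnet on every protocol and port, including the SSH port.
AS_WRITTEN = [
    make_rule("VPN-SSH-Only", "Allow", "10.10.20.5/32", "TCP", "22"),
    make_rule("Block-Other-VPN-Traffic", "Block", "10.10.20.0/24"),
]

# Corrected pair (constructed here): the Block rules leave TCP/22 out, so
# the Allow rule is the one that decides SSH traffic.
CORRECTED = [
    make_rule("VPN-SSH-Only", "Allow", "10.10.20.5/32", "TCP", "22"),
    make_rule("Block-Other-VPN-TCP", "Block", "10.10.20.0/24", "TCP", "1-21,23-65535"),
    make_rule("Block-Other-VPN-UDP", "Block", "10.10.20.0/24", "UDP"),
]

if __name__ == "__main__":
    for label, rules in (("as written", AS_WRITTEN), ("corrected", CORRECTED)):
        print(label, "SSH to 10.10.20.5 ->", evaluate_outbound(rules, "10.10.20.5", "TCP", 22))
```

One residual is worth knowing about: because a Block rule cannot be overridden, the corrected set leaves TCP/22 to the other hosts in the subnet on the default outbound Allow. If that matters, scope the TCP Block rule with `-RemoteAddress` ranges that skip the development host instead of excluding the port.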
After connecting, confirm that only the development subnet uses the tunnel:

```powershell
# Check active routes: the 10.10.20.0/24 entry should point at the VPN
# adapter while 0.0.0.0/0 still points at your normal gateway
route print

# Test connectivity: the first should succeed over the VPN, the second
# should still reach the internet directly
Test-NetConnection 10.10.20.5 -Port 22
Test-NetConnection google.com -Port 80
```
Common pitfalls:
- DNS leaks: Ensure your DNS queries aren't being routed through the VPN
- Metric conflicts: The metric only breaks ties between routes of the same prefix length; the more specific /24 route already beats the default route, but if the client also pushes a default route, the lower metric wins (use 1 for VPN routes)
- Corporate policies: Some VPNs enforce full-tunnel - check with your admin
If VPN configuration proves difficult, consider SSH port forwarding instead:
```sh
# Forward local port 2222 to port 22 on the gateway host itself
ssh -L 2222:localhost:22 user@vpn-gateway.example.com
```
Then connect your tools to localhost:2222 for secure access without full VPN routing.
When working with Shrewsoft VPN client (or most traditional VPN solutions), the default configuration typically creates a full-tunnel connection that routes all network traffic through the VPN gateway. This becomes problematic when developers need simultaneous access to both:
- The remote development server (10.x.x.x)
- Local internet resources (email, documentation, etc.)
The proper approach is to implement split tunneling - where only specific network traffic is routed through the VPN while other traffic uses the direct internet connection. Here's how to configure this in Shrewsoft:
1. Open Shrewsoft VPN Access Manager
2. Select your connection profile → Properties
3. Navigate to the "Policy" tab
4. Under "IPv4 Protocol", select "Configure"
5. In the "IPv4 Settings" dialog:
   - Set "Configuration Method" to "Manual"
   - Click "Add" under "Subnet Entries"
   - Enter your target IP/network (e.g., 10.1.1.0/24)
   - Set "Destination Port" if needed (e.g., 22 for SSH)
6. Check "Enable Transparent Tunneling"
7. Uncheck "Enable Dead Peer Detection" (optional)
8. Save changes and reconnect
For more granular control, you can manually add routes after connecting (replace [VPN_GATEWAY_IP] with the tunnel's gateway address):

```cmd
REM Windows: add a persistent route (the -p switch goes before the add verb)
route -p add 10.1.1.0 mask 255.255.255.0 [VPN_GATEWAY_IP]
```

```bash
# Linux alternative (if using the open source version):
ip route add 10.1.1.0/24 via [VPN_GATEWAY_IP]
```
Test your setup with these commands:

```cmd
REM Trace the path to the target; the first hop shows whether it left via the VPN gateway
tracert 10.1.1.100
REM Verify the route table
route print
REM Test port-specific routing
telnet 10.1.1.100 22
```

On Linux, use `ip route show` instead of `route print` and `traceroute` instead of `tracert`.
If you encounter problems:
- DNS leaks: Ensure your client isn't using the VPN's DNS servers for all queries
- Policy conflicts: Check firewall rules that might override VPN routing
- Gateway precedence: Verify metric values in your route table
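Both the "After connecting" checks earlier on the page and the "Test your setup" / troubleshooting steps here come down to reading the route table correctly. The following is an added example, not code from the page or from the Shrew Soft project: it parses the IPv4 "Active Routes" section as printed by `route print`, selects a route the way the stack does (longest prefix first, metric only as a tie-breaker), and reports the failure modes listed above (a default route pushed through the VPN, a development subnet that misses the tunnel, internet traffic leaking into it). The two `route print` samples are constructed, and the VPN adapter address 10.10.20.100 and the gateway addresses are assumptions.

```python
"""Audit a Windows route table for split-tunnel failure modes."""
import ipaddress
import re

# Constructed sample output (not captured from a real host): a correct split
# tunnel, with 10.10.20.100 as the VPN virtual adapter's address.
SPLIT_TUNNEL_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50     25
       10.10.20.0    255.255.255.0         On-link   10.10.20.100      1
        127.0.0.0        255.0.0.0         On-link      127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link   192.168.1.50    281
===========================================================================
"""

# Constructed sample of the problem case: the client pushed a second default
# route with a lower metric, so the VPN adapter wins the tie for 0.0.0.0/0.
FULL_TUNNEL_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.20.1   10.10.20.100      1
          0.0.0.0          0.0.0.0     192.168.1.1   192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link   192.168.1.50    281
"""

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the IPv4 routes found in `route print` output as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # headers, separator lines, anything that is not a route
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gateway,  # dotted quad or the literal "On-link"
            "interface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def select_route(routes, destination):
    """Pick the route the stack would use: longest prefix wins, and the
    metric only breaks ties between routes of equal prefix length."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def audit_split_tunnel(routes, vpn_interface, dev_subnet, probe="1.1.1.1"):
    """Return finding codes for the intended policy; [] means it holds.

    vpn_interface: address of the VPN virtual adapter (assumed 10.10.20.100 here)
    dev_subnet:    the network that must be reached through the tunnel
    probe:         any public address that must NOT use the tunnel
    """
    vpn_if = ipaddress.IPv4Address(vpn_interface)
    dev_net = ipaddress.IPv4Network(dev_subnet)
    findings = []

    # A default route on the VPN adapter is a full tunnel, whatever was configured.
    if any(r["network"].prefixlen == 0 and r["interface"] == vpn_if for r in routes):
        findings.append("FULL_TUNNEL_DEFAULT_ROUTE")

    # The development subnet must resolve to the VPN adapter, not fall through
    # to the default route on the physical adapter.
    dev_route = select_route(routes, str(dev_net.network_address + 1))
    if dev_route is None or dev_route["interface"] != vpn_if:
        findings.append("DEV_SUBNET_NOT_VIA_VPN")

    # A public address choosing the VPN adapter means internet traffic leaks in.
    probe_route = select_route(routes, probe)
    if probe_route is not None and probe_route["interface"] == vpn_if:
        findings.append("INTERNET_VIA_VPN")
    return findings


if __name__ == "__main__":
    for label, text in (("split", SPLIT_TUNNEL_ROUTE_PRINT), ("full", FULL_TUNNEL_ROUTE_PRINT)):
        routes = parse_route_print(text)
        print(label, audit_split_tunnel(routes, "10.10.20.100", "10.10.20.0/24") or "OK")
```

To run it against a real machine, pipe the output of `route print` into `parse_route_print` and pass the address shown for the Shrew Soft virtual adapter as `vpn_interface`; an empty finding list is the result you want after applying the policy above.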