Setup VPN access without Internet Access privileges

  • Question

  • Hi

    I have set up VPN on my Windows Server 2008. When I access the VPN with Windows 7, my personal internet traffic at home passes through this VPN. I see "Internet Access" under my connection icon in "Network and Sharing Center". I have checked the office modem records and I know my personal traffic has passed through the office server.

    Is there any way to instruct Windows Server 2008 to not give internet access to VPN clients?

    I am still testing the VPN and I am the only one accessing it for now. I have to fix this before I give access to other employees. I don't want them to think they are being spied on.

    Any help is appreciated :)

    Friday, August 27, 2010 4:24 AM

Answers

  • Hi Farzanx,

     

    Thanks for the update.

    You might like to check whether you can access the internet while the VPN is connected by disabling “Use default gateway on remote network” on the client side.

    To disable the Use Default Gateway on Remote Network setting in the VPN dial-up connection item on the client computer:

    · Right-click the VPN connection that you want to change, and then click Properties.

    · Click the Networking tab, click Internet Protocol (TCP/IP) in the Components checked are used by this connection list, and then click Properties.

    · Click Advanced, and then click to clear the Use default gateway on remote network check box.

    · Click OK, click OK, and then click OK.

    If the purpose you want to achieve is to prevent remotely connected users from accessing the internet through your office’s internet gateway, then it could be done by modifying the DHCP option and clearing the Default Gateway entry for the remote connection.

     

    Thanks.

     

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, September 16, 2010 9:00 AM
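
A way to confirm from the client which state the check box in this answer has produced, by reading the `route print` output requested elsewhere in the thread. This is an added example, not part of the original posts; the function names, addresses and both route tables are constructed for illustration.

```python
import re

# One row of the IPv4 "Active Routes" table printed by `route print`.
ROUTE_ROW = re.compile(
    r"^\s*(?P<dest>[\d.]+)\s+(?P<mask>[\d.]+)\s+(?P<gateway>\S+)"
    r"\s+(?P<interface>[\d.]+)\s+(?P<metric>\d+)\s*$"
)

def parse_ipv4_routes(text):
    """Return the active IPv4 routes from `route print` output."""
    routes, active = [], False
    for line in text.splitlines():
        if line.strip() == "Active Routes:":
            active = True
        elif active and line.startswith("="):
            break  # end of the IPv4 active table; other sections follow
        elif active and (m := ROUTE_ROW.match(line)):
            routes.append({**m.groupdict(), "metric": int(m["metric"])})
    return routes

def effective_default_route(routes):
    """Lowest-metric 0.0.0.0/0 route, i.e. where internet traffic goes."""
    defaults = [r for r in routes if r["dest"] == r["mask"] == "0.0.0.0"]
    return min(defaults, key=lambda r: r["metric"], default=None)

def internet_goes_through_vpn(text, vpn_client_ip):
    """True when the winning default route leaves via the VPN interface."""
    route = effective_default_route(parse_ipv4_routes(text))
    return route is not None and route["interface"] == vpn_client_ip

# Constructed samples (not from the thread). 192.168.1.50 is the home LAN
# address, 10.10.10.21 the address handed out by the VPN server.
HEADER = """IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
"""
FOOTER = "=" * 75 + "\n"
BOX_CHECKED = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50   4250
          0.0.0.0          0.0.0.0         On-link      10.10.10.21     26
      10.10.10.21  255.255.255.255         On-link      10.10.10.21    281
""" + FOOTER
BOX_CLEARED = HEADER + """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0        255.0.0.0      10.10.10.1      10.10.10.21     26
      10.10.10.21  255.255.255.255         On-link      10.10.10.21    281
""" + FOOTER
```

Pass the text of `route print` captured while the VPN is connected, together with the VPN adapter's IPv4 address from `ipconfig /all`; a `True` result means home internet traffic is still being sent through the office.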

All replies

  • Hi Farzanx,

     

    Thanks for posting here.

    After reading your post I understand that you are going to prevent the users who connect remotely from accessing the internet via the office’s internet connection.

    If I have misunderstood, please let me know.

    The easiest way to prevent this situation is to specifically deny the IP range you assigned to VPN connections on the internet gateway of your office.

    Usually, the IP segment we assign for remote users is different from the office IP segment, so you could control the route on the gateway for the remote IP segment to prevent remote clients from connecting to the internet via the office internet gateway.

    Meanwhile, please post the “ipconfig /all” and “route print” results of the remote client when the VPN is connected and of the VPN server, and the internet gateway address of your office, for further investigation.

    You could verify the route by which the remote client accesses the internet by performing “tracert <internet site name>”.

     

    Thanks.

     

    Tiger Li


    Monday, August 30, 2010 8:03 AM
  • Hi

    Thanks for your help, Tiger Li

    Previously I used the same IPv4 range for both LAN and VPN. But now I created a new one under server properties in Routing and Remote Access. Eventually I am not able to connect to internet at all from my home PC when I am connected to the VPN server. This is while my LAN shows "Internet Access" and my VPN connection shows "No Internet Access". However I have connectivity to the office LAN.

    I am using Windows 7 Professional at home

    I really don't know how to prevent a specific IP range to access the internet on Windows Server 2008 settings. Could you help me on that please?

     

    Wednesday, September 8, 2010 9:12 PM
  • Hi Farzanx,

    Thanks for the update.

    Could you describe in detail the topology of your network, especially the internet gateway?

    Meanwhile, please post the export results that I mentioned in my previous reply here.

    Thanks.

    Tiger Li


    Tuesday, September 14, 2010 7:59 AM
  • Hi

    I think the problem is with Windows after all. Why does it think it should direct traffic to the dial-up/VPN connection?

    I decided to disconnect our office's internet for a while in the evening (for test) and use the VPN with the same DHCP scope given to the office LAN users (which is the default approach).

    I found that I am not able to connect to internet on my personal computer at home when I connect to office's VPN. At home I use an ADSL router.

    As for your concern, this is our office's network topology:

    Internet > router (gateway) > Switch > Windows Server 2008 (only 1 NIC as Internal interface, AD, DC, DHCP, VPN) + other clients

    Thursday, September 16, 2010 1:17 AM
  • Thank you Tiger Li. This is exactly what I was looking for. Wondering why I never noticed it before.
    Monday, September 20, 2010 11:49 AM