Pushing static routes to VPN clients connecting to Windows Server 2016 running RRAS

  • Question

  • I've set up a Windows 2016 server and enabled VPN/RRAS services. Pretty standard setup, one NIC on the public WAN, one NIC on the private LAN. I have split-tunneling enabled on the VPN clients and they are able to connect to anything on the same internal network as the VPN server LAN NIC.

    Problem is, there are a few internal networks here that are outside that VPN server LAN subnet and the VPN clients are not able to access those. I've added static routes to these networks on the VPN server:

    The VPN server itself can ping all of these remote networks, and machines on the remote networks can ping the VPN server. But the VPN *clients* are not able to ping these other networks - they can only ping the "default" network that's on the same subnet as the VPN server LAN. 

    Oddly enough, when I disable split tunneling on the clients (i.e., tunnel everything back to the VPN server), they can then ping all of the internal networks, but they can no longer get out to the internet. The VPN server itself *is* able to get out to the internet. 

    Not sure what I'm missing here, but definitely seems like a routing issue. I figured VPN clients would be able to access all of the resources that the server itself can access, but clearly not the case. Any help would be greatly appreciated! 


    Shaun

    Thursday, March 26, 2020 2:18 PM

All replies

  • Hi Shaun,

    Please tracert to the IP of the internal networks that are outside the VPN server LAN subnet, both with split-tunneling enabled on the VPN clients and with split-tunneling disabled on the VPN clients.

    Compare the difference of the tracert results. 

    If possible, please post the results for us to troubleshoot.

    Note: since this is a public forum, everyone could view your information, please remove private information that might leak your privacy.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Friday, March 27, 2020 8:02 AM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.                   

    Best Regards,

    Candy


    Tuesday, March 31, 2020 9:17 AM
  • Tracert times out at the VPN server in all cases where it doesn't go through completely. 

    If I add static routes on the VPN clients using powershell, then I'm able to get to/from the internal remote networks. For example, on the VPN client:

    ```powershell
    # Per-profile static route on the client: traffic for this prefix is sent through
    # the VPN connection named "name" whenever that connection is up (split tunneling must be on).
    Add-VpnConnectionRoute -ConnectionName "name" -DestinationPrefix 192.168.1.0/24
    ```

    I thought adding those static routes on the VPN server would push those to the clients, but doesn't seem to be the case. 


    Shaun

    Tuesday, March 31, 2020 3:05 PM
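The client-side workaround from the post above, as an added example that is not code from the thread: it applies a list of prefixes to a VPN profile idempotently, refuses to run if the profile is not split-tunnelled (per-connection routes are only honoured on a split-tunnel profile), and shows how to verify the routes on the live connection afterwards. The connection name "name" and the prefixes are placeholders.

```powershell
# Added example, not code from the thread. Connection name and prefixes are placeholders.
function Add-VpnClientRoutes {
    param(
        [Parameter(Mandatory)] [string]   $ConnectionName,
        [Parameter(Mandatory)] [string[]] $DestinationPrefix,
        [switch] $AllUserConnection   # profile created for all users (needs elevation)
    )
    $scope = @{}
    if ($AllUserConnection) { $scope.AllUserConnection = $true }

    # Per-connection routes only take effect on a split-tunnel profile; with
    # SplitTunneling off, everything is sent through the tunnel anyway.
    $vpn = Get-VpnConnection -Name $ConnectionName @scope
    if (-not $vpn.SplitTunneling) {
        throw "Profile '$ConnectionName' is not split-tunnelled; run Set-VpnConnection -Name '$ConnectionName' -SplitTunneling `$true first."
    }

    # Routes already stored on the profile (Routes is a property of Get-VpnConnection output).
    $existing = @($vpn.Routes | Select-Object -ExpandProperty DestinationPrefix)

    foreach ($prefix in $DestinationPrefix) {
        if ($existing -contains $prefix) {
            Write-Verbose "Route $prefix already on profile '$ConnectionName'"
            continue
        }
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix @scope -PassThru
    }
}

# Internal networks behind the VPN server's LAN NIC (placeholder prefixes).
Add-VpnClientRoutes -ConnectionName 'name' `
    -DestinationPrefix '192.168.1.0/24', '192.168.2.0/24', '172.16.0.0/12' -Verbose

# After (re)connecting, the prefixes should appear in the live routing table on the
# VPN interface; if they are missing here, the profile route was never applied.
Get-NetRoute -InterfaceAlias 'name' -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceMetric
```

The profile routes are stored in the client's rasphone.pbk and reapplied every time the connection comes up, so this only has to be run once per client; the Get-NetRoute check is the one to repeat when a client reports it cannot reach a network.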
  • Hi,

    As far as I know, a client running Windows uses a DHCPINFORM message after the connection to obtain additional information about the connection, such as a DNS name or a set of routes for the target network. This additional information is only available if the remote access server has been configured to relay the DHCPINFORM message to the DHCP server, and if the DHCP server has been configured to provide the DHCP Classless Static Routes option 121.

    So you have to add the static routes on both the DHCP and the RRAS server, then VPN clients can obtain the route information from the connection.

    Hope this can help you.

    Best Regards,

    Candy


    Wednesday, April 1, 2020 2:40 AM
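A worked example of the DHCP side of that answer, added here and not part of the thread. It builds the RFC 3442 Classless Static Route value by hand (one byte of prefix length, then only the significant octets of the destination, then the four-octet router, repeated per route), validates that no host bits are set, and writes the result as DHCP option 121 on the scope RRAS hands addresses out from. Assumptions, none of which come from the thread: the VPN address pool is scope 10.0.5.0 on DHCP server DHCP01, the next hop handed to clients is the VPN server's own address on that pool, 10.0.5.1, and option 121 is defined on that server as a binary option that accepts hex byte strings (the predefined definition; confirm with `Get-DhcpServerv4OptionDefinition -OptionId 121` before writing to it). The RRAS half of the fix, adding the Internal interface to IPv4 > DHCP Relay Agent and pointing it at the DHCP server, is done in the RRAS console and is not scripted here.

```powershell
# Added example, not from the thread. Server names and addresses are placeholders.
function ConvertTo-ClasslessStaticRouteOption {
    [CmdletBinding()]
    param(
        # Routes written as 'destination/prefixlen=router', e.g. '192.168.1.0/24=10.0.5.1'
        [Parameter(Mandatory)] [string[]] $Route
    )
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($r in $Route) {
        $prefix, $router = $r -split '=', 2
        $dest, $len      = $prefix -split '/', 2
        $len = [int]$len
        if ($len -lt 0 -or $len -gt 32) { throw "Bad prefix length in '$r'" }
        $destBytes   = [System.Net.IPAddress]::Parse($dest).GetAddressBytes()
        $routerBytes = [System.Net.IPAddress]::Parse($router).GetAddressBytes()

        # Reject host bits inside the prefix: the encoding drops whole trailing
        # octets, so a sloppy destination would silently become a different route.
        for ($i = 0; $i -lt 4; $i++) {
            $bits     = [math]::Min(8, [math]::Max(0, $len - 8 * $i))   # prefix bits in this octet
            $hostMask = 0xFF -shr $bits                                  # remaining (host) bits
            if (($destBytes[$i] -band $hostMask) -ne 0) { throw "Host bits set in '$r'" }
        }

        # RFC 3442: prefix length, ceil(len/8) destination octets, then the router.
        $significant = [int][math]::Ceiling($len / 8)
        $bytes.Add([byte]$len)
        for ($i = 0; $i -lt $significant; $i++) { $bytes.Add($destBytes[$i]) }
        foreach ($b in $routerBytes) { $bytes.Add($b) }
    }
    # A single DHCP option instance carries at most 255 bytes of payload.
    if ($bytes.Count -gt 255) { throw "Option 121 value is $($bytes.Count) bytes; the limit is 255" }
    return ,$bytes.ToArray()
}

# Internal networks that are not on the VPN server's LAN subnet (placeholders),
# all reachable through the VPN server's pool address (placeholder 10.0.5.1).
$routes = @(
    '192.168.1.0/24=10.0.5.1',
    '192.168.2.0/24=10.0.5.1',
    '172.16.0.0/12=10.0.5.1'
)
$raw = ConvertTo-ClasslessStaticRouteOption -Route $routes

# Windows DHCP takes a binary option value as a list of hex byte strings; print it
# first so the encoding can be eyeballed before it is committed.
$hex = $raw | ForEach-Object { '0x{0:X2}' -f $_ }
$hex -join ' '

# Scope-level option on the pool RRAS uses for VPN clients (placeholders: DHCP01, 10.0.5.0).
Set-DhcpServerv4OptionValue -ComputerName DHCP01 -ScopeId 10.0.5.0 -OptionId 121 -Value $hex
Get-DhcpServerv4OptionValue -ComputerName DHCP01 -ScopeId 10.0.5.0 -OptionId 121

# On a reconnected client the route should now be present without Add-VpnConnectionRoute.
# If it is not, the DHCPINFORM never reached the DHCP server: check the RRAS DHCP Relay Agent.
Get-NetRoute -InterfaceAlias 'name' -AddressFamily IPv4 -DestinationPrefix '192.168.1.0/24'
```

For the first route above, 192.168.1.0/24 via 10.0.5.1, the encoder produces the eight bytes 18 C0 A8 01 0A 00 05 01; the /12 route only carries two destination octets (AC 10). If RRAS assigns client addresses from a static pool that is not covered by any DHCP scope, set the option at server level instead (omit -ScopeId), because the DHCP server picks scope options based on the address in the relayed DHCPINFORM.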
  • Thanks! I'll give this a try.

    The second part of my question here is regarding internet access for the clients when split-tunneling is *disabled*...Clients can't get to the internet for some reason, tracert shows traffic hits the client VPN interface, and then times out from there. All of the internal networks are accessible. The VPN server itself can get to the internet through its WAN-connected interface, default gateway on the server is configured on that interface and points to our internet router, but VPN client internet traffic isn't being routed. Thoughts on that?


    Shaun

    Wednesday, April 1, 2020 1:14 PM