Juniper VPN forces the traffic via the corporate proxy – can it be undone


When connected to the corporate VPN from home, all the traffic is redirected to go via the corporate proxy, effectively blocking sites that I want to use freely when I am at home, and slowing down access to external sites. How can I undo this situation?

I am asking the same question as here: "Avoid corporate blocked URL's when on Cisco VPN", with the exception that my VPN client is Juniper and the OS is Windows 7. None of the answers there worked for me:
– Juniper client doesn't have the "Use default gateway on remote network" configuration
– I wasn't able to find the setting in Win7's Control Panel (I could find the connection, then IPv4 => Properties => Advanced => IP Settings, but nothing there similar to "Use default gateway on remote network")

Interestingly enough, the very same VPN client does not force the traffic via the corporate proxy on another computer of mine which runs WinXP.

Best Answer

Absolutely possible. I wrote a script that sets up static routes to my home gateway for all IP ranges that I know do not need to go to my corp network. Then it launches Network Connect, then updates the instantproxy.pac file. (Note: my corp network is on 136.x.x.x.)

The basic idea is below - good luck:

@echo off
echo Set up Static routes to home network then launch VPN application

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Set interfaceID (found using ROUTE PRINT command) to be equal to the       :::
::: number of the interface of your regular network adapter.                   :::
::: Set homegw equal to the IP address of your home network g/w.               ::: 
:::                                                                            :::
:::    Issue the command as:     LaunchVPN Ethernet       or                   :::
:::                              LaunchVPN Wireless       or                   :::
:::                              LaunchVPN Gigabit                            :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

set lookfor=%1
set  VPN_version=Network Connect 7.2.0


:: Look for the interface ID that corresponds with the argument passed. Most wireless
:: NIC cards are identified as "Wireless", Ethernet Cards either as "Ethernet" or "Gigabit"

:: delims=. keeps only the interface number that precedes the dots in ROUTE PRINT output
@For /f "tokens=1 delims=." %%* in (
   'route.exe print ^|findstr /C:%lookfor%'
   ) Do @Set "interfaceID=%%*"


:: If we did not find any interface - it could be that we need to look for
:: a Gigabit adapter. (If this still fails - the argument passed will need to be
:: modified to match the specific string that identifies your NIC. In a DOS
:: window issue the command "Route Print" to see how your NICs are shown.)

if (%interfaceID%)==() (set lookfor=Gigabit)

@For /f "tokens=1 delims=." %%* in (
   'route.exe print ^|findstr /C:%lookfor%'
   ) Do @Set "interfaceID=%%*"


@For /f "tokens=1 delims=." %%* in (
   'route.exe print ^|findstr /C:Juniper'
   ) Do @Set "VPNinterfaceID=%%*"


echo Setting up static routes to %lookfor% interface %interfaceID% using %VPN_version%
echo If you should be using a different version than %VPN_version% then update the batch file.

:: Now we need to find the default home gateway. Often this is 192.168.2.1
:: But we'll also search to see if there is a better value to be used.
:: This is to be used as the first hop for non-VPN traffic

set homegw=192.168.2.1


@For /f "tokens=3" %%* in (
   'route.exe print ^|findstr "\<0.0.0.0\>"'
   ) Do @Set "homegw=%%*"

echo Home Gateway is at IP address %homegw%
echo wait .........
pause

:: The loops below may need to be updated to match your specific network needs.
:: A good way to find this is to launch your VPN the normal way - and to see
:: which addresses need to go to your corporate net. Also, once the VPN is
:: launched, the instantproxy.pac file (that is created for you and stored in
:: "%USERPROFILE%\Application Data\Juniper Networks\Network Connect 7.0.0"
:: or equivalent location) may hold some clues.
:: The objective is to make this loop issue the ROUTE command below only for
:: the range of IP address that do NOT need to go to your corp network.

set /a counter=0
:loop_one
set /a counter=%counter%+1
if %counter% ==127 (goto :done_one) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_one
:done_one
set /a counter=127
:loop_two
set /a counter=%counter%+1
if %counter% ==136 (goto :done_two) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_two
:done_two

set /a counter=136
:loop_three
set /a counter=%counter%+1
if %counter% ==198 (goto :loop_three)
if %counter% ==225 (goto :done_three) 

route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 21 IF %interfaceID%

goto :loop_three
:done_three



set /a counter=225
:loop_five
set /a counter=%counter%+1
if %counter% ==240 (goto :done_five) 


route add %counter%.0.0.0 MASK 255.0.0.0 %homegw% METRIC 22 IF %interfaceID%

goto :loop_five
:done_five

route add 192.168.2.0 MASK 255.255.255.0 %homegw% METRIC 15 IF %interfaceID%


Start "" "%PROGRAMFILES(x86)%\Juniper Networks\%VPN_version%\dsNetworkConnect.exe"
echo "wait until VPN client is fully launched and you have logged-in then hit any key.............."
pause

:: Once the client is launched, then kill the instantproxy.pac that is created each time
:: or overwrite it with your own version as needed.

copy /Y "%USERPROFILE%\Application Data\Juniper Networks\%VPN_version%\pacmanproxy.pac" "%USERPROFILE%\Application Data\Juniper Networks\%VPN_version%\instantproxy.pac"



@For /f "tokens=3" %%* in (
   'route.exe print ^|findstr "\< 1 \>"'
   ) Do @Set "VPNgw=%%*"

echo The VPN Gateway is at IP address %VPNgw%

:: route add 198.152.0.0 MASK 255.255.0.0 %VPNgw% METRIC 20 IF %VPNinterfaceID%
:: net use \\192.168.2.2 /USER:Bobby


echo Done - ready to use now
pause
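
Why the /8 routes in the script above take effect even though they carry a higher metric than the VPN's default route, and how an administrator can spot them in a routing table: this is an added example, not part of the original answer. The interface labels, the 10.200.0.1 tunnel gateway and the sample table are constructed; only 192.168.2.1 and the metrics 21 and 15 come from the script.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    iface: str    # interface label such as "lan" or "vpn" (constructed names)
    metric: int

# Address space that is expected to stay on the local adapter.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def route(dest, gateway, iface, metric):
    return Route(ipaddress.ip_network(dest), gateway, iface, metric)

def select_route(table, dst):
    """Route the IP stack would pick: longest prefix first, metric only as tie-breaker."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.dest]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.dest.prefixlen, -r.metric))

def tunnel_bypass_routes(table, tunnel_iface):
    """Non-default routes that send non-local address space out of another interface."""
    flagged = []
    for r in table:
        if r.iface == tunnel_iface or r.dest.prefixlen == 0:
            continue
        if any(r.dest.subnet_of(n) for n in LOCAL_NETS):
            continue  # home LAN / on-link routes are normal
        flagged.append(r)
    return flagged

# Constructed table: full-tunnel default via the VPN plus two routes of the kind the script adds.
SAMPLE = [
    route("0.0.0.0/0", "10.200.0.1", "vpn", 1),
    route("8.0.0.0/8", "192.168.2.1", "lan", 21),
    route("192.168.2.0/24", "192.168.2.1", "lan", 15),
]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "136.10.20.30", "192.168.2.50"):
        print(dst, "->", select_route(SAMPLE, dst).iface)
    for r in tunnel_bypass_routes(SAMPLE, "vpn"):
        print("off-tunnel route:", r.dest, "via", r.gateway, "metric", r.metric)
```

The 8.0.0.0/8 entry wins for 8.8.8.8 despite metric 21 against the tunnel's metric 1, because prefix length is compared before metric; the same property is what makes such routes visible to an audit of the table while the VPN is connected.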