Windows – Can’t change routes with VPN Client

vpnwindows

My VPN connection forces all internet traffic through the tunnel, and that's very slow. I want to be able to tunnel only certain IP addresses, and to do that at my side (client-side).

I'm connecting to a VPN with FortiSSL Client, the route table looks like this before a connection is established:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.101     40
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.101    276
    192.168.0.101  255.255.255.255         On-link     192.168.0.101    276
    192.168.0.255  255.255.255.255         On-link     192.168.0.101    276
    192.168.119.0    255.255.255.0         On-link     192.168.119.1    276
    192.168.119.1  255.255.255.255         On-link     192.168.119.1    276
  192.168.119.255  255.255.255.255         On-link     192.168.119.1    276
    192.168.221.0    255.255.255.0         On-link     192.168.221.1    276
    192.168.221.1  255.255.255.255         On-link     192.168.221.1    276
  192.168.221.255  255.255.255.255         On-link     192.168.221.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.119.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.221.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.0.101    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.119.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.221.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.0.101    276

After connecting it looks like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.101   4265
          0.0.0.0          0.0.0.0         On-link        172.16.0.1     21
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
       172.16.0.1  255.255.255.255         On-link        172.16.0.1    276
      192.168.0.0    255.255.255.0         On-link     192.168.0.101   4501
    192.168.0.101  255.255.255.255         On-link     192.168.0.101   4501
    192.168.0.255  255.255.255.255         On-link     192.168.0.101   4501
    192.168.119.0    255.255.255.0         On-link     192.168.119.1   4501
    192.168.119.1  255.255.255.255         On-link     192.168.119.1   4501
  192.168.119.255  255.255.255.255         On-link     192.168.119.1   4501
    192.168.221.0    255.255.255.0         On-link     192.168.221.1   4501
    192.168.221.1  255.255.255.255         On-link     192.168.221.1   4501
  192.168.221.255  255.255.255.255         On-link     192.168.221.1   4501
   200.250.246.74  255.255.255.255      192.168.0.1    192.168.0.101   4245
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link     192.168.119.1   4502
        224.0.0.0        240.0.0.0         On-link     192.168.221.1   4502
        224.0.0.0        240.0.0.0         On-link     192.168.0.101   4502
        224.0.0.0        240.0.0.0         On-link        172.16.0.1     21
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link     192.168.119.1   4501
  255.255.255.255  255.255.255.255         On-link     192.168.221.1   4501
  255.255.255.255  255.255.255.255         On-link     192.168.0.101   4501
  255.255.255.255  255.255.255.255         On-link        172.16.0.1    276

The VPN client puts a catch-all route with a lower metric than all of my other routes and this routes all internet traffic through the tunnel.
I tried changing my default internet route's metric to a lower value:

C:\Windows\system32>route change 0.0.0.0 mask 0.0.0.0 192.168.0.1 metric 10 if 13
OK!

But nothing changed.

Then I tried deleting the VPN's "catch-all" route, the one with metric 21 above:

C:\Windows\system32>route delete 0.0.0.0 mask 0.0.0.0 if 50
OK!

And it broke everything:

C:\Windows\system32>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
PING: transmit failed. General failure.

I tried changing the metric on the adapters as well, but the FortiSSL Client overrides all settings when it connects, so it didn't help.

The fix must come from my side, as the folk on the other side take days to respond.

I'm running Windows 7 x64 if that helps.

— UPDATE (2013-12-24) —

Thanks to mbrownnyc's tip, I examined the issue with Rohitab and found out FortiSSL Client watches the routes table with the NotifyRouteChange IP Helper API call.

I set a breakpoint before NotifyRouteChange calls and used the option "Skip Call" to sucessfully prevent FortiSSL from resetting route metrics, and I now have:

Routes with metrics favoring my Wifi adapter

Yet when I run tracert my route still goes out through the VPN:

C:\Windows\system32>tracert www.google.com

Tracing route to www.google.com [173.194.118.83]
over a maximum of 30 hops:

  1    45 ms    47 ms    45 ms  Jurema [172.16.0.1]

Is there any aspect of windows networking I'm not aware of that can favor a certain route even if route print's metrics say otherwise?

Best Answer

Note that I am not using regular networking notation for addressing here (such as CIDR or even host/mask notation, as not to confuse the asker).

Instead of deleting your "default gateway" route (0.0.0.0 mask 0.0.0.0) so that your network stack has no idea where to send most packets, try to raise the metric of the VPN route below that of your default route (in this case 4265).

After connecting with the Fortigate client:

route change 0.0.0.0 mask 0.0.0.0 172.16.0.1 metric 4266 if N

Where N is the interface number for the fortissl interface returned at the beginning of route print.

The networking stack should treat this properly:

The route that "includes the destination addresses" will handle the packets (the route tells the network stack to send packets destined for this IP to this gateway for further routing).
All packets with a destination IP 172.16.*.* will be sent to the VPN; because the Windows network stack knows that if there's an address attached to an interface, then that interface is how you access other IPs on in that address range. I can get more explicit with the range if you post the "Subnet Mask" for the 172.16.0.1.

You must determine the IP addresses of resources you need access to over the VPN. You can do this easily by using nslookup [hostname of resource] when connected without having adjusted the routes.

[rant]

I have no problem with allowing split-tunneling over VPN, particularly because of the usage issue you cite. If your IT department considers split-tunneling a security mechanism, they need to rethink what they are doing:

VPN clients' access to resources should be isolated and heavily restricted as if they are being accessed via the Internet (because assets where you don't assert complete control present higher risk than assets where you can assert some).
They should integrate a network access control mechanism for VPN clients. This could allow them to enforce some policies on the client machines (such as "are anti-virus definitions up to date?", etc etc).
Consider using a rigid solution like the Fortigate SSL VPN Virtual Desktop (which is fairly easy to configure and free [me thinks] with the SSL VPN license).

[/rant]

Part 1. Output of locally-generated (outbound connection) packages.

Mark outgoing locally generated packages with connection-specific mark for future rerouting with different rt_table.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp --dport Y -m owner --uid-owner 100Z -j CONNMARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp --dport Y -m owner --uid-owner 100Z -j CONNMARK --set-mark 2

Translate connection-specific markers to package-specific markers.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j MARK --set-mark 2

Save marker for further restoring it for all tracked connections. This can be implemented in NAT POSTROUTING table only - it's just a precaution to not loose markers after connection traverse the routing table.

/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p tcp -m owner --uid-owner 100Z -m tcp --dport Y -m connmark ! --mark 0 -j CONNMARK --save-mark
/sbin/iptables -t mangle -A OUTPUT -s 192.168.XXX.XXX -p udp -m owner --uid-owner 100Z -m udp --dport Y -m connmark ! --mark 0 -j CONNMARK --save-mark

Normally connection-specific markers should be saved after packages rerouted and reached NAT POSTROUTING table

/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j CONNMARK --save-mark
/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j CONNMARK --save-mark

Replace source with proper VPN-related local address for tun0 interface.

/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p tcp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j SNAT --to-source 10.???.???.???
/sbin/iptables -t nat -A POSTROUTING -s 192.168.XXX.XXX -o tun0 -p udp --dport Y -m owner --uid-owner 100Z -m connmark --mark 2 -j SNAT --to-source 10.???.???.???

Part 2. Input of connections related to locally-generated (outbound connection) packages.

Restore connection-related markers for input packets before they go to the routing table.

/sbin/iptables -t mangle -A PREROUTING -i tun0 -p tcp -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A PREROUTING -i tun0 -p udp -j CONNMARK --restore-mark

Part 3. Optional optimization

Other than above rules there is a strong desire in optimizing marking process to prevent or minimize redundant and repeated checks with marking. The most general approach for this task is to distinguish rules between NEW and RELATED,ESTABLISHED connection and use below template for optimal remarking already marked connections: * Restore old markers (you probably won't do this for NEW connections because they are obviously wasn't marked earlier):

/sbin/iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark

Skip already marked connections:

/sbin/iptables -A OUTPUT -t mangle -m mark ! --mark 0 -j ACCEPT

Mark new (usually marking only NEW connection should be enough) connections:

/sbin/iptables -A OUTPUT -m mark --mark 0 -p tcp --dport 21 -t mangle -j MARK --set-mark 1
/sbin/iptables -A OUTPUT -m mark --mark 0 -p tcp --dport 80 -t mangle -j MARK --set-mark 2

Mark other packages with a "dummy" marker (that is not used anywhere else at all):

/sbin/iptables -A OUTPUT -m mark --mark 0 -t mangle -p tcp -j MARK --set-mark 3

Finally save markers:

/sbin/iptables -A OUTPUT -t mangle -j CONNMARK --save-mark

NOTE: the above settings are not a mandatory part of netfilter configuration for split tunnel - it is just a template (i.e. proper suggestion) for the way to minimize redundant filter checks. It also can be POSTROUTING instead of OUTPUT, but only one place is recommended for markings, do not need to implement it twice.

Part 4. Create table aliases in rt_tables.

echo 2 vpn >/etc/iproute2/rt_tables
echo 3 novpn >/etc/iproute2/rt_tables

Part 5. Configuring routing tables for VPN connections.

This is a standard configuration for VPN that allows to redirect all local sources (0.0.0.0/1 and 128.0.0.0/1 subnets include the whole IP range for local addresses) and also provides backward compatibility for returning packages (i.e. the "default" route).

Table with VPN connection

ip route flush table vpn
ip route add 10.???.???.(???+1) dev tun0 src 10.???.???.??? table vpn
ip route add 0.0.0.0/1 dev tun0 via 10.???.???.(???+1) table vpn
ip route add 128.0.0.0/1 dev tun0 via 10.???.???.(???+1) table vpn
ip route add 192.168.0.0/16 src 192.168.XXX.XXX dev eth0 table vpn
ip route add default via 192.168.XXX.1 dev eth0 table vpn

The other table called "novpn". It's goal to provide direct routing bypassing VPN connection.

ip route flush table novpn
ip route add 192.168.0.0/16 src 192.168.XXX.XXX dev eth0 table novpn
ip route add default via 192.168.XXX.1 dev eth0 table novpn

Part 6. Configuring routing rules (it is better to follow rule order below)

ip rule add from all lookup novpn
ip rule add from all fwmark 2 lookup vpn
ip rule add from 10.XXX.XXX.XXX lookup vpn

Part 7. Final steps

Now it is time to flush main routing table (there is no need for it while split tunnel is working):

ip route flush table main

The last step in configuration is to enable IP forwarding and dynamic IP addresses for sockets (client application connections) in Linux kernel:

echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/ip_dynaddr

Now we can launch OpenVPN client with "--route-noexec" and/or "--ifconfig-noexec" (whether you already know or still not receive push message from VPN server with your tun0 interface configuration) parameters. If there are troubles with tun0 addresses - it is better to not use "--ifconfig-noexec" and let OpenVPN client set tun0 addresses for you. After that you just need to delete some old rules from "ip route" and "/sbin/iptables" and replace them with similar ones containing proper tun0 addresses (refer to all lines with 10.XXX.XXX.XXX or 10.XXX.XXX.(XXX+1) from above).

openvpn --config ./<your_config>.ovpn --route-noexec --ifconfig-noexec --auth-nocache

Those are only rules for outbound connections. The main difference between inbound and outbound configurations: inbound rules should be implemented mostly in "mangle" table, not "nat", and vice-verse for outbound as shown above. There is an exception - for output of both locally-generated (outbound) and answered (inbound connection) packages rules must be placed in "mangle" table due to netfilter architecture implementation (for some reason "nat" table will intercept packages only after the rerouting procedure - consult Wikipedia netfilter graph or netfilter official documentation).

Networking – pfSense 2.1 OpenVPN client not using tunnelled interface

Normally, you must provide an instruction to forward IPv4 traffic from the LAN to the new interface which the VPN provides, be it tun0 or tap0.

I am way too rusty with pf to try and suggest how to do it. With iptables you would use this command:

 iptables --table nat --append POSTROUTING --out-interface tap0/tun0 -j MASQUERADE

I hope this will provide a push in the right direction, even though this is not a solution.