How To Keep My Local Network When Joining A VPN

Adam

So here's my issue.

I'm on a domain here at my office. I have files stored on my server I need to access (client info). When I need to troubleshoot a client's system, I log on to their VPN and now I can access their server to do work. However, I no longer have access to my own network, because I'm on their VPN.

What can I do to keep local access to my own network when I'm on their VPN? Is installing a 2nd network card possible, and if so, how would I handle the VPN/local access, via the route command in DOS??
 
Sounds like the subnet of their network you VPN to is the same as your local network. If that is the case it will never work. Once you log on to the VPN, Windows will route all traffic to that subnet through the VPN gateway.

If you are going to be using VPN to help clients out, get your local LAN off the default 192.168.1.X subnet. I like to use the 172.16.0.X range as almost no other networks use it.
 
Split tunnel. Are the IP schemes similar on both sites? IE, both on 192.168.1.x ? That will be an issue as well.
 
Nope, both are different. We're 192.168.0.xxx and they are in the 10.xxx range. They are also on a 255.255.255.240 subnet it seems for the most part and we're 255.255.255.0.

When we join their VPN (using the Nortel Network VPN client, Cisco systems they use I believe) we also join their access policy so we can't access certain websites either, not as problematic as being able to browse my local LAN.

I thought if I can install a 2nd network card, and dedicate that to my network, maybe the VPN join will only use the other card. I'd give my computer 2 local IPs on my network so when it takes over one, it still uses my other? That was my thought, wanted to ask around before I took my PC apart.
 
Sounds like the VPN is set up to not allow split tunneling. Possibly for security reasons. Are you their IT vendor as well or just Surveillance?
 
You can do a couple of things. One has to be performed on the server side though.
1) Split-tunneling:
This will allow you to have two IP addresses assigned to your machine. One IP address will be from the VPN server side and the other would be from your home network router/DHCP (whatever). Any data sent to the VPN side (file sharing, etc.) will go through the tunnel and any data (such as internet browsing, etc.) will go directly to your ISP and NOT through the tunnel.
There are places that allow you to ONLY go through their tunnel so that they can monitor your connections and enforce policies they have in place to control traffic.

2) Use a VM session. If you use a VM through VM Workstation or similar, run your VPN stuff on that VM and only it will use the tunnel if you aren't able to do split-tunneling. Your computer session that's not in the VM will use your local network like always. It's like using two different computers because the network card doesn't care what's going through it data wise and how it's connected (via VPN or not), it just forwards the data on to the next hop.

Personally, I use a VM for anything like that so I don't have to worry about the VPN server side peering in through the connection for anything. If that happens, it stops at the VM and doesn't have access to my actual system through the hypervisor.
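The route selection discussed in the posts above (same-subnet clash, split tunnel, tunnel-only), as an added example that is not part of any post in this thread. It models the longest-prefix, lowest-metric choice a host makes; the route tables, metrics and interface names are constructed, and 10.0.0.0/28 is an assumed stand-in for the client's "10.xxx" network.

```python
import ipaddress

def pick_route(dest, routes):
    """Longest matching prefix wins; ties go to the lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["net"])]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r["net"]).prefixlen,
                                    -r["metric"]))

def egress(dest, routes):
    """Interface name the packet leaves on, or None if nothing matches."""
    route = pick_route(dest, routes)
    return route["iface"] if route else None

def overlaps(a, b):
    """True when two subnets share addresses (the clash case in the thread)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

# Constructed tables: the office LAN from the thread plus its default route.
OFFICE = [
    {"net": "192.168.0.0/24", "iface": "lan", "metric": 20},
    {"net": "0.0.0.0/0", "iface": "lan", "metric": 20},
]
# Split tunnel: the VPN adds only the client's subnet (assumed 10.0.0.0/28).
SPLIT_TUNNEL = OFFICE + [{"net": "10.0.0.0/28", "iface": "vpn", "metric": 1}]
# Tunnel-only: the VPN also adds a default route with a better metric.
FULL_TUNNEL = SPLIT_TUNNEL + [{"net": "0.0.0.0/0", "iface": "vpn", "metric": 1}]
# Both sites on the same default subnet: the VPN route shadows the LAN route.
SAME_SUBNET = [
    {"net": "192.168.1.0/24", "iface": "lan", "metric": 20},
    {"net": "192.168.1.0/24", "iface": "vpn", "metric": 1},
]

if __name__ == "__main__":
    tables = [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL), ("clash", SAME_SUBNET)]
    for name, table in tables:
        for dest in ("192.168.0.10", "192.168.1.50", "10.0.0.5", "8.8.8.8"):
            print(f"{name:6} {dest:14} -> {egress(dest, table)}")
```

In the tunnel-only table the model still sends 192.168.0.10 out the LAN interface, because the on-link /24 is more specific than the VPN default route; a client that forbids local LAN access enforces that itself, which this model does not cover.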
 
I've never even thought of using a VM for that kind of stuff.... good thing to keep in mind.
 
Is this a PPTP? Go under the VPN properties -> Network tab -> IPv4 properties -> Advanced. Uncheck the box "Use default gateway on remote network".

*edit* I missed the part where you are using a 3rd party VPN client. This was assuming you were using the Windows VPN. You can ask the client if there is a similar option in the 3rd party software (or ask the software vendor). But like others said, this may be a policy on their end to protect their internal network from external/untrusted computers on their VPN.
 
A lot of corporate VPNs do not allow split tunnel. Running the VPN client from a VM is your best bet.
 
Hmm, never thought of VMware either. I tried the built-in Windows 7 XP Mode thing, but it never worked right. I'll try VMware.
 
This is what I do. We have many customers and many VPN solutions. I don't like to fill my laptop up with every single client out there. We run "support VMs" at the office. We have two. I RDP to a VM and then sign on to VPN from there.

There is 1 VPN that detects I'm in an RDP session and doesn't allow it. :mad: I have no choice but to run it from my PC.
 
Try VNC instead of RDP, or if you have access then just straight up VMware console.
 
Interesting thought... see, we're looking for a solution as well. We have maybe 3-4 VPNs we jump on for different clients. I'm the only one who really has them ALL on my system (except 1, and the guy next to me has that).

Problem was I run x64 of Windows 7 and one VPN doesn't have a client for it, so the guy next to me runs x32 of Windows 7, no problems.

Sooo what I'll do now is I'll throw a server in our rack, RDP into that and then launch the VMware to connect to the various networks. Or I'll just copy each of the VMware images to the support guys so they can work from their desktops. This way we're all using the same exact OS version for the VPNs and we know it works.

I just tried this on my PC. I have Windows 7 x64 but installed a VMware Windows 7 x32 and the VPN worked, I could go back/forth very easily, so it'll work out great.
 
I was having issues with a Cisco VPN client we were sent. We're not Cisco providers so we couldn't just download anything. But it wouldn't run on my 64-bit machine, ran in the 32-bit machine just fine. I have AnyConnect for one client installed but then this regular Cisco client, no good, and the client wouldn't really help us much on getting a newer version.
 
Which VPN client doesn't offer 64-bit?

Older versions of Cisco VPN Client won't work with x64. I believe you have to be using the Anyconnect versions for it to work. Based on most of the replies I've been reading it seems like a VM workstation would be your best bet. Do you need the ability to transfer files from one network to another? Which I believe would still be possible with VMware.
 
Since it's for your local home network... why don't you:

Edit your LMhosts file and add your local network PCs.

Just remember to enable LMhosts in TCP/IP on your network adapter.
 