VPN Routing Question

Crashsector

Hello again all. I've been pondering something for a while.

I have a SBS2003 server at work and I use the Windows VPN to work on our database and such from home. The VPN itself works very well. I noticed something that made me think though. When connected to the VPN, all web traffic from my home computer gets routed through the server at work.

I know this is probably the fundamental idea behind VPN tunneling, but it makes things quite slow for me since I have lower bandwidth at work than at home.

Is there any way to route traffic with a VPN connection to work so that only the traffic that needs to access resources at work (Windows file shares, Sybase DB connections, etc.) goes through the server at work?

If you don't believe me or are confused, here's a tracert from my home computer when connected over the VPN:

Code:
C:\Documents and Settings\ajuskelis.INVERNESS>tracert google.com

Tracing route to google.com [72.14.207.99]
over a maximum of 30 hops:

  1   745 ms    77 ms   148 ms  192.168.1.122
  2   308 ms   436 ms   780 ms  192.168.1.1
  3   771 ms   131 ms   828 ms  <masking my work host> [66.xx.xx.xx]
  4   345 ms   425 ms   774 ms  220.ge-0-1-0.cr2.wdc1.speakeasy.net [69.17.83.45]
  5   648 ms   155 ms   884 ms  eqixva-google-gige.google.com [206.223.115.21]
  6   749 ms   795 ms    84 ms  216.239.49.248
  7   588 ms    37 ms    38 ms  72.14.236.178
  8   115 ms    55 ms   110 ms  66.249.95.122
  9   400 ms   108 ms   769 ms  72.14.238.233
 10   177 ms   488 ms   452 ms  66.249.94.234
 11   404 ms   672 ms   240 ms  72.14.236.181
 12   103 ms   797 ms   666 ms  72.14.236.130
 13   581 ms   796 ms   691 ms  66.249.94.78
 14   559 ms   453 ms  1081 ms  72.14.207.99

Trace complete.

C:\Documents and Settings\ajuskelis.INVERNESS>

Thanks in advance!
 
This is called split tunneling if I remember correctly, and a lot of VPN concentrators don't allow it. I am not sure if SBS does or not.

EDIT: Why is traffic reaching your gateway so slow? You shouldn't have a several-hundred-millisecond ping to your gateway.
 
It's called "Split Tunneling" and SBS allows it.

If working over a VPN is slow, why not just use RDP and connect to a local workstation on the LAN of the SBS network?
 
Split tunneling can be a significant security risk, but if you're the administrator of the VPN and you want to use your gateway, and your VPN server is set up to allow split tunneling, you can uncheck "use remote gateway" in the advanced section of your VPN client connection. That is, if you're using a Windows DUN/VPN client to connect.
 
ktwebb said:
Split tunneling can be a significant security risk

Echo the above to infinity.

Imagine you have a trojan on your PC, attacker connects to your PC from your Net connection (Cable, DSL, whatever) then uses your VPN connection into the business to attack the systems there.
 
In the advanced TCP/IP settings for the Windows client VPN connection there is a checkbox for "Use default gateway on remote network".

Uncheck it and it should fix your problem.
 
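Added example, not from any post in this thread: the PowerShell equivalent of unchecking "Use default gateway on remote network", followed by a check that only work-bound traffic actually uses the tunnel. It assumes a Windows 8.1 / Server 2012 R2 or later client (the VpnClient cmdlets did not exist on the XP/SBS2003-era client the thread is about), a VPN connection named "Work", and an office subnet of 192.168.10.0/24; the connection name and subnet are constructed for the example, the thread never gives them.

```powershell
# Added example (not from the thread). Turns on split tunneling for a Windows
# VPN connection, adds a route for the office subnet, and checks which interface
# Windows will use for an office host versus an Internet host.
# Assumptions (constructed for this example): connection "Work", office subnet
# 192.168.10.0/24. Run from an elevated prompt; the route change needs admin.

$ConnectionName = 'Work'
$OfficePrefix   = '192.168.10.0/24'

# 1. Stop using the VPN server as the default gateway. This is the cmdlet
#    equivalent of unchecking "Use default gateway on remote network".
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. With split tunneling on, only the tunnel's own subnet is routed into it.
#    Add the office prefix so file shares and the Sybase DB still go via the VPN.
#    Takes effect the next time the connection is dialed.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $OfficePrefix

# 3. Which interface carries traffic to a given destination? Find-NetRoute returns
#    the chosen source address and the matching route; keep only the route object.
function Get-EgressInterface {
    param([Parameter(Mandatory)][string]$RemoteIP)
    $route = Find-NetRoute -RemoteIPAddress $RemoteIP | Where-Object { $_.DestinationPrefix }
    (Get-NetIPInterface -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4).InterfaceAlias
}

# Office host should resolve to the VPN interface, the Google address from the
# tracert in the thread should resolve to the home NIC.
"192.168.10.5 (office host) -> {0}" -f (Get-EgressInterface -RemoteIP '192.168.10.5')
"72.14.207.99 (google.com)  -> {0}" -f (Get-EgressInterface -RemoteIP '72.14.207.99')

# 4. Sanity check: no 0.0.0.0/0 route may point at the VPN interface while connected.
$vpnIf = Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($vpnIf -and (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
        Where-Object InterfaceIndex -eq $vpnIf.ifIndex)) {
    Write-Warning 'Default route still goes through the VPN; split tunneling is not in effect.'
}
```

Run the verification part while the VPN is up. The two `Get-EgressInterface` lines should name different interfaces; if both name the VPN connection, the default route is still going through work and the tracert in the first post will look the same as before. The warning at the end is the practitioner's check for exactly that. Keep in mind the point raised later in the thread: once the home PC has a direct Internet path and a tunnel into the office at the same time, it can relay between them, so the host firewall stays on and the connection is only up while it is actually in use.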
Malk-a-mite said:
Echo the above to infinity.

Imagine you have a trojan on your PC, attacker connects to your PC from your Net connection (Cable, DSL, whatever) then uses your VPN connection into the business to attack the systems there.
Thanks for pointing that out. I had not thought of it that way. It seems that in case of split tunnelling, I should make sure that the non-VPN connection is as safe as the VPN, huh?
 
RDC makes it difficult when working with large SQL queries (very laggy), and I don't have a spare workstation to connect to at work (all being used by other people).

I'll give that option a try. Thanks guys!

P. S.: Latency was so high because I was transferring a 300MB database from work to here when running that tracert.
 
Crashsector said:
RDC makes it difficult when working with large SQL queries (very laggy), and I don't have a spare workstation to connect to at work (all being used by other people).

I'd imagine SQL queries over a VPN would be slower as compared to working from a local workstation on the server side, but that's just been my experience.
 
Crashsector said:
RDC makes it difficult when working with large SQL queries (very laggy), and I don't have a spare workstation to connect to at work (all being used by other people).

It shouldn't be...what were you RDC'ing into?
 
I think he's talking graphically...

When RDCing, graphics update through transferred compressed images. I don't feel comfortable doing a lot of work remotely either: too slow, and if you type fast, depending on the speed/reliability of the network, sometimes the typing is switched around.

Also, if your office is managed by someone else, have fun getting them to forward a port to that box for your RDC.
 
goodcooper said:
also, if your office is managed by someone else, have fun getting them to forward a port to that box for your rdc

SBS2K3 handles that with its portal...makes it easy for everyone.
 
The option to use the remote gateway, while buried quite well, did work. Thanks for the help guys.

To answer some questions...

The primary reason I don't like RDC is because, like I stated before, all of the workstations at work are in use from 5:30AM until 10PM/12AM (retail sucks).

Secondly, the issue with large SQL queries was graphical. It may take only .04 seconds to pull up 14,000 rows, but imagine scrolling through them when my upload at work is 384Kb/s and is under stress already from other users.

I appreciate the security warnings. The most important thing to note is that I will only have the VPN connection active when I'm doing work, a practice I've gotten my boss into as well.

Thanks!
 
Crashsector said:
Secondly, the issue with large SQL queries was graphical. It may take only .04 seconds to pull up 14,000 rows, but imagine scrolling through them when my upload at work is 384Kb/s and is under stress already from other users.

As a side note, you could try adjusting the RDP properties when you connect. IOW, try scaling down the color scheme a bit, disable background wallpaper, don't connect remote drives or printers etc., in an attempt to get better response.

384K *should* be fine, but without knowing how hard your internet connection is being hit during the day makes it a tad bit difficult to say if the above will work for you or not.
 
384K is more than fine....you can tweak RDC so it'll run on a 28.8 modem and still be functional. Look at that "experience" tab under RDC properties.

If this is a full time thing (you mentioned retail...assuming you're talking about a retail point of sale WAN)....I'd seriously look at setting up a dedicated XPpro box to be your full time RDC host...just get a little small form factor box with 512 megs of RAM and run it tucked in a corner next to your server. POS or inventory...this is important, I'd make smooth function of it a priority.

Also take a peek at how your remote access is set up: either a router-to-router VPN tunnel, or do you software-VPN connect to your SBS service? If software, I'd recommend a hardware approach, and some routers can be set to guarantee a higher percentage of the bandwidth to the VPN tunnel...that way if some users like to sit there and listen to media player online...they get lesser priority, and don't butcher your bandwidth.
 