VPN problem

Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

I occasionally use a VPN/RDP connection into work.
All setup using XP (Home SP2) wizard so it shows as a WAN Miniport PPTP connection.
When I first set it up, every time I used it, it disconnected everything else on my laptop from the internet, until I realised (DOH!) that my local LAN and the work LAN were both on 192.168.n.n. So I changed the local LAN to 172.16.n.n (quick and dirty as I couldn't get my head around changing just the subnet mask).
Now when connected to the VPN, my browser, email etc. stay connected but traffic is routed (so far as I can see) via work -- it certainly uses work DNS. This must punch up my traffic a bit and decreases performance. (An irritating side effect is that when I look at various forums they think I've disconnected and reconnected and so don't show me any "posts since last visit".)
Any network gurus care to offer suggestions as to how to get round this or, if not, explain why you can't?

thanks
Paul
18 REPLIES
N/A

VPN problem

I'm not certain that there is a way around it really, since once you connect, your machine becomes part of the work network. Therefore it uses the rules for default gateways etc set by the admins at your work.

Depending on the VPN client you use, there may be options worth exploring - if you use the Windows one, I think you are stuck.

I'd be interested in the answer though if there is a way around it - it'd save me time when downloading etc whilst I'm dialled in.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

Pretty much what I thought too, and just using the Windows RDP client.
I'll happily download any other compatible (free) client if you think it can make a difference. I've a Linux box (Puppy) as well which I've managed to run a VPN app on, but it b*ggers-up the DNS on that machine and I never got the RDP client to work at all ... I probably need a slightly more butch Linux.
IT at work is FM'd and though they're nice, knowledgeable and helpful, they've set this up for me rather as a favour so if there's any config changes needed server-side I'm reluctant to ask.
N/A

VPN problem

You say you are using VPN and RDP; which is it?

If you use RDP you are actually using the PC at work and only passing screen refresh back to your PC, so this should have no bearing on your PC; only software run in the window should use work's DNS etc.

If you are using VPN it should only be the connection which is affected, not the rest of the PC. You don't say if you are on a router or a modem; I assume a router. It could be simply the setting in IE which is set to use dial-up, so it sees the dial-up connection as the main connection and therefore uses its DNS etc. Try setting IE to never dial a connection (unless you are using a modem). Give us the result of ipconfig /all when you are connected to the VPN.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

Quite a few things to respond to:
1. I understand the principles of remote control. A "VPN" was set up using the M$ networking wizard which connects me into the work LAN via a public (212.something) IP; then the RDP connection is made to an internal IP (192.something).
(Remember I didn't design this, I voz only following orders). So the terminal server that I'm logging onto has no public IP (we're largely set up with thin clients internally so what I'm doing is reflecting our internal LAN architecture).
2. Modem/router (DrayTek 2800VG and I was instructed to allow PPTP passthrough). The DrayTek has plenty of VPN capabilities but they are not being used for this arrangement.
3. IE6 is set to Never Dial.
4. IPCONFIG & NSLOOKUP (latter rather interesting)
Quote

Host Name . . . . . . . . . . . . : Computer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : disguised.domain.name
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-00-00-00-00-00
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 172.16.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.0.1
DHCP Server . . . . . . . . . . . : 172.16.0.1
DNS Servers . . . . . . . . . . . : 212.159.13.49
212.159.13.50
Lease Obtained. . . . . . . . . . : 17 January 2007 07:41:10
Lease Expires . . . . . . . . . . : 20 January 2007 7:41:10
PPP adapter WORK:
Connection-specific DNS Suffix . : disguised.domain.name
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.111
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.1.111
DNS Servers . . . . . . . . . . . : 192.168.1.5
192.168.1.6
192.168.1.5
192.168.1.6
NetBIOS over Tcpip. . . . . . . . : Disabled
bin>nslookup portal.plus.net
*** Can't find server name for address 212.159.13.49: Query refused
*** Can't find server name for address 212.159.13.50: Query refused
Server: xx.yy.zzz.disguised.domain.name
Address: 192.168.1.5
Non-authoritative answer:
Name: portal.plus.net
Address: 212.159.8.137

Obviously I've changed a few things to protect security.
N/A

VPN problem

The thing is, once you connect via VPN, the rest of your own network becomes completely transparent, and your machine acts as if it were one plugged into the wall at work.

(Ignore for the minute the fact that once connected you use RDP; it's a bit of a red herring as far as this issue is concerned.)

It's designed to work this way so that everything works as if you were connected to the network itself.

Supposing for example that you have an Intranet site, which is http://<SERVERNAME>/<DEPTNAME>/home.htm

If your browser tried to look this up on the internet, it would clearly fail - hence it needs to always use your internal network structure for resolving DNS.

(Equally if your machine tried to look up your RDP server on the internet, it would fail)

The only way around it is to separate the two somehow:

One thing which may well be worth your company considering the purchase of is an SSL VPN box.

Sonicwall do a version which you can explore the functionality of online ( https://sslvpn.demo.sonicwall.com/cgi-bin/portal )
It's a good solution for businesses, as they no longer need to allow other users' computers to join the LAN - the whole thing runs through a web browser.
Using this type of hardware, the problem goes away immediately - your RDP session runs in a similar way to how it works now (i.e. in a window) but because it's only that window connected to your work servers, everything else on your machine operates as it would without having a VPN session open.

The demo has a restricted window size, as obviously they are concerned about bandwidth use on a demo site, but it can be configured to allow different size windows.

As well as the RDP sessions, the first menu after logging in is configured by your admins, who can add network share links, Intranet sites etc. onto it if desired. Any irrelevant stuff for your organisation can be ditched.

They start at about £400 for one which will support around 10 clients (will support unlimited, but performance won't be great with more than 10) after that you can leap up to around £1500 for one which will support more sessions.

If you want to buy one, get in touch - I get commission.
(That's a joke, but I just realised I did a bit of a sales job on them - most IT resellers will be able to sort you [your IT guys] out.)
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

A very comprehensive answer! Sadly for the 5 minutes a day I spend using it £400 is a bit cost-ineffective to say the least.

Weirdly until about 10 years ago I used to design and consult on messaging, LANs and remote access solutions. Since then almost every scrap of knowledge I ever had has been displaced ... but I'm quite enjoying learning again, and I appreciate the effort you (and Mark) have made.
N/A

VPN problem

If you fancy playing a bit, you could try VMWare. It's not something I've gotten round to playing about with yet, so I don't know if it will achieve the right result.

I think the idea is that you install it on your machine, and you can create virtual machines within your single machine.

Perhaps that would allow a virtual machine to have its connections/gateways etc defined by your LAN over the VPN, but also leave you with your actual machine and all its config as you would like it.

As I say, not played yet, but if you have the time and fancy trying something a little different, it might be worth it.

(I'd be interested in any feedback you could give on it if you do try it.)

http://www.vmware.com/products/player/

Perhaps have a read and see what you think?
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

That's an inspired thought.
I've actually had that downloaded for a while, but haven't got round to installing it as I didn't want to bloat my already-overloaded-with-test-installs XP box any more, and I couldn't think of a good use for it anyway.
I'm hoping to have a new Linux box soon so when that arrives I might give it a go.
N/A

VPN problem

LOL, I'm OK at inspired thoughts, just not too hot on the inspired actions yet.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

you talk it, i'll walk it
N/A

VPN problem

Can't work. Simple: open the RDP port, then you go straight in with no messing about. This works well and you can copy files to your PC, print to your PC etc.
N/A

VPN problem

But if the company is unwilling to open the RDP ports to the net, the only way to connect to the network is via a VPN connection. Only once connected to the LAN by VPN can the RDP session be launched. (Which is the whole crux of the problem.)
Community Veteran
Posts: 26,529
Thanks: 766
Fixes: 9
Registered: 10-04-2007

VPN problem

I've solved this in the past using the standard windows VPN. What you need to do is change the routing tables on your PC so that only the IP addresses on the remote network go through the VPN gateway and everything else goes through the usual gateway.

It's a long time since I did this and I'm now using FortiClient for my VPN in which you specify the remote network IP and mask.

I remember a painful long time playing with route (from the command prompt) before I got it right. You have to set up persistent routes so that each time you connect the VPN is remembered. Also if you get different IPs assigned when you connect the VPN you have to set up the routing each time until you have saved persistent routes for all the possible IPs.

Here is my current routing table which may help you see how it works and what you need to do (10.10.10.15 is my currently assigned IP - I think 10.10.10.16 was probably my previous IP).


C:\Documents and Settings\John>route print

==============================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0f 1f 9b 02 53 ...... Intel(R) PRO/1000 MT Network Connection - Packet Scheduler Miniport
0x3 ...00 09 0f fe 00 01 ...... Fortinet virtual adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.104      20
        10.10.0.0      255.255.0.0      10.10.40.15      10.10.40.15      20
        10.10.0.0      255.255.0.0      10.10.40.16      10.10.40.15       1
      10.10.40.15  255.255.255.255        127.0.0.1        127.0.0.1      20
   10.255.255.255  255.255.255.255      10.10.40.15      10.10.40.15      20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      169.254.0.0      255.255.0.0    192.168.0.104    192.168.0.104      30
      192.168.0.0    255.255.255.0    192.168.0.104    192.168.0.104      20
    192.168.0.104  255.255.255.255        127.0.0.1        127.0.0.1      20
    192.168.0.255  255.255.255.255    192.168.0.104    192.168.0.104      20
    192.168.100.0    255.255.255.0      10.10.40.16      10.10.40.15       1
        224.0.0.0        240.0.0.0      10.10.40.15      10.10.40.15      20
        224.0.0.0        240.0.0.0    192.168.0.104    192.168.0.104      20
  255.255.255.255  255.255.255.255      10.10.40.15      10.10.40.15       1
  255.255.255.255  255.255.255.255    192.168.0.104    192.168.0.104       1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
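
The routing behaviour discussed in this thread, as an added example that is not part of any post: a small model of route selection (longest matching prefix, then lowest metric) comparing a table whose default route points at the VPN with one that sends only the work range through it. Addresses come from the ipconfig output earlier in the thread; the metrics, the assumption that the work LAN is 192.168.1.0/24, and the VPN server address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

def route(cidr, gateway, iface, metric):
    return {"net": ipaddress.ip_network(cidr), "gw": gateway,
            "iface": iface, "metric": metric}

def pick_route(table, dest):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in table if ip in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def egress(table, dest):
    r = pick_route(table, dest)
    return r["iface"] if r else None

def is_full_tunnel(table, vpn_iface):
    """True when the winning default route leaves through the VPN adapter."""
    defaults = [r for r in table if r["net"].prefixlen == 0]
    return bool(defaults) and \
        min(defaults, key=lambda r: r["metric"])["iface"] == vpn_iface

# Constructed tables: metrics, the /24 work range and 203.0.113.10 are assumed.
COMMON = [
    route("172.16.0.0/24", "172.16.0.10", "Wireless", 20),   # home LAN, on-link
    route("203.0.113.10/32", "172.16.0.1", "Wireless", 20),  # PPTP server itself
    route("192.168.1.0/24", "192.168.1.111", "WORK", 1),     # work LAN via VPN
]
FULL_TUNNEL = COMMON + [
    route("0.0.0.0/0", "192.168.1.111", "WORK", 1),          # default via VPN
    route("0.0.0.0/0", "172.16.0.1", "Wireless", 21),
]
SPLIT_TUNNEL = COMMON + [
    route("0.0.0.0/0", "172.16.0.1", "Wireless", 20),        # default stays local
]

def compare(dests):
    """Map each destination to (full-tunnel egress, split-tunnel egress)."""
    return {d: (egress(FULL_TUNNEL, d), egress(SPLIT_TUNNEL, d)) for d in dests}

if __name__ == "__main__":
    # Work DNS, portal.plus.net, home router, VPN server
    targets = ["192.168.1.5", "212.159.8.137", "172.16.0.1", "203.0.113.10"]
    for dest, (full, split) in compare(targets).items():
        print(f"{dest:15} full={full:9} split={split}")
```

Routing only decides the path: name lookups still go to whichever DNS servers the adapters list, and 192.168.1.5 stays reachable through the WORK route in both tables.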
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

VPN problem

Grrr forum not sending me emails even tho' I'm watching this topic! (Another thread, I know, I know.)

Thanks jelv. I had wondered very vaguely about static routing but this looks like an answer. (Easier than trying a Linux solution, which looks like I would have to blow the dust off a compiler.)

I'll have a fiddle and report back.

paul