DNS and Split Tunneling for VPN?

Discussion in 'Server Networking' started by Andrew, Jul 19, 2007.

  1. Andrew

    Andrew Guest

    Ok I was following the guide found here,
    http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx, to
    setup split tunneling for our VPN connections.

    The splitting works wonderfully! Oh I'm using the "Classless Static Routes
    DHCP Option".

    However the remote client only pulls DNS from host network DNS servers.

    Therefore unless you know the IP address(es) of the VPN'd network this is
    useless. I can't imaging this is supposed to be the case.

    ipconfig /all on the remote computer, lists the DNS servers on the VPN'd
    network, but doesn't access them.

    Does anyone have any ideas?

    Thanks,

    Andrew
     
    Andrew, Jul 19, 2007
    #1
    1. Advertisements

  2. The VPN Dialup Connectiod needs its own separate DNS Server entry,...either
    via DHCP or Statically.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jul 19, 2007
    #2
    1. Advertisements

  3. Andrew

    Andrew Guest

    I think understand what you're saying, but not 100% sure. Can you explain
    more?


    ipconfig /all does show:

    PPP adapter ARSCO - DC01:

    Connection-specific DNS Suffix . : ROCKNET.Local
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.8.8
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 192.168.10.24
    192.168.10.25
    Primary WINS Server . . . . . . . : 192.168.10.24
    Secondary WINS Server . . . . . . : 192.168.10.25

    All 192.168.8.0, 255.255.252.0 traffic goes out over the VPN.

    Andrew
     
    Andrew, Jul 19, 2007
    #3
  4. The type of VPN you are dealing with here is Remote Access VPN.
    Keep that in mind.
    There are different types of VPN with different behavors and different
    purposes.

    The subnet you connected to with VPN is:
    192.168.8.0

    The DNS Servers are on a different subnet of:
    192.168.10.0

    When you run Split Tunneling you can only access the immediate subnet you
    VPN'ed into,...you can *not* reach any other subnet on the system you VPN'ed
    into,...that is the way it is,...that is the way it was designed and was
    meant to be. The DNS Servers are unreachable to you unless you stop using
    Split-Tunneling becuase you are only allowed to connect to devices on
    192.168.8.x.

    There are reasons why you are not supposed to use Split-Tunneling. When you
    VPN into a system you put that system at risk from whatever "else" your PC
    may be connected to,...therefore VPN is design so that once you connect all
    traffic goes through the VPN'ed system and effectively "cuts off" your
    machine from any "other" connections it may be connected to (like the
    Internet, or other subnets on your own local LAN). When you run
    Split-Tunneling you are side-stepping this safety feature and therefore as a
    result you can only connect to resources on the immediate subnet you VPN'ed
    into. This is why some companies put their VPN Server on its own special
    subnet so that if someone connects to it while running Split-Tunneling they
    cannot get to anything anywhere else on the companies LAN.

    The intension of Remote Access VPN is that you connect,..take care of the
    task you connected to do,..then disconnect. It is not designed to
    connect,..stay connected,...and access other resources on other LAN Segments
    or the Internet at the same time.

    This is not anything new. It is exactly the same way things behaved with the
    old "modem-dialup-over-a-phone-line" connections. Remote Access VPN is
    *still* the same old modem dialup technology except the physical modem was
    replaced by the "virtual VPN adapter" and the phone number was replaced by
    the IP#,...beyond that it is the same thing working on the same principles.

    If you need to do all those tasks at the same time while connected to the
    VPN,...then you need a Site-to-Site VPN (aka Router-to-Router VPN) which is
    a completely different type of VPN which is "always up" and is performed by
    a pair of VPN capable routing devices.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jul 19, 2007
    #4
  5. Andrew

    Andrew Guest

    Ok I understand what you're saying. However I really don't consider this a
    risk. Why would you want your VPN users to waste your companies bandwidth,
    by not using split tunneling? i.e. They VPN in and then access the
    Internet.

    As a network admin, there a lot of times I need to be connected to the
    company network and access the Internet at the same time. This accomplished
    with the default VPN setup, but Internet access is really slow. Work only
    has a T1, I have a 15MB pipe from Time Warner.

    I was able to get it to work, by having the VPN connection not pull a DHCP
    address, but rather assign it an IP in the 192.168.10.0 network, from which
    it had access to the DNS server.

    Another work around would be to assign an 192.168.8.0 network address to the
    DNS server.

    Thank you for help.

    Andrew
     
    Andrew, Jul 19, 2007
    #5
  6. I know,...and the true level of risk is debatable,...but it doesn't matter,
    that is the way the technology is designed.
    Becuause it was determined by the VPN networking gods (whomever they may be)
    that security was more important than bandwidth. But also remember that it
    doesn't mean the users would "surf the net" by looping through the VPN,...it
    could mean that they would not have the Internet at all,...they are supposed
    to just use the resources they came for and then "leave",...then there is no
    bandwidth being sacrificed. Many commercial VPN capable products (like MS
    ISA for example) do not let the VPN users get to the internet at all unless
    you go out of your way to make it happen.
    Well you'd have to actually move that DNS machine to the 8 subnet, you
    couldn't just assign it the address if it doesn't agree with the
    cabling,..but yes that is an option to get the DNS naming working,...but you
    still can not access resources on other subnets beyond the "8" subnet with
    Split-Tunneling on. Just because you could now resolve the name properly
    doesn't mean you can connect to them. You'd still have to stop using
    Split-Tunneling to do that.

    I think the best solution would be to place a Workstation or Terminal Server
    on the "8" subnet and then remote control it with RDP to do whatever Admin
    work you wanted to do. That machine would be able to access anything since
    it is physically there on the LAN and is not a VPN Client. Then the machine
    you are sitting at home would access the Internet for whatever you want at
    the same time. This is the way I handle ours,..early on I RDP'ed to my
    desktop machine at work to work on things,...later on I deployed a Terminal
    Server and replaced my desktop machine with a laptop that I take home,...I
    RDP the Terminal Server from the Laptop. It may not be the answer to
    everything but it workd for me. You may also have to reconsider some of
    your methods of how you administrate things to deal with the reality of how
    things are. You can't get anywhere by being rigid and only wanting to do
    things one way.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jul 19, 2007
    #6
  7. Andrew

    Andrew Guest

    Actually that's not true, I can access anything within the 192.168.8.0,
    255.255.252.0 network. All I did was assign a secondary IP address to the
    DNS server to be in the 192.168.8.0 network, and then made sure its static
    DNS information was set to use the 8.0 network IP.

    Since 8.0 is the DHCP range, I have to restrict giving out the DNS server's
    IP too.
     
    Andrew, Jul 20, 2007
    #7
  8. Ok,..I didn't know there was a 252 in the third octect of the mask. Details
    make a difference, that's why I annoy people so much by asking for more and
    more details.

    That can cause you to overload the IP Segment with broadcasts if you climb
    over 250-300 hosts,...but that is a whole other debate that I don't want to
    get into. Suffice it to say that the guidline is to never go over 250-300
    hosts per segment. The 24 bit mask provides for 254 hosts which fits that
    perfect. If you need more, then create a new 254 host segment. But that is
    off the current topic and I don't know that I want to get into that one.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jul 20, 2007
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.