Problem with persistent routes and VPN connection in Windows 7

Posted on

QUESTION :

My home PC has a VPN connection to my office. The office network is firewalled, with a secure zone on 192.168.0.* and a DMZ on 10.0.0.*

From outside, www.mycompany.com routes to a public IP – say 1.2.3.4. Our firewall NATs that to 10.0.0.4. From within the office LAN, we use DNS records on our domain controllers to resolve www.mycompany.com straight to 10.0.0.4, because we can’t route to the public interface of our own firewall.

When I connect the VPN from home, I get a 192.168.0.* IP assigned via DHCP, but because I’m not using the VPN as my default gateway, I can’t route to 10.0.0.* addresses unless I manually add a route.

I’ve created a persistent route to pass traffic for the 10.0.0.* subnet via the default gateway on the secure firewall zone:

route add -p 10.0.0.0 mask 255.255.255.0 192.168.0.1

Here’s the problem. When I reboot, the route still appears in the routing table – fine. If I then connect the VPN, the route appears, but doesn’t work – I can’t route to anything on the 10.0.0.0 subnet. BUT, if I remove and then re-add the route AFTER the VPN is connected, it works fine.

I have no idea why this is the case. The before/after configuration is IDENTICAL – same IP, same route table – but if I create route then connect, it fails; if I connect the VPN and then create the route, it succeeds.

Looking for any tips as to how I can either stabilize the configuration, or automatically create the route when the VPN connects?

ANSWER :

Honestly, there’s a few bits as to why this wouldn’t work properly. But lets skip that for now.

Rather than adding an arbitrary route to an IP address, try adding the route with the “interface” specified.

i.e. when connected to the VPN if you do a:

route print

and look for the “Interface” in the list, it should have a number assigned to the VPN interface.

 19...00 0e 2e 65 ca 61 ......Realtek RTL8139/810x Family Fast Ethernet NIC
 12...00 26 55 44 95 3c ......Broadcom NetXtreme Gigabit Ethernet
 28...00 00 00 00 00 00 ......MyVPN Interface Thingie
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter

in my example… #28 is my vpn. So, when you add the route… do this:

route add -p 10.0.0.0 mask 255.255.255.0 192.168.0.1 if 28

What this should do for you is add the route… only when that interface is up. It will still sit in the “persistent routes” … but won’t actually be added to the routing table until that interface is up… and it gets removed again when the interface goes down.

If you have multiple VPNs you might run into the issue that when they connect in random order, their interface IDs change. In that case the normal ROUTE -P ADD 10.0.0.0 MASK 255.255.0.0 10.0.0.1 IF 42 does not work. The next time the VPN connects it might have a different interface number.

Powershell has a cmdlet available that adds routes on VPN connection and removes them again when the VPN is disconnected: Add-VpnConnectionRoute. It works without having to specify the interface ID.

The basic syntax is like this:

Add-VpnConnectionRoute -ConnectionName "VPN Connection Name" -DestinationPrefix 10.0.0.0/16

After entering this command, the routes will be created/removed automatically on connection/disconnection of the VPN.

Leave a Reply

Your email address will not be published. Required fields are marked *