I don't want all traffic to go through the tunnel

Posted: Tue Nov 05, 2019 7:42 pm
by marv42dp
Hi,
first of all: sorry if this question / issue has been raised/discussed before, please just point me to that thread.
Setup: SoftEther VPN Server on a Windows Server 2016 VM, SoftEther Client on Win10. When I connect to the server all traffic is routed through the VPN, which slows down my download from the internet to 50%. I could not find a setting that only sends the traffic for the remote network through the tunnel - which is a standard feature on pretty much every other VPN solution out there.
Am I blind, or is there no such feature / setting in SoftEther?

Re: I don't want all traffic to go through the tunnel

Posted: Tue Nov 05, 2019 11:57 pm
by ozone
When using the SE-client in windows, I think "this" is the easiest way *:

(At the right-bottom: set "no adjustment of routing table")


Although there are other ways of doing this as well....

In essence, by default the client sets the route to internet (0.0.0.0) to the vpn-gateway, instead of your local gateway.
This is what needs to be prevented in your case, so that internet traffic keeps flowing the normal way.
(note: if the remote site becomes more complex, e.g. more subnets, this solution will not work anymore)

Oz

* reference and picture:
https://www.softether.org/4-docs/1-manu ... VPN_Server

Re: I don't want all traffic to go through the tunnel

Posted: Wed Nov 06, 2019 9:36 am
by marv42dp
Thanks for the reply, but that doesn't work.
The setting seems to be ignored - verified by looking at the routing table with the option set, and without.
SE always sets the route to 0.0.0.0 to go through the VPN gateway.
There should be an option to only set the route to the remote network to go through the VPN gateway.

Until then the solution is a CMD which deletes the unwanted route, but since that CMD has to be executed every time the connection is established, it's pretty inconvenient.

Re: I don't want all traffic to go through the tunnel

Posted: Wed Nov 06, 2019 7:58 pm
by ozone
Yes, that is not the way it should go.

I did a little test over here....
- When this option is 'checked', the route is SET, but with a lower metric than the standard 0.0.0.0. So traffic should flow over your normal internet connection.
- When this option is 'unchecked', the route is SET, but the default (local) 0.0.0.0 route is DELETED. So traffic will flow over your VPN connection.

So you are right, the routing table is ALWAYS changed: the remote gateway is always added. (But in most cases it will still work as desired.)
Apparently this behavior isn't compatible with your situation.


However, as mentioned, there are more ways of doing it.

The routes are pushed via the dhcp-server (on the VPNserver-side) towards the VPN-nic on the client machine.
If the gui "check-mark" way doesn't work, manipulating the routes you push may achieve the same result.

If you use the SE securenat-dhcp, I would suggest disabling (deleting) the default gateway entry over there.
If you use a 3rd party dhcp, it depends on the circumstance. But it should work similarly (not pushing any default gateway).

As a last resort, there is always the option to create a separate vpn-nic on the client machine, specifically for this vpn-connection.
On the vpn client, in Windows give it a fixed-ip (valid on the VPN-network), but with no gateway.
I don't like this option very much, but it DOES work if the VPN-site only has one subnet.
(therefore, I'm just adding this option for reference)

Oz
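
Added example, not part of the thread or of SoftEther: a PowerShell check for which 0.0.0.0 route actually carries internet traffic after the VPN connects, covering the cases discussed above (VPN default route present, local default route deleted, or both present with different metrics). The function names, the `VPN*` adapter alias pattern, and the sample routes are assumptions made for illustration.

```powershell
# Added example, not from the thread. Ranks IPv4 default routes by
# RouteMetric + InterfaceMetric; Windows prefers the lowest sum.
function Get-DefaultRouteRanking {
    param(
        [Parameter(Mandatory)] [object[]] $Routes,
        # Assumption: wildcard matching the VPN virtual adapter's alias.
        [string] $VpnAliasPattern = 'VPN*'
    )
    $Routes |
        Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' } |
        Select-Object InterfaceAlias, NextHop,
            @{ n = 'EffectiveMetric'; e = { $_.RouteMetric + $_.InterfaceMetric } },
            @{ n = 'IsVpn'; e = { $_.InterfaceAlias -like $VpnAliasPattern } } |
        Sort-Object EffectiveMetric
}

# Hypothetical helper: turns the ranking into a one-line verdict.
function Get-TunnelVerdict {
    param([object[]] $Ranked)
    $all   = @($Ranked | Where-Object { $_ })          # drop nulls
    $vpn   = @($all | Where-Object { $_.IsVpn })
    $local = @($all | Where-Object { -not $_.IsVpn })
    if ($all.Count -eq 0)   { return 'no default route at all' }
    if ($vpn.Count -eq 0)   { return 'split tunnel: no default route via the VPN adapter' }
    if ($local.Count -eq 0) { return 'full tunnel: the VPN adapter holds the only default route' }
    if ($all[0].IsVpn)      { return 'full tunnel: the VPN default route wins on metric' }
    return 'split tunnel: a VPN default route exists but loses on metric'
}

# Constructed sample routes (not real output), shaped like Get-NetRoute objects.
$sample = @(
    [pscustomobject]@{ DestinationPrefix = '0.0.0.0/0'; InterfaceAlias = 'Ethernet'
                       NextHop = '192.168.1.1'; RouteMetric = 0; InterfaceMetric = 25 }
    [pscustomobject]@{ DestinationPrefix = '0.0.0.0/0'; InterfaceAlias = 'VPN - VPN Client'
                       NextHop = '192.168.30.1'; RouteMetric = 1; InterfaceMetric = 1 }
    [pscustomobject]@{ DestinationPrefix = '192.168.30.0/24'; InterfaceAlias = 'VPN - VPN Client'
                       NextHop = '0.0.0.0'; RouteMetric = 256; InterfaceMetric = 1 }
)

$ranking = Get-DefaultRouteRanking -Routes $sample
$ranking | Format-Table -AutoSize | Out-String
Get-TunnelVerdict -Ranked $ranking

# On a live client, feed it the real routing table instead:
# Get-TunnelVerdict (Get-DefaultRouteRanking -Routes (Get-NetRoute -AddressFamily IPv4))
```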