
How can I make SoftEther VPN only capture certain traffic? [solved]

Posted: Tue Aug 10, 2021 7:25 am
by JonahSwersey
Hi, I'm a sysadmin who's relatively new to VPNs. I set up SoftEther VPN for a project of mine, and I've found that it seems to be capturing all traffic, so that when I run the VPN, it catches things like YouTube and reroutes that traffic through our main servers.

I don't want this to happen. I need our VPN to only capture traffic that's heading to our servers, or our local domain. I want to set it up so that our users can have SoftEther VPN running, connect to servers in our domain, but not route that podcast they're listening to or Webinar they're giving through our VPN server. Is this possible?

We've got a private domain in the 10.x.x.x range, subnet 255.255.255.0. It's all routed through a single externally-accessible IP address, but I don't know how relevant that is for VPN routing. Anything that isn't aimed at that internal, private domain should bypass VPN.

I do not know how to do this. I found some tips online that say it has to do with the NAT routing table, which I have attempted to set up:
[Attached image: ip addresses.JPG]
10.0.0.0 is our local domain's IP space, 10.0.0.1 is the gateway. This still routes all traffic through the VPN, though...
[Attached image: pathping.JPG]
...so clearly I'm doing something wrong.

Any support (be it solving the problem or helping me understand what the solution should look like) is greatly appreciated. :) Additionally, there are probably technical terms for what I'm describing... But I don't know them. So any help in that regard would be greatly appreciated.

EDIT: additionally, now, when I'm in the office but not on the VPN, I have no access to other websites. I'm guessing that has something to do with this recent change.

Re: How can I make SoftEther VPN only capture certain traffic?

Posted: Wed Aug 11, 2021 10:40 am
by nobody12

Re: How can I make SoftEther VPN only capture certain traffic?

Posted: Wed Aug 11, 2021 12:13 pm
by JonahSwersey
nobody12 wrote:
Wed Aug 11, 2021 10:40 am
https://www.vpnusers.com/viewtopic.php? ... 914#p93914

Does that help?
Once I understood what the question was, yes, it did. Thank you!

But I was also hoping that there's a solution that's a little easier to roll out in our current system, to all of our users, with no GPO or Domain to work with. Ideally something directly on the VPN server. I don't quite trust my users to edit their network connection correctly.

Re: How can I make SoftEther VPN only capture certain traffic?

Posted: Wed Aug 11, 2021 12:24 pm
by nobody12
There is no GPO or Domain needed for my solution; the only thing you have to do manually is change the metric of the VPN Ethernet adapter (even this might not be needed - try it out). Any other settings will be included in the profile. You can export a profile, then import it into the client. The client only has to supply username and password.

You can, as an alternative, set up SoftEther as a Layer 3 connection.
Then you can distribute the routing table to the client using DHCP, and you will have control over whether a default route points to the network behind the VPN.
However, the integration is not as nice as with L2. With L2 the client is in the same broadcast segment, so it will work as if the PC really sits in the office. With L3 and routing, browsing the network will be impossible; also, depending on your network setup, network name resolution might not work, and automatic authentication against network resources might not work.

Re: How can I make SoftEther VPN only capture certain traffic?

Posted: Wed Aug 11, 2021 12:28 pm
by JonahSwersey
All right, I think that answers just about all my questions. Thank you very much! :)

Re: How can I make SoftEther VPN only capture certain traffic?

Posted: Wed Aug 11, 2021 12:33 pm
by nobody12
If you do the default setup (and don't use any "secure nat" options), then everything will work with reasonable effort for the client (change of Ethernet card metric).
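
Why the adapter metric discussed in this thread decides what goes through the tunnel, as an added illustration that is not part of any forum post: a small route-lookup model (longest prefix first, then lowest metric) run against a client that has both a home LAN and an L2 VPN adapter. The 10.0.0.0/24 network and 10.0.0.1 gateway come from the original question; the home LAN 192.168.1.0/24, the interface names, the metric values and the test addresses are constructed assumptions.

```python
import ipaddress

def build_table(vpn_metric, lan_metric=25):
    """Constructed client routing table: home LAN plus an L2 VPN adapter that
    received an office address and the office default gateway."""
    return [
        {"dest": "0.0.0.0/0",      "gw": "192.168.1.1", "iface": "LAN", "metric": lan_metric},
        {"dest": "192.168.1.0/24", "gw": "on-link",     "iface": "LAN", "metric": lan_metric},
        {"dest": "0.0.0.0/0",      "gw": "10.0.0.1",    "iface": "VPN", "metric": vpn_metric},
        {"dest": "10.0.0.0/24",    "gw": "on-link",     "iface": "VPN", "metric": vpn_metric},
    ]

def pick_route(routes, dst):
    """Longest matching prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["dest"])]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["metric"]))

def egress(routes, dst):
    """Name of the interface a packet to dst would leave through."""
    route = pick_route(routes, dst)
    return route["iface"] if route else None

def compare(dst):
    """Egress interface with a low VPN metric (full tunnel) and a high one (split tunnel)."""
    return {
        "vpn_metric_5":   egress(build_table(vpn_metric=5), dst),
        "vpn_metric_500": egress(build_table(vpn_metric=500), dst),
    }

if __name__ == "__main__":
    # 203.0.113.10 stands in for an Internet host, 10.0.0.20 for an office server.
    for dst in ("203.0.113.10", "10.0.0.20", "192.168.1.50"):
        print(dst, compare(dst))
```

With two default routes present, only the metric separates them, so a VPN adapter metric below the LAN's pulls Internet traffic into the tunnel, while the more specific 10.0.0.0/24 route keeps office traffic on the VPN whatever the metric is.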