VPN Split Tunneling – Pros and Cons and how to achieve it

Tags: split-tunnel, vpn, windows-server-2008, windows-server-2008-r2

Well, this is the dilemma: I want remote clients to connect to my network and only route local access through the VPN. This is split tunneling: the client uses its own internet connection for all other internet requests and the VPN tunnel to my network for local requests.

There are a couple of issues that arise. Split tunneling in Windows is achieved by unticking an option which reads "Use default gateway on remote network" in the TCP/IP settings of the client VPN connection. At any point the user can tick it and route all his internet traffic through my network, eating away at my bandwidth and being cloaked by my IP address. This is unacceptable.

Issue number 2 is that if the client is split tunneling, he becomes a gateway between the internet and my network; this is also unacceptable.

My questions are: how does one achieve split tunneling serverside? And is the latter issue a valid con worthy of worry?

Any thoughts would be appreciated!

Best Answer

There are several things you can do to prevent this. The first, and probably the easiest would be to just set firewall rules on your VPN server to disallow any traffic that's not destined for your local subnets. With those rules in place, any "internet-bound" traffic will just get dropped.

If you don't have the option to make firewall changes, then you can configure your outside NAT box to just refuse to perform its NAT duties for your VPN client subnet.

Regarding "Issue Number 2". How exactly will the client "become a gateway between the internet and your network"? Routing rules would need to be put in place for that to happen.
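The following is an added example, not code from the question or the answer above. It shows what the answer's two options look like as a concrete rule set: a firewall that forwards VPN clients only to the local subnet and drops everything else, and a NAT box that refuses to translate the VPN client pool. It assumes the box between the RRAS server and the Internet is a Linux gateway running iptables; the subnets (10.8.0.0/24 for the client pool, 192.168.1.0/24 for the LAN), the interface names and the sample addresses are placeholders chosen for the example. It also adds an anti-spoofing rule so that, should a client ever forward packets on behalf of Internet hosts (the "issue number 2" scenario), those packets are dropped because their source address is not in the pool. The `forward_decision` function mirrors the chain's logic so the policy can be checked against sample packets without root or iptables installed.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed placeholders:
VPN_POOL="10.8.0.0/24"    # addresses RRAS hands to dial-in clients (assumed)
LAN="192.168.1.0/24"      # the internal subnet clients are allowed to reach (assumed)
WAN_IF="eth0"             # interface facing the Internet (assumed)
VPN_IF="eth1"             # interface facing the RRAS server / VPN clients (assumed)

# Print the iptables commands for the policy instead of running them, so the
# rule set can be reviewed first (pipe the output to sh as root to apply it).
vpn_policy_rules() {
    cat <<EOF
iptables -N VPN_CLIENTS
iptables -A FORWARD -i $VPN_IF -j VPN_CLIENTS
# anti-spoof: traffic arriving from the VPN side must carry a pool address,
# which drops anything a client tries to relay for third-party Internet hosts
iptables -A VPN_CLIENTS ! -s $VPN_POOL -j DROP
# clients may reach the local subnet...
iptables -A VPN_CLIENTS -s $VPN_POOL -d $LAN -j ACCEPT
# ...and nothing else: Internet-bound traffic from the tunnel is dropped here,
# whether or not the client ticked "Use default gateway on remote network"
iptables -A VPN_CLIENTS -j DROP
# option 2 from the answer: never NAT the client pool towards the Internet
iptables -t nat -I POSTROUTING -o $WAN_IF -s $VPN_POOL -j RETURN
EOF
}

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh arithmetic).
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS : succeeds when ADDR lies inside the prefix.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# forward_decision SRC DST : prints ACCEPT or DROP, evaluating the packet in
# the same order as the VPN_CLIENTS chain above.
forward_decision() {
    src=$1
    dst=$2
    in_cidr "$src" "$VPN_POOL" || { echo DROP; return; }   # spoofed / relayed source
    in_cidr "$dst" "$LAN" && { echo ACCEPT; return; }      # local subnet only
    echo DROP                                              # everything else
}

# Usage: review the rules, then check a few constructed packets.
vpn_policy_rules
forward_decision 10.8.0.5 192.168.1.10     # client -> LAN host: ACCEPT
forward_decision 10.8.0.5 198.51.100.25    # client -> Internet host: DROP
forward_decision 203.0.113.7 192.168.1.10  # Internet host relayed via a client: DROP
```

The ACCEPT rule must precede the final DROP and the anti-spoof rule must precede both; a client that re-ticks "Use default gateway on remote network" then simply loses Internet access over the tunnel rather than gaining it. The same intent can be expressed on the RRAS server itself through the NPS network policy's IP filters (permit only packets to the local subnet), which keeps the enforcement server-side even when no separate gateway is available.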