By default the Windows VPN client has this checked in the advanced TCP/IP settings: Use default gateway on remote network...
I do not want to use the default remote gateway... (the client's internet access uses the company network when it is like this). How can I set up the Win 2008 RRAS server to not give out this gateway, or disable this? Can I make a special DHCP scope (with no gateway defined) and tie incoming PPTP connections to it? Are there any other methods? -- without doing anything to the client... I want to be able to just leave it checked --
Thanks!
The settings you're looking to change are client-side only, unfortunately. Unlike, say, OpenVPN, where you "push" configuration information from the VPN server to the client, in the Microsoft VPN client the "Use default gateway on remote network" option is set client-side only.
The Connection Manager Administration Kit (CMAK) will let you build an EXE that can be run on clients to set up the VPN connection with all the parameters you want.
Some frustration may come from the unfortunate method by which the client receives a route to the remote network. When the "Use default gateway on remote network" option is disabled, the client receives a route to the remote network based on the "classful" IP address of the VPN server (this changes in Windows 7, but I don't have details of the change handy). If you're just doing a VPN into a little "/24" network numbered "192.168.x.x", then this will work out fine.
If you have a more complex topology, though, this will give you fits. The CMAK is supposed to give you a way to run a script on the client after the VPN comes up, and to modify the client's routing table, but I've never actually gotten that functionality to work on Windows XP SP2-based client computers. I'd love to hear from somebody who has.
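As an added illustration of the class-based route behaviour described in this answer (example code written for this page, not from the answer's author or from Microsoft), the script below computes the classful route a client would install for a given tunnel-side IPv4 address and then checks which remote subnets that single route actually covers. The address 10.1.2.3 and the subnet list are constructed values standing in for a corporate topology that spans more than one classful network; subnets the route misses are exactly the ones a post-connect script would have to add by hand.

```shell
#!/bin/sh
# Added example: classful route derived from an IPv4 address, plus a
# coverage check against the subnets that should be reachable over the VPN.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Class A (0-127) -> /8, class B (128-191) -> /16, class C (192-223) -> /24.
classful_route() {
  first=${1%%.*}
  if [ "$first" -lt 128 ]; then bits=8
  elif [ "$first" -lt 192 ]; then bits=16
  elif [ "$first" -lt 224 ]; then bits=24
  else echo "no classful unicast route for $1" >&2; return 1
  fi
  n=$(ip2int "$1")
  mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
  net=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# Does subnet $2 (a.b.c.d/len) lie entirely inside route $1 (a.b.c.d/len)?
covered() {
  rnet=${1%/*}; rbits=${1#*/}
  snet=${2%/*}; sbits=${2#*/}
  [ "$sbits" -ge "$rbits" ] || return 1
  rmask=$(( (4294967295 >> (32 - rbits)) << (32 - rbits) ))
  [ $(( $(ip2int "$snet") & rmask )) -eq $(( $(ip2int "$rnet") & rmask )) ]
}

# Constructed demo: 10.1.2.3 stands in for the tunnel-side address, and the
# list is an imagined topology spanning three classful networks.
route=$(classful_route 10.1.2.3)
echo "client route after connect: $route"
for subnet in 10.20.0.0/16 172.16.0.0/12 192.168.50.0/24; do
  if covered "$route" "$subnet"; then
    echo "  $subnet reachable through the tunnel"
  else
    echo "  $subnet NOT reachable; needs a post-connect 'route add'"
  fi
done
```

Run it with any POSIX sh; the output shows why a 192.168.x.x /24 "just works" (the /24 classful route matches it exactly) while a site with 10.x, 172.16.x and 192.168.x segments gets only the one network the tunnel address happens to fall in.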
AFAIK, the connection has to have a gateway, or else there's no way it can send traffic over that interface to anything except the VPN server at the other end.
Also AFAIK there's no way around this except to manually disable the connection (even a PowerShell script won't be any good; even if it has the functionality, there are too many unknown variables in locating the connection).
Worth noting that without this open, name resolution won't work either unless your local DNS has the VPN IPs in it.
I feel your pain though.
The reason it is enabled by default is that it is the most secure option. Your client could pose a security risk if they get hacked from the internet; there might not be much to secure your network...
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html
I block such traffic with the site router. First, assign a static pool of IPs to the VPN PPTP server, then in the router block all outbound traffic with a source IP in that IP pool.
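An added example of the second step of this answer, written for this page and not taken from the answer's author: it assumes a Linux-based site router running iptables (the answer does not name the router), that the RRAS static pool and the Internet-facing interface are the constructed values below, and that VPN client traffic is forwarded through this router on its way out. The rules let the pool reach the internal subnets and log-then-drop anything it tries to send out the WAN interface. It runs in dry-run mode unless APPLY=1 is set, so the generated rules can be reviewed first.

```shell
#!/bin/sh
# Added example: block Internet egress for the RRAS static address pool on a
# Linux router. All three values below are constructed placeholders.
VPN_POOL=${VPN_POOL:-10.99.0.0/24}      # static pool configured on the RRAS server
WAN_IF=${WAN_IF:-eth0}                  # router's Internet-facing interface
INTERNAL_NETS=${INTERNAL_NETS:-"10.0.0.0/8 192.168.0.0/16"}  # subnets VPN users may reach

# Emit one iptables command per line: explicit accepts for internal
# destinations first, then a logged drop for anything leaving via the WAN.
vpn_egress_rules() {
  pool=$1; wan=$2; shift 2
  for net in "$@"; do
    echo "iptables -A FORWARD -s $pool -d $net -j ACCEPT"
  done
  echo "iptables -A FORWARD -s $pool -o $wan -j LOG --log-prefix VPN-EGRESS-DROP:"
  echo "iptables -A FORWARD -s $pool -o $wan -j DROP"
}

# Print the rules (default) or execute them when APPLY=1.
apply_rules() {
  vpn_egress_rules "$@" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then
      sh -c "$cmd"
    else
      echo "DRY-RUN: $cmd"
    fi
  done
}

apply_rules "$VPN_POOL" "$WAN_IF" $INTERNAL_NETS
```

The LOG rule ahead of the DROP is what makes the policy verifiable: a client that still has "Use default gateway on remote network" checked shows up in the router's kernel log as VPN-EGRESS-DROP entries the first time it tries to browse through the tunnel, which is a cheap way to confirm the pool assignment and the rule order are right before trusting the block.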