Questions[split-tunneling](server)

I am trying to setup Strongswan for VPN split tunneling.

What I want is only the subnets 10.88.0.0/16 and 10.0.200.0/24 is accessible through the VPN tunnel. Everyting else is handled throught the default gateway for the network.

All clients are assigned an ip adress belonging to the 10.0.201.0/24 subnet.

In my configuration file I have among others the following:

# Default login method
eap-defaults {
  remote {
   auth = eap-radius
   id = %any
   eap_id = %any
  }
}

connections
{
  conn-unix : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 10.0.200.0/24, 10.88.0.0/16
      }

      esp_proposals = aes128gcm128-x25519
    }

    pools = IkeVPN-ipv4
    proposals = aes128-sha256-x25519
  }

  conn-windows : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 10.0.200.0/24, 10.88.0.0/16
      }

      esp_proposals = aes256-sha256-prfsha256-modp1024
    }

    proposals = aes256-sha256-prfsha256-modp1024
    pools = IkeVPN-ipv4
  }
}

pools
{
  IkeVPN-ipv4 {
    addrs = 10.0.201.0/24
    dns = 10.0.88.2
  }
}

When I login over VPN it is possible to ping hosts belonging to 10.88.0.0/16 and 10.0.200.0/24, so I know I can use the VPN tunnel.

However:

If I try to access any other ressource on the Internet while still being connected to the VPN, then I cannot even ping the ip adress belonging to that ressourse.

In my routing table on my Windows computer I can find the following entries:

I know that when you have two routes to a given subnet like 0.0.0.0/0 in the routing table, then whatever rule has the lowest metric wins and traffic is forwarded using that rule.

However I do not want the VPN server to install a default route via VPN, but rather only tell that the subnets 10.88.0.0/16 and 10.0.200.0/24 has to be routed via VPN.

What I want is that I see a routing table closer to this without having to edit the routing table by hand on every VPN client:

So how do I go about doing that?

In my work, I have quite a few different external networks that I need to access from time to time via VPN. Generally I need to connect to somebody else's managed network to access their Building Management System (BMS) so I am at the mercy of however they set up their network access - this usually involves juggling various assigned logins and having to re-enter the credentials everywhere I go. More annoyingly, they usually require me to login to their VPN (most often through GlobalProtect). These are not my primary work networks, so the restrictions vary and I have to log into the VPN and then back out as soon as I am done so that I am not sending all of the rest of my traffic through the VPN. In a few of these instances, I have run into issues where I can't directly access the internet for troubleshooting while I am connected to the VPN because of their restrictive policies.

Is there a relatively straightforward way to wall off either a separate instance of Chrome or maybe a Windows desktop where only that traffic would be routed through the VPN? I thought that maybe split tunneling might be the answer, but that seemed to miss the mark when I tried to use NordVPN since it would only let me connect to their VPN servers.

I want to use openvpn. But with some differences. I don’t want to send all trafics to the vpn. For example, when using FoxyProxy on firefox and connected to localhost:8000, send traffics to vpn but when the FoxyProxy is off, send traffic to the regular ports (and not connected to the VPN) How can I do that? Maybe with vpn split tunneling or something else? I’m using linux as the openvpn client

I was going by this tutorial, looking at the sections for split tunneling with OpenVPN or Windows Powershell (IKEv2).

I'm relatively new to this sort of stuff, so I would really appreciate some help.

To do it, this website says to choose a subnet. I kind of understand what they are, but what I would like to do instead, is just route traffic on one or two ports (e.g. port 80 and/or port 21).

Preferably, I'd like to be able to do it by editing my OpenVPN config file (as the tutorial I linked above says, but instead with ports), but if that can't be done, I'll be happy if it can be done in Powershell with an IKEv2 connection instead.

I've seen some pretty good tutorials for Ubuntu that allow you to do this, but you can't apply them to Windows (because they use iptables, etc).

If possible, I'd like to do it on Windows, rather than switching to Linux.

Can anyone help me understand how to do this? Thanks.

Edit:

Would it be easier to route applications instead? (e.g. Route an app like Zoom around the VPN, but tunnel a game through VPN?) This is just an example, but is that more straightforward to do on Windows?

This Powershell command triggers the VPN connection when a specific app is opened:

Add-VpnConnectionTriggerApplication -Name "<VPNConnection>" –ApplicationID "<AppPath>"

So I assume what I want to do would look somewhat similar to this, except it only applies to that one app. (and it doesn't have to only be triggered when that app opens, it can stay on always).

It looks like I'm going to have to use this Powershell command. It's not exactly what I wanted but it doesn't seem I have any other choice. It's ridiculous that Windows doesn't have something that can do this.

We have a Cisco ASA 5510. We use split tunneling for AnyConnect SSL VPN clients. All internal addresses are tunnelled. Everything else is routed through the client's own internet connection.

We use a SaaS service that only responds to requests when they come from one of our own public IP addresses. Because of this, VPN users are unable to access it currently. Is there a way to specify that a specific website should be tunneled and all others should not?

NOTE: Worst case we will use a web bookmark on the clientless portal to tranlate through our network, but I'd like to see if the above is possible first.