Quickly enable/disable default gateway for VPN on Windows

Submitted by Hannes Schmidt on Thu, 01/10/2008 - 14:53.

Whether a VPN connection has the "Use default gateway on remote network" option enabled has big impact on how network traffic from your machine is routed.

If the option is on (the default), ...

... Windows will create a new default route with the VPN endpoint as a gateway. This means that all traffic will be sent through the tunnel and the other end, i.e. the VPN server has to forward it to its final destination. In many cases the VPN server doesn't have IP forwarding enabled, for example when the VPN's sole purpose is to connect you to the remote LAN but not further.

Now you may say: well, if it doesn't have forwarding enabled, how do the packets get from the VPN client to the other boxes on the LAN? The anwswer is that there are alternative, lower-layer forwarding mechanisms other than forwarding at the IP layer: bridging and proxy ARP.

Ever had the situation where you dialed into a VPN and suddenly your internet connection went down? Right! The VPN connection probably had "Use default gateway on remote network" enabled but the VPN server didn't forward the client VPN traffic to the internet.

There's is another gotcha. If the default gateway affects all traffic to destinations outside the VPN client's local subnet, how come the encrypted packets, i.e. the PPTP or L2TP traffic is not sent back into the tunnel, creating an infinite loop? Luckily, Windows creates second route that exempts the IP packets going to the VPN server's public IP address from being affected by the default route. If you open a command line window and type route print you will see a route with a destination of 0.0.0.0 and the gateway set to the VPN tunnel endpoint (most likely an IP address from the remote subnet, i.e. the VPN servers LAN). That's the default route. There will be another route with a destination of the VPN server's public IP and the gateway set to the client's LAN router. That's the exception route. Without it, the VPN would go in circles. Luckily Windows never creates one route without the other if "Use default gateway on remote network" is enabled.

If "Use default gateway on remote network" is disabled ...

... Windows will not touch the default route. Whatever default route was setup when the system was initialized will remain active. Most likely, that default route was configured via DHCP by the client's LAN router.

For some reason Windows still sets up an exception route to the VPN server's public IP although that is redundant. When the VPN connection is in the process of being established, no such route exists but the connection requests make it to the VPN server anyway (via the client's LAN router). So there's no real need for that exception route.

Independent of whether "Use default gateway on remote network" is on or off, you may see two more routes: a route to the remote subnet and a gateway set to the VPN endpoint IP and a so-called "On-Link" route with destination and gateway set to endpoint IP. Again, the former route is redundant if "Use default gateway on remote network" is enabled, but Windows creates it anyways.

Alternating between the two settings

I often end up in a situations in which I have to frequently switch "Use default gateway on remote network" between enabled and disabled on the same VPN connection. Sometimes I want to route all traffic through the VPN connection for example to protect my privacy when I am connected to a public WLAN. My home network, on the other hand, is already secure and I don't want the overhead of routing everything through the VPN. That's why I like to disable that option once I am at home. Since I can never remember what set the option to last time I used the connection, I end up having to check everytime before I connect.

Screenshot of Windows Vista's Network Connections window.

Unfortunately, the option is hard to get to: On Vista, one needs to

  1. cLick the network icon in the notification are of the taskbar,
  2. click "Connect or disconnnect...",
  3. right-click the VPN connection,
  4. click "Properties",
  5. click the "Networking" tab
  6. double-click "Internet Protocol Version 4 (TCP/IPv4)",
  7. click the "Advanced..." button,
  8. and there it is: "Use default gateway on remote network".
  9. Click OK three times.

What a nuisance!

A simple yet effective solution

It really is simple: just duplicate the VPN connection, disable "Use default gateway on remote network" in the original and enable it in the clone. Name the clone accordingly. The result is shown in the screen shot on the right.

The drawback of having to apply potential changes to the VPN settings to both the the original and the VPN is acceptable. Most of the time VPN settings (other than the default gateway option) don't need to be touched again once they work.

( categories: Windows | Administrator | Dummy )
Submitted by Anonymous on Mon, 03/26/2012 - 22:06.
The most effective thing I came across so far was to manually add entries to the routing table so I could reach those IPs using the VPN, the rest would still use my ISP's gateway. Simply create a batch file and enter the necessary IPs like this: route add xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy where xxx defines the IP you would like to reach using the VPN connection, yyy is the VPN connections host IP, then simply executing this file will do the trick.
Submitted by Anonymous on Sun, 11/07/2010 - 08:19.
Thanks very much. Very helpful. I googled and bing'd a long time before I found your article. Solved the problem of internet connection while connected via vpn to remote database (Windows XP SP3). Gan Davnarrain