
Routing Traffic in Windows

Right, so you have a nice VPN set up (I have used OpenVPN) but you want to route all your traffic via the VPN. Here I will try to explain how to do just that.

First you need to find your current default gateway and the IP address of your VPN server. Here we will be using VPN.SERVER.IP.ADDR, NEW.DEFAULT.GATEWAY.IPADDR and OLD.DEFAULT.GATEWAY.IPADDR as placeholders. To find your default gateway, open a command prompt (on Windows 7 run it as administrator, because we need to make changes to the routing table later).

Type route print and press Enter.

C:\>route print
*** lots of stuff ***
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20       25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0     192.168.1.20    192.168.1.20       20
*    192.168.10.0    255.255.255.0    192.168.40.81   192.168.40.82       1   *
     192.168.30.0    255.255.255.0    192.168.40.81   192.168.40.82       1
     192.168.40.0    255.255.255.0    192.168.40.81   192.168.40.82       1
    192.168.40.80  255.255.255.252    192.168.40.82   192.168.40.82       30
    192.168.40.82  255.255.255.255        127.0.0.1       127.0.0.1       30
   192.168.40.255  255.255.255.255    192.168.40.82   192.168.40.82       30
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20       25
     192.168.1.20  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255     192.168.1.20    192.168.1.20       25
        224.0.0.0        240.0.0.0    192.168.40.82   192.168.40.82       30
        224.0.0.0        240.0.0.0     192.168.1.20    192.168.1.20       25
  255.255.255.255  255.255.255.255    192.168.40.82   192.168.40.82       1
  255.255.255.255  255.255.255.255    192.168.40.82           10003       1
  255.255.255.255  255.255.255.255     192.168.1.20    192.168.1.20       1
Default Gateway:      192.168.1.1
===========================================================================
Persistent Routes:
  None

C:\>_

From now on, wherever I say OLD.DEFAULT.GATEWAY.IPADDR I mean the address after "Default Gateway:"; in this example it is 192.168.1.1.

In the output above I have starred an entry: all addresses that start with 192.168.10. are on my corporate network, so I know that the gateway for those addresses is where I want to send all my packets. I will use this address (192.168.40.81) for NEW.DEFAULT.GATEWAY.IPADDR.

First I need to add a host route so that I don't try to send the encrypted VPN packets to the VPN server via the VPN itself... that would simply not work.

route add VPN.SERVER.IP.ADDR mask 255.255.255.255 OLD.DEFAULT.GATEWAY.IPADDR

Then delete the current default route

route delete 0.0.0.0 mask 0.0.0.0 OLD.DEFAULT.GATEWAY.IPADDR

Now add the default route to go via the VPN

route add 0.0.0.0 mask 0.0.0.0 NEW.DEFAULT.GATEWAY.IPADDR

To make this clear and skip the confusing substitute names, here is the same thing using the IP addresses from the output above.

route add 173.194.78.99 mask 255.255.255.255 192.168.1.1
route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1
route add 0.0.0.0 mask 0.0.0.0 192.168.40.81

If you do not know the IP address of your VPN server ask your friendly systems administrator, Ted is always happy to help. Especially when he knows you will screw it up late on a Saturday night and call him whilst he is eating to have him fix it for you.

DNS Problem

IMPORTANT SECURITY CONCERN: In normal circumstances your DNS traffic will NOT be routed through the VPN. The DNS servers pushed by the VPN will be listed, but Windows chooses which one to query, which produces DNS leakage... not so great, but it might not matter depending on what you are trying to do. I suggest that you look into setting a static IP address on your network adapter and not including a DNS server... naturally this has its own problems. If there is any way to do this with netsh, please let me know.
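The three route commands above, plus a look at which resolvers Windows could leak queries to, as one added PowerShell script. This is my example, not part of the original post; $VpnServer, $VpnGateway, Get-DefaultGateway and Test-RouteExists are names I made up, and it assumes IPv4 only with a single active default route.

```powershell
# Added example (not from the original post): the three route commands above,
# wrapped so the script finds OLD.DEFAULT.GATEWAY.IPADDR itself and checks the
# result afterwards. Run from an elevated PowerShell prompt. Assumptions: IPv4
# only and a single active default route; $VpnServer and $VpnGateway are yours.
param(
    [Parameter(Mandatory = $true)][string]$VpnServer,   # VPN.SERVER.IP.ADDR
    [Parameter(Mandatory = $true)][string]$VpnGateway   # NEW.DEFAULT.GATEWAY.IPADDR
)

# The gateway column of the "0.0.0.0  0.0.0.0" line in "route print" is the default gateway.
function Get-DefaultGateway {
    $line = route print | Where-Object { $_ -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s' } |
            Select-Object -First 1
    if ($line -and $line -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)') { return $Matches[1] }
    throw "No IPv4 default route found in 'route print' output."
}

# True when a destination/mask/gateway triple is present in the routing table.
function Test-RouteExists([string]$Dest, [string]$Mask, [string]$Gateway) {
    $pattern = '^\s*{0}\s+{1}\s+{2}\s' -f [regex]::Escape($Dest), [regex]::Escape($Mask), [regex]::Escape($Gateway)
    return [bool](route print | Where-Object { $_ -match $pattern })
}

$oldGateway = Get-DefaultGateway
Write-Host "Old default gateway: $oldGateway  ->  new default gateway: $VpnGateway"

# 1. Host route first, so the encrypted packets to the VPN server still leave via
#    the real gateway instead of being pushed back into the tunnel.
route add $VpnServer mask 255.255.255.255 $oldGateway
if (-not (Test-RouteExists $VpnServer '255.255.255.255' $oldGateway)) {
    throw "Host route to $VpnServer was not added; not touching the default route."
}

# 2. Remove the old default route, then 3. send everything else into the VPN.
route delete 0.0.0.0 mask 0.0.0.0 $oldGateway
route add 0.0.0.0 mask 0.0.0.0 $VpnGateway
if ((Get-DefaultGateway) -ne $VpnGateway) {
    throw "Default route did not switch to $VpnGateway; check 'route print'."
}

# DNS leak check for the concern above: these are the resolvers Windows may pick
# from regardless of the routing change (WMI, so this also works on Windows 7).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List
```

If the last listing shows a resolver on your local network next to the VPN's, you have the leak the section above describes; a resolver reachable only through the tunnel is what you want.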
