Editor's note: when you build a VPN and the VPN connection succeeds, you can reach the headquarters company's internal network but cannot access the Internet. What is the problem?
VPN (virtual private network) technology is used for remote access to a company's information resources. Compared with dial-up connection services it has been widely accepted by users and is gradually replacing dial-up in practice. A VPN provides high-level remote access and a secure communication mechanism between users and the infrastructure. In this article I analyze in detail a problem that often occurs when a VPN is used.
I believe that users who use a VPN to remotely access the company intranet from a client have run into this problem: after the VPN connection succeeds, you can access the headquarters company's intranet, but you cannot access the Internet. After reading the detailed explanation below, you will understand that this is caused by the routing settings.
(1) Why VPN clients cannot access the Internet
We know that the VPN client connects to the VPN Server over the Internet, so the client clearly has physical access to the Internet. Why, then, can it no longer access the Internet once the VPN connection is established? Many users know that the route table has changed, and that clearing the "Use default gateway on remote network" option in the "Advanced TCP/IP Settings" of the VPN connection restores Internet access. Although this method seems to work on the surface and solves one routing problem, it can introduce new routing problems and even serious security risks for the company's intranet. The original goal of using a VPN is security; if the company's network ends up exposed to external attacks because of how the VPN is used, we have strayed from that intention.
So how can we solve this problem better and more securely? What should we do first? A preliminary study of the client's routing gives you a complete picture of this point. We have already reasoned that this is a routing problem, so we can identify it by comparing the route table before and after the VPN connection. You can follow the steps yourself (see figure 1), which will make the behaviour easier to remember when you use a VPN for remote access. Before connecting the VPN, enter the route print command to display the current route table; then connect the VPN and run route print again, and compare the two outputs. You will see several additional routes after the connection, two of which matter most. In the displayed result they are the third and tenth rows of the active routes: route1, 0.0.0.0 0.0.0.0 150.0.1.226 150.0.1.226 1; and route2, 218.70.201.62 255.255.255.255 150.0.1.43 150.0.1.41 20. Note that some IP addresses in your routes may differ slightly.
Figure 1 route changes before and after a VPN connection
Here, 150.0.1.226 in route1 is the IP address the VPN Client obtained from the VPN Server, 150.0.1.41 in route2 is the IP address of the client's NIC, and 218.70.201.62 is the public IP address of the VPN Server. You can also see that the metric of the original default route, in the rightmost column, has increased and is now higher than the metric of the new route1. The original default route therefore no longer takes effect; what is used now is route1, which has the lower metric. From this point on, Internet traffic follows route1, which sends packets to the VPN port; the VPN port's data is then sent to the remote VPN Server via route2. Internet sites become unreachable as a result, and this is why the Internet cannot be accessed over the VPN connection.
(2) How to encapsulate and encrypt VPN data packets and transmit them securely
Now let's look at the route decision and packet encapsulation process on the VPN Client. As we all know, a VPN virtual interface is a virtual point-to-point link interface. When the VPN virtual interface receives a packet from the network layer, it encapsulates it in a PPP point-to-point frame, encrypts it and performs the other required operations, and then sends it to the gateway. Here the gateway is the VPN Client itself, so the encapsulated PPP frame is returned to the local machine for further processing. That further processing is in fact a second encapsulation.
So why is a second encapsulation needed? The frames produced by the first encapsulation can only be transmitted over the virtual VPN interface; to transmit the data through the physical interface, it must be encapsulated again at the physical link layer. Before it is finally wrapped in a link-layer frame, several further layers of encapsulation are applied to the PPP frame from the first step, because the specification does not allow a PPP frame to be placed directly inside another link-layer frame: some headers must be added in between. The simplest PPTP encapsulation adds a GRE header and an IP header in front of the PPP frame.
Encapsulating at the network layer, that is, adding the IP header, requires a route decision, because the packet must be sent explicitly to the distant VPN Server and a route to that server must be found. When the VPN connection is established, a route to the VPN Server (route2) is created at the same time; the PPTP- or L2TP-encapsulated IP packets are encapsulated again and handed to the interface specified by this route. For an Ethernet interface an Ethernet header is added; for a point-to-point interface a point-to-point link header is added; the frame is then sent onto the physical network. In our case route2 specifies the interface 150.0.1.41, which is the NIC, so an Ethernet frame header is added and the frame is sent onto the physical network.
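The two route decisions described in sections (1) and (2), as an added example that is not from the original article: a constructed approximation of the client's route table after the PPTP connection, a Windows-style lookup (longest prefix, then lowest metric), and a trace showing that a packet for the remote intranet first hits route1 (the VPN virtual interface), is wrapped in PPP+GRE+IP, and the outer packet then follows route2 out of the NIC. Using 150.0.1.43 as the LAN gateway of the original default route is an assumption; the article only shows it as route2's gateway.

```python
import ipaddress

# Constructed approximation of the article's `route print` output after the
# VPN comes up. Columns: destination, netmask, gateway, interface, metric.
VPN_IFACE = "150.0.1.226"      # address the client got from the VPN server
NIC_IFACE = "150.0.1.41"       # client's physical NIC
VPN_SERVER = "218.70.201.62"   # VPN server's public address
ROUTE1 = ("0.0.0.0", "0.0.0.0", VPN_IFACE, VPN_IFACE, 1)              # new default via VPN port
ROUTE2 = (VPN_SERVER, "255.255.255.255", "150.0.1.43", NIC_IFACE, 20)  # host route to the server
ROUTES_AFTER_VPN = [
    ("0.0.0.0", "0.0.0.0", "150.0.1.43", NIC_IFACE, 21),      # original default, metric raised (gateway assumed)
    ROUTE1,
    ("150.0.0.0", "255.255.0.0", VPN_IFACE, VPN_IFACE, 1),    # classful route for the VPN port
    ("150.0.1.0", "255.255.255.0", NIC_IFACE, NIC_IFACE, 20), # local LAN
    ROUTE2,
]
# Same table with "use default gateway on remote network" cleared: route1 is
# never added, so the default route keeps pointing at the LAN gateway.
ROUTES_OPTION_CLEARED = [r for r in ROUTES_AFTER_VPN if r != ROUTE1]

def lookup(routes, dst):
    """Windows-style route selection: longest prefix wins, ties broken by
    the lowest metric. Returns (gateway, interface) or None."""
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

def trace(routes, dst):
    """List the (stage, outgoing interface) hops for a packet to dst. If the
    first decision picks the VPN virtual interface, the packet is wrapped in
    PPP, GRE and an outer IP header to the VPN server, which is routed again."""
    hops = []
    first = lookup(routes, dst)
    if first is None:
        return hops
    hops.append(("ip", first[1]))
    if first[1] == VPN_IFACE:
        outer = lookup(routes, VPN_SERVER)
        hops.append(("ppp+gre+ip to " + VPN_SERVER, outer[1]))
    return hops

if __name__ == "__main__":
    for table, name in ((ROUTES_AFTER_VPN, "option kept"), (ROUTES_OPTION_CLEARED, "option cleared")):
        print(name, "->", trace(table, "192.168.0.5"))  # host on the remote intranet
```

With the option cleared the trace stops at the NIC: the intranet packet leaves the client unencrypted, which is the security problem the article warns about.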
(3) Solutions for accessing the Internet while using the VPN
The above three paragraphs make one point: to use a VPN connection, every packet transmitted over it must first reach the VPN virtual interface for processing. If the VPN virtual interface is bypassed, the packets belonging to this VPN connection are sent directly to the Internet without being encrypted, and your VPN security is no longer guaranteed.
Now let's look at the VPN Client's route table after the VPN connection. The default route does not change, and a classful network route corresponding to the VPN port's IP address is added: 150.0.0.0 255.255.0.0 150.0.1.226 150.0.1.226 1 (see the fourth line of the active routes in Figure 2). Assume you access the 192.168.0.0/24 subnet of the remote company intranet through the VPN connection. According to this route table, only the first default route matches. Following the default route, packets for 192.168.0.0/24 leave through the local network adapter and reach the gateway, and since routers on the Internet do not forward packets to private networks, external access to the company's intranet is avoided and intranet security is preserved. Therefore, if the "use the default gateway on the remote network" option is selected and the default route is used, none of the routing and security problems described above occur.
Figure 2: using the VPN safely without canceling "use default gateway on a remote network"
Many users, however, clear the "use default gateway on a remote network" option. The remote subnet can then be reached over the Internet, but because the VPN virtual port is bypassed, the data is not encrypted and its security cannot be guaranteed. This is not a real VPN, so clearing this option is not advisable. Furthermore, even if you assign the VPN Client an IP address from the 192.168.0.0/24 subnet, clearing the "use the default gateway on the remote network" option can cause a routing problem, because all packets for the local subnet are then routed to the remote subnet. To avoid this routing problem on the client, the IP range assigned to VPN Clients should not be the same as the client's own network range.
At the start of this article I said that clearing the "use the default gateway on a remote network" option brings new routing problems and even security risks. So how can the problem be solved? If you do not clear this option, you cannot access both the intranet and the Internet. This is indeed a dilemma. There is no single configuration that fits every case; different network environments call for different solutions. Since clearing the "use the default gateway on a remote network" option will certainly cause security problems, we should try not to clear it. For users who access the company intranet through a VPN connection and also need the Internet, I suggest configuring them to reach the Internet through a proxy, for example an HTTP proxy, which most proxy servers provide. In addition, if the IP address of the VPN Client and the NIC of the VPN Server are in the same logical subnet and the client only accesses that logical subnet, the "use default gateway on a remote network" option can be cleared.
Conclusion
I have written a great deal above, and you may not be entirely clear on the implementation steps. That does not matter, as long as you understand the basic principles: VPN packets must be encapsulated and encrypted before transmission, and Internet access must remain secure. That is why I wrote this article.
To sum up, only when the proxy server, the VPN Client's IP address and the VPN Server's NIC are in the same logical subnet can you clear the "use default gateway on a remote network" option. In the general case it is better to use the VPN with caution. We all access the network for the same purpose: to ensure the security of the company's network first. I hope that most users will be able to use their VPN smoothly.