How to solve the problem that VPN route settings cannot access the Internet

Source: Internet
Author: User

This article describes in detail how to solve the problem of a router VPN connection that cannot access the Internet, and offers several solutions that should help you.

Many problems come up while configuring VPN routes, and one of the most common is that the Internet becomes unreachable. This article introduces the solution. VPN (virtual private network) technology, used for remote access to a company's information resources, has been widely accepted by users in comparison with dial-up connection services and is gradually replacing them in practice.

A VPN can provide high-level remote access services and a secure communication mechanism for users and infrastructure. In this article I analyze in detail a problem that often occurs with VPN route settings. Many users who remotely access the company intranet from a client have run into it: after the router or VPN connection comes up successfully, you can reach the headquarters intranet but can no longer reach the Internet. After reading the detailed introduction below, you will understand that this is caused by the VPN route settings.

1) Why VPN clients cannot access the Internet

We know that the VPN client connects to the VPN server through the Internet, so the client clearly has working physical access to the Internet. Why, then, can it no longer reach the Internet once the VPN connection is established? Many users know that the route table has changed, and therefore clear the "Use default gateway on remote network" option in the VPN connection's "Advanced TCP/IP Settings" to restore Internet access. On the surface this seems to work, and it does solve one VPN route setting problem, but it may introduce new routing problems and even serious security risks for the company intranet. The original goal of using a VPN is security; if using the VPN ends up exposing the company network to external attack, we have drifted away from that original intention.

So how can we solve this problem better and more securely? First I will take a preliminary look at the routing of the VPN client, so that you have a more complete understanding of this point. We have reasoned that this is a VPN route setup problem; now we can confirm it from the changes in the route table before and after the VPN connection. You can follow these steps yourself, which will leave a deeper impression when you use VPN remote access later. Before the VPN is connected, run the `route print` command to display the current route table; then connect the VPN and run `route print` again, and compare the two outputs. You will see several additional routes after the connection, two of which are important. In the displayed result they are the third and tenth rows of Active Routes:

route1) 0.0.0.0 0.0.0.0 150.0.1.226 150.0.1.226 1
route2) 218.70.201.62 255.255.255.255 150.0.1.43 150.0.1.41 20

Note that some of the IP addresses in your routes may differ slightly.

Here, 150.0.1.226 in route1 is the IP address the VPN client obtained from the VPN server, 150.0.1.41 in route2 is the IP address of the client's NIC, and 218.70.201.62 is the public IP address of the VPN server. You can also see that the metric of the original default route, in the rightmost column, has been raised above the metric of the new route route1. The original default route therefore no longer takes effect; what is now used is route1, with its lower metric. From this point on, Internet-bound traffic follows route1: packets are routed to the VPN interface, and the VPN interface's data is then carried to the remote VPN server over route2. Because Internet traffic no longer leaves directly through the local gateway, Internet sites become unreachable. This is why the Internet cannot be accessed after the VPN connection is established.

2) How to encapsulate and encrypt VPN data packets and transmit them securely

Now let's look at the route decision and packet encapsulation process on the VPN client. As we all know, a VPN virtual interface is a virtual point-to-point link interface. When the VPN virtual interface receives a packet from the network layer, it encapsulates it into a PPP (point-to-point) frame, encrypts it and performs other processing, and then hands it to the gateway. Here the gateway is the VPN client itself, so the encapsulated PPP frame is returned to the local machine for further processing. That further processing is in fact a second encapsulation.

Why is a second encapsulation needed? The frames produced by the first encapsulation can only be transmitted through the virtual VPN interface; to transmit the data through a real interface, it must be encapsulated again at the real link layer. Before it is finally encapsulated as a link-layer frame, several further layers of encapsulation are applied to the PPP frame from the first step, because the specification does not allow a PPP frame to be placed directly inside another link-layer frame: headers must be added in between. The simplest case is PPTP encapsulation, which adds a GRE header and an IP header in front of the PPP frame.

When the packet is encapsulated at the network layer, i.e. when the IP header is added, a route decision is required, because the packet must be explicitly sent to the distant VPN server and a route to that server must be found. When the VPN connection is established, the route2 entry to the VPN server is created at the same time. The encapsulated PPTP or L2TP IP packet is sent to the interface specified by that route for processing: for an Ethernet interface an Ethernet header is added, and for a point-to-point interface a point-to-point link header is added, after which the frame is sent onto the physical network. In this case route2 specifies the interface 150.0.1.41, which is the NIC, so an Ethernet frame header is added and the frame is sent onto the physical network.

3) Solutions for using the VPN and the Internet at the same time

The three paragraphs above are meant to make one point: when a VPN connection is used, the packets sent through it must first arrive at the VPN virtual interface for processing. If the VPN virtual interface is bypassed, packets belonging to the VPN connection are sent directly to the Internet without being encrypted, and the security of your VPN is no longer guaranteed.

Now consider the route table of the VPN client after the connection when the remote default gateway is not used. The default route does not change, and a classful network route corresponding to the IP address of the VPN interface is added: 150.0.0.0 255.255.0.0 150.0.1.226 150.0.1.226. Suppose you want to reach the 192.168.0.0/24 subnet of the remote company intranet through the VPN connection. According to this route table, only the default route matches, so packets for 192.168.0.0/24 are sent unencrypted from the local network adapter to the local gateway. Since routers on the Internet do not forward packets addressed to private networks, the intranet cannot be reached this way, and because the packets leave the machine in the clear, intranet security is not guaranteed either. Therefore, if the "Use default gateway on remote network" option stays selected and the default route through the VPN is used, none of the routing and security problems mentioned above occur.
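The route selection described above (longest prefix first, then lowest metric) can be reproduced on the route tables the article lists. The following Python example is added here and is not part of the original article; the addresses are taken from the text, while the metrics of the pre-VPN routes and the raised metric of the original default route after connecting are assumptions, and the tables themselves are constructed sample data.

```python
import ipaddress

# Constructed Windows "route print" tables in the column order the article uses:
# (Network Destination, Netmask, Gateway, Interface, Metric).
# Addresses come from the article; the pre-VPN metrics and the raised metric (21)
# of the original default route after connecting are assumptions.
BEFORE_VPN = [
    ("0.0.0.0", "0.0.0.0", "150.0.1.43", "150.0.1.41", 20),          # default via LAN gateway
    ("150.0.1.0", "255.255.255.0", "150.0.1.41", "150.0.1.41", 20),  # local subnet
]
ROUTE1 = ("0.0.0.0", "0.0.0.0", "150.0.1.226", "150.0.1.226", 1)    # default via VPN interface
ROUTE2 = ("218.70.201.62", "255.255.255.255", "150.0.1.43", "150.0.1.41", 20)  # host route to VPN server
CLASSFUL = ("150.0.0.0", "255.255.0.0", "150.0.1.226", "150.0.1.226", 1)  # added when option is unchecked

# "Use default gateway on remote network" checked: original default demoted, ROUTE1 and ROUTE2 added.
AFTER_VPN = [("0.0.0.0", "0.0.0.0", "150.0.1.43", "150.0.1.41", 21), BEFORE_VPN[1], ROUTE1, ROUTE2]
# Option unchecked: default route untouched, only the classful VPN route and ROUTE2 added.
AFTER_VPN_NO_DEFAULT_GW = BEFORE_VPN + [CLASSFUL, ROUTE2]


def select_route(table, dst):
    """Return (gateway, interface) chosen for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gateway, iface, metric in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, gateway, iface)
    return (best[1], best[2]) if best else None


def added_routes(before, after):
    """Entries present only after connecting, like comparing two 'route print' outputs."""
    return [r for r in after if r not in before]


if __name__ == "__main__":
    cases = [("before VPN", BEFORE_VPN), ("after VPN", AFTER_VPN),
             ("after VPN, remote default gateway unchecked", AFTER_VPN_NO_DEFAULT_GW)]
    for name, table in cases:
        print(f"--- {name} ---")
        for dst in ("203.0.113.10", "192.168.0.5", "218.70.201.62"):
            gateway, iface = select_route(table, dst)
            print(f"{dst:>15} -> gateway {gateway} via interface {iface}")
    print("routes added by the connection:", added_routes(BEFORE_VPN, AFTER_VPN))
```

With the option checked, the public address 203.0.113.10 is pushed into the tunnel by route1 while the server address 218.70.201.62 still leaves via the NIC through route2; with the option unchecked, 192.168.0.5 matches only the physical default route and leaves unencrypted.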
