In some use cases the integrated Windows vpn client might fit your needs. Some vpn options however can’t be configured through the default settings. One of those options is “split-tunneling”. I will show you how to enable and configure it. Most advanced features can be configured using Powershell.
Setting up a VPN Connection
A new vpn connection can be created through the Windows settings -> vpn or using Powershell. In this example I will show you how to create a new connection using Powershell. The required settings depend on your vpn provider/firewall vendor.
In this example I’m using IKEv2:
Add-VpnConnection -Name 'Test-VPN' -ServerAddress 'test-fw.lab.local' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -RememberCredential
This command will create a vpn connection named “Test-VPN” using “IKEv2” as a vpn type and “Eap” as an authentication method. The server address can be either a domain name or ip address.
For more information and additional configuration options please refer to the following section: Additional Information and Links
Configure Split-Tunnel Settings
In the following steps you need to provide the vpn connection name. The vpn connection name needs to match the name provided in the previous step.
List all VPN Connections (Optional)
If you are unsure about the correct vpn name you can use the following command to list all available vpn connections:
After setting up and your vpn connection you can now enable split-tunneling:
Set-VpnConnection -Name 'Test-VPN' -SplitTunneling $True
Set VPN Routes
Once split-tunneling is enabled we need to tell the vpn connection which networks or hosts should be routed through the vpn.
This can be done with the following command:
Add-VpnConnectionRoute -ConnectionName "Test-VPN" -DestinationPrefix 172.22.22.0/24
Now every destination of subnet 172.22.22.0/24 gets routed through the vpn connection named “Test-VPN”.
List Active VPN Routes
Unfortunately there is not currently a direct cmdlet available to list routes associated with a connection.
You can use the following command to list all routes for the specified connection:
(Get-VpnConnection -ConnectionName "Test-VPN").routes
To get an idea what multiple routes would look like I added another one beforehand.
The output lists all active routes:
DestinationPrefix : 172.22.22.0/24 InterfaceIndex : InterfaceAlias : Test-VPN AddressFamily : IPv4 NextHop : 0.0.0.0 Publish : 0 RouteMetric : 1 PolicyStore : DestinationPrefix : 172.22.23.0/24 InterfaceIndex : InterfaceAlias : Test-VPN AddressFamily : IPv4 NextHop : 0.0.0.0 Publish : 0 RouteMetric : 1 PolicyStore :
Remove VPN Routes
You can also remove a vpn route by specifying the “Connection Name” and “Destination Prefix”:
Remove-VpnConnectionRoute -ConnectionName "Test-VPN" -DestinationPrefix "172.22.23.0/24"
Remove VPN Connection
Removing the complete vpn connection is also possible with the following command:
Remove-VpnConnection -Name "Test-VPN" -Force
Additional Information and Links
You can find all available configuration options at docs.microsoft.com.
Split-Tunneling can be enabled quite easily using Powershell. For large installations these tasks can also be automated by creating Powershell scripts which include all required settings. These scripts could then be used to configure multiple clients.