Split-Tunneling on Windows 10 or 11 using the Native VPN Client

Introduction

In some use cases the integrated Windows VPN client is all you need. A few options, however, cannot be set through the Settings app. One of them is split-tunneling: with it enabled, only the networks you explicitly route through the tunnel use the VPN, while everything else leaves the device over the local network. This post shows how to enable and configure it. Most of the client's advanced features, split-tunneling included, are exposed through the VpnClient PowerShell cmdlets.


Setting up a VPN Connection

A new VPN connection can be created through Windows Settings -> Network & Internet -> VPN, or with PowerShell. In this example I create it with PowerShell. Which tunnel type, authentication method and encryption settings you need depends on your VPN provider or firewall vendor.

In this example I’m using IKEv2:

Add-VpnConnection -Name 'Test-VPN' -ServerAddress 'test-fw.lab.local' -TunnelType 'IKEv2' -EncryptionLevel 'Required' -AuthenticationMethod Eap -RememberCredential

This command creates a VPN connection named "Test-VPN" using IKEv2 as the tunnel type and EAP as the authentication method. The server address can be either a DNS name or an IP address. Two things worth knowing before you copy this line: -RememberCredential stores the user's credentials on the device (drop it if your policy does not allow that), and -EncryptionLevel 'Required' only demands that the tunnel be encrypted; it does not choose the algorithms. The client negotiates those from its default IKEv2 proposal, which still includes legacy algorithms (3DES, SHA-1, DH group 2); to pin stronger ones use Set-VpnConnectionIPsecConfiguration.
For more information and additional configuration options, see the section Additional Information and Links below.


Configure Split-Tunnel Settings

The following steps all take the VPN connection name, which must match the name given in the previous step.

List all VPN Connections (Optional)

If you are unsure about the exact name, list all configured VPN connections:

Get-VpnConnection

Enable Split-Tunneling

Once the connection exists you can enable split-tunneling:

Set-VpnConnection -Name 'Test-VPN' -SplitTunneling $True

Set VPN Routes

With split-tunneling enabled, the client no longer sends all traffic through the tunnel, so we have to tell it which networks or hosts should be routed through the VPN. Each prefix is added with the following command:

Add-VpnConnectionRoute -ConnectionName "Test-VPN" -DestinationPrefix 172.22.22.0/24

Now every destination in 172.22.22.0/24 is routed through the VPN connection named "Test-VPN". Anything that matches none of the added routes leaves the device over the local network, outside the tunnel and outside whatever filtering or inspection the VPN gateway provides, so keep the route list as narrow as the use case allows and use host routes (/32) where a single server is all that is needed. Name resolution is a separate concern: after connecting, check that internal names actually resolve through the gateway's DNS servers (for example with Resolve-DnsName) rather than assuming it.
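
The three steps above (create the connection, enable split-tunneling, add the routes) as one re-runnable script. This is an added example, not code from the original post. The server name, the two prefixes and the IPsec algorithm choices are placeholders; the algorithms in particular have to match what your gateway offers, otherwise the IKE negotiation fails.

```powershell
# Added example: provision a split-tunnel IKEv2 profile end to end.
# Placeholder values: server name, prefixes and cipher choices are assumptions for this demo.
$Name     = 'Test-VPN'
$Server   = 'test-fw.lab.local'
$Prefixes = @('172.22.22.0/24', '172.22.23.0/24')

# Create the profile only if it does not exist yet, so the script can be run repeatedly.
$vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
if (-not $vpn) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType 'IKEv2' `
        -EncryptionLevel 'Required' -AuthenticationMethod Eap -RememberCredential
}

# -EncryptionLevel only says "encrypt"; it does not pick the algorithms. Pin the IKE and
# IPsec proposal so the client does not negotiate the legacy defaults (3DES, SHA-1, DH group 2).
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# Split tunneling: only the prefixes added below use the tunnel; everything else stays local.
Set-VpnConnection -Name $Name -SplitTunneling $true

# Reconcile the profile's route list with $Prefixes: add what is missing and remove anything
# that is not on the list, so the tunnel carries exactly the intended networks.
$current = @((Get-VpnConnection -Name $Name).Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($p in $Prefixes) {
    if ($current -notcontains $p) {
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p
    }
}
foreach ($p in $current) {
    if ($Prefixes -notcontains $p) {
        Remove-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $p
    }
}

# Show the resulting profile and its route list for review.
Get-VpnConnection -Name $Name | Select-Object Name, TunnelType, EncryptionLevel, SplitTunneling
(Get-VpnConnection -Name $Name).Routes | Select-Object DestinationPrefix, RouteMetric
```

Run it in an elevated PowerShell session on the client. Because the route list is reconciled rather than appended to, running the script a second time with a shorter $Prefixes list removes the routes that are no longer wanted instead of leaving them behind.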

List Active VPN Routes

There is currently no dedicated cmdlet that lists the routes of a connection. The routes are, however, exposed as the Routes property of the connection object, so you can read them like this:

(Get-VpnConnection -Name "Test-VPN").Routes

To show what multiple routes look like I added a second one beforehand.
The output lists all routes configured on the connection:

DestinationPrefix : 172.22.22.0/24
InterfaceIndex    :
InterfaceAlias    : Test-VPN
AddressFamily     : IPv4
NextHop           : 0.0.0.0
Publish           : 0
RouteMetric       : 1
PolicyStore       :

DestinationPrefix : 172.22.23.0/24
InterfaceIndex    :
InterfaceAlias    : Test-VPN
AddressFamily     : IPv4
NextHop           : 0.0.0.0
Publish           : 0
RouteMetric       : 1
PolicyStore       :
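
The Routes property shows what is configured on the profile, not what the operating system is doing. The routes are only installed in the routing table while the connection is up, so the check that matters is made against the live table after connecting. The following added example (not from the original post) connects with rasdial and then verifies that the tunnel carries the expected prefixes and nothing more. The profile name and prefixes are the ones used in this post.

```powershell
# Added example: connect, then verify what the tunnel actually carries.
# $Name and $Expected are assumed to match the profile created earlier in this post.
$Name     = 'Test-VPN'
$Expected = @('172.22.22.0/24', '172.22.23.0/24')

# rasdial dials a stored profile from the command line; the saved credentials are used
# because the profile was created with -RememberCredential.
rasdial $Name | Out-Null
if ($LASTEXITCODE -ne 0) { throw "rasdial $Name failed with exit code $LASTEXITCODE" }

# Read the live IPv4 routes bound to the tunnel interface (alias equals the connection name).
$live = @(Get-NetRoute -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction Stop)

# Check 1: the default route must not point at the tunnel. If it does, split tunneling is not
# in effect and all traffic is going through the VPN.
if ($live.DestinationPrefix -contains '0.0.0.0/0') {
    Write-Warning "Default route goes through $Name: split tunneling is NOT in effect"
} else {
    Write-Host "OK: no default route via $Name"
}

# Check 2: every expected prefix is present ...
foreach ($p in $Expected) {
    if ($live.DestinationPrefix -contains $p) { Write-Host "OK: $p routed via $Name" }
    else { Write-Warning "Missing route $p on $Name" }
}

# ... and nothing else, apart from the host (/32) and multicast routes Windows always adds
# to a point-to-point interface.
$extra = $live | Where-Object {
    $_.DestinationPrefix -notin $Expected -and
    $_.DestinationPrefix -notlike '*/32' -and
    $_.DestinationPrefix -ne '224.0.0.0/4'
}
foreach ($r in $extra) { Write-Warning "Unexpected route $($r.DestinationPrefix) via $Name" }

# Check 3: look at the negotiated IKE security associations to confirm which algorithms
# the gateway actually agreed to, rather than trusting the profile settings.
Get-NetIPsecMainModeSA | Format-List
```

Run this after every change to the route list or the IPsec configuration; a profile that looks right in Get-VpnConnection but installs a default route, or negotiates 3DES/SHA-1, is exactly the kind of gap this catches.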

Remove VPN Routes

A route is removed by specifying the connection name and the destination prefix:

Remove-VpnConnectionRoute -ConnectionName "Test-VPN" -DestinationPrefix "172.22.23.0/24"


Remove VPN Connection

The whole VPN connection can be removed with the following command (-Force suppresses the confirmation prompt):

Remove-VpnConnection -Name "Test-VPN" -Force

Additional Information and Links

All available configuration options are documented in the VpnClient module reference on docs.microsoft.com (now learn.microsoft.com).


Conclusion

Split-tunneling can be enabled quite easily with PowerShell. For larger installations the same cmdlets can be wrapped in a script that contains all required settings and is pushed to many clients; keep the routed prefix list in that script as narrow as possible, because everything that is not routed through the tunnel leaves each client directly.