Unifi USG VPN Split Tunnel

Mainstay

Hi All,

Just set up a Ubiquiti USG and configured the VPN connection as per https://help.ubnt.com/hc/en-us/arti...P-Remote-Access-VPN-with-USG-as-RADIUS-Server

I can connect from home (W10Pro) to my office, but ALL traffic is routed through the work network, including content that should route through my home internet.

I CAN access work resources and I CAN access home resources.

I have tried:
• modifying my IPv4 metrics (no change in behavior)
• unchecking "Use Default Gateway on remote network" - remote resources are not accessible

I believe I need to add a static route to correct this issue, but want to check with the UBNT gurus (and VPN experts) on how I should PROPERLY solve this problem.

Adding a static route to my local machine is fine, but it means one more step / consideration for future systems.

My home network is 10.0.1.1 and my office is 192.168.1.1 and my VPN is 192.168.4.1.

Thank you for reading this and for any and all recommendations.

--Matthew
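The static-route approach the post considers can be done on the Windows 10 client without a manual "route add" after every connect. The following is an added example (not from the thread or from Ubiquiti) using the built-in VpnClient PowerShell cmdlets: it turns on split tunnelling for an existing connection (the same thing as unticking "Use default gateway on remote network") and then registers the office subnet as a route that Windows installs whenever the tunnel comes up. The connection name "Office" is hypothetical, and 192.168.1.0/24 is assumed from the 192.168.1.1 office gateway mentioned in the post; adjust both to match the real setup.

```powershell
# Added example, not the thread author's configuration.
# Assumptions: the VPN connection is already created and named "Office"
# (hypothetical name); the office LAN is 192.168.1.0/24 (inferred from the
# 192.168.1.1 gateway in the post; change the mask if the office uses another).
$ConnectionName = "Office"
$OfficeSubnets  = @("192.168.1.0/24")

# Fail early if the connection does not exist for the current user.
$null = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Equivalent of unticking "Use default gateway on remote network":
# Windows no longer installs a default route through the tunnel, so
# internet traffic leaves via the home ISP instead of the office.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# With no default route the office LAN is unreachable, which is the symptom
# described in the post. Register each office prefix as a connection route;
# Windows adds it when the tunnel comes up and removes it when it drops.
foreach ($prefix in $OfficeSubnets) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# Show the resulting configuration: split tunnelling flag and stored routes.
$vpn = Get-VpnConnection -Name $ConnectionName
$vpn | Select-Object Name, SplitTunneling
$vpn.Routes | Select-Object DestinationPrefix, RouteMetric

# After connecting, confirm only the office prefix goes through the tunnel:
#   Get-NetRoute -DestinationPrefix 192.168.1.0/24
#   Get-NetRoute -DestinationPrefix 0.0.0.0/0      # should still point at the home router
```

Because this lives on the client, it only expresses a preference of whoever configures that machine; as the later reply about the Sonicwall notes, the decision of whether split tunnelling is permitted belongs with the VPN gateway, so this is a convenience for the user, not an enforcement point.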
 
Is this a site-to-site VPN between 2 USGs? I know when you create a site-to-site with Sonicwalls, there is a specific option to allow split tunnel or not. If it isn't a site-to-site, then the Windows networking would control that, I think. I assume you found this thread on the Unifi forums....
 
If I do, no traffic is routed from the office site and I cannot access any remote resources.

Something's not right... that's only the "gateway" setting, which routes traffic to/from DIFFERENT networks than what you're on. A gateway is an onramp to another network (such as the internet). LAN access should still happen (and a VPN is LAN access on both sides).
 
No - simple client to office network.

When I have this setup with a Sonicwall, the control of whether to have split tunneling or not is in the VPN settings of the Sonicwall, NOT in the settings of the client software. This makes sense as it would be more secure that way. I would grind through the settings on the USG and look for the one that controls this.

Here is a snippet from their forums which might be of some help:
===
the answer to the question you asked above about how to get traffic routed over the VPN is ...
  • configure the PPTP VPN client in the GUI
  • in the "Remote subnets" box, whatever you put in there will get routed over the VPN connection
  • this remote subnets thing is the thing that controls what is routed over the VPN, and what goes direct to the ISP
  • so if you put 0.0.0.0/0, then everything will go over the VPN. As someone mentioned, 0.0.0.0/0 is a "last resort", a wildcard, match everything kind of route
  • as another example, if you only put in 35.164.166.21/32 (or maybe /30, not sure what will work) then only requests to ubnt.com (I pinged that to get the IP address, there may be others) will get routed over the VPN
  • you can keep adding remote subnets till the cows come home (or the routing table & USG RAM fills up), but given that it is IP addressed based and not domain based it is of limited value
This "remote subnets" functionality was designed to link defined networks that you control and not for what we're trying to achieve, so I understand that UBNT may take some time to catch up to what we need
===
 
Just re-set up the USG from scratch and will test the VPN again.

I had read that original thread but did not see this extra snippet you have posted. Am going to try that again. Thank you!
 