Microsoft VPN Server - How is VPN traffic routed between Server and Client?

Simon Belmont 20 Reputation points
2024-02-20T09:33:26.7666667+00:00

We are trying to implement an Always On VPN Server solution with Microsoft VPN Servers. The VPN server is dual homed and we have a separate subnet for the VPN clients. (The IP addresses below are just examples)

VPN Server Internet Facing Nic: 172.168.10.7 (Gateway is configured on this Nic)

VPN Server Internal Network Nic: 172.169.10.70 (no Gateway is configured on this Nic, only persistent static routes)

VPN Subnet for Clients: 10.0.0.0/24

Static IP Pool configured on the VPN Server: 10.0.0.5-10.0.0.250

VPN Server RAS (Dial-In) Interface: 10.0.0.5

There is a static route configured on the VPN server, that routes traffic from the internal network facing nic to the VPN subnet for clients, route add 10.0.0.0 mask 255.255.255.0 172.169.10.1 -p

From the client we have manually created a VPN profile, and are able to connect to the VPN server just fine. The client receives the IP address 10.0.0.8, and since force tunneling is the default configuration, all traffic goes through 10.0.0.8

First hop is 10.0.0.5 (VPN Server's RAS (Dial-In) Interface)

The problem is that we are not able to access any internal resources from the VPN client. Using Wireshark on the VPN server, we are able to see that the VPN client's IP is trying to access internal resources through the VPN server.

From the VPN server itself, we are able to access all internal resources through the 172.169.10.70 interface. The network people say that network routing and FW openings are fine, and everything should function. But yet the communication from the VPN client to internal resources fails.

How is this communication supposed to occur, what could be misconfigured here?

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,796 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,227 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,363 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
551 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sedat SALMAN 14,065 Reputation points MVP
    2024-02-20T12:57:50.76+00:00

    When configuring a Microsoft VPN server for traffic routing between the server and client, especially in an Always On VPN setup, the routing can be approached in two main configurations: split tunneling and force tunneling. In a split tunnel configuration, specific routes are directed over the VPN while all other traffic uses the physical (local) network interface. This setup is ideal for allowing access to internal resources without routing all the client's internet traffic through the VPN, thus reducing bandwidth on the VPN server. Routes can be defined using the VPNv2 configuration service provider (CSP), allowing for detailed control over which traffic goes through the VPN​. https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/vpn/vpn-routing Force tunneling, on the other hand, routes all client traffic through the VPN. This approach is often used for enhanced security, ensuring that all client traffic is inspected and filtered according to the organization's policies before accessing the internet. Force tunneling is achieved by manipulating routing entries to ensure that VPN routes have a lower metric than those for other interfaces, effectively directing all traffic through the VPN by default​. https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/vpn/vpn-routing For troubleshooting, it's critical to ensure the VPN server has the necessary routes to internal resources and that clients are configured with routes to these internal networks. This setup ensures traffic can flow from the VPN clients to internal resources as intended. If access issues persist, verifying the correct configuration of both server and client routing, checking for any network policy server (NPS) policy misconfigurations, and ensuring proper certificate deployment are good steps​​​. https://directaccess.richardhicks.com/2019/08/19/always-on-vpn-and-rras-with-single-nic/ https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-remote-access-vpn-and-aovpn-guidance Lastly, understanding the core components of your Always On VPN infrastructure and ensuring correct configurations on both server and client sides are crucial for a functional setup. For detailed troubleshooting steps and configurations, consulting the provided Microsoft documentation and resources can offer more in-depth guidance​. https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-remote-access-vpn-and-aovpn-guidance

    0 comments No comments

  2. Karlie Weng 18,521 Reputation points Microsoft Vendor
    2024-02-22T01:57:05.1333333+00:00

    Hello, Try to ping the internal server or device by IP address and check if you can get to file shares using IP\path. We can use traceroute to check the routing on the vpn client when connected – if it has a route to the internal servers/resources via the vpn.

    ---If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.