AOVPN-SSTP-force-tunnel connected successfully but no internet access

AOVPN_fan 96 Reputation points
2021-02-06T17:55:53.207+00:00

Hi everybody,

It seems that I hit the wall on this issue. We have deployed AOVPN on W2K19, using SSTP-User tunnel with force tunneling. Clients are able to connect with no issues and are able to access all local resources, applications, etc., but they are unable to access the Internet. Just a note, we have tested "Split tunneling" and everything works OK. Unfortunately, due to our internal security policies we must have "force-tunneling" in place; we understand the disadvantages, but security has more priority.

By the way, we have deployed AOVPN following MS best practices, meaning 2 NICs: one internal, with no default gateway, using our internal DNS servers and with static routes added to access our internal resources, and the second NIC, hosted in the DMZ for external access, with a default gateway (pointing to our NGFW-Cisco ASA) and no DNS servers.
Also, we have changed the metric value of these 2 interfaces, assigning the lowest value to the local interface. On the NGFW we have a NAT rule for the private-DMZ IP pointing to our public IP, and it allows traffic on port 443. Just in case, note that the VPN-RAS server has internet access.

All the clients are Windows 10 and we have tested versions from 1803 to 1909 with no success. Also, as one of the troubleshooting steps, I have added a static route on the VPN-RAS server to access Google DNS-8.8.8.8, and after that the VPN client was able to ping that specific IP only. But I don't think this is the proper way to address this issue; it would be crazy to add static routes to access the internet in this way.

What am I missing? Thanks in advance....


Accepted answer
  1. AOVPN_fan 96 Reputation points
    2021-02-07T18:19:26.803+00:00

    Please note that this issue has been addressed; we were missing one feature in our deployment. We have installed the routing feature, configured the NAT interface, and everything is working as expected.

    Thanks.
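
One way to apply the fix described in the accepted answer on a Windows Server RRAS host, as an added example that is not part of the original post (the poster did not share the exact commands). The interface names `DMZ` and `Internal` are assumed placeholders, and the script assumes RRAS is already configured for VPN as described in the question.

```powershell
# Added example: run in an elevated PowerShell session on the VPN-RAS server.
# Interface names below are assumptions; list yours with Get-NetAdapter and
# "netsh routing ip show interface".
$ExternalNic = 'DMZ'        # assumed name of the NIC with the default gateway
$RasInternal = 'Internal'   # assumed: RRAS interface representing VPN clients

# 1. Install the Routing role service of Remote Access if it is missing.
$routing = Get-WindowsFeature -Name Routing
if (-not $routing.Installed) {
    Install-WindowsFeature -Name Routing -IncludeManagementTools
}

# 2. Restart RRAS so the routing components are loaded.
Restart-Service -Name RemoteAccess

# 3. Add the NAT routing protocol, then mark the DMZ-facing NIC as the
#    public (translating) side and the VPN client side as private.
netsh routing ip nat install
netsh routing ip nat add interface name="$ExternalNic" mode=full
netsh routing ip nat add interface name="$RasInternal" mode=private

# 4. Confirm both interfaces are registered with NAT.
netsh routing ip nat show interface
```

With force tunneling, client Internet traffic arrives from the VPN address pool, so the upstream firewall only ever sees the RAS server's DMZ address once NAT is in place; outbound filtering and logging on the NGFW still apply to that traffic.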

