Dynamic routing of a DCHP VPN connection

One of my clients is setting up two new VPNs — one is a connection between two office locations, and the other is the ability for users to dial in from home.

So, in either of the offices, we don’t care about reaching the single-PC VPN machines, but those machines do need to be able to reach computers at both offices. This article covers the routing situation for single-PC clients.

For hardware, we chose the SonicWall TZ100 as our appliances; one in each office. They’re pretty nice — they do VPNs,firewall, Antivirus, Spam, automatic failover/load balancing. They also provide L2TP Services, which work pretty well with the Windows Native VPN client.

We will have a couple of subnets, and a couple of VPN users; that’s a somewhat more complicated IP situation than the default situations provide. Our active subnets are:
192.168.1.x (main office),
192.168.2.x (remote office), and
192.168.4.x (VPN DHCP pool).

So, on a client PC, we want to route any traffic intended for those subnets to go through the VPN, any other network traffic we want to go out through the regular internet connection.

I was quite surprised to find out how difficult this is to pull off!

I finally settled on using WSCRIPT to accomplish that. You have to create the VPN connection item yourself, but then you can run a script connect the VPN, query the system for the IP address and set the routing.

Of course, you first need to create a stock Windows VPN connection. Then you have to set the Windows VPN item to disable the “make this gateway the default”. Then, you’ll need to use a bunch of ROUTE ADD commands to manually add the routes to the routing table.

However, the catch to that is that you need the IP address that the VPN provides, so that you can tell the computer which IP address to use as the route. There is no elegant way to get this information. There are a few WMI classes that look promising: Win32_NetworkAdapterConfiguration and Win32_NetworkAdapter. However, they only return the hard-coded IP address (or 0.0.0.0 if it’s DHCP) of the adapter, so that’s not useful.

My next thought was to fetch that information out of the registry. When the connection is made, that IP address is stored in the Registry, but only in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{someGUID}. That key is identified with a GUID; you’d think that GUID would match up with something else in the system, but I sure couldn’t find it. I don’t mind using GUIDs in scripts, but trying to write a script that you can give to an end-user that requires them to locate and enter a GUID is a bad idea.

SO, there’s a lot of non-attractive options out there. I did find a piece of code on the web that ran IPConfig and piped it into an array, parsing it to pull out the IP addresses returned for any adapters connected to the machine. Piping the output of a utility into a string and parsing it is error-prone — who knows if Windows 8 will change out IPConfig works. But I don’t think there were any other options. I modified it somewhat to pull the IP address for a specified adapter:

That was the hard part. Now for the rest of the code.

As you can see, it calls the “rasdial” command, which is the command that loads and runs a VPN connection. (It sure would be nice if such a command could be modified with a parameter to return the IP address, but no such luck.) Then once the connection is established, we fetch the IP address, clear the existing route table entries, and add the new ones.

And that’s it. Feel free to use this; hopefully it’ll save you a little time somewhere.

If anyone feels like adding, or pointing people to, a script to create the VPN connection in the first place, I’d be delighted to see it.

Full Source: