Consuming VPN connection only inside application and only on specific HttpWebRequests

Oct 12, 2010 at 6:12 PM

Hi to all,

This is my second discussion in only 2 days. Sorry for stressing you so much!

As the title says, I need to consume a VPN connection only inside my own application and only on specific HttpWebRequests. Unchecking the "Use default gateway on remote network" setting in the Advanced TCP/IP Settings does the job; I can see that my web browser still uses the default internet connection even if inside my application a VPN connection has been established.

The problem is that when I run HttpWebRequests, the connection manager still uses the default internet connection instead of the VPN connection. I know that the connection manager of the HttpWebRequest class automatically selects the better/faster connection, but for this request I need the VPN connection, even if slower. Probably there's a missing setting in the DotRas dialer or in the HttpWebRequest, but sincerely I really don't know where to search.

I tried to enumerate all active connections through "RasConnection.GetActiveConnections()", but I don't see any option that allows me to use the desired connection for the HTTP request.

Thanks again for your help

'At the top of the form's code file
Imports System.IO
Imports System.Net
Imports DotRas

Private Sub Dialer_DialCompleted(ByVal sender As System.Object, ByVal e As DotRas.DialCompletedEventArgs) Handles Dialer.DialCompleted
    If (e.Cancelled) Then
        Me.StatusTextBox.AppendText("Cancelled!")
    ElseIf (e.TimedOut) Then
        Me.StatusTextBox.AppendText("Connection attempt timed out!")
    ElseIf (e.Error IsNot Nothing) Then
        Me.StatusTextBox.AppendText(e.Error.ToString())
    ElseIf (e.Connected) Then
        Me.StatusTextBox.AppendText("Connection successful!")

        'Connect to myipaddress.com to verify the connection used by looking at the reported ip address
        Dim req As HttpWebRequest = DirectCast(WebRequest.Create("http://www.myipaddress.com/"), HttpWebRequest)

        'retrieve the response (Using blocks close the response and the reader even if reading fails)
        Using resp As HttpWebResponse = DirectCast(req.GetResponse(), HttpWebResponse)
            Using stream_in As New StreamReader(resp.GetResponseStream())
                Dim response As String = stream_in.ReadToEnd() 'Here is my problem. Response should contain the ip address of my vpn connection instead of my default internet connection
            End Using
        End Using
    End If
End Sub
Coordinator
Oct 12, 2010 at 9:49 PM

This isn't a DotRas issue, it's a networking problem. You need to leave the checkbox for the default gateway checked if you want communication to go over the VPN. By not checking the box you're causing a split tunnel, which means you'd need to handle the routing manually or change the remote network settings. The easiest (and most secure) means to fix your problem would be to keep the checkbox checked.

DotRas has no ability to handle network routing, as it is outside the scope of the project.
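Added example, not code from the thread or from the DotRas project: one way to handle the split-tunnel routing yourself from the same application, as the reply above says is required. It looks up the IPv4 address of the dialed PPP adapter through System.Net.NetworkInformation, adds a /32 host route for the destination through the VPN adapter with route.exe (administrator rights needed), and binds the HttpWebRequest's TCP connection to the VPN address with ServicePoint.BindIPEndPointDelegate. The entry name and URL are assumptions; it also assumes Windows names the RAS adapter after the phonebook entry and that the strong host model of Windows Vista and later is in effect, so a packet sourced from the VPN address is only sent out of the VPN adapter.

```vbnet
' Added example (not DotRas code): send one HTTP request over a split-tunnel VPN.
Imports System
Imports System.Diagnostics
Imports System.IO
Imports System.Net
Imports System.Net.NetworkInformation
Imports System.Net.Sockets

Module VpnBoundRequest

    ' Finds the IPv4 address assigned to the dialed RAS/PPP adapter.
    ' Assumption: Windows names the adapter after the phonebook entry (e.g. "My VPN").
    Public Function GetVpnLocalAddress(ByVal entryName As String) As IPAddress
        For Each nic As NetworkInterface In NetworkInterface.GetAllNetworkInterfaces()
            If nic.NetworkInterfaceType = NetworkInterfaceType.Ppp AndAlso
               nic.OperationalStatus = OperationalStatus.Up AndAlso
               String.Equals(nic.Name, entryName, StringComparison.OrdinalIgnoreCase) Then
                For Each ua As UnicastIPAddressInformation In nic.GetIPProperties().UnicastAddresses
                    If ua.Address.AddressFamily = AddressFamily.InterNetwork Then
                        Return ua.Address
                    End If
                Next
            End If
        Next
        Throw New InvalidOperationException("VPN adapter '" & entryName & "' is not up or has no IPv4 address.")
    End Function

    ' Runs route.exe ADD/DELETE for a /32 host route. Requires administrator rights.
    ' Assumption: for a PPP link the adapter's own address is accepted as the gateway,
    ' which is how Windows installs its own RAS routes.
    Private Sub RunRoute(ByVal verb As String, ByVal destination As IPAddress, ByVal vpnLocal As IPAddress)
        Dim args As String = String.Format("{0} {1} MASK 255.255.255.255 {2}", verb, destination, vpnLocal)
        If verb = "ADD" Then args &= " METRIC 1"
        Dim psi As New ProcessStartInfo("route.exe", args)
        psi.UseShellExecute = False
        psi.CreateNoWindow = True
        Using p As Process = Process.Start(psi)
            p.WaitForExit()
            If p.ExitCode <> 0 Then
                Throw New InvalidOperationException("route " & verb & " failed with exit code " & p.ExitCode)
            End If
        End Using
    End Sub

    ' Issues the request with its TCP connection bound to the VPN address and
    ' with host routes in place for every IPv4 address the host name resolves to,
    ' so the request cannot pick an address that would leave via the default gateway.
    Public Function FetchOverVpn(ByVal url As String, ByVal entryName As String) As String
        Dim vpnLocal As IPAddress = GetVpnLocalAddress(entryName)
        Dim uri As New Uri(url)
        Dim targets As IPAddress() = Array.FindAll(Dns.GetHostAddresses(uri.Host),
            Function(a) a.AddressFamily = AddressFamily.InterNetwork)
        If targets.Length = 0 Then Throw New InvalidOperationException("no IPv4 address for " & uri.Host)

        For Each dest As IPAddress In targets
            RunRoute("ADD", dest, vpnLocal)
        Next
        Try
            Dim req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
            ' The ServicePoint is shared per host inside this process: the delegate applies
            ' to every request this application makes to that host, and only to connections
            ' opened after it is set (pooled keep-alive connections keep their old binding).
            ' Port 0 lets the stack choose the source port.
            req.ServicePoint.BindIPEndPointDelegate =
                Function(sp As ServicePoint, remote As IPEndPoint, retryCount As Integer) New IPEndPoint(vpnLocal, 0)

            Using resp As HttpWebResponse = DirectCast(req.GetResponse(), HttpWebResponse)
                Using reader As New StreamReader(resp.GetResponseStream())
                    Return reader.ReadToEnd()
                End Using
            End Using
        Finally
            ' Remove the temporary routes so other applications are not affected afterwards.
            For Each dest As IPAddress In targets
                RunRoute("DELETE", dest, vpnLocal)
            Next
        End Try
    End Function

End Module
```

From the DialCompleted handler above, the call would be FetchOverVpn("http://www.myipaddress.com/", Dialer.EntryName) inside the e.Connected branch. Binding the source address alone is not enough: under the strong host model the route lookup is restricted to the VPN adapter, and with "Use default gateway on remote network" unchecked that adapter only carries the routes RAS installed for the remote network, so a destination on the public internet is unreachable through it until the host route exists. Conversely, the host route alone would also redirect other applications' traffic to that destination, which is why it is added only for the duration of the request and removed in the Finally block.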

Oct 13, 2010 at 12:20 AM

Leaving the default gateway checked was the first option I tried to use. When enabled everything works like a charm and all HttpWebRequests are sent through the established VPN connection. The problem is that the VPN connection also becomes enabled for all the other applications (web browsers, e-mail client, etc.) while I need to consume this connection exclusively inside my own application, leaving all of the rest with the default internet connection.

I'm not an expert, but maybe if I find a way to get the port number used for the VPN connection, I could continue to handle the connection directly inside the HttpWebRequest.

DotRas.RasConnection returns a lot of useful information about the target VPN connection, but I still haven't found a way to get the port number used for the connection. I can intercept the "RasConnectionState.PortOpened" event, but there is no way to know what the port number is. It looks like some users of the forum successfully extracted it using WMI queries (http://dotras.codeplex.com/Thread/View.aspx?ThreadId=219006 , http://dotras.codeplex.com/Thread/View.aspx?ThreadId=81268).

I also tried this approach but failed. Probably the reason is that in my case the device name/type is different ("WAN Miniport (PPTP)/VPN"). I tried different WMI queries and classes and got lots of information, except the port number. I will continue testing WMI queries, but I don't think I will succeed.

I see that in the work list there's a new feature that allows DotRas to return the port number used for the connection. Any chance to get a preview or at least to know how it should work?

About security... to be honest I really don't have any idea of how security could be affected by unchecking the default gateway. I also don't like this approach, but actually it seems to be the only option that gives me more chances to reach my goal. What I can tell you is that this VPN connection doesn't require any authentication and I don't send or receive any sensitive data through it.

Thanks again

Coordinator
Oct 13, 2010 at 2:53 AM

"When enabled everything works like a charm and all HttpWebRequests are sent through the established VPN connection. The problem is that the VPN connection also becomes enabled for all the other applications (web browsers, e-mail client, etc.) while I need to consume this connection exclusively inside my own application, leaving all of the rest with the default internet connection."

That's what VPN tunnels are supposed to do. Since you don't know what I'm talking about with split tunnelling here is an excerpt from Wikipedia on the subject...

"A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network. When split tunneling is enabled, users bypass gateway level security that might be in place within the company infrastructure. For example, if web or content filtering is in place, this is something usually controlled at a gateway level, not the client PC." - Source: http://en.wikipedia.org/wiki/Split_tunneling

As far as not requiring any authentication on your VPN connection, you must be completely insane. A simple port sniffer would expose the remote access server, and the attacker would have instant access to your network. But I digress, this project has nothing to do with networking directly, it is simply a wrapper to the Windows RAS API so .NET developers can programmatically access it without having to write all of the interop code themselves.

"... but no way to know what the port number is. Look like some users of the forum succesfully extracted it using wmi queries"

Those discussions were trying to locate the COM port for a POTS modem, not the port the VPN tunnel is going through.

"I see that in the work list there's a new feature that allow DotRas to return the port number used for the connection."

That work item is primarily intended to be for modems. I have no idea what all I'm going to put into it. Also, I have not done any research on that work item yet (which is evident by the lack of comments or status changes in the item since it was created), I merely put it there for an idea to be implemented at a later date.

Good luck with what you're trying to accomplish, but as of this post I'm considering this discussion closed.

Oct 15, 2010 at 5:40 PM

Thanks for your precious and useful information. The VPN connection is a free one that I just use for experiments. Once I'm done and have found the right code, I will have to find a reliable and secure connection that requires authentication.

Unfortunately split tunneling is the only option available unless I have enough hardware to create a virtual machine where I can run the desired connection. About the work item, I have a router and therefore the new features will be useless in my case.

I don't want to disturb you anymore as it is clear that the rest of what I'm trying to accomplish doesn't involve DotRas anymore.

Thanks