Constraining Internet Traffic Over VPN Connection

Sep 10, 2010 at 12:00 PM

Hello

I have successfully been using the DotRas library to create a VPN connection to our service (it works great!).  However I have noticed a strange issue - basically once the VPN connection has been established all internet traffic then goes over the VPN!  This is not what I want to happen.  I only want data that is directed to the internal VPN network (i.e. VPN internal IP address 192.200.0.101) - hence all traffic that is directed to 192.200.0.101 should go via the VPN, but all other internet traffic should be directed to my default internet connection.  Can you explain how I can achieve this?

NOTE: I have successfully created a VPN (PPTP) connection manually but I get slightly different options to the connection that is created using the DotRas library.  Specifically - for the VPN PPTP connection I manually created I get the option "I am already connected to the internet" (via the Options tab) - I can set this to checked and this prevents the internet traffic from using the VPN connection.  However, the VPN PPTP connection created via the DotRas library does not have this field on the Options tab - therefore I cannot request that the internet traffic not be routed via the VPN.

Here are some observations:

1. The VPN PPTP Connection I manually create appears under the "Connection Manager" section within the "Control Panel --> Network Connection" panel.  However, the DotRas created VPN PPTP Connection appears in the "Virtual Private Network" section under the "Control Panel --> Network Connection" panel.  I am not sure why and I do not know if this affects things...

2. The DotRas VPN PPTP Connection (Properties --> Options Tab) does not have the field "I am already connected to the internet" - hence all internet traffic is being routed via the VPN.

I hope I have given you enough information to assist me with my problem.  Ultimately all I want is for traffic that is directed to IP 192.200.0.101 to be routed via the VPN and all other traffic to be routed via my default internet connection.

Thanks in advance.

Regards

Spencer

Sep 10, 2010 at 12:16 PM

FYI:  Here is the source code that I am using to create a VPN connection.  It references several constants but I'm sure you will understand:

// check if the VPN connection already exists
bool ConnectionExists = false;
foreach (RasEntry entry in mainForm.RasPhoneBook1.Entries)
{
    if (entry.Name == Constants.const_VPN_ENTRY_NAME)
    {
        ConnectionExists = true;
        break;
    }
}

bool ConnectionActive = false;
if (!ConnectionExists)
{
    // get the server
    ResourceData serverData = rm.GetData(Core.Base.Constants.cons_ENTITY_TYPE_USER_PREF, "-1", Core.ResourceManager.ResourceConstants.VPN_SERVER);

    // create a new VPN connection
    RasEntry entry = RasEntry.CreateVpnEntry(Constants.const_VPN_ENTRY_NAME, serverData.AsString, RasVpnStrategy.Default, RasDevice.GetDeviceByName("(PPTP)", RasDeviceType.Vpn, false));

    try
    {
        mainForm.RasPhoneBook1.Entries.Add(entry);
    }
    catch (Exception ex)
    {
        // Exception: Connection Already Exists?
        Core.Logging.DebugLog.LogException(ex);
    }
}
else
{
    // the entry exists - check if the connection is already active
    foreach (RasConnection connection in mainForm.RasDialer1.GetActiveConnections())
    {
        if (connection.EntryName == Constants.const_VPN_ENTRY_NAME)
        {
            ConnectionActive = true;
            break;
        }
    }
}

if (!ConnectionActive)
{
    if (UtilityFunctions.InternetAvailable())
    {
        try
        {
            // get the user
            ResourceData userData = rm.GetData(Core.Base.Constants.cons_ENTITY_TYPE_USER_PREF, "-1", Core.ResourceManager.ResourceConstants.VPN_USER);

            // get the password
            ResourceData PwordData = rm.GetData(Core.Base.Constants.cons_ENTITY_TYPE_USER_PREF, "-1", Core.ResourceManager.ResourceConstants.VPN_PASSWORD);

            mainForm.RasDialer1.EntryName = Constants.const_VPN_ENTRY_NAME;
            mainForm.RasDialer1.PhoneBookPath = RasPhoneBook.GetPhoneBookPath(RasPhoneBookType.AllUsers);

            if (async)
            {
                // dials async at the same time as the plug-in loads (should be enough time to connect before login)
                mainForm.RasDialer1.Timeout = 60000;
                mainForm.RasDialer1.DialAsync(new System.Net.NetworkCredential(userData.AsString, PwordData.AsString));
            }
            else
            {
                mainForm.RasDialer1.Dial(new System.Net.NetworkCredential(userData.AsString, PwordData.AsString));
            }
        }
        catch (Exception ex)
        {
            // Exception: Connection Does not exist?
            Core.Logging.DebugLog.LogException(ex);
        }
    }
}

The above code is designed to check whether the VPN entry exists on startup - if it does not, it is automatically created; once created, the connection is established.

Best Regards

Spencer

Coordinator
Sep 10, 2010 at 2:15 PM

This isn't a problem with DotRas, it's how you have your VPN connection configured. You need to turn off the RemoteDefaultGateway option for the entry.

entry.Options.RemoteDefaultGateway = false;

You just need to set that option before adding the entry to the phonebook, or by calling Update on the entry after the entry has been added to the phonebook.

Sep 10, 2010 at 3:04 PM
Edited Sep 10, 2010 at 3:04 PM

Hi Jeff

I created a simplified application and I tried to do as you stated:

this.rasPhoneBook1.Open();

RasEntry entry = RasEntry.CreateVpnEntry("My VPN", "xxx.xxx.xxx.xxx", RasVpnStrategy.PptpFirst, RasDevice.GetDeviceByName("(PPTP)", RasDeviceType.Vpn, false));
entry.Options.RemoteDefaultGateway = false;

try
{
    this.rasPhoneBook1.Entries.Add(entry);
}
catch (Exception ex)
{
    // report the actual exception text rather than only a guess at the cause
    this.statusTextBox.AppendText("Exception: Connection Already Exists? " + ex.Message + "\r\n");
}

However there is an issue:

Error 1 Static member 'DotRas.RasEntryOptions.RemoteDefaultGateway' cannot be accessed with an instance reference; qualify it with a type name instead C:\Development\Projects\c#\VPN DotRas\DotRas\DotRas\Form1.cs 23 13 DotRas
Error 2 The left-hand side of an assignment must be a variable, property or indexer C:\Development\Projects\c#\VPN DotRas\DotRas\DotRas\Form1.cs 23 13 DotRas

Basically from what I can see "Options" has no attribute property called "RemoteDefaultGateway".  Possibly I have done something wrong, please advise...

Best regards

Spencer

Sep 10, 2010 at 3:11 PM

Hi Jeff,

Thanks for your help - you set me on the right path.  I fixed the issue as follows:

entry.Options = entry.Options & ~RasEntryOptions.RemoteDefaultGateway;

I assume that is the correct method?

Thanks again

Spencer

Coordinator
Sep 10, 2010 at 4:21 PM

If you're using the 1.1 version of the SDK, yes. The 1.2 SDK redesigned that piece to make it more developer friendly.
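Putting the two answers together (clear the flag before Add, or clear it and call Update on an existing entry), here is an added example that is not code from this thread or from the DotRas project. It assumes the DotRas 1.1 flags-enum API shown above, and that the entry name and server address are passed in by the caller; the return value lets the caller verify that the phonebook entry really will not use the remote default gateway, i.e. only traffic routed to the remote network goes through the tunnel.

```csharp
using System;
using DotRas;

static class VpnEntryHelper
{
    // Ensures a PPTP entry exists in the all-users phonebook with the
    // "use default gateway on remote network" option cleared (split tunnel).
    // Returns true when the entry's stored options confirm the flag is clear.
    // Assumes the DotRas 1.1 API where RasEntry.Options is a flags enum.
    public static bool EnsureSplitTunnelEntry(string entryName, string server)
    {
        RasPhoneBook phoneBook = new RasPhoneBook();
        phoneBook.Open(RasPhoneBook.GetPhoneBookPath(RasPhoneBookType.AllUsers));

        RasEntry existing = null;
        foreach (RasEntry e in phoneBook.Entries)
        {
            if (e.Name == entryName) { existing = e; break; }
        }

        if (existing == null)
        {
            // new entry: clear the flag before it is written to the phonebook
            RasEntry entry = RasEntry.CreateVpnEntry(entryName, server, RasVpnStrategy.PptpFirst,
                RasDevice.GetDeviceByName("(PPTP)", RasDeviceType.Vpn, false));
            entry.Options = entry.Options & ~RasEntryOptions.RemoteDefaultGateway;
            phoneBook.Entries.Add(entry);
            existing = entry;
        }
        else if ((existing.Options & RasEntryOptions.RemoteDefaultGateway) != 0)
        {
            // entry already exists with the flag set: clear it and persist with Update
            existing.Options = existing.Options & ~RasEntryOptions.RemoteDefaultGateway;
            existing.Update();
        }

        // with the flag clear, only routes to the remote network use the tunnel;
        // all other traffic keeps the local default route
        return (existing.Options & RasEntryOptions.RemoteDefaultGateway) == 0;
    }
}
```

Call `EnsureSplitTunnelEntry(...)` before dialing with `RasDialer`; if it returns false, the phonebook still carries the remote default gateway setting and the tunnel would capture all traffic.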