# [SOLVED] PPTP split-tunneling broken?

## The_Great_Sephiroth

I have a MAJOR issue with my work laptop. Whenever I connect to a remote location via PPTP VPN by way of Network Manager in KDE4, I lose all Internet connectivity. In Windows I can select "Do not use default gateway on remote network" and all is good. I have been to the PPTP routes tab and checked "Only use for resources on this connection", but I still lose everything. How can I set up my PPTP connections to only work for addresses on that remote network?

*UPDATE*

For those reading this thread for a solution, it can be found here!

----------

## The_Great_Sephiroth

Is this possible with Linux? It seems to be broken on Debian Wheezy also, which tells me it is a long-standing bug or that it cannot work, despite having options for it.

----------

## szatox

Well, I'm not that much into PPTP and NM to know all the tricks there, but there is iptables as well. So... it surely is possible. It just may be a bit lower level than you would like.

What should this setup look like? You have some IP range you want to tunnel over VPN with the rest bypassing it?

----------

## The_Great_Sephiroth

The way it works on Windows and Apple is that if I access a host/IP on the remote network, it is routed through the tunnel. If I access anything else, it is not routed through said tunnel. Currently, everything is routed through the tunnel.

----------

## The_Great_Sephiroth

There is a bug! I am not sure if the bug exists in pppd or Network Manager. On my VPN properties in Network Manager, if I check "Use this connection only for resources on this network", nothing is reachable when I connect. After some checking, I discovered that a route was not being added. Here is what happens when I connect to the VPN.

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25
10.0.4.0        *               255.255.255.0   U     100    0        0 enp0s25
cpe-75-191-161- 10.0.4.254      255.255.255.255 UGH   0      0        0 enp0s25
loopback        *               255.0.0.0       U     0      0        0 lo
```

Now, if I manually enter `sudo route add -net 10.0.0.0/22 ppp0`, I get this.

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.0.0        *               255.255.252.0   U     0      0        0 ppp0
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25
10.0.4.0        *               255.255.255.0   U     100    0        0 enp0s25
cpe-75-191-161- 10.0.4.254      255.255.255.255 UGH   0      0        0 enp0s25
loopback        *               255.0.0.0       U     0      0        0 lo
```

Now everything works! By default data uses my network, but if the resource is at the other office, I am routed through my VPN. Where should I report this bug and should I report NM or pppd?

----------

## szatox

*Quote:*

> You have some IP range you want to tunnel over VPN with the rest bypassing it?

*Quote:*

> sudo route add -net 10.0.0.0/22 ppp0

:Rolling Eyes: 10.0.0.0/22

I'd report it to NM developers, it's clearly a configuration issue. And if somehow it isn't, they should know their stuff well enough to notice it, while pppd should not even know or care what is managing it.

----------

## The_Great_Sephiroth

Yes, /22, as in, 255.255.252.0. This gives the remote network (main office) 10.0.0.1-10.0.3.254 as a usable range. These are used for various things in-house. So no, that was not a typo. When you need more than 254 addresses, it is the only way to go!

Now, I will try to report this to the best of my ability. Should I report it to the Gentoo devs and let it go up through?

*EDIT*

Just for fun, here is a network break-down!

- 10.0.0.1-200 - Servers (mostly virtualized ones)
- 10.0.0.200-250 - Physical XenServer systems, normally with dual NICs
- 10.0.1.1-10.0.1.250 - Static workstations
- 10.0.2.1-200 - Dynamic devices such as laptops or mobile phones
- 10.0.2.201-250 - VPN IP addresses
- 10.0.3.1-100 - Static printing/scanning devices
- 10.0.3.101-200 - Static SIP/H323 phones
- 10.0.3.201-250 - Reserved

Remember, this is our MAIN office. Lots of goodies here we do not have at remote locations. Remote locations have VPN tunnels into the main office for access to servers and such.

----------

## The_Great_Sephiroth

Alright, this is NOT a bug. After reading, and doing some remembering, PPP is only aware of the device on the other end. When you check that box, you have to enter the route you want for the remote network. I did this under the "Routes" box for this particular network connection and all is good. Basically, you add a route for 10.0.0.0 with the netmask of 255.255.252.0 and set the metric to 22, and each time the connection comes up, it routes only packets destined for that network through the VPN. Everything else goes through my default gateway at my location.

To summarize:

1. Create the PPTP VPN connection and set everything up.
2. Go to the IPv4 tab and change to Routes with the drop-down.
3. Check "Use only for resources on this connection" to avoid changing your default gateway.
4. Click the "Add" button and type in the network IP and the netmask of the remote network.
5. Leave the "Gateway" at 0.0.0.0 and set the metric value to CIDR (in my case, 22).
6. Enjoy PPTP working correctly!

Hope this helps somebody else!
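Added example, not part of the thread: a small POSIX sh check that reads a routing table in the `route`/`route -n` column layout shown above and reports which of the two states described in this thread it is in, a default route sent over the tunnel (the original full-tunnel problem) or a missing route for the remote network over the tunnel (the "nothing reachable" state after ticking the checkbox). The sample tables are constructed, modelled on the output posted above; the network, prefix length and interface names are taken from the thread.

```shell
#!/bin/sh
# Check a routing table (text as printed by `route` or `route -n`) for split-tunnel state.
# Exit codes: 0 = split tunnel OK (default route off the VPN, remote net routed via VPN),
#             1 = default route goes over the VPN interface (full tunnel),
#             2 = no route for the remote network over the VPN interface.

# Convert a prefix length (22) to the dotted netmask route prints (255.255.252.0).
prefix_to_mask() {
  p=$1; mask=""
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
    else octet=$(( (255 << (8 - p)) & 255 )); p=0
    fi
    mask="${mask}${mask:+.}${octet}"
  done
  printf '%s' "$mask"
}

# check_split_tunnel <table-text> <remote-net> <prefix-len> <vpn-iface>
check_split_tunnel() {
  table=$1; net=$2; mask=$(prefix_to_mask "$3"); iface=$4
  # Interface of the default route: `route` prints "default", `route -n` prints 0.0.0.0.
  def_if=$(printf '%s\n' "$table" | awk '$1 == "default" || $1 == "0.0.0.0" { print $NF; exit }')
  [ "$def_if" = "$iface" ] && return 1
  # Is there a route for exactly the remote network (Destination + Genmask) on the VPN interface?
  printf '%s\n' "$table" | awk -v n="$net" -v m="$mask" -v i="$iface" \
    '$1 == n && $3 == m && $NF == i { found = 1 } END { exit found ? 0 : 1 }' || return 2
  return 0
}

# Constructed sample tables (modelled on the thread's `route` output).
BROKEN='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25'

# Same table after the /22 route for the main office was added on ppp0.
FIXED="$BROKEN
10.0.0.0        *               255.255.252.0   U     0      0        0 ppp0"

# Full-tunnel table: the default route itself points at ppp0 (constructed, `route -n` style).
FULL='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.1        0.0.0.0         UG    0      0        0 ppp0
10.0.4.0        0.0.0.0         255.255.255.0   U     0      0        0 enp0s25'

if check_split_tunnel "$FIXED" 10.0.0.0 22 ppp0; then echo "split tunnel OK"; fi
```

On a live system, feed it `"$(route -n)"` instead of the constructed tables.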

----------

