
Options for Internet Access Through a Mobile VPN with PPTP Tunnel

You can enable remote users to get access to the Internet through a Mobile VPN with PPTP tunnel. This option affects your security because this Internet traffic is not filtered or encrypted. You have two options for Mobile VPN with PPTP tunnel routes: default-route VPN and split tunnel VPN.

Default-Route VPN

The most secure option is to require that all remote user Internet traffic be routed through the VPN tunnel to the Firebox. The traffic is then sent from the Firebox back to the Internet. With this configuration (known as default-route VPN), the Firebox is able to examine all traffic and provide increased security, though it uses more processing power and bandwidth. With default-route VPN, a dynamic NAT policy on your Firebox must include the outgoing traffic from the remote network. This allows remote users to browse the Internet when they send all traffic to the Firebox.

For more information about dynamic NAT, see Add Network Dynamic NAT Rules.

If you run the route print or ipconfig commands after you start a Mobile VPN with PPTP tunnel on a computer with Microsoft Windows installed, you see incorrect default gateway information. The correct information is located on the Details tab of the Virtual Private Connection Status dialog box.

Split Tunnel VPN

Another configuration option is to enable split tunneling. This option enables users to browse the Internet, but does not send Internet traffic through the VPN tunnel. Split tunneling improves network performance, but decreases security because the policies on your Firebox are not applied to the Internet traffic. If you use split tunneling, we recommend that each user computer have a software firewall enabled.

Default-Route VPN Setup for Mobile VPN with PPTP

In the Windows PPTP client, the default setting for a PPTP connection is default-route. Your Firebox must be configured with dynamic NAT to receive the traffic from a PPTP user. Any policy that manages traffic to the Internet from behind the Firebox must be configured to allow the PPTP user traffic.

When you configure your default-route VPN:

  • Make sure that the IP addresses you have added to the PPTP address pool are included in your dynamic NAT configuration on the Firebox.
    From Policy Manager, select Network > NAT.
  • Edit your policy configuration to allow connections from the PPTP-Users group through the external interface.
    For example, if you use WebBlocker to control web access, add the PPTP-Users group to the proxy policy that has WebBlocker enabled.

Split Tunnel VPN Setup for Mobile VPN with PPTP

On the user computer, edit the PPTP connection properties to not send all traffic through the VPN.

For Windows 10, you must use Windows PowerShell to edit the VPN connection settings:

  1. In the Windows search bar, type powershell.
  2. In the search results, select Windows PowerShell.
    The PowerShell command interface window appears.
  3. To see the list of VPNs, type the get-vpnconnection command.
    The configuration of all available Windows VPNs appears in the PowerShell window.
  4. Find the name of the PPTP mobile VPN connection to change, for example My Mobile VPN.
  5. To enable split tunneling for this VPN connection, type set-vpnconnection -Name "My Mobile VPN" -SplitTunneling $true.
  6. To disable split tunneling for this VPN connection, type set-vpnconnection -Name "My Mobile VPN" -SplitTunneling $false.
  7. To exit PowerShell, type exit.
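The PowerShell steps above, collected into one script so the change can be applied and verified in a single run. This is an added example, not WatchGuard's own code: it assumes the Windows 10 VpnClient cmdlets (Get-VpnConnection, Set-VpnConnection) and the NetSecurity cmdlet Get-NetFirewallProfile are available, and it assumes a connection named "My Mobile VPN"; replace that name with the one Get-VpnConnection lists on your computer. The script name Set-PptpSplitTunnel.ps1 in the usage note is hypothetical.

```powershell
# Added example (not WatchGuard's own code). Assumes the Windows 10 VpnClient module
# (Get-VpnConnection / Set-VpnConnection) and a PPTP connection named "My Mobile VPN".
# The connection name is an assumption; use the name that Get-VpnConnection shows.
param(
    [string]$Name = "My Mobile VPN",
    [switch]$EnableSplitTunnel      # omit the switch to return to default-route VPN
)

# Steps 3 and 4: list the available VPN connections with the fields that matter here.
Get-VpnConnection |
    Select-Object Name, TunnelType, ServerAddress, SplitTunneling, ConnectionStatus |
    Format-Table -AutoSize

# Stop with a clear error if the name does not match an existing connection.
$vpn = Get-VpnConnection -Name $Name -ErrorAction Stop
Write-Host "Before: '$($vpn.Name)' SplitTunneling = $($vpn.SplitTunneling)"

# Steps 5 and 6: $true enables split tunneling, $false sends all traffic through the Firebox.
Set-VpnConnection -Name $Name -SplitTunneling ([bool]$EnableSplitTunnel)

# Read the setting back rather than trusting that the change took effect.
$vpn = Get-VpnConnection -Name $Name
Write-Host "After:  '$($vpn.Name)' SplitTunneling = $($vpn.SplitTunneling)"

if ($vpn.SplitTunneling) {
    # With split tunneling, Internet traffic bypasses the Firebox policies, so confirm the
    # host firewall that the page recommends is actually enabled on every profile.
    Write-Warning "Internet traffic from this computer will not pass through the Firebox."
    Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
}
```

Run it as `.\Set-PptpSplitTunnel.ps1 -Name "My Mobile VPN" -EnableSplitTunnel` to enable split tunneling, or without the switch to restore default-route VPN. Reading the connection back after Set-VpnConnection is the check that matters: if the cmdlet ran without sufficient rights for an all-user connection, the "After" line still shows the old value.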

For Windows 8:

  1. From the Windows 8 Charms menu, select Settings.
  2. Click Change PC Settings.
  3. Select Network.
    The Connections list appears.
  4. In the Connection list, right-click the VPN connection name.
  5. Select View connection properties.
    The VPN Properties dialog box appears.
  6. Select the Networking tab.
  7. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  8. On the General tab, click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  9. On the IP Settings tab, clear the Use default gateway on remote network check box.

For Windows 7:

  1. Select Control Panel > Network and Internet > Connect to a network.
  2. Right click the VPN connection.
  3. Select Properties.
    The VPN properties dialog box appears.
  4. Select the Networking tab.
  5. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  6. On the General tab, click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  7. On the IP Settings tab, clear the Use default gateway on remote network check box.

For Windows XP:

  1. Select Control Panel > Network Connections and right-click the VPN connection.
  2. Select Properties.
    The VPN properties dialog box appears.
  3. Select the Networking tab.
  4. Select Internet Protocol (TCP/IP) and click Properties.
    The Internet Protocol (TCP/IP) Properties dialog box appears.
  5. On the General tab, click Advanced.
    The Advanced TCP/IP Settings dialog box appears.
  6. On the General tab, clear the Use default gateway on remote network check box.

About PPTP Routes

PPTP routes are defined by the user computer. If you do not select the Use default gateway on remote network check box, the computer routes traffic through the VPN tunnel only if the destination matches a route on the computer that points through the VPN.

Most user computers set the route based on the apparent subnet class of the virtual IP address. For example, a virtual IP address of 10.0.10.25 is part of the RFC-1918 standard class A subnet 10.0.0.0/8, so the computer creates a route to that entire subnet for the VPN connection. This behavior can vary depending on the computer OS and OS version.
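An added example (not WatchGuard's own code) that makes the classful-route behavior concrete: it derives the class A/B/C network a Windows PPTP client typically installs from the assigned virtual IP, then shows which destinations would use the tunnel and which would go to the local default gateway when split tunneling is on. The page's own virtual IP 10.0.10.25 is used; the four destination addresses are constructed for illustration, and the Get-NetRoute comparison in the comment assumes a connection named "My Mobile VPN".

```powershell
# Added example (not WatchGuard's own code). Derives the classful network a Windows
# PPTP client typically routes through the tunnel from the virtual IP it was assigned.
function Get-ClassfulRoute {
    param([Parameter(Mandatory)][string]$VirtualIp)
    $b = [System.Net.IPAddress]::Parse($VirtualIp).GetAddressBytes()
    # Classful boundaries come from the first octet: 0-127 = A, 128-191 = B, 192-223 = C.
    if     ($b[0] -lt 128) { $prefix = 8;  $net = "$($b[0]).0.0.0" }
    elseif ($b[0] -lt 192) { $prefix = 16; $net = "$($b[0]).$($b[1]).0.0" }
    elseif ($b[0] -lt 224) { $prefix = 24; $net = "$($b[0]).$($b[1]).$($b[2]).0" }
    else { throw "$VirtualIp is not a unicast class A/B/C address" }
    [pscustomobject]@{ VirtualIp = $VirtualIp; Network = $net; PrefixLength = $prefix }
}

# True when the destination falls inside the derived route; classful prefixes are
# multiples of 8, so comparing the leading octets is sufficient.
function Test-UsesTunnel {
    param([string]$Destination, [psobject]$Route)
    $octets = $Route.PrefixLength / 8
    $d = $Destination.Split('.')
    $n = $Route.Network.Split('.')
    for ($i = 0; $i -lt $octets; $i++) {
        if ($d[$i] -ne $n[$i]) { return $false }
    }
    return $true
}

# The page's example: virtual IP 10.0.10.25 yields the route 10.0.0.0/8.
$route = Get-ClassfulRoute -VirtualIp "10.0.10.25"
$route | Format-Table -AutoSize

# Constructed sample destinations (not from the page).
foreach ($dst in "10.0.1.10", "10.200.3.4", "192.168.1.20", "203.0.113.5") {
    $via = if (Test-UsesTunnel -Destination $dst -Route $route) {
        "VPN tunnel (filtered by Firebox policies)"
    } else {
        "local default gateway (not filtered by the Firebox)"
    }
    "{0,-15} -> {1}" -f $dst, $via
}

# On a connected client, compare the derived route with what Windows actually installed
# (connection name is an assumption):
#   Get-NetRoute -AddressFamily IPv4 | Where-Object InterfaceAlias -eq "My Mobile VPN"
```

The point for a defender is the second and third destinations: with split tunneling on, 10.200.3.4 is sent through the tunnel even if no such network exists behind the Firebox, while 192.168.1.20 on another private range never reaches the Firebox at all, so policies there cannot see it.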

See Also

Add Network Dynamic NAT Rules
