Not having split tunnel VPN is a deal breaker

JCKelly
JCKelly Posts: 8  Freshman Member
edited April 2021 in Nebula
Overall, I've been happy with the Nebula lineup but the lack of a split tunnel VPN client is driving me away from using the Gateway.  It's a shame because the single pane of glass management has been fantastic.  Please reconsider this crucial omission.

Comments

  • Zyxel_Chris
    Zyxel_Chris Posts: 705  Zyxel Employee
    Hello @JCKelly
    I assume you're using an L2TP tunnel and you want traffic to pass through the tunnel when accessing the remote LAN site, and to go out directly via the local interface card when accessing the internet? Please correct me if I'm wrong.
  • JCKelly
    JCKelly Posts: 8  Freshman Member
    Yes, that is correct.

    An SSL VPN setup would be even better
  • Alfonso
    Alfonso Posts: 257  Master Member

    Hi @JCKelly

    I assume it can be done using the routing metric option on the client device.

    But I agree it would be great to have it in the Nebula center.

    Regards

  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    This is also a deal breaker for us. We must be able to force split tunneling.
  • TAPTech
    TAPTech Posts: 167  Master Member
    We are using split tunnelling with USG and ATP devices and would really like the option on the NSG line up too!
    +1
  • Zyxel_Chris
    Zyxel_Chris Posts: 705  Zyxel Employee
    May I know whether both of your scenarios are using L2TP over IPSec? If that is the case, then the routing behavior is actually up to the end device: uncheck "default gateway on remote network" (in the advanced of ), then add the route in Windows manually; for instance "route add <LAN IP in peer> mask <submask> <Your L2TP IP in this host>" should work.

    In TCP/IPv4 properties > Advanced

    Add the route manually

  • TAPTech
    TAPTech Posts: 167  Master Member
    I'm using L2TP/IPSec.  It's adding the route that is the problem.  With USG and ATP devices we do not need to add this route.  We can push a script to many endpoints using our RMM tool and the VPN works great on USG and ATP.  For the NSG units, we need to keep the box checked and route all traffic over the VPN.  This is an issue if the VPN network has limited bandwidth.
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    We need to force this behavior centrally.
    There is a situation at a customer site, e.g. when they are using external people to connect to their servers. They do not want the person who connects to the VPN to be able to use full tunneling, since they have a lot of policies which depend on the WAN address. If people outside the organization who use the VPN get to browse with this WAN IP, they may be able to bypass other security lines.

    Please create a ticket/policy in Nebula (on user level) which says whether the connection will be split-tunneling or not. We can do this with most other firewalls, e.g. the free pfSense.
  • Zyxel_Chris
    Zyxel_Chris Posts: 705  Zyxel Employee
    Thanks for your input, and understood on the request; we'll put it in our feature queue. :)

  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    edited April 2020
    This has been a never ending question for all vendors and the answer seems to be always the same:
    https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
    https://forum.netgate.com/topic/104711/split-tunnel-with-l2tp-over-ipsec-in-pfsense/2
    https://community.ui.com/questions/Split-tunnel-VPN/98043267-96c5-4eac-877c-fa54eff13b9c
    L2TP remote VPN split tunneling is up to client settings, as the routes need to be configured on the client and cannot be 'forced' by the firewall device.

    There are other ways to avoid the issue of having internet traffic go through the VPN, and maybe including this on Nebula would be fantastic, such as creating a script/bat file that configures the routes and can be run on the client devices.
    Alternatively, it would be useful to have an option to automatically create firewall rules to allow the VPN network access to the LAN only, denying other traffic. This can be done manually now, but a little automation would be nicer :). I know this means the client will not have internet access at all while connected, but then users need to be instructed on what to do on their devices.
    "You will never walk along"
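
The client-side steps that Zyxel_Chris describes (uncheck "default gateway on remote network", then add a route for the peer LAN) and the "script that configures the routes" that TAPTech and RUnglaube mention can be done with the Windows VpnClient cmdlets rather than the TCP/IPv4 dialog and `route add`. The following is an added example, not code from the thread or from Zyxel; the connection name "Office-L2TP" and the remote LAN prefix 192.168.10.0/24 are hypothetical values that you would replace with your own.

```powershell
# Added example (not from the thread or from Zyxel): turn an existing Windows
# L2TP/IPsec VPN connection into a split-tunnel connection.
# Hypothetical values: connection "Office-L2TP", remote LAN 192.168.10.0/24.
param(
    [string]$ConnectionName = "Office-L2TP",
    [string[]]$RemotePrefix = @("192.168.10.0/24")
)

$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $conn) {
    throw "VPN connection '$ConnectionName' not found for the current user."
}

# Equivalent of unchecking "Use default gateway on remote network":
# internet traffic stays on the local interface; only routed prefixes use the tunnel.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Equivalent of the manual 'route add <LAN IP in peer> mask <submask> <L2TP IP>' step,
# but stored on the connection so Windows re-installs the route on every connect
# (a plain 'route add' must be repeated each time because the tunnel IP can change).
foreach ($prefix in $RemotePrefix) {
    $existing = (Get-VpnConnection -Name $ConnectionName).Routes |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Verify: split tunneling enabled and every expected prefix present.
$check   = Get-VpnConnection -Name $ConnectionName
$missing = $RemotePrefix | Where-Object { $_ -notin $check.Routes.DestinationPrefix }
if (-not $check.SplitTunneling -or $missing) {
    throw "Split tunnel setup incomplete. SplitTunneling=$($check.SplitTunneling); missing routes: $($missing -join ', ')"
}
"Split tunneling is enabled on '$ConnectionName'; tunnel-only prefixes: $($check.Routes.DestinationPrefix -join ', ')"
```

For a connection created for all users of the machine (the usual case when an RMM tool deploys it, as TAPTech describes), add the `-AllUserConnection` switch to each of the three cmdlets. Note that this is still a client-side setting, which is exactly the limitation the thread is about: it controls what the endpoint sends into the tunnel, and a user with local admin rights can revert it, so it does not replace the gateway-side policy (VPN network allowed to reach the LAN only) that RUnglaube suggests as the enforcement point.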
