2 PCs on local LAN, but trafik goes through SE VPN!
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
2 PCs on local LAN, but trafik goes through SE VPN!
Remote Server:
version = 5.02 DE
SecureNAT enabled, but gateway + DNS empty !! (no internet access to clients enabled)
10.100.16.1
PC1 + PC2 Clients:
version = 5.02 DE
OS = Windows7 32bit
Local wired LAN, ZTE ISP router : 192.168.1.64 + .1.65 DHCP
SE VPN - FIX IP manually set: 10.111.16.11 + .16.12
Gateway empty, DNS empty
Goal:
- remote support from my PC3 (VNC + RDP) connected as client too.
- not disturbing local LAN communication of PC1 + PC2 !
Problem:
- Since I've installed SE client to both PCs,
- If PC1 is trying to connect to PC2's database (by PC name, on port 3050 )
- the traffic goes through 10.111.16.x (VPN99)
- instead of the normal, 100MBit local LAN (192.168.1.x) !!!
Tried to :
Set metric manually to 1111 (automatic metric turned off)
but did not help :-(
I'm out of ideas.
Had to turn OFF SE VPN client on one of the PCs, as long as it is not solved.
(Luckily the old OpenVPN is still up, so I can still connect to those PCs that way...)
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
Code:
10.8.173.0 255.255.255.0 10.8.173.9 10.8.173.10 10 Indirect Static Route 6 394 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:53 No
10.8.250.0 255.255.255.0 10.8.173.9 10.8.173.10 10 Indirect Static Route 6 394 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:53 No
10.8.251.0 255.255.255.0 10.8.173.9 10.8.173.10 10 Indirect Static Route 6 394 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:53 No
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.65 20 Indirect Static Route 6 402 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:45 No
130.158.6.110 255.255.255.255 192.168.1.1 192.168.1.65 20 Indirect Static Route 5 209 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:43:38 No
193.201.184.175 255.255.255.255 192.168.1.1 192.168.1.65 20 Indirect Static Route 5 209 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:43:38 No
10.8.173.8 255.255.255.252 10.8.173.10 10.8.173.10 266 Direct Static Route 6 400 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:47 No
10.8.173.10 255.255.255.255 10.8.173.10 10.8.173.10 266 Direct Static Route 6 400 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:47 No
10.8.173.11 255.255.255.255 10.8.173.10 10.8.173.10 266 Direct Static Route 6 400 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:47 No
224.0.0.0 240.0.0.0 10.8.173.10 10.8.173.10 266 Direct Static Route 6 404 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:43 No
255.255.255.255 255.255.255.255 10.8.173.10 10.8.173.10 266 Direct Static Route 6 404 TAP-Windows Adapter V9 00-FF-F1-F2-D5-11 {F1F2D511-F956-4AF7-BBE6-B04D07AC2954} 29 PcPincerVPN 2023.03.10. 22:23:43 No
192.168.1.0 255.255.255.0 192.168.1.65 192.168.1.65 276 Direct Static Route 6 402 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:45 No
192.168.1.1 255.255.255.255 192.168.1.65 192.168.1.65 276 Direct Static Route 5 209 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:43:38 No
192.168.1.65 255.255.255.255 192.168.1.65 192.168.1.65 276 Direct Static Route 6 402 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:45 No
192.168.1.255 255.255.255.255 192.168.1.65 192.168.1.65 276 Direct Static Route 6 402 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:45 No
224.0.0.0 240.0.0.0 192.168.1.65 192.168.1.65 276 Direct Static Route 6 404 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:43 No
255.255.255.255 255.255.255.255 192.168.1.65 192.168.1.65 276 Direct Static Route 6 404 Intel(R) 82579LM Gigabit Network Connection #3 FC-4D-D4-2D-DF-8F {AAB174C0-B5D3-455B-B594-3E29EBD36422} 28 Helyi kapcsolat 2 2023.03.10. 22:23:43 No
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 306 Direct Static Route 6 407 Software Loopback Interface 1 2023.03.10. 22:23:40 No
127.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 306 Direct Static Route 6 407 Software Loopback Interface 1 2023.03.10. 22:23:40 No
127.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306 Direct Static Route 6 407 Software Loopback Interface 1 2023.03.10. 22:23:40 No
224.0.0.0 240.0.0.0 127.0.0.1 127.0.0.1 306 Direct Static Route 6 407 Software Loopback Interface 1 2023.03.10. 22:23:40 No
255.255.255.255 255.255.255.255 127.0.0.1 127.0.0.1 306 Direct Static Route 6 407 Software Loopback Interface 1 2023.03.10. 22:23:40 No
10.111.16.0 255.255.255.0 10.111.16.11 10.111.16.11 1367 Direct Static Route 6 397 VPN Client Adapter - VPN99 5E-03-A3-1A-E2-6F {039B277B-1A62-4B19-A7B3-983A83B4B3FF} 30 PcPincerVPN2 2023.03.10. 22:23:50 No
10.111.16.11 255.255.255.255 10.111.16.11 10.111.16.11 1367 Direct Static Route 6 397 VPN Client Adapter - VPN99 5E-03-A3-1A-E2-6F {039B277B-1A62-4B19-A7B3-983A83B4B3FF} 30 PcPincerVPN2 2023.03.10. 22:23:50 No
10.111.16.255 255.255.255.255 10.111.16.11 10.111.16.11 1367 Direct Static Route 6 397 VPN Client Adapter - VPN99 5E-03-A3-1A-E2-6F {039B277B-1A62-4B19-A7B3-983A83B4B3FF} 30 PcPincerVPN2 2023.03.10. 22:23:50 No
224.0.0.0 240.0.0.0 10.111.16.11 10.111.16.11 1367 Direct Static Route 6 404 VPN Client Adapter - VPN99 5E-03-A3-1A-E2-6F {039B277B-1A62-4B19-A7B3-983A83B4B3FF} 30 PcPincerVPN2 2023.03.10. 22:23:43 No
255.255.255.255 255.255.255.255 10.111.16.11 10.111.16.11 1367 Direct Static Route 6 404 VPN Client Adapter - VPN99 5E-03-A3-1A-E2-6F {039B277B-1A62-4B19-A7B3-983A83B4B3FF} 30 PcPincerVPN2 2023.03.10. 22:23:43 No
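Added example, not part of the original post: a Python sketch of the route lookup Windows applies to this table (longest matching prefix first, metric only as a tie-breaker between equally specific routes), run over rows copied from the table above. It assumes PC2 is 192.168.1.64 on the LAN and 10.111.16.12 on the VPN, as listed in the first post; the function names and the 203.0.113.7 test address are illustrative.

```python
import ipaddress

# Rows copied from the routing table posted above:
# (destination, netmask, gateway, interface address, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.65", 20),
    ("10.8.173.0", "255.255.255.0", "10.8.173.9", "10.8.173.10", 10),
    ("192.168.1.0", "255.255.255.0", "192.168.1.65", "192.168.1.65", 276),
    ("192.168.1.65", "255.255.255.255", "192.168.1.65", "192.168.1.65", 276),
    ("10.111.16.0", "255.255.255.0", "10.111.16.11", "10.111.16.11", 1367),
    ("10.111.16.11", "255.255.255.255", "10.111.16.11", "10.111.16.11", 1367),
]

# Interface address -> adapter name, as shown in the same table.
ADAPTERS = {
    "192.168.1.65": "Intel(R) 82579LM Gigabit Network Connection #3",
    "10.8.173.10": "TAP-Windows Adapter V9",
    "10.111.16.11": "VPN Client Adapter - VPN99",
}


def build_table(rows):
    """Turn (dest, mask, gateway, iface, metric) rows into route dicts."""
    return [
        {"net": ipaddress.ip_network(f"{dest}/{mask}"),
         "gateway": gw, "iface": iface, "metric": metric}
        for dest, mask, gw, iface, metric in rows
    ]


def select_route(table, destination):
    """Pick the route for one destination IP: the most specific prefix wins,
    and the metric is compared only among routes with the same prefix length."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def egress_adapter(table, destination):
    """Name of the adapter the packet leaves on, or None if unroutable."""
    route = select_route(table, destination)
    return None if route is None else ADAPTERS[route["iface"]]


def with_metric(table, iface, metric):
    """Copy of the table with every route on one interface given a new metric."""
    return [dict(r, metric=metric) if r["iface"] == iface else r for r in table]


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for label, ip in [("PC2 LAN address", "192.168.1.64"),
                      ("PC2 VPN address", "10.111.16.12"),
                      ("Internet host", "203.0.113.7")]:
        print(f"{label:16} {ip:14} -> {egress_adapter(TABLE, ip)}")
    # Raising the VPN adapter's metric does not move 10.111.16.12 off the VPN:
    # no other route covers that address more specifically.
    raised = with_metric(TABLE, "10.111.16.11", 9999)
    print("metric 9999:     10.111.16.12   ->", egress_adapter(raised, "10.111.16.12"))
```

The adapter is decided by which address the name PC2 resolves to: a 10.111.16.x destination leaves on VPN99 at any metric, while 192.168.1.64 leaves on the wired LAN.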
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
How do you know it goes through SE VPN? On PC1, try:
- connect with IP, not PC name
- disconnect OVPN "TAP-Windows Adapter V9"
- disable/stop "Routing and Remote Access" service
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
If I understood you correctly, you want to access two other PCs without interfering with their local connectivity ?
If true
you need a way of implementing split tunneling not full tunneling which means machine X "default route" should not be changed.
Also notice that split tunneling is usually managed at server side not client side.
If you go with client side, then you have to configure it manually.
For SE using SE clients is not a bad idea to achieve your goal but you face these issues you have now :)
solution 1
Reverse SSH port forwarding from client side to managerial side
In this solution a client can share its network completely or partially (over a port) for others
I have used it to do RDP to other people's Windows machines (teamviewer , etc ha ha ha -- they use the same technique)
If clients are behind NAT or FW, then a relay server is needed
solution 2
WireGuard peer-2-peer network
In this solution you setup N WGs on N machines and will set "allow-routes" to the clients IP not full route "0.0.0.0/0"
it is more manual but not hard to implement
Many overlay network solutions nowadays are using WG
If clients are behind NAT or FW, then a relay server is needed
solution 3
OpenConnect client-server
For enterprise OC is the best free VPN server since it supports
- per user configuration
- per group configuration
- has hooks for automation
and split tunneling works really well at server side and users (clients) do not need to do anything.
solution 4
SoftEther VPN server per machines
You can install N SE servers on N machines and connect them together over a single HUB same subnet using cascade connection.
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
Thank you for the tips!
Quote: How do you know it goes through SE VPN?
It is obvious. My POS pizzaprogram connects + loads the database data 20x slower.
> tracert PC2 command shows the way through 10.111.xxx
Quote: connect with IP, not PC name
No go. I MUST connect with name ! Otherwise I would not need to open this topic. :-D
(I have No control of the routers, nor the IP range, DHCP, etc. of local LANs. Setting Fix IP on the client PC would be suicide if any of that would change and nobody could set back to DHCP as long as I can re-connect from 300Km away anywhere in the country.)
Quote: disconnect OVPN "TAP-Windows Adapter V9"
According to the current routing table it has nothing to do with that, but I'll give a try...
Quote: boot it in "Safe Mode with Networking"
I have restarted the PC several times remotely. Can not access booting procedure from far away, also a "waiter girl" or a cook can not assist ... ;-)
Anyway I don't really understand how that would bring us more near to a permanent solution?
My clients need to work on those PCs in "normal mode" where everything works.
My question is:
- How is it possible that windows is ignoring local LAN with low metric,
- and why is it resolving the name of the other PC through the SE VPN as soon as I connect with SE?
It seems that if somehow SE software overrides the default metric behaviour...
- What are those "windows optimisations" that SE is performing on first install ?
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
OFF
... my internet connection was down, but now the browser has sent the message I've wrote 12+ hours ago.
Currently that msg. was not allowed to show by a moderator yet, so I can't edit yet.
Since then:
- the original msg I've replied to was edited
- there is a new, more detailed answer
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
PizzaProgram wrote: ↑Sun Mar 12, 2023 1:46 am
Anyway I don't really understand how that would bring us more near to a permanent solution?
My clients need to work on those PCs in "normal mode" where everything works.
Really simple, a diagnostic test which on conclusion may lead to a fix, not a solution of course.
Next, select "Disable NetBIOS over TCP/IP" in the SE vNIC's advanced properties.
?
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
shakibamoshiri wrote: ↑Sat Mar 11, 2023 7:32 am
If I understood you correctly, you want to access two other PCs without interfering with their local connectivity ?
YES ! :-)
Thank you for the long answer!
I'll investigate these possibilities one by one.
Fact:
All the clients (pizza PCs) are behind a local NAT + usually plus the ISP is also using NAT, so there is no way to "direct IP" connection.
That's why I started renting a VPS with public fixed IP, so each client can connect to it from everywhere.
(Even the bosses of those pizzerias from their laptop, wherever they travel.)
At first sight:
1. OpenConnect seems to be a great solution
- but I couldn't see a MAC / iOS gui client to it (yet)
- I like SoftEther's GUI much more than writing server-side scripts, like these:
https://gitlab.com/openconnect/recipes/ ... ion-pam.md
managing / writing routing tables of 100 separate groups with different hierarchy seems to be an impossible task at first sight.
2. installing Server to each 200+ clients ... and make all the setup for those one by one...
At first it seems to be a frighteningly overwhelming job, but I think about it. Also
3. So the solution maybe this way:
machine X "default route" should not be changed.
OK, but how do I set this up from server side ?
- Route Push function of the SecureNAT ?
- Is that function works with client's Fix IP ? or only at DHCP?
(I mean won't it interfere with the concept of: "setting the FIX IPs from client side" as @solo suggested, and I'm currently doing until the DHCP problem is fixed? )
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
THANKS !
Seems to be a great idea !
I do not fully understand what that protocol is doing, but:
- Can I still RDP into that PC after I've disabled it through SE VPN?
But I will test it ...
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
PizzaProgram wrote: ↑Sun Mar 12, 2023 2:26 am
THANKS !
Seems to be a great idea !
I do not fully understand what that protocol is doing, but:
- Can I still RDP into that PC after I've disabled it through SE VPN?
But I will test it ...
No problem with RDP.
Do it on both SE PCs and either reboot them or run "nbtstat -R" before concluding its effectiveness.
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
@solo
Thank you VERY VERY much for all the help so far!
I have:
- disabled NetBIOS over TCP
- disabled IPv6
- also unchecked "Register connection address to DNS"
- also unchecked "Search using LMHOSTS"
- RESTARTED both PCs (there was no "nbtstat" command found)
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
Impossible, it is included in EVERY version of Windows. Search the system folders for it.
Next, on the SE adapter unbind everything except for IPv4. Reboot. If still a problem, post "nbtstat -c"
?
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
I have no idea how to do an "unbind"
... but I need a bit of sleep first :-D it's 05:40 AM worked the whole night long.
Also the restaurant just opened, so they need the PC now to work on it.
Will continue this afternoon, ca 8-12 hours later.
______________________________________
I have started to disable all kinds of things at Group Sec. policy.
We'll see, if THAT helps
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
Like this
-
- Posts: 1637
- Joined: Sun Feb 14, 2021 10:31 am
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
PizzaProgram wrote: ↑Sun Mar 12, 2023 4:46 am
the restaurant just opened, so they need the PC now to work on it.
The pizza shop had closed for sure by now, you can resume the tests :-)
-
- Posts: 43
- Joined: Fri Aug 12, 2022 6:57 pm
Re: 2 PCs on local LAN, but trafik goes through SE VPN!
Thanks for the picture!
That last one config I may still try later, if that won't disable RDP.
OFF:
But currently I have a government project to finish first.
Our autocratic politicians made a new law, to forcing us to build in to our restaurant program a: "data collection" routine, until end of this month, which must send everything to their server within 1 minute ... All foods, quantity, prices, payment type, times in ms, tip, whatever has been ordered anywhere.
They did that to hotel programs 2 years ago, forcing everyone who enters to show their ID or passport, even if you rent a room for 1 hour with someone, and the owner must scan it via webcam, sending all data to the government immediately.
Since 10 years I started to hate living here at Central Europe / Hungary. Cheated voting system, all TV channels are regulated, no real news, 27% VAT, 48% tax + other hidden taxes, etc.