
Creating a Split Tunnel VPN Connection

Creating a split tunnel VPN connection in Linux


A split tunnel VPN connection is one in which the user is able to access dissimilar security domains, such as the Internet and a local LAN or WAN
at the same time, using the same or different network connections. Source: Split Tunneling

To give an example and to put this in context for Impact Radius, this technique will allow you to access internal Estalea / Impact Radius services
(JIRA, Confluence, Stash, Bamboo, etc.) over the VPN, while your normal Internet traffic flows through the home / office connection
as usual, without going through the VPN.

This is especially useful for those employees not working in the U.S., because that is where the VPN server is based, and without this technique
all of your traffic would need to transit to the U.S. and back to your country of origin, vastly slowing down your experience.

Note: This guide is written from Linux Mint 17, however it should work for Ubuntu and most other popular Linux distros that use the same Network
management interface.

Disclaimer: This guide is correct and accurate at time of writing, things such as IP addresses and domain names may change over time, hence
this guide may eventually become out of date if not kept up-to-date.

Outcome
After following this guide you should have a working split tunnel VPN connection to the Impact Radius VPN server. This will allow you to access
internal VPN-only services, without the disadvantages (mainly speed) associated with tunneling all of your internet traffic through the VPN.

This guide explicitly allows you to access:

1. Anything in the 10.x.x.x range of IP addresses, which includes:
   a. JIRA (10.2.10.20)
   b. Confluence (10.2.10.21)
2. Bamboo (bamboo.impactradius.com -> 72.5.92.22)
3. Stash (stash.impactradius.com -> 23.23.175.166)

It also assumes that you are connecting to the Impact Radius VPN concentrator at connect.impactradius.com

Instructions

1. Open the Networking System Settings View

This can be done a couple different ways:

1. Click on the Network Manager tray applet and select Network Settings, or
2. Click on Menu, type the word network, then press enter or select the Network menu item that comes up.

When you have opened this view you will see something similar to the following image.

2. Add a new PPTP VPN connection

Next, click on the + button at the lower left of the window; this starts the process of adding a new connection.

At the first prompt you will be asked to select an interface. This should be set to VPN by default; make sure it is (set it if not), and then click Create.

Next you will be prompted to select the connection type.

It should be set to Point-to-Point Tunneling Protocol (PPTP) by default; ensure that it is (set it if not), and then click Create.

3. Configure the VPN Basics

A new window should now have appeared, allowing you to configure your new VPN connection.

You need to do the following:

1. Ensure you are on the VPN tab.
2. Set the Connection Name field to whatever you like, but something like IR Partial is preferable.
3. Set the Gateway field to connect.impactradius.com
4. Set the username and password fields to the values you have received from TechOps.

Your VPN configuration window should now look something like this:

4. Configure the VPN Advanced Options

Now you will need to configure the advanced options of the connection by clicking on the Advanced button to the lower right of the window.

Once the PPTP Advanced Options window has opened, do the following:

1. Deselect the PAP, CHAP and EAP options listed under Authentication. You should only have MSCHAP and MSCHAPv2 selected.
2. Select the Use Point-to-point encryption (MPPE) option.
3. Select 128-bit (most secure) for Security.
4. Select Allow stateful encryption.
5. Finally click OK.

You should have the following before clicking the OK button.

5. Set the basic IPv4 settings

For the next step, click on the IPv4 tab at the top right of your active window.

Next, add the following entries to the Additional DNS servers field.

1. 10.2.3.29
2. 10.2.3.106

These are the primary domain name servers (DNS) for Estalea.

Then add the following to the Additional search domains field:

1. estalea.net
2. impactradius.net
3. impactradius.com

You should now have something like this:

6. Configure the IPv4 Routes

Now comes the important part: without this the "split tunnel" effect will not work, and all of your internet traffic will be routed through the VPN!

Click on the Routes button to bring up the window that lets you configure custom routes for this VPN connection.

Next, tick both of the boxes that you see, i.e.:

1. Ignore automatically obtained routes
2. Use this connection only for resources on its network

7. Add custom IPv4 routes

Next, you need to add custom routes so that traffic destined for locations inside the VPN is actually sent through it.

Click on the Add button, then enter one of the entries below; repeat until you have added all of them.

Address          Netmask            Gateway
10.0.0.0         255.0.0.0          216.52.252.68
23.23.175.166    255.255.255.255    216.52.252.68
72.5.92.22       255.255.255.255    216.52.252.68

You should end up with the following once you are complete.

Note: If there are other internal services that you need to access through the VPN you can add routes for them here as well. Just find the IP
address of the service, and add it as above.

8. Finishing up

Click the OK button on the Routes window, then click Save on the main VPN configuration window, as below.

Your new VPN connection is now set up, and your Networking window should have an entry for it (IR Partial VPN in this case).

9. Connecting to the VPN

You can activate your new VPN connection in a few different ways, such as:

1. Clicking on the Network Manager system tray applet, and then clicking on IR Partial under VPN Connections
2. Clicking on the on/off switch for the IR Partial connection in the Networking window.

Once the VPN connection has been established successfully you will see a new, solid, connection icon containing a small lock displayed for your
Network Manager tray applet.

10. Verifying your connection

In order to ensure that your VPN connection has been setup and established correctly, you should attempt to visit the internal sites for JIRA,
Confluence, Stash and Bamboo, and make sure that they work correctly.

Also, verify that your normal internet traffic works properly and that it isn't routed over the VPN. You can do this with tools such as traceroute
and mtr, or you can use the online service at IP Chicken.

The result should be the public IP address of your home / office internet connection, and not the IP address of the VPN concentrator in the US.
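To make this check repeatable, here is an added example (not part of the original guide) that parses `ip route show` output and confirms that Internet-bound traffic leaves through the normal interface while the guide's internal prefixes go via ppp0. The sample routing table, the home LAN 192.168.1.0/24 on eth0 and the 8.8.8.8 probe address are constructed assumptions; the prefixes and the 216.52.252.68 gateway are the ones from this guide.

```python
import ipaddress

# Constructed sample of `ip route show` output with the IR Partial VPN up.
# Prefixes and the 216.52.252.68 gateway come from the guide; the home LAN
# (192.168.1.0/24 on eth0) and the ppp0 device name are assumed.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static metric 100
10.0.0.0/8 via 216.52.252.68 dev ppp0 proto static
23.23.175.166 via 216.52.252.68 dev ppp0 proto static
72.5.92.22 via 216.52.252.68 dev ppp0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# The failure mode the guide warns about: the default route moved onto the tunnel.
FULL_TUNNEL_ROUTES = SAMPLE_ROUTES.replace(
    "default via 192.168.1.1 dev eth0", "default via 216.52.252.68 dev ppp0")

# Hosts that must be reached through the VPN (JIRA, Confluence, Stash, Bamboo).
VPN_DESTINATIONS = ["10.2.10.20", "10.2.10.21", "23.23.175.166", "72.5.92.22"]


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the kernel does (route metrics are ignored here)."""
    addr = ipaddress.ip_address(address)
    matches = [(net, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def check_split_tunnel(route_text, vpn_dev="ppp0", internet_probe="8.8.8.8"):
    """Return {destination: problem}; an empty dict means the split tunnel is right."""
    routes = parse_routes(route_text)
    problems = {}
    if lookup(routes, internet_probe) == vpn_dev:
        problems["default"] = "Internet traffic is routed through the VPN (full tunnel)"
    for host in VPN_DESTINATIONS:
        if lookup(routes, host) != vpn_dev:
            problems[host] = "not routed via " + vpn_dev
    return problems
```

On a real machine, pass the output of `ip route show` (for example via subprocess.check_output) to check_split_tunnel instead of the sample text.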

You should see something like this:

If you see the following, it means that you have not configured your VPN connection correctly. Please follow this guide again carefully, or contact
someone on the TechOps team for assistance.

OSX

The same kind of thing can be achieved on a Mac by using a couple of tricks. The first is the actual routing of VPN traffic. When you uncheck the
box for "send all traffic through VPN tunnel" you'll be left with whatever DNS resolution you used to have and only a specific route for the VPN.

Routing

OSX will run a script when the VPN tunnel is set up: /etc/ppp/ip-up. There is a corresponding hook for ip-down as well, if you need it.
We'll use this script to set up routes for all traffic that needs to traverse the firewall. Become root and use your favorite editor to create the file:

/etc/ppp/ip-up
#!/bin/sh
# pppd runs this hook with the arguments: interface tty speed local-IP remote-IP ipparam,
# so $1 is the tunnel interface (typically ppp0). Send the internal networks through it.
/sbin/route add 10.0.0.0/8 -interface "$1"       # everything VPN related
/sbin/route add 72.5.92.22 -interface "$1"       # bamboo.impactradius.com
/sbin/route add 23.23.175.166 -interface "$1"    # stash.impactradius.com

Remember to make it executable with chmod +x /etc/ppp/ip-up.


In the script $1 is the name of the VPN tunnel interface (typically "ppp0"). $4 and $5 would be the near-end and far-end IP addresses of the
VPN tunnel respectively, but we won't need those. The routes are:

10/8 for everything VPN related.
23.23.175.166 for stash.impactradius.com
72.5.92.22 for bamboo.impactradius.com

As you can imagine, the two specific IP addresses are subject to change, so beware that you may have to tweak this in the future.

DNS

As long as you are in the office the name resolution should work just fine. The DNS resolvers will know about
addresses like "splunk.estalea.net". However when you are at home or at a hotel the DNS resolvers will be blissfully
unaware. We can manually set DNS properties on the VPN tunnel in the "DNS" tab on the same screen where we
choose if all traffic goes through the tunnel. Make it look like this:

The overall DNS setup publishes everything under impactradius.com internet-wide, so we need not deal with those. However, estalea.net and
impactradius.net are published only internally, so those are the ones we need to handle specially for our VPN setup. The name servers are the
same ones you typically use in the office. Tellingly, they have 10/8 addresses, which means we need the VPN routing to be able to talk to them.
Note that the resolvers are in effect here whether we have the VPN tunnel active or not, so there may be cases where this could cause weird
errors. In practice I haven't had any issue though.

Again, hardcoding name server addresses like this sets us up for failure the next time tech-ops decide to change the IP addresses of the
resolvers, but in the last 8 years that hasn't happened. If it happens I'm sure we will hear about it.

Troubleshooting

Over the years I have had various settings, of which the following is still active on my laptop. If you run into problems
with the split VPN setup you may want to try the following:

1: To see what OSX thinks about name resolution right now run scutil --dns. It may not all make sense, but the
output of that command is very useful to whoever will try to help you troubleshoot.

2: It may be that your VPN needs to be preferred over wifi. See https://support.apple.com/kb/PH14006.

3: OSX will consult files in /etc/resolver to augment the standard name resolution mechanism. Each file
looks like a typical resolv.conf with IP addresses for the applicable DNS servers. The name of each file is the domain for
which those settings apply. In short:

/etc/resolver/estalea.net
nameserver 10.2.3.22
nameserver 10.2.3.29
nameserver 10.8.4.9

/etc/resolver/impactradius.net
nameserver 10.2.3.22
nameserver 10.2.3.29
nameserver 10.8.4.9
