How to connect to a specific IP address ONLY via a VPN?

Hi,

I am trying to setup my computer to connect to a specific IP address
only through my work VPN. The IP address is a public address with a
Web server open to the Internet. When accessing this Web server, I
want to ALWAYS go through my work VPN, never access it directly from
my home. In short, I want the server to see only my workplace's IP
address, never my home IP.

It is OK for me to open the VPN connection manually. Setting up the
route through the VPN is relatively easy: I just do "ROUTE -p ADD
xxx.yyy.0.0 MASK 255.255.0.0 gateway IF zz". By disabling the "Use the
default gateway of the remote server" setting, I can access the
specific IP address through the VPN and the rest of the Internet
through my home connection.

However, when the VPN connection is not open, I want to block access
to this IP address. I tried adding a bogus ROUTE, but Vista is clever
enough to try other routes if the first one doesn't work. It is
important for this blocking to work automatically. For example, if the
VPN connection terminates unexpectedly while I am browsing the Web
site in question, I don't want any packets to sneak onto the server
unnoticed.

Any idea how to best implement this kind of functionality in Windows
Vista Pro? I'd prefer built-in systems, but if not possible, third-
party tools are an option too.

- Mikko

"Mikko" <(E-Mail Removed)> wrote in message
news:ccc6d810-6263-4c68-9eee-(E-Mail Removed)...
> Hi,
>
> I am trying to setup my computer to connect to a specific IP address
> only through my work VPN. The IP address is a public address with a
> Web server open to the Internet. When accessing this Web server, I
> want to ALWAYS go through my work VPN, never access it directly from
> my home. In short, I want the server to see only my workplace's IP
> address, never my home IP.

There is nothing to do. It already *will* go through the VPN. That is the
way VPN works,..as soon as the VPN goes active is becomes the default
gateway of all traffic from the connected Host. If the VPN uses the
Windows DUN then make sure that "Use gateway on remote network" remaines
*enabled*.

You also cannot be using a Proxy Server in your house, that will cause it to
bypass the VPN.

A static Route against a VPN Interface is impossible with a workstation OS.
You can not set a Static Route against a Dynamic & Virtual Internface,...of
which the VPN Interface is both "virtual" and "dymanic". Only RRAS in a
Server OS (like Server 2003) can do a Static Route against a VPN Interface.

Since you may have screwed up the Route Table while attempting this you need
to fix that by opening a Command Prompt and typing "route /f" and then
reboot.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

On Feb 17, 9:22*pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> There is nothing to do. It already *will* go through the VPN.

This wasn't the issue in my original post, the issue is the following:

> > However, when the VPN connection is not open, I want to block access
> > to this IP address.

This is the part I'm having trouble with.

> A static Route against a VPN Interface is impossible with a workstation OS.

I think your information is outdated. :-) I had no problem setting
static routes with the ROUTE ADD command. I am using Windows Vista
Professional.

- Mikko

"Mikko" <(E-Mail Removed)> wrote in message
news:67606499-6cbe-489a-a1d4-(E-Mail Removed)...

I think your information is outdated. :-) I had no problem setting
static routes with the ROUTE ADD command. I am using Windows Vista
Professional.

---------------------------------------

I don't mess with Vista.
We have no copies of it at work (by choice) and have only one copy at home
on a laptop. I don't use it much and don't go deep into it when I do. I
still spend most of my time at home using an old beat up Desktop machine
with XP,...and half the time I use the Laptop I use XP inside of VirtualPC
so the Vista is only the host the run the VirtualPC. If the hardware had XP
drivers I would roll it back to XP.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Mikko" <(E-Mail Removed)> wrote in message
news:67606499-6cbe-489a-a1d4-(E-Mail Removed)...
On Feb 17, 9:22 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> There is nothing to do. It already *will* go through the VPN.

This wasn't the issue in my original post, the issue is the following:

> > However, when the VPN connection is not open, I want to block access
> > to this IP address.

This is the part I'm having trouble with.

> A static Route against a VPN Interface is impossible with a workstation
> OS.

I think your information is outdated. :-) I had no problem setting
static routes with the ROUTE ADD command. I am using Windows Vista
Professional.

- Mikko

"Mikko" <(E-Mail Removed)> wrote in message
news:67606499-6cbe-489a-a1d4-(E-Mail Removed)...
On Feb 17, 9:22 pm, "Phillip Windell" <philwind...@hotmail.com> wrote:
> There is nothing to do. It already *will* go through the VPN.

> This wasn't the issue in my original post, the issue is the following:

> > However, when the VPN connection is not open, I want to block access
> > to this IP address.

As far as I know that is just not possible.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Replying to myself:

> However, when the VPN connection is not open, I want to block access
> to this IP address.

So far the best solution I can come up with is as follows:

1. Find an open-source proxy server and install it locally.

2. Install a new browser (Opera) that is always used to access the IP
address in question. Set the proxy server in this browser to the
locally installed one.

3. Modify the proxy server sources so that before passing any requests
on, it checks whether the VPN connection is open. If it is, it passes
the request on. The routing table must have been separately modified
to pass connections to the specific IP address through the VPN. If the
VPN connection is closed, the proxy rejects all requests.

This is probably a feasible solution, but I don't like it. For one, it
doesn't really enforce the connection through the VPN. If the routes
are wrong, data may slip by to the server directly from my home
connection.

Unless anyone can suggest any better solutions (including 3rd party
software), I think I'll have to start implementing this one.

- Mikko

Still replying to myself:

> > However, when the VPN connection is not open, I want to block access
> > to this IP address.
>
> So far the best solution I can come up with is as follows:
>
> 1. Find an open-source proxy server and install it locally.
>
> 2. Install a new browser (Opera) that is always used to access the IP
> address in question. Set the proxy server in this browser to the
> locally installed one.
>
> 3. Modify the proxy server sources so that before passing any requests
> on, it checks whether the VPN connection is open. If it is, it passes
> the request on. The routing table must have been separately modified
> to pass connections to the specific IP address through the VPN. If the
> VPN connection is closed, the proxy rejects all requests.

I got this working, and it works better than I anticipated. The proxy
I use is Perl HTTP::Proxy and a simple script built around it. My
script does ping -i 1 (TTL=1) to the destination for every request
before passing the request on. If the replying address is the VPN's
gateway, the proxy passes the request on, otherwise it responds 403
Forbidden.

This works dynamically so that if the VPN goes down, the proxy stops
sending requests immediately. It is impossible to bypass the proxy by
accident. Plus it has the added benefit of filtering out ads from the
target site.

- Mikko