Understanding how split tunneling works with OpenVPN Access Server

A basic, personal VPN service, such as Private Tunnel, routes the user’s traffic to the Internet through an encrypted VPN tunnel. Someone might use a personal VPN service to protect themselves on public Wi-Fi or to get around geographic content restrictions. Business VPNs are different, however. While companies may provide them to remote workers to protect them on public Wi-Fi, more often the real purpose is to obtain secure access to the business’s private network resources.

What if you have a VPN that can’t handle the load? You may want to enable split tunneling. With split tunneling, traffic not destined to your private network does not go through the VPN. That’s one reason you may want to set it up.

Here’s more information on what it is, why you would want to set it up, and how to do that with OpenVPN Access Server.

What is split tunneling?

When a VPN client connects to OpenVPN Access Server, it creates a tunnel. Data is encrypted and carried through the Internet to the VPN server, which connects it to your internal LAN. OpenVPN Access Server can also be configured to route all traffic destined for the Internet, not just the internal LAN, through that tunnel.

Your employee is connected to the VPN and enters google.com into their browser. The web traffic might follow this (simplified) route:

  1. From their laptop, it goes to their home router
  2. Then it crosses over the Internet inside of the VPN tunnel
  3. To the VPN server on your Internal LAN
  4. That sends it through the business’s router and internet connection
  5. And to google.com, then back the way it came to the laptop

When you set up split tunneling, only traffic that is destined for the subnets on your Internal LAN will go through the VPN tunnel. Other traffic will go through your employee’s normal Internet connection.

Here’s a basic diagram of how traffic flows when split tunneling is enabled on OpenVPN Access Server:

Why would I want to set up split tunneling?

  • Avoids overwhelming your Internet connection with employees’ Internet traffic that would otherwise be relayed through the VPN
  • May allow users to access their LAN devices while connected to VPN
  • Less taxing on VPN server
  • Faster Internet response for employees

What are the possible risks of split tunneling?

  • By excluding certain traffic from the encryption of the VPN, a third party (such as an Internet Service Provider) could access that traffic
  • If you need to enforce business security policies on employee Internet traffic, such as anti-virus, anti-spam, and content filtering, you cannot do this with split tunneling

How do I set it up in OpenVPN Access Server?

In the Admin Web UI, you can start split tunneling with a simple click of a toggle button. Under Configuration > VPN Settings > Routing, switch “Should client Internet traffic be routed through the VPN?” to No. Once set to No, traffic destined for your private networks will traverse the VPN. Other traffic will bypass the VPN.

In addition to this setting, you also need to define the private subnets that clients need access to. You can do this under Configuration > VPN Settings > Routing by specifying the subnets in the input field labeled “Specify the private subnets to which all clients should be given access (one per line)”.
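As an added illustration (not code from this page or from OpenVPN Inc.), the following Python models the effect of those two settings: the Internet-routing toggle and the private subnet list. It expresses the result as classic OpenVPN client directives (`redirect-gateway def1` for a full tunnel, one `route` per private subnet for split tunneling) rather than Access Server’s actual generated profile, classifies sample destinations as tunneled or direct, and flags the caveat that a private subnet overlapping the employee’s home LAN defeats the “reach local devices” benefit. The subnets and addresses are constructed examples.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample settings standing in for the two Access Server fields:
# the "route client Internet traffic through the VPN?" toggle (passed as a
# bool below) and the "private subnets" list (hypothetical RFC 1918 ranges).
PRIVATE_SUBNETS = ["10.20.0.0/16", "192.168.50.0/24"]


def pushed_routes(route_all_internet: bool, private_subnets: Iterable[str]) -> List[str]:
    """Route directives a VPN server would push for these settings.

    Full tunnel: OpenVPN's 'redirect-gateway def1' sends the client's default
    route into the tunnel. Split tunnel: one 'route <network> <netmask>' per
    private subnet, so only those destinations enter the tunnel. (Illustrative
    directive form, not a dump of Access Server's generated configuration.)
    """
    if route_all_internet:
        return ["redirect-gateway def1"]
    nets = (ipaddress.ip_network(s, strict=True) for s in private_subnets)
    return [f"route {n.network_address} {n.netmask}" for n in nets]


def path_for(dest: str, route_all_internet: bool, private_subnets: Iterable[str]) -> str:
    """'vpn' if traffic to dest enters the tunnel, 'direct' if it uses the local ISP."""
    ip = ipaddress.ip_address(dest)
    if route_all_internet or any(ip in ipaddress.ip_network(s) for s in private_subnets):
        return "vpn"
    return "direct"


def lan_conflicts(client_lan: str, private_subnets: Iterable[str]) -> List[str]:
    """Private subnets that overlap the employee's home LAN.

    If a pushed route covers the same range as the home network, packets for
    local devices get pulled into the tunnel (or the remote subnet becomes
    unreachable), so split tunneling only preserves LAN access when the
    ranges are distinct. Returns the overlapping subnets for the admin to review.
    """
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [s for s in private_subnets if lan.overlaps(ipaddress.ip_network(s))]


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address (TEST-NET-3) standing in for a public site.
    for dest in ("10.20.3.7", "192.168.50.10", "203.0.113.5"):
        print(dest, "->", path_for(dest, False, PRIVATE_SUBNETS))
    print(pushed_routes(False, PRIVATE_SUBNETS))
    print("overlaps with home LAN:", lan_conflicts("192.168.50.0/24", PRIVATE_SUBNETS))
```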