Windows VPN Hijacks Default Route — Configure Split Tunneling with Static Routes
By default, a Windows VPN client sets itself as the default gateway, forcing all traffic (including general internet) through the tunnel. This can cripple local network access and degrade browsing performance. The fix is to disable 'Use default gateway on remote network' in the VPN's IPv4 advanced properties and add a persistent static route for the target remote subnet via the VPN gateway.
Indicators
- All internet traffic is routed through the VPN once connected
- Local LAN resources (printers, NAS, local gateway) become unreachable while VPN is active
- Noticeably slow general internet performance when VPN is connected
- User only needs to reach a specific remote subnet (e.g., 192.168.123.0/24) but everything is tunnelled
- 'route print' shows a 0.0.0.0/0 route via the VPN interface taking precedence
Likely causes
- VPN connection configured to use the remote gateway as the default route (default Windows behaviour)
- VPN server does not push specific/classless static routes to the client
- No persistent client-side route exists for the target remote subnet
- Split tunnelling not enabled on the client VPN profile
Diagnostic steps
- Connect the VPN and run 'route print' to confirm a 0.0.0.0/0 default route is being installed via the VPN interface.
- Open Network Connections (ncpa.cpl), right-click the VPN connection and choose Properties.
- On the Networking tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties, then Advanced.
- On the IP Settings tab, uncheck 'Use default gateway on remote network' and click OK to save.
- Reconnect the VPN, then run 'ipconfig' and 'route print' to identify the VPN-assigned client IP and gateway for the tunnel interface.
- From an elevated Command Prompt, add a persistent route for the target subnet, e.g.: route -p add 192.168.123.0 mask 255.255.255.0 <vpn-gateway-ip>
- Verify with 'ping' or 'tracert' that traffic to the target subnet uses the VPN while general internet traffic still uses the local default gateway.
Resolution path
- Disable 'Use default gateway on remote network' in the VPN's IPv4 advanced properties
- Reconnect the VPN and identify the VPN-assigned gateway IP
- Add a persistent route for the target destination network via the VPN gateway using 'route -p add'
- Validate that only target traffic flows through the VPN and other traffic egresses locally
- Optionally wrap the route command in a batch file to automate after each VPN reconnect
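The diagnostic steps and resolution path above, scripted as an added PowerShell example that is not part of the original page: it uses the built-in VpnClient cmdlets instead of the GUI checkbox and 'route -p add', so the route is bound to the VPN profile rather than to one VPN-assigned gateway address, and it validates the routing table the same way 'route print' is used above. The connection name 'Corp VPN' is a hypothetical placeholder, and the script assumes the tunnel's interface alias matches the connection name.

```powershell
# Assumed values: the VPN connection name is hypothetical; the subnet is the
# page's example. Requires the built-in VpnClient and NetTCPIP modules.
$VpnName      = 'Corp VPN'
$RemotePrefix = '192.168.123.0/24'

# Step 1: same effect as unchecking 'Use default gateway on remote network'.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $VpnName -SplitTunneling $true
}

# Step 2: route bound to the profile. It is installed on every connect, so,
# unlike 'route -p add ... <vpn-gateway-ip>', it keeps working if the
# VPN-assigned gateway address differs between sessions.
if (-not ($vpn.Routes | Where-Object DestinationPrefix -eq $RemotePrefix)) {
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $RemotePrefix
}

# Step 3: validation, run while the VPN is connected. Assumes the tunnel's
# interface alias equals the connection name (how RAS connections appear
# in 'route print' and Get-NetIPInterface).
function Test-SplitTunnelRoutes {
    param([string]$Name, [string]$Prefix)
    if ((Get-VpnConnection -Name $Name).ConnectionStatus -ne 'Connected') {
        Write-Warning "$Name is not connected; connect it (e.g. rasdial) and re-run."
        return $false
    }
    $ifIndex = (Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4).ifIndex
    $ok = $true
    # The tunnel must not own 0.0.0.0/0 ...
    if (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
            Where-Object InterfaceIndex -eq $ifIndex) {
        Write-Warning 'Default route still points at the VPN interface.'
        $ok = $false
    }
    # ... but it must own the target prefix.
    $target = Get-NetRoute -DestinationPrefix $Prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object InterfaceIndex -eq $ifIndex
    if (-not $target) {
        Write-Warning "No route for $Prefix via the VPN interface."
        $ok = $false
    }
    return $ok
}

Test-SplitTunnelRoutes -Name $VpnName -Prefix $RemotePrefix
```

Run the script once as the user who owns the VPN profile; steps 1 and 2 persist in the profile, and step 3 can be re-run after any reconnect in place of a batch file.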
Prevention
- Standardise new Windows VPN profiles with the default gateway option disabled (split tunnelling)
- Maintain a documented batch script containing the required route commands per site
- Always use persistent routes (-p) so configuration survives reboots
- Where the VPN concentrator supports it, push specific classless static routes from the server side to remove client-side configuration
- Document the remote subnet and VPN gateway IP in the client onboarding guide
Tools
- Windows Network Connections (ncpa.cpl)
- route command (route add / route print)
- Elevated Command Prompt
- ipconfig
- Optional batch script for post-connect automation