This article explains how to configure remote access VPNs (e.g., Palo Alto, SonicWall, AnyConnect, OpenVPN) to work alongside the Windows Roaming Client. When both are running, Windows may send DNS queries to the wrong resolver, leading to issues such as:
- Content not being blocked
- User policies not applying
- DNS resolution failures
- Complete loss of internet access
The recommended setup is a split-tunnel VPN configuration, which allows the Roaming Client and VPN to run together without conflicts. If needed, we also provide troubleshooting steps for disabling the Roaming Client and routing VPN traffic through DNSFilter resolvers.
Zero Trust VPN Conflicts
Some Zero Trust VPNs and applications may still cause DNS resolution failures after split tunneling is configured. If this occurs, set up a Name Resolution Policy Table (NRPT) rule so that queries for the internal namespace are sent to the VPN's DNS servers while all other queries continue to go through the Roaming Client.
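The following is an added example, not part of the original article or of DNSFilter's software, showing how such an NRPT rule can be created and verified from an elevated PowerShell prompt. The internal DNS suffix and the VPN-side resolver addresses are assumptions; substitute the values for your environment.

```powershell
# Added example (not from the DNSFilter article). Creates an NRPT rule that sends
# queries for the organization's internal namespace to the VPN's DNS servers, so
# everything else keeps resolving through the Roaming Client.
# Run from an elevated PowerShell prompt.

$InternalSuffix = '.corp.example.com'            # assumption: internal suffix reachable over the VPN
$VpnDnsServers  = @('10.10.0.53', '10.10.0.54')  # assumption: the VPN-side resolvers
$RuleComment    = 'DNSFilter VPN split'          # tag used to find this rule again later

# Remove a previous copy of this rule so re-running the script does not create duplicates.
Get-DnsClientNrptRule |
    Where-Object { ($_.Namespace -contains $InternalSuffix) -and ($_.Comment -eq $RuleComment) } |
    Remove-DnsClientNrptRule -Force

# Queries ending in the suffix go to the VPN resolvers; no other traffic is affected.
Add-DnsClientNrptRule -Namespace $InternalSuffix -NameServers $VpnDnsServers -Comment $RuleComment

# Confirm the rule exists and is part of the effective policy.
Get-DnsClientNrptRule |
    Where-Object { $_.Comment -eq $RuleComment } |
    Format-List Namespace, NameServers, Comment
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $InternalSuffix }

# Resolve one name on each path: the NRPT path (VPN resolvers) and the default path
# (Roaming Client). Both should return answers once the rule is in place.
Resolve-DnsName -Name "intranet$InternalSuffix" -ErrorAction SilentlyContinue
Resolve-DnsName -Name 'www.dnsfilter.com' -ErrorAction SilentlyContinue
```

The rule is scoped to the one suffix, so policy filtering of public names is unchanged; if a second internal namespace is needed, add a second rule rather than widening the first one.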
Run Roaming Client and VPN at same time
In corporate settings it's common to use a VPN to connect employees to the organization's intranet while also enforcing filtering policies through DNSFilter.
We recommend configuring the VPN to use split-tunnel routing. This setup ensures DNS traffic is filtered through DNSFilter while still allowing secure access to local resources over the VPN.
Option one: Reprioritize metric values
Setting the primary Network Interface Card (NIC) metric to a lower value than the VPN interface's metric causes Windows to prefer the primary adapter, and therefore the Roaming Client, for DNS resolution (in Windows, a lower metric means a higher priority).
Some VPN clients automatically set their interface metric to the lowest value when they connect. Disable or account for this behavior based on the VPN client used.
- From Windows, navigate to the Network Connections Settings (right-click on Start or use the Windows search bar)
- Select the Ethernet Interface connected to the network
- Right-click and select Properties
- Select Internet Protocol Version 4 (TCP/IPv4)
- Select Properties
- Select Advanced
- Tab to IP Settings
- Uncheck Automatic Metric
- Set a specific metric value for the Ethernet interface, e.g. 10. This metric value should be lower than the VPN interface's metric value
- Select OK to save the changes
- Close all open windows
The metric value is now set and the Roaming Client and VPN should run together as expected.
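As an added example that is not part of the original article, the same change can be made and verified from an elevated PowerShell prompt, which is useful when rolling it out to many devices. The adapter aliases below are assumptions; take the real ones from `Get-NetAdapter`.

```powershell
# Added example (not from the DNSFilter article). Equivalent of unchecking
# 'Automatic Metric' in the IPv4 Advanced dialog and typing a fixed value, plus a
# check that the physical adapter really does end up below the VPN adapter.
# Run from an elevated PowerShell prompt.

$PhysicalAlias = 'Ethernet'       # assumption: alias of the LAN or Wi-Fi adapter
$VpnAlias      = 'CorporateVPN'   # assumption: alias of the VPN adapter
$TargetMetric  = 10               # value suggested in the steps above

# Show the current metrics so the change can be compared afterwards.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($PhysicalAlias, $VpnAlias) } |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState |
    Format-Table -AutoSize

# Some VPN clients pin their own metric very low once connected; the physical
# adapter still has to win, so go one below the VPN's value if needed.
$vpn = Get-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($vpn -and $vpn.InterfaceMetric -le $TargetMetric) {
    $TargetMetric = [Math]::Max(1, $vpn.InterfaceMetric - 1)
    Write-Warning "VPN metric is $($vpn.InterfaceMetric); using $TargetMetric for $PhysicalAlias instead."
}

Set-NetIPInterface -InterfaceAlias $PhysicalAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric $TargetMetric

# Verify: list both adapters by metric together with the DNS servers each one uses.
# The lowest-metric entry is the one Windows consults first.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($PhysicalAlias, $VpnAlias) } |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceAlias $_.InterfaceAlias -AddressFamily IPv4).ServerAddresses -join ', '
        '{0,-15} metric={1,-5} dns={2}' -f $_.InterfaceAlias, $_.InterfaceMetric, $dns
    }
```

Re-run the verification part after connecting the VPN: if the VPN adapter has moved back to the top of the list, its client is resetting the metric on connect and the VPN-side setting mentioned above needs to be changed as well.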
Option two: Set the VPN DNS resolver destination
Setting the VPN config DNS resolver to our loopback IP address 127.0.0.2 will direct DNS traffic through the Roaming Client. Steps to do this vary depending on the manufacturer, so see their manual or documentation for guidance.
After setting VPN DNS configuration, add local domain and resolver IP addresses to the app dashboard configuration. This forces the agent to forward any requests using that local domain to the specified IP resolvers.
Forward VPN traffic through DNSFilter resolvers
DNS traffic is not resolved through the Roaming Client when running a full tunnel VPN. Full tunnel configurations route all traffic, including DNS, through the VPN network's resolvers, bypassing the Roaming Client and its filtering policies (one of the ways users can circumvent network security settings).
Though our first recommendation is to follow the split tunnel configurations above, a workaround that keeps full tunnel routing is to set up DNS Forwarding on the VPN network. This applies a filtering policy even while connected to the VPN.
✍️ Roaming Client capabilities like per-user filtering and reporting would be lost in this configuration. DNS Forwarding is a blanket policy for the network instead of devices.
- Setup a Site and enter the VPN's egress IP in the IPs/DNS Hostname field
- Forward the VPN traffic to DNSFilter's resolvers (103.247.36.36 & 103.247.37.37). Accomplish this in the VPN's DNS settings, which vary by manufacturer
The Site's filtering policy will now apply to the VPN traffic.
Ignore the network adapter when it recognizes a VPN
It is possible to disable the Roaming Client while using a full tunnel routing VPN, either as a desired outcome—the VPN offers trusted security so the agent isn't necessary while connected—or while troubleshooting policy settings as a temporary fix.
Option one: Use DNSFilter setting
DNSFilter offers a setting to tell the Roaming Client to ignore the network adapter when it recognizes a VPN in use.
This setting recognizes Palo Alto (PANGP), Fortinet, SonicWall, AnyConnect, and some VPNs that feature "VPN" in the adapter name/description.
Follow these steps to configure the Roaming Client to ignore the adapter.
- From the DNSFilter dashboard, navigate to Deployments and select Sites
- Select the Site to edit
- Toggle on Disable Roaming Clients for conflicting VPN agents
Repeat these steps for each applicable network Site.
Option two: Edit the advanced registry
For Windows Roaming Client version 3.0.0 and later, configure full tunnel VPN interface exclusions in the `LoopbackProxy` section of the appsettings.overrides.json file. Interfaces are matched by adapter name or by adapter description, and the values below are placeholders to replace with the VPN adapter's actual name and description:

```json
"LoopbackProxy": {
  "IgnoredVpnInterfaceNames": [
    "vpn1",
    "sonicwall2"
  ],
  "IgnoredVpnInterfaceDescriptions": [
    "vpn1",
    "sonicwall2"
  ]
}
```

Manually edit the Roaming Client registry if the VPN client isn't recognized by the DNSFilter app's disable feature (steps above).
- Open an elevated PowerShell prompt on the device running the Roaming Client
- Enter the four commands below. Replace 'ADAPTER NAME' with the VPN adapter's name in lower case, e.g. if the VPN's name is 'CorporateVPN', use 'corporatevpn'. The values are written to both registry paths the agent reads

```powershell
Set-ItemProperty -Path 'HKLM:\SOFTWARE\DNSFilter\Agent' -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
Set-ItemProperty -Path 'HKLM:\SOFTWARE\DNSFilter\Agent' -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String
Set-ItemProperty -Path 'HKLM:\SOFTWARE\DNSAgent\Agent' -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
Set-ItemProperty -Path 'HKLM:\SOFTWARE\DNSAgent\Agent' -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String
```
- Restart the Roaming Client. The VPN will revert to its standard DNS resolver and DNSFilter will no longer resolve any DNS queries associated with the VPN
Recommendations on 3rd party software
At DNSFilter, our top priority is ensuring that customers can successfully deploy and maintain our product. While we make every effort to understand third-party software and ensure compatibility across services, we cannot guarantee a solution for every product available.
This article provides general guidance, and DNSFilter does not officially endorse or validate third-party software. We strongly recommend testing configurations before implementation. If you encounter difficulties, we encourage you to explore our Community and consult the VPN vendor, as there may be configuration details or settings we've overlooked with the VPN solution.