Network admins can use these steps to configure remote access VPNs (e.g. Palo Alto, SonicWall, AnyConnect, OpenVPN) so that the Windows Roaming Client keeps filtering without interruption. The conflict stems from how Windows chooses which DNS resolver to use when a VPN is active.
Commonly reported issues while using a VPN include:
- Content not blocked
- User-level policies not applied
- No DNS resolution
- No internet access
We recommend running the Roaming Client and VPN at the same time with a split tunnel VPN configuration, but also offer troubleshooting steps to disable the Roaming Client and set VPN traffic to resolve through DNSFilter resolvers.
Recommendations on 3rd party software
DNSFilter's first priority is to support our customers to deploy and maintain our product. Our Support Engineers work hard to understand 3rd party software and how to troubleshoot settings so that all services work as expected, but we cannot guarantee a solution for every product on the market.
This article serves as general guidance; DNSFilter cannot endorse or validate 3rd party software. Testing is always encouraged. Contact the vendor of your VPN for further information.
Run Roaming Client and VPN at same time
In corporate settings it's common to use a VPN to connect employees to the organization's intranet while also enforcing filtering policies through DNSFilter.
We recommend configuring the VPN for split tunnel routing so that both internet access and local resources remain available. This keeps DNS traffic filtered through DNSFilter while still using the VPN.
Option one: Reprioritize metric values
Setting the Network Interface Card (NIC) metric to a value lower than the VPN interface's metric causes Windows to prefer DNS from the primary network adapter.
Some VPN clients automatically give their own interface the lowest metric when they start. Disable or account for this behavior depending on the VPN client in use.
- From Windows, navigate to the Network Connections Settings (right-click on Start or use the Windows search bar)
- Select the Ethernet Interface connected to the network
- Right-click and select Properties
- Select Internet Protocol Version 4 (TCP/IPv4)
- Select Properties
- Select Advanced
- Open the IP Settings tab
- Uncheck Automatic Metric
- Set a specific metric value for the Ethernet interface, e.g. 10. This metric value should be lower than the VPN interface's metric value
- Select OK to save the changes
- Close all open windows
The metric value is now set and the Roaming Client and VPN should run together as expected.
Option two: Set the VPN DNS resolver destination
Setting the VPN config DNS resolver to our loopback IP address 127.0.0.2 will direct DNS traffic through the Roaming Client. Steps to do this vary depending on the manufacturer, so see their manual or help center for guidance.
After setting VPN DNS configuration, add local domain and resolver IP addresses to the app dashboard configuration. This forces the agent to forward any requests using that local domain to the specified IP resolvers.
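As an added diagnostic for both options above (example code, not DNSFilter's own tooling), this PowerShell script lists every connected IPv4 interface with its metric and DNS servers, flags which interfaces resolve through the Roaming Client loopback 127.0.0.2, and warns when the VPN adapter outranks the physical NIC. The adapter aliases 'Ethernet' and 'CorporateVPN' and the metric value 10 are assumptions; adjust them to match Get-NetAdapter output on the machine.

```powershell
# Added example, not DNSFilter's own tooling. Reports connected IPv4 interfaces
# (metric, DNS servers, whether DNS goes via the Roaming Client loopback) and
# checks that the physical NIC has a lower metric than the VPN adapter.
# Alias names and metric value are assumptions; run as Administrator for -Fix.
param(
    [string]$LanAlias = 'Ethernet',      # assumed name of the physical NIC
    [string]$VpnAlias = 'CorporateVPN',  # assumed name of the VPN adapter
    [int]$TargetMetric = 10,             # value suggested in the steps above
    [switch]$Fix                         # apply the metric change when set
)

$RoamingClientDns = '127.0.0.2'

function Get-DnsInterfaceReport {
    Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        ForEach-Object {
            $dns = Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                Alias            = $_.InterfaceAlias
                Metric           = $_.InterfaceMetric
                AutomaticMetric  = $_.AutomaticMetric
                DnsServers       = ($dns.ServerAddresses -join ', ')
                ViaRoamingClient = [bool]($dns.ServerAddresses -contains $RoamingClientDns)
            }
        } | Sort-Object Metric
}

function Test-NicOutranksVpn {
    param($Report)
    $lan = $Report | Where-Object Alias -eq $LanAlias
    $vpn = $Report | Where-Object Alias -eq $VpnAlias
    if (-not $lan) { Write-Warning "No connected interface named '$LanAlias'"; return $false }
    if (-not $vpn) { Write-Host "VPN adapter '$VpnAlias' is not connected; nothing to compare."; return $true }
    # Lower metric wins, so the NIC must be strictly below the VPN adapter.
    return ($lan.Metric -lt $vpn.Metric)
}

$report = Get-DnsInterfaceReport
$report | Format-Table -AutoSize

if (-not (Test-NicOutranksVpn $report)) {
    Write-Warning "VPN adapter outranks '$LanAlias'; Windows will prefer the VPN's DNS servers."
    if ($Fix) {
        # Same change as the GUI steps: fixed metric on the NIC, automatic metric off.
        Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 `
            -AutomaticMetric Disabled -InterfaceMetric $TargetMetric
        Get-DnsInterfaceReport | Format-Table -AutoSize
    }
}
```

Run it once before and once after the metric change (or after pointing the VPN's DNS at 127.0.0.2) to confirm the NIC sorts first and the ViaRoamingClient column shows which interfaces hand DNS to the agent.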
Forward VPN traffic through DNSFilter resolvers
DNS traffic is not resolved through the Roaming Client when running a full tunnel VPN. Full tunnel configurations route all traffic through the VPN network's resolvers, bypassing the Roaming Client and its filtering policies (one of the ways users can circumvent network security settings).
Though our first recommendation is to follow the split tunnel configurations above, a workaround that maintains full tunnel routing is to set up DNS Forwarding on the VPN network. This applies a filtering policy even while connected to the VPN.
✍️ Roaming Client capabilities like per-user filtering and reporting would be lost in this configuration. DNS Forwarding is a blanket policy for the network instead of devices.
- Set up a Site and enter the VPN's egress IP in the IPs/DNS Hostname field
- Forward the VPN traffic to DNSFilter's resolvers (103.247.36.36 & 103.247.37.37). Accomplish this in the VPN's DNS settings, which vary by manufacturer
The Site's filtering policy will now apply to the VPN traffic.
Ignore the network adapter when it recognizes a VPN
It is possible to disable the Roaming Client while using a full tunnel routing VPN, either as a desired outcome—the VPN offers trusted security so the agent isn't necessary while connected—or while troubleshooting policy settings as a temporary fix.
Option one: Use DNSFilter setting
DNSFilter offers a setting to tell the Roaming Client to ignore the network adapter when it recognizes a VPN in use.
This setting recognizes Palo Alto, SonicWall, AnyConnect, and some VPNs that feature "VPN" in the adapter name/description.
Follow these steps to configure the Roaming Client to ignore the adapter.
- From the DNSFilter dashboard, navigate to Deployments and select Sites
- Select the Site to edit
- Toggle on Disable Roaming Clients for conflicting VPN agents
Repeat these steps for each applicable network Site.
Option two: Edit the advanced registry
Manually edit the Roaming Client registry values if the VPN client isn't recognized by the DNSFilter disable feature (steps above).
- Open the Roaming Client command prompt
- Enter the following commands (two for each registry path). Replace 'ADAPTER NAME' with the VPN adapter's name in lower case, e.g. if the VPN's name is 'CorporateVPN', use 'corporatevpn':

  Set-ItemProperty -Path HKLM:\SOFTWARE\DNSFilter\Agent -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
  Set-ItemProperty -Path HKLM:\SOFTWARE\DNSFilter\Agent -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String

  Set-ItemProperty -Path HKLM:\SOFTWARE\DNSAgent\Agent -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
  Set-ItemProperty -Path HKLM:\SOFTWARE\DNSAgent\Agent -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String

- Restart the Roaming Client. The VPN will revert to its standard DNS resolver and DNSFilter will no longer resolve any DNS queries associated with the VPN
Contact Support for additional troubleshooting
If the above steps do not resolve the issue, check out our Community for other brand-specific support or send the following information to our Support team for review:
- A description of the issue
- VPN brand and/or setup (split or full tunnel)
- Log files with and without the VPN running
- Screenshots of the browser error if there is an internet connectivity issue