Network admins use these steps to configure remote access VPNs (e.g. Palo Alto, SonicWall, AnyConnect, OpenVPN, etc.) so that filtering with the Windows Roaming Client continues without interruption or issue. The conflict stems from how Windows chooses which DNS resolvers to use when a VPN is active.
Commonly reported issues while using a VPN include:
- Content not blocked
- User-level policies not applied
- No DNS resolution
- No internet access
We recommend running the Roaming Client and VPN at the same time with a split tunnel VPN configuration, but also offer troubleshooting steps to disable the Roaming Client and set VPN traffic to resolve through DNSFilter resolvers.
Recommendations on 3rd party software
At DNSFilter, our top priority is ensuring that customers can successfully deploy and maintain our product. While we make every effort to understand third-party software and ensure compatibility across services, we cannot guarantee a solution for every product available.
This article provides general guidance, and DNSFilter does not officially endorse or validate third-party software. We strongly recommend testing configurations before implementation. If you encounter difficulties, we encourage you to explore our Community and consult the VPN vendor, as there may be configuration details or settings we've overlooked with the VPN solution.
Run Roaming Client and VPN at same time
In corporate settings it's common to use a VPN to connect employees to the organization's intranet while also enforcing filtering policies through DNSFilter.
We recommend configuring the VPN for split tunnel routing to keep secure internet access and local resources. This achieves the goal to filter DNS traffic through DNSFilter while still using the VPN.
Option one: Reprioritize metric values
Setting the Network Interface Card (NIC) primary metric to a lower value than the VPN interface's metric causes Windows to prefer DNS from the primary network adapter.
Some VPN clients automatically set their interface metric to the lowest value when they connect. Disable or account for this setting depending on the VPN client used.
- From Windows, navigate to the Network Connections Settings (right-click on Start or use the Windows search bar)
- Select the Ethernet Interface connected to the network
- Right-click and select Properties
- Select Internet Protocol Version 4 (TCP/IPv4)
- Select Properties
- Select Advanced
- Tab to IP Settings
- Uncheck Automatic Metric
- Set a specific metric value for the Ethernet interface, e.g. 10. This metric value should be lower than the VPN interface's metric value
- Select OK to save the changes
- Close all open windows
The metric value is now reset and the Roaming Client and VPN should run together as expected.
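The metric change above, scripted for repeatable rollout and verification. This is an added example, not DNSFilter's or any VPN vendor's tooling; it assumes the physical NIC's alias is 'Ethernet' and recognises VPN adapters by matching their description against the vendor strings this article mentions.

```powershell
#Requires -RunAsAdministrator
# Added example (not DNSFilter's own tooling). Pins the physical NIC's IPv4
# metric below the VPN adapter's so Windows prefers the NIC's DNS settings,
# where the Roaming Client answers on 127.0.0.2.
# Assumptions: NIC alias is 'Ethernet'; VPN adapters match $VpnPattern.
$LanAlias   = 'Ethernet'
$VpnPattern = 'PANGP|Fortinet|SonicWall|AnyConnect|VPN'
$Target     = 10   # the article's example value

# Record the current metrics so the change can be reviewed or reverted.
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState |
    Format-Table -AutoSize

# Find the VPN adapter(s) and the lowest IPv4 metric among them.
$vpnAdapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match $VpnPattern }
$vpnMetrics  = foreach ($vpn in $vpnAdapters) {
    (Get-NetIPInterface -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue).InterfaceMetric
}
$lowestVpn = ($vpnMetrics | Measure-Object -Minimum).Minimum
if ($null -ne $lowestVpn -and $lowestVpn -le $Target) {
    # Some VPN clients force their own metric to the lowest value; the NIC must still win.
    Write-Warning "VPN metric $lowestVpn is not above $Target; adjust the VPN client or choose a lower target."
}

# Disable Automatic Metric and pin the NIC to the fixed value.
Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric $Target

# Verify: the connected interface with the lowest metric is consulted first,
# and its DNS server list should be the Roaming Client's loopback address.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric
Get-DnsClientServerAddress -AddressFamily IPv4 -InterfaceAlias $LanAlias |
    Select-Object InterfaceAlias, ServerAddresses
```

Run it once with the VPN connected so the VPN adapter's metric is visible in the comparison.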
Option two: Set the VPN DNS resolver destination
Setting the VPN config DNS resolver to our loopback IP address 127.0.0.2 will direct DNS traffic through the Roaming Client. Steps to do this vary depending on the manufacturer, so see their manual or help center for guidance.
After setting VPN DNS configuration, add local domain and resolver IP addresses to the app dashboard configuration. This forces the agent to forward any requests using that local domain to the specified IP resolvers.
Forward VPN traffic through DNSFilter resolvers
DNS traffic is not resolved through the Roaming Client when running a full tunnel VPN. Full tunnel configurations route all traffic through the VPN network's resolvers, bypassing the Roaming Client and its filtering policies (one of the ways users can circumvent network security settings).
Though our first recommendation is to follow the split tunnel configurations above, a workaround that keeps full tunnel routing is to set up DNS Forwarding on the VPN network. This applies a filtering policy even while connected to the VPN.
✍️ Roaming Client capabilities like per-user filtering and reporting would be lost in this configuration. DNS Forwarding is a blanket policy for the network instead of devices.
- Set up a Site and enter the VPN's egress IP in the IPs/DNS Hostname field
- Forward the VPN traffic to DNSFilter's resolvers (103.247.36.36 & 103.247.37.37). Accomplish this in the VPN's DNS settings, which vary by manufacturer
The Site's filtering policy will now apply to the VPN traffic.
Ignore the network adapter when it recognizes a VPN
It is possible to disable the Roaming Client while using a full tunnel routing VPN, either as a desired outcome—the VPN offers trusted security so the agent isn't necessary while connected—or while troubleshooting policy settings as a temporary fix.
Option one: Use DNSFilter setting
DNSFilter offers a setting to tell the Roaming Client to ignore the network adapter when it recognizes a VPN in use.
This setting recognizes Palo Alto (PANGP), Fortinet, SonicWall, Anyconnect, and some VPNs that feature "VPN" in the adapter name/description.
Follow these steps to configure the Roaming Client to ignore the adapter.
- From the DNSFilter dashboard, navigate to Deployments and select Sites
- Select the Site to edit
- Toggle on Disable Roaming Clients for conflicting VPN agents
Repeat these steps for each applicable network Site.
Option two: Edit the advanced registry
Manually edit the Roaming Client registry if the VPN client isn't recognized by the DNSFilter app's disable feature (steps above).
- Open the Roaming Client command prompt
- Enter the following commands. Edit ADAPTER NAME to match the VPN's adapter name in lower case, e.g. if the VPN's name is 'CorporateVPN', change 'ADAPTER NAME' to 'corporatevpn'

Set-ItemProperty -Path HKLM:\SOFTWARE\DNSFilter\Agent -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
Set-ItemProperty -Path HKLM:\SOFTWARE\DNSFilter\Agent -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String

Set-ItemProperty -Path HKLM:\SOFTWARE\DNSAgent\Agent -Name 'IgnoreVpnInterfacesNames' -Value 'ADAPTER NAME' -Type String
Set-ItemProperty -Path HKLM:\SOFTWARE\DNSAgent\Agent -Name 'IgnoreVpnInterfaces' -Value 'true' -Type String

- Restart the Roaming Client. The VPN will revert to its standard DNS resolver and DNSFilter will no longer resolve any DNS queries associated with the VPN
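The registry edit above as a script that lower-cases the adapter name for you, writes both registry locations this article lists, and reads the values back for verification. This is an added example, not DNSFilter's own tooling; it assumes $VpnAdapterName is the VPN adapter's name exactly as Get-NetAdapter shows it.

```powershell
#Requires -RunAsAdministrator
# Added example (not DNSFilter's own tooling). Applies the article's
# IgnoreVpnInterfaces settings under both registry locations it lists,
# lower-casing the adapter name as required, then reads them back.
# Assumption: $VpnAdapterName is the adapter name shown by Get-NetAdapter.
param([Parameter(Mandatory)][string]$VpnAdapterName)

$name  = $VpnAdapterName.Trim().ToLowerInvariant()
$paths = 'HKLM:\SOFTWARE\DNSFilter\Agent', 'HKLM:\SOFTWARE\DNSAgent\Agent'

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        # Assumed: an install may carry only one of the two keys; skip the absent one
        # rather than creating a key the agent does not read.
        Write-Verbose "$p not present, skipping"
        continue
    }
    Set-ItemProperty -Path $p -Name 'IgnoreVpnInterfacesNames' -Value $name  -Type String
    Set-ItemProperty -Path $p -Name 'IgnoreVpnInterfaces'      -Value 'true' -Type String
}

# Read back what the agent will see once it is restarted (restart per the article).
foreach ($p in ($paths | Where-Object { Test-Path $_ })) {
    Get-ItemProperty -Path $p |
        Select-Object @{ n = 'Path'; e = { $p } }, IgnoreVpnInterfaces, IgnoreVpnInterfacesNames
}
```

Run Get-NetAdapter first to copy the exact adapter name; the script only changes its case.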