Full Tunnel VPN with Broad Exceptions

I am trying to do a full tunnel VPN with broad exceptions. I have set up a Sophos XG with a full tunnel IPsec VPN. I need all traffic to go over the VPN with the exception of Teams/Zoom/YouTube/Office 365. Traffic to these sites needs to go out the user's gateway and not the XG.

I have been told to use route.exe. So I would use the command route add 208.65.153.238 255.255.255.255 192.168.0.254. This would route the traffic for YouTube (208.65.153.238) over the gateway (192.168.0.254). I understand I would have to do this for every IP address 😭.

The issue is that the above only works if the user stays in the same place (the gateway doesn't change) and all users have the same gateway address.

Is there a way to script forcing traffic over the LAN/Wi-Fi for specific IP addresses instead of the VPN?

You need a split tunnel… but the problem is that you are never going to keep up with the IPs that Teams/Zoom/YouTube/O365 use.

The right and pretty much only way to do split tunnel is to force traffic back through the VPN for specific sites and services, and leave the rest to go out their own internet.

Side note, we have been seeing a push by insurance agents and auditors to not have split tunnel VPNs anymore for security purposes and to move to always-on VPNs.

I support small businesses, MSP style. Mostly Fortinet FortiGate firewalls.

What you're looking for generically is a full tunnel with negative routing. The firewall itself has to be somewhat intelligent, but the VPN client has to actually do the routing.

In the FortiGate world this is called "application-based split tunnel". It'll require a FortiGate firewall and FortiClient (the VPN client) that's EMS managed.

FortiGate has an "ISDB - Internet Service Database" with entries like "Office365", "Teams", "Skype", "Zoom" that are lists of the IPs the cloud providers run their stuff on. They maintain those lists so you don't have to; really, you've got zero chance of doing this on your own, sadly.

I'm sure Palo Alto with GlobalProtect will also do it. I'd wager Check Point will; Cisco/Firepower… maybe?

Best place to ask about this stuff is r/networking, honestly. Search there for "Negative Route" and see what pops up.

Good luck!

I would say your best bet in this case would be to have a PAC file. Now, if you have never done them before they can be a bit of a bear to figure out, and to be fair, scoping out and bypassing MS is… problematic. You may be better off with a solution like Zscaler Internet Access, Cisco Umbrella, WebTitan, etc. Personally, I deployed Zscaler and it works like a charm.

If you are stuck with a PAC file, here is a site I found useful when making my PAC file for Zscaler for my oddball sites: Link
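As an added illustration of the PAC approach suggested above (not code from the thread or from any vendor), here is a proxy auto-config file that returns DIRECT for the collaboration and video domains named in the question and sends everything else through a proxy. The proxy address, the internal domain and the exact bypass domain list are assumptions; the suffix matcher is written inline so the file can be checked outside a browser.

```javascript
// Added example PAC file. Domains below are illustrative; the proxy host,
// the internal suffix and the list contents are assumptions, not from the thread.
var BYPASS_DOMAINS = [
  "zoom.us", "teams.microsoft.com", "youtube.com", "googlevideo.com",
  "office.com", "office365.com", "outlook.office.com", "sharepoint.com"
];
var INTERNAL_SUFFIX = "corp.example.internal";            // assumed
var DEFAULT_PROXY = "PROXY proxy.example.internal:8080";  // assumed

// Suffix match that requires a dot boundary, so "notzoom.us" does not match
// "zoom.us". Named differently from the PAC built-in dnsDomainIs to avoid
// shadowing the engine's own implementation when loaded in a browser.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  return host.length > domain.length &&
    host.substr(host.length - domain.length - 1) === "." + domain;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and the internal suffix stay local (via the VPN routes).
  if (host.indexOf(".") === -1 || hostInDomain(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Collaboration/video services leave via the user's own gateway.
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Everything else is steered to the corporate proxy; fall back to DIRECT
  // only if the proxy is unreachable, so a proxy outage does not brick browsing.
  return DEFAULT_PROXY + "; DIRECT";
}
```

A PAC file only influences proxy-aware applications (browsers, the Office and Teams desktop clients, anything honouring WinHTTP/WinINET settings); raw UDP media and other non-proxy traffic still follow the routing table, so this complements rather than replaces the firewall-side split tunnel.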

Been trying to figure this one out myself!!!

I wonder if your insurance would be happy with a DNS filtering service like Umbrella to cover the remote users (along with AV)?

No, because you are losing a lot of functions that a good edge device has beyond just web filtering. They want us to treat remote devices exactly like on-prem devices. Always-on VPNs add another layer of protection against malicious access points and other MitM techniques.