In this example, L2TP was used. All traffic from this machine is going through the FortiGate. To enable split-tunneling:
- Go to the L2TP connection properties in Control Panel\Network and Internet\Network Connections.
- On the VPN Connection Properties window, go to the Networking tab, select Internet Protocol Version 4 (TCP/IPv4), and select Properties.
- On the Internet Protocol Version 4 (TCP/IPv4) Properties window, select Advanced.
- Deselect the 'Use default gateway on remote network' box and try to reconnect to the VPN.
Result: a split-tunnel route has automatically been created for the classful network of the address assigned to the client.

For Windows 11:
- Open the search bar and look for Settings.
- Go to Network & Internet, then VPN.
- Select the VPN connection and select Advanced Options.
- On the selected VPN, select Edit under More VPN properties.
- In the Properties menu, go to Networking, select Internet Protocol Version 4 (TCP/IPv4), and select Properties.
- Once in the Advanced TCP/IP Settings, go to IP Settings and unselect the 'Use default gateway on remote network' option.
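The same change can be made and verified from PowerShell instead of the GUI. The script below is an added example, not part of the Fortinet article; it uses the built-in VpnClient cmdlets and assumes a per-user L2TP profile named "FortiGate-L2TP" (placeholder), whose tunnel interface alias equals the profile name, and a constructed sample subnet 192.168.50.0/24 for the optional client-side route.

```powershell
# Added example (not from the Fortinet article): switch the L2TP profile to split
# tunneling with the VpnClient cmdlets, reconnect, and inspect the routes Windows
# actually installed on the tunnel interface.
# Assumptions: profile name "FortiGate-L2TP" (placeholder), created for the current
# user (add -AllUserConnection to the Vpn* cmdlets if it is a machine-wide profile),
# tunnel interface alias equal to the profile name, credentials already saved.

$ConnectionName = "FortiGate-L2TP"   # placeholder, adjust to the real profile name

# 1. Current state. SplitTunneling = False means 'Use default gateway on remote
#    network' is ticked, i.e. all traffic goes through the FortiGate.
$vpn = Get-VpnConnection -Name $ConnectionName
"Before: SplitTunneling = $($vpn.SplitTunneling)"

# 2. Drop the tunnel (the setting is read at connect time), then apply the
#    equivalent of unticking the checkbox in the Advanced TCP/IP settings.
rasdial $ConnectionName /disconnect | Out-Null
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 3. Reconnect with the saved credentials and give the interface a moment to come up.
rasdial $ConnectionName | Out-Null
Start-Sleep -Seconds 5

# 4. With split tunneling enabled, the only route Windows adds on its own is the
#    classful route for the address received over IPCP; no 0.0.0.0/0 should appear.
Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize

# 5. Prefixes the FortiGate advertises via DHCP option 121 are not picked up by
#    this method. When enabling dhcp-ipsec on the FortiGate is not an option, a
#    client-side alternative is to pin the prefix to the profile so it is re-added
#    on every connect. 192.168.50.0/24 is a constructed sample subnet.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix "192.168.50.0/24" -PassThru
```

Step 4 is the useful check after either the GUI or the cmdlet change: if a `0.0.0.0/0` entry is still listed for the tunnel interface, the profile was not reconnected after the setting changed.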
Note 1: This method prevents the VPN from injecting the default route through the VPN tunnel interface, but it also does not add any other routes that have been advertised using DHCP option 121. To enable split-tunneling to additional subnets:
- After adding the subnets using DHCP option 121, enable the 'dhcp-ipsec' option in the IPsec phase2 configuration with the following commands:

    config vpn ipsec phase2-interface
        edit <tunnel_phase2_name>
            set dhcp-ipsec enable
        next
    end

Note 2: PPP (Point-to-Point Protocol) is the foundation for L2TP, and it uses IPCP (IP Control Protocol) to negotiate the IP address. Since IPCP historically did not transmit a subnet mask, Windows implemented classful networking logic as a fallback mechanism:
- Class A (10.0.0.0 to 10.255.255.255): Windows adds a route to 10.0.0.0 with a mask of 255.0.0.0 (/8).
- Class B (172.16.0.0 to 172.31.255.255): Windows adds a route with a mask of 255.255.0.0 (/16).
- Class C (192.168.0.0 to 192.168.255.255): Windows adds a route with a mask of 255.255.255.0 (/24).
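The classful fallback can be reproduced to predict which route Windows will add for a given IPCP address and whether it will swallow a local subnet. The script below is an added PowerShell example, not part of the Fortinet article; it applies the general classful rule (first octet 0-127 gives /8, 128-191 gives /16, 192-223 gives /24), of which the three private ranges listed above are instances, and the function names, the assigned address and the local subnets are constructed for the example.

```powershell
# Added example (not from the Fortinet article): compute the classful route Windows
# derives from an IPCP-assigned address and test it against local subnets for the
# overlap described in this note. Function names and sample values are constructed.

function ConvertTo-AddressNumber {
    # IPv4 dotted quad -> integer (int64 avoids unsigned/shift quirks in PS 5.1)
    param([Parameter(Mandatory)][string]$IPv4Address)
    $b = [System.Net.IPAddress]::Parse($IPv4Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-ClassfulPrefix {
    # Returns the classful network (CIDR) Windows falls back to when IPCP gives no mask.
    param([Parameter(Mandatory)][string]$IPv4Address)
    $octets = $IPv4Address.Split('.') | ForEach-Object { [int]$_ }
    if ($octets.Count -ne 4) { throw "Not an IPv4 address: $IPv4Address" }
    $first = $octets[0]
    if     ($first -le 127) { $len = 8 }    # class A -> 255.0.0.0
    elseif ($first -le 191) { $len = 16 }   # class B -> 255.255.0.0
    elseif ($first -le 223) { $len = 24 }   # class C -> 255.255.255.0
    else   { throw "No classful unicast route for $IPv4Address (class D/E)" }
    $net = @(0, 0, 0, 0)
    for ($i = 0; $i -lt ($len / 8); $i++) { $net[$i] = $octets[$i] }
    return "$($net -join '.')/$len"
}

function Test-PrefixOverlap {
    # Two prefixes overlap when they agree on the network bits of the shorter one.
    param([Parameter(Mandatory)][string]$PrefixA, [Parameter(Mandatory)][string]$PrefixB)
    $a, $aLen = $PrefixA.Split('/')
    $b, $bLen = $PrefixB.Split('/')
    $len   = [math]::Min([int]$aLen, [int]$bLen)
    $block = [int64][math]::Pow(2, 32 - $len)          # host-range size at that length
    $na = ConvertTo-AddressNumber $a
    $nb = ConvertTo-AddressNumber $b
    return (($na - ($na % $block)) -eq ($nb - ($nb % $block)))
}

# Constructed sample: address received from the FortiGate over IPCP, and the subnets
# of the local LAN. On a live machine the local list can be built with
#   Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }
$assigned     = "10.212.134.200"
$localSubnets = @("10.0.1.0/24", "192.168.1.0/24")

$classful = Get-ClassfulPrefix $assigned          # -> 10.0.0.0/8
"Windows will add $classful through the tunnel for $assigned"
foreach ($s in $localSubnets) {
    if (Test-PrefixOverlap $classful $s) {
        "CONFLICT: local subnet $s is covered by the classful tunnel route $classful"
    }
}
```

With the sample values the check reports a conflict for 10.0.1.0/24 and none for 192.168.1.0/24; a reported conflict is the case for ticking 'Disable class-based default route' and relying on explicit routes instead.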
If this behavior causes conflicts (for example, if the local network is also using the 10.x.x.x range), check the 'Disable class-based default route' box in the Advanced TCP/IP settings (IPv4) of the VPN connection.

Related articles:
Technical Tip: Split tunneling on L2TP/IPsec VPN between FortiGate and Windows 10.
Technical Tip: Resolving internet connectivity issues with L2TP.