Example: Exclude Traffic from the VPN Tunnel on Windows Endpoints
To exclude traffic from the VPN tunnel after the VPN connection is established, reference the following script from a command registry entry for a post-vpn-connect event. This lets you selectively exclude routes while sending all other traffic through the VPN tunnel.
As a best practice, delete any exclude network routes that were previously added before adding the new exclude routes. In most cases, when a user moves between networks (for example, when switching between Wi-Fi and a wired local network), the old network routes are deleted automatically. If the old network routes persist, following this best practice ensures that traffic destined for the exclude routes goes through the gateway of the new network instead of the gateway of the old network.
For a script that you can copy and paste,
REM Run this script (route_exclude) post-vpn-connect.
REM Add exclude routes. This allows traffic to these networks and hosts to go directly and not use the tunnel.
REM Syntax: route_exclude <network1> <mask1> <network2> <mask2> ...<networkN> <maskN>
REM Example-1: route_exclude 10.0.0.0 255.0.0.0
REM Example-2: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0
REM Example-3: route_exclude 10.0.0.0 255.0.0.0 192.168.17.0 255.255.255.0 192.168.24.25 255.255.255.255
REM Initialize 'DefaultGateway' (clear any value inherited from the environment)
Set "DefaultGateway="
REM Use the route print command and find the DefaultGateway on the endpoint:
REM the third column of the first 0.0.0.0 entry wins; later 0.0.0.0 entries are ignored.
@For /f "tokens=3" %%* in (
'route.exe print ^|findstr "\<0.0.0.0\>"'
) Do if not defined DefaultGateway Set "DefaultGateway=%%*"
REM Use the route add command to add the exclude routes.
REM Loop over the <network> <mask> pairs; stop when no arguments remain.
:loop
if "%1"=="" goto end
REM Delete any previously added route for this network first, so a stale route
REM left over from an old network does not keep pointing at the old gateway.
route delete %1
route add %1 mask %2 %DefaultGateway%
REM Drop the processed <network> <mask> pair and continue with the next one.
shift
shift
goto loop
:end
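The same post-vpn-connect logic as a PowerShell script, added here as an example; it is not part of the GlobalProtect documentation. It goes slightly beyond the batch script above: it picks the default gateway by lowest effective metric rather than first match, and when cleaning up stale exclude routes it leaves on-link (connected-subnet) routes untouched. It assumes an elevated session on a Windows release that ships the NetTCPIP cmdlets, and takes the exclude list as CIDR prefixes rather than network/mask pairs.

```powershell
# Added example (not the GlobalProtect project's code). Run post-vpn-connect
# with administrator rights, e.g. .\route_exclude.ps1 10.0.0.0/8,192.168.17.0/24,192.168.24.25/32
# Assumption: the physical adapter's default route has the lowest effective
# metric among the 0.0.0.0/0 routes, so it is selected instead of a tunnel route.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ExcludePrefixes   # CIDR prefixes, e.g. "10.0.0.0/8", "192.168.24.25/32"
)

# Equivalent of parsing 'route print' for the 0.0.0.0 entry: take the IPv4
# default route with the lowest RouteMetric + InterfaceMetric.
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction Stop |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Select-Object -First 1
if (-not $default) { throw 'No IPv4 default route found; cannot add exclude routes.' }
$gateway = $default.NextHop
$ifIndex = $default.InterfaceIndex

foreach ($prefix in $ExcludePrefixes) {
    # Best practice from the text above: remove a previously added exclude route
    # before re-adding it, so a route left over from an old network does not keep
    # pointing at the old gateway. Only gateway routes are removed; an on-link
    # route for a directly connected subnet (NextHop 0.0.0.0) is kept.
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Where-Object { $_.NextHop -ne '0.0.0.0' } |
        Remove-NetRoute -Confirm:$false

    # Re-add the route via the current physical default gateway so this traffic
    # bypasses the tunnel. ActiveStore mirrors 'route add' without -p (not persistent).
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -NextHop $gateway `
        -RouteMetric 1 -PolicyStore ActiveStore | Out-Null
    Write-Host "Excluded $prefix via $gateway (ifIndex $ifIndex)"
}
```

After running it, `Get-NetRoute -DestinationPrefix <prefix>` should show each exclude prefix with the physical adapter's interface index and gateway, not the tunnel's.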