Using Task Scheduler in Windows to add static routes when VPN tunnel connects (e.g. L2TP)


Post by Peter » 16 Aug 2016, 10:22

This How-to applies to:
  • Windows 7 and up.

The main purpose of a VPN connection (e.g. L2TP/IPsec or PPTP) is to reach one or more specific networks over an encrypted connection, but by default Windows sends all traffic through the tunnel. This means that as long as the VPN connection is up, even ordinary internet browsing is sent through it. With split tunnelling, the VPN connection is only used for the desired network(s), while normal browsing uses the ordinary ISP connection outside the VPN. This saves a lot of bandwidth and management on the VPN terminator side and makes life easier for the user: they can browse the internet while staying connected to e.g. their work site, without constantly connecting and disconnecting the VPN.

There are many ways to solve this particular problem, and other How-To's on this forum describe some of them. This method uses the Task Scheduler in Windows to set up static routes automatically when the user starts the VPN connection.


Before we start with the scheduler, open the IPv4 properties of the VPN connection and clear the "Use default gateway on remote network" checkbox. We want to specify the routes manually so that not everything is sent into the VPN connection.
[Screenshot: Picture_5.png]
Once that is done, we can continue to the Task Scheduler.
1. Open Windows Task Scheduler and create a new task.
[Screenshot: Picture_1.png]
2. On the General tab, select "Run with highest privileges", since route modifications do not work with normal user permissions.
[Screenshot: Picture_2.png]
3.1 Go to the "Triggers" tab.
3.2 Click New…
3.3 Begin the task: On an event
3.4 Select Custom from Settings
3.5 Click New Event Filter…
[Screenshot: Picture_3.png]
4. Select the XML tab
4.1 Select "Edit query manually"
4.2 Paste the following data:

Code:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='RasClient'] and (Level=4 or Level=0) and (band(Keywords,36028797018963968)) and (EventID=20225)]]</Select>
  </Query>
</QueryList>

Note: The exact QueryList may be subject to change depending on operating system and Windows updates, but hopefully not :mrgreen:
Note-2: The above syntax works if you only have ONE VPN connection, since the filter matches the "connected" event of any RAS connection, not a particular one.

5. Create a script file (e.g. a bat file) that contains the static routes we want to use, for example:

Code:

@echo off
REM The addresses in the original post were lost; NETWORK_1, NETMASK_1,
REM NETWORK_2, NETMASK_2 and VPN_GATEWAY are placeholders for your own values.
route delete NETWORK_1 mask NETMASK_1
route delete NETWORK_2 mask NETMASK_2
route add NETWORK_1 mask NETMASK_1 VPN_GATEWAY
route add NETWORK_2 mask NETMASK_2 VPN_GATEWAY

VPN_GATEWAY is the gateway address inside the VPN tunnel.

6. Finally, go to the Actions tab and add an action that runs the newly created script (give its full path).
[Screenshot: Picture_4.png]
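The complete procedure (steps 2 to 6) scripted in PowerShell, as an added example that is not part of the original post. It needs the ScheduledTasks module, i.e. Windows 8 / Server 2012 or later, so on Windows 7 the GUI steps above remain the way to do it. The task name, script path, connection name and the NETWORK/NETMASK/VPN_GATEWAY placeholders are assumptions; the event filter is the one from step 4. It also includes two checks a practitioner would want: that the filter actually matches an event in the local Application log, and that the script the elevated task runs is not writable by standard users.

```powershell
# Added example, not from the original post. Automates steps 2-6 of the How-to.
# Assumptions: task name, script path and connection name are made up; the route
# targets are placeholders. Requires the ScheduledTasks module (Windows 8+).
#Requires -RunAsAdministrator

$TaskName       = 'VPN-SplitTunnel-Routes'                    # assumed task name
$ConnectionName = 'Work L2TP'                                 # assumed: the VPN entry's name in Windows
$ScriptPath     = 'C:\ProgramData\VpnRoutes\vpn-routes.bat'   # assumed location (admin-only folder)

# Step 4: the RasClient "connected" filter from the post, used both to check the
# log and as the trigger subscription.
$Subscription = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='RasClient'] and (Level=4 or Level=0) and (band(Keywords,36028797018963968)) and (EventID=20225)]]</Select>
  </Query>
</QueryList>
'@

# Check 1: does the filter match anything on this machine? Connect the VPN once
# before running this. No hits means the query differs on this Windows build
# (the caveat in the post's first note) and the trigger would never fire.
$hits = Get-WinEvent -FilterXml ([xml]$Subscription) -MaxEvents 5 -ErrorAction SilentlyContinue
if ($hits) {
    $hits | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Warning 'No RasClient 20225 events in the Application log yet; connect the VPN once and re-run.'
}

# Step 5: write the route script. The rasdial guard addresses the post's Note-2:
# the filter matches the connect event of ANY RAS entry, so only add the routes
# when the expected entry is the one that came up. Assumes 'rasdial' without
# arguments lists the currently connected entries by name.
$Batch = @"
@echo off
REM Placeholders: replace NETWORK_n / NETMASK_n / VPN_GATEWAY with your own values.
rasdial | find /i "$ConnectionName" >nul || exit /b 0
route delete NETWORK_1 mask NETMASK_1
route delete NETWORK_2 mask NETMASK_2
route add NETWORK_1 mask NETMASK_1 VPN_GATEWAY
route add NETWORK_2 mask NETMASK_2 VPN_GATEWAY
"@
New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Batch -Encoding Ascii

# Check 2: the task runs elevated (step 2), so whoever can edit this file runs
# code as administrator on every VPN connect. Warn about non-admin principals
# with write rights so the ACL can be tightened before the task is registered.
(Get-Acl -Path $ScriptPath).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                   $_.IdentityReference -notmatch 'Administrators|SYSTEM' } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can modify $ScriptPath" }

# Step 3: event trigger. New-ScheduledTaskTrigger has no "On an event" option,
# so build the MSFT_TaskEventTrigger CIM instance the GUI would create.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $Subscription
$trigger.Enabled = $true

# Step 6: the action; step 2: run with highest privileges as the current user.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType Interactive -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force | Out-Null
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

Run it from an elevated PowerShell after connecting the VPN once, so that Check 1 has an event to find. Because the batch file only adds routes when the expected entry is listed as connected, the same task can be registered on machines that have more than one VPN entry, which lifts the limitation in Note-2.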
We would like to thank Matti Nykyri for the details making this article possible.
