What to do when an undesired route is added after the VPN is up

After dialing up a VPN connection, the VPN client gets a virtual IP from the VPN server and adds a corresponding route to its routing table. The route is usually the LAN network of the VPN server. For instance, if the VPN client gets the IP 192.168.66.100 and the netmask 255.255.255.0 in the DHCP Inform/Ack packet, it will add the route 192.168.66.0/24 via the VPN interface after the VPN is up.

However, unexpected routes may sometimes be added to the PC’s routing table, which may cause routing issues. This could be related to the “Disable Class based route addition” option in Windows.

We can find the option on the Advanced TCP/IP Settings page of the VPN adapter connection via Control Panel >> All Control Panel Items >> Network Connections.

If the VPN client on Windows has the option "use default gateway on the remote network" disabled and the option "add routes based on classes" enabled, after obtaining the IP from the VPN server, Windows will add the corresponding route automatically to the VPN interface.

- 10.x.x.x (class A) will automatically create a static route to 10.0.0.0/8 through the tunnel.

- 172.x.x.x (class B) will automatically create a static route to 172.x.0.0/16 through the tunnel.

- 192.168.x.x (class C) will automatically create a static route to 192.168.x.0/24 through the tunnel.

However, the automatically added route is not always correct. When the VPN server’s network is 172.16.1.x/24 rather than 172.16.x.x/16, the class-based route covers more than it needs to and may conflict with the local network if that network is 172.16.2.x/24. In this situation, we can enable the “Disable Class based route addition” option.
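The following sketch is an added example, not DrayTek or Windows code. It derives the class-based route from the assigned VPN IP and compares it with the real server LAN and the PC's local LAN; it generalizes the three prefixes listed above to the full class A, B and C ranges, and the function names, the sample address 10.0.1.50 and the flagging rule are assumptions made for illustration.

```python
import ipaddress

def classful_route(vpn_ip: str) -> ipaddress.IPv4Network:
    """Network a class-based route would cover for this tunnel address."""
    first_octet = int(ipaddress.IPv4Address(vpn_ip)) >> 24
    if 1 <= first_octet <= 126:        # class A, e.g. 10.x.x.x -> /8
        prefix = 8
    elif 128 <= first_octet <= 191:    # class B, e.g. 172.x.x.x -> /16
        prefix = 16
    elif 192 <= first_octet <= 223:    # class C, e.g. 192.168.x.x -> /24
        prefix = 24
    else:
        raise ValueError(f"{vpn_ip} is not a class A, B or C address")
    return ipaddress.ip_network(f"{vpn_ip}/{prefix}", strict=False)

def audit_class_route(vpn_ip: str, server_lan: str, local_lan: str) -> dict:
    """Compare the class-based route with the real server LAN and the PC's LAN."""
    route = classful_route(vpn_ip)
    server = ipaddress.ip_network(server_lan)
    local = ipaddress.ip_network(local_lan)
    broader = route != server and server.subnet_of(route)
    overlaps = route.overlaps(local)
    return {
        "class_route": str(route),
        "broader_than_server_lan": broader,
        "overlaps_local_lan": overlaps,
        # Assumed rule for this example: flag only when the route reaches the local LAN.
        "review_disable_class_route": broader and overlaps,
    }

# Constructed sample cases based on the addresses used in the article.
CASES = [
    ("192.168.66.100", "192.168.66.0/24", "192.168.1.0/24"),
    ("172.16.1.100", "172.16.1.0/24", "172.16.2.0/24"),
    ("10.0.1.50", "10.0.1.0/24", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for ip, server_lan, local_lan in CASES:
        print(ip, audit_class_route(ip, server_lan, local_lan))
```

Compare the reported class route with the routes bound to the VPN interface in the output of `route print` after the tunnel is up.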

When the VPN server assigns a static IP to the VPN client, the “Disable Class based route addition” option needs to be unchecked. If it is not unchecked, the VPN client will only get a route to its own IP, 192.168.66.201/32. An alternative solution is to use the More Route option in DrayTek Smart VPN Client to add routes manually.

Smart VPN Client version 5.6.4 supports the disable class route option. It is disabled by default, to keep the behavior of the previous version. Leaving the disable class route option disabled means the class route will be added when the VPN is up.

Note: Class-based route addition also has advantages.

Suppose the central office and branches use 10.0.x.0/24 and are connected by LAN-to-LAN tunnels (branches to central).

A remote dial-in user (with "use default gateway" disabled) can connect to the central router and have access to all branches because of the additional route 10.0.0.0/8.

Published On: 2023-08-11
