Forum Discussion

Guybrush
Copper Contributor
Aug 13, 2023

VPN Split Tunneling

I work for an organisation of roughly 70 people. Around 50 of those people use Linux (Ubuntu 22.04). We use OpenVPN on all devices (Linux, macOS and Windows). The incidence of Teams-related glitches, particularly for Linux users, has spiked recently. They mainly relate to calls dropping, and other video related issues, but also relate to things like statuses being incorrect, notifications not working and other irritating issues.

Teams "just works" for about half of our people but disgruntlement is increasing and I need to improve the user experience.

It feels like step 1 is to implement VPN split tunneling such that any VPN-related issues are bypassed. I have seen a guide on the MS website for how to configure this, but it's not obvious to me how to test if any changes we make have actually worked. I'm concerned that I may need to start faffing around with Wireshark or something like that to see what's happening under the hood. Are there any easy ways to see (logs in the Teams Admin Center showing the IP addresses from which connections are originating, for example) if VPN config changes have worked for all the different interactions that Teams has with the MS mothership, particularly when users are using Teams in their browser, or do I need to start faffing around with browser developer tools/Wireshark or something like that, and maybe run Wireshark on both the "inside" and the "outside" of my VPN device and see that the traffic really is bypassing the VPN?
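One way to check this on a Linux client without Wireshark, as an added example that is not part of the original post: parse the client's routing table and do a longest-prefix match for each Teams destination prefix, flagging any prefix that would still exit via the tunnel interface. The route lines and prefixes below are constructed samples, and the tunnel interface name tun0 is an assumption.

```python
import ipaddress

# Constructed `ip route show` output from an Ubuntu laptop with OpenVPN up (not
# from the original post). 0.0.0.0/1 + 128.0.0.0/1 via tun0 is OpenVPN's
# redirect-gateway; 52.112.0.0/14 via wlp3s0 is a hypothetical split-tunnel exception.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/8 via 10.8.0.1 dev tun0
52.112.0.0/14 via 192.168.1.1 dev wlp3s0
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.50
"""
# Illustrative Teams destination prefixes (constructed); in practice take them
# from Microsoft's published Microsoft 365 endpoint list for Teams.
TEAMS_PREFIXES = ["52.112.0.0/14", "52.122.0.0/15", "13.107.64.0/18"]
VPN_INTERFACES = {"tun0"}

def parse_routes(text):
    """Turn `ip route show` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, address):
    """Longest-prefix match: the interface the kernel would pick for address."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def leaked_prefixes(routes, prefixes, vpn_ifaces=VPN_INTERFACES):
    """Prefixes where either end of the range would still exit via the VPN."""
    leaked = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        # Probe both ends: a narrower VPN route could cover only part of the prefix.
        if any(egress_interface(routes, h) in vpn_ifaces for h in (net[1], net[-2])):
            leaked.append(p)
    return leaked

print(leaked_prefixes(parse_routes(SAMPLE_ROUTES), TEAMS_PREFIXES))
```

On a real machine feed it the output of `ip route show` and the current prefixes from Microsoft's endpoint list. A DNS resolver pushed by the VPN can still answer Teams lookups from the office's location, so check name resolution separately from routing.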

2 Replies

  • Ed Woodrick
    Iron Contributor

    Guybrush

    Absolutely use split tunnel!

    Don't worry about the Teams addresses, just send Corp traffic to the Corp network and the remainder to the Internet. That's a pretty common solution these days.

    VPN requires your traffic to get encrypted, slowing it down. And then routing to the office adds at least two hops and possibly going over a slower link.

    But most importantly, you don't get the benefit of geoDNS. If a user was in Europe and your office in the US, that's an obnoxiously slow route as opposed to the Europe user jumping on the Microsoft network in one or two hops and taking extremely fast connectivity to your tenant.