Thanks for these information . Is there any configuration document to have Client VPN split tunneling for Android and IPhone or any other smartphones .

or can you recommend any App to do this split tunneling.

Also interested in this. Require split tunnel functionality on android

I find this not very satisfying as I don't want to manually enroll routes on every single client, no matter if it is possible by scripting or not.

Will there be a solution for the routes to be pushed by the VPN DHCP Server via L2TP? It should be possible with DHCP option 121 / 249.

Would using a 3rd party DNS service like Google Cloud DNS solve this? https://cloud.google.com/dns/

When connecting to the VPN you need a local DHCP Server issuing an IP and via DHCP options push the routes that are activated in the Meraki dashboard, so split tunnelling is possible. I don't see how a cloud based DNS would help in that case?

That's what I thought too, but reading further into the Google Cloud DNS and it says this:

When to use Cloud DNS

DNS is a hierarchical distributed database that lets you store IP addresses and other data, and look them up by name. Google Cloud DNS lets you publish your zones and records in the DNS without the burden of managing your own DNS servers and software.

It also mentions Split horizon DNS and lists the ability to manage domain resolution to public IP and domain resolution to internal (private) IP.

Link: https://cloud.google.com/dns/docs/overview

That sure is a nice feature for certain cases, but DNS resolution is not the problem with split tunneling, but the static routing is. As long as the client doens't know that for example 172.0.0.0/8 should go through the tunnel (which Meraki advises to put manually in the routing table of the client) it will try to use the standard interface and not the VPN device and thus fail to reach the host within the 172.0.0.0/8 network.

One sure can activate the the VPN device to be the standard gateway, but then ALL traffic will go through VPN which (for us) is not desirable. We only want to have business traffic going through the VPN tunnel and the rest of the (private) traffic go through the users private connection.

Hey DSchn, ahh so cloud DNS won't work then. So, to achieve split tunnels for local and public domain routing with Meraki equipment, you either have to have your own on-prem DNS server or make the DNS settings manually on the clients?

DNS doesn't have to do anything with VPN at all, at least not regarding split tunneling/routing.

can we automate the routes needed to add into client station and push it from meraki??

>can we automate the routes needed to add into client station and push it from meraki??

Push from Meraki, no.

Automate via AD group policy, yes.