How to Access Your Local LAN While Connected to FortiClient VPN
Fix FortiClient VPN blocking local LAN access with split tunneling, static routes, and practical troubleshooting steps.
**Published by TangleTecs · Managed IT & Networking**
*Reading time: ~6 minutes*
The Problem
You connect to your company VPN using FortiClient and suddenly your local network goes dark. Your NAS drive disappears. Your printer stops working. You cannot reach your router admin page. Your local file shares are gone.
This is one of the most common frustrations IT teams and remote workers run into, and it has a specific cause: **full-tunnel VPN routing**.
By default, FortiClient routes all your internet traffic through the VPN tunnel. This means your machine stops talking directly to local devices and instead sends everything, including local network requests, through the corporate network first. The result: your LAN becomes unreachable.
This guide explains exactly why this happens and three ways to fix it.
Why This Happens: Full Tunnel vs Split Tunnel
When FortiClient connects, it pushes a default route (`0.0.0.0/0`) through the VPN tunnel. This is called **full tunneling**: every packet, regardless of destination, gets sent over the VPN.
**Split tunneling** is the alternative. Instead of routing everything through the VPN, only traffic destined for the corporate network goes through the tunnel. Everything else, including local LAN traffic, takes the normal direct path.
```
Full tunnel:  Your PC -> VPN -> Corporate Network -> Internet/LAN (broken)
Split tunnel: Your PC -> VPN -> Corporate Network (work traffic only)
              Your PC -> Router -> LAN devices (local traffic works)
```
There are two ways to solve this: configure split tunneling on the FortiGate (the right long-term fix), or apply a local workaround on your machine (useful when you do not control the VPN server).
Method 1: Enable Split Tunneling on the FortiGate (Recommended)
If you manage the FortiGate firewall, this is the cleanest solution. You configure the VPN tunnel to only route traffic destined for your corporate subnets, leaving everything else on the local path.
Steps (FortiGate Admin Console)
- Log into your FortiGate admin console
- Go to **VPN -> SSL-VPN Portals** and select your portal
- Under **Tunnel Mode**, find the **Split Tunneling** option
- Set it to **Enabled Based on Policy Destination**
- Define your routing address (your corporate subnet, e.g. `10.0.0.0/8` or `192.168.10.0/24`)
- Save and apply the policy
Once applied, FortiClient will only tunnel traffic destined for those defined subnets. All other traffic, including your local LAN, routes normally.
Method 2: Add a Static Route Manually (Windows)
If you do not have access to the FortiGate, or you need a quick fix while waiting for your IT team to configure split tunneling, you can add a static route manually on your Windows machine after the VPN connects.
Find Your Local Gateway and Subnet
Before the VPN connects (or after disconnecting temporarily), open Command Prompt and run:
```
ipconfig
```
Note down:
- Local IP address (e.g. `192.168.1.45`)
- Subnet mask (e.g. `255.255.255.0`)
- Default gateway (e.g. `192.168.1.1`)
Add the Static Route
Once the VPN is connected, open Command Prompt as Administrator and run:
```
route add 192.168.1.0 mask 255.255.255.0 192.168.1.1
```
To make the route persist across reboots:
```
route add -p 192.168.1.0 mask 255.255.255.0 192.168.1.1
```
Verify It Worked
```
route print
ping 192.168.1.1
```
Method 3: Add a Static Route on macOS / Linux
macOS
```
netstat -rn | grep default
sudo route -n add -net 192.168.1.0/24 192.168.1.1
```
Linux
```
ip route show default
sudo ip route add 192.168.1.0/24 via 192.168.1.1
```
Summary
The cleanest long-term solution is to configure split tunneling on the FortiGate itself. If you manage VPN infrastructure and want help designing a secure split-tunnel policy, contact TangleTecs.
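The subnet arithmetic behind Methods 2 and 3, as an added example (not TangleTecs or Fortinet code): it derives the LAN network from the three values noted from `ipconfig`, builds the matching route command for each OS, and flags a home LAN that overlaps a tunneled corporate subnet, in which case a local route would pull that corporate traffic off the VPN. The function name `plan_lan_route` and the `tunneled_subnets` parameter are made up for this example, and the addresses are the article's sample values.

```python
import ipaddress

def plan_lan_route(local_ip, netmask, gateway, tunneled_subnets=()):
    """Turn the values noted from ipconfig into per-OS static route commands.

    plan_lan_route and tunneled_subnets are names made up for this example.
    """
    # IPv4Interface accepts "address/netmask" and exposes the enclosing network.
    lan = ipaddress.IPv4Interface(f"{local_ip}/{netmask}").network
    gw = ipaddress.IPv4Address(gateway)
    # The next hop has to be a host on the local subnet; a gateway outside it
    # (or the network/broadcast address) cannot deliver LAN traffic.
    edge = (lan.network_address, lan.broadcast_address)
    if gw not in lan or (lan.prefixlen < 31 and gw in edge):
        raise ValueError(f"gateway {gw} is not a usable host in {lan}")
    # If the home LAN overlaps a subnet the VPN is meant to carry, a local
    # route for it would pull that corporate traffic off the tunnel.
    overlaps = [str(net) for net in map(ipaddress.IPv4Network, tunneled_subnets)
                if net.overlaps(lan)]
    return {
        "network": str(lan),
        "overlaps": overlaps,
        "windows": f"route add {lan.network_address} mask {lan.netmask} {gw}",
        "macos": f"sudo route -n add -net {lan} {gw}",
        "linux": f"sudo ip route add {lan} via {gw}",
    }

if __name__ == "__main__":
    # Constructed sample input: the article's example host, mask and gateway,
    # checked against its two example corporate subnets.
    corporate = ["10.0.0.0/8", "192.168.10.0/24"]
    plan = plan_lan_route("192.168.1.45", "255.255.255.0", "192.168.1.1", corporate)
    if plan["overlaps"]:
        print("Do not add a local route; LAN overlaps:", ", ".join(plan["overlaps"]))
    else:
        for os_name in ("windows", "macos", "linux"):
            print(f"{os_name:8} {plan[os_name]}")
```

When `overlaps` is non-empty, the static-route workaround is the wrong tool; renumbering the home LAN or narrowing the split-tunnel destinations on the FortiGate avoids the conflict.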
Related Tools
Use our free [Port Checker](https://www.tangletecs.com/tools/networking#port-checker) and [Ping tool](https://www.tangletecs.com/tools/networking#ping) to diagnose connectivity issues on your local network or through the VPN.
