This post explains how to implement and validate the "no split tunneling" requirement (SC.L2-3.13.7) from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 using a combined approach of VPN server/client configuration and Mobile Device Management (MDM) policy controls so small businesses can protect Controlled Unclassified Information (CUI) and meet Compliance Framework obligations.
What SC.L2-3.13.7 requires and why it matters
SC.L2-3.13.7 mandates that remote access sessions must not permit split tunneling — all traffic from a device with access to CUI must be directed through your corporate network (full-tunnel). In practice this means disabling client-side options that allow some traffic to flow directly to the internet or local networks while other traffic goes over the VPN. For Compliance Framework auditors this is a binary control: either your devices are configured to force all traffic through the enterprise VPN (and you can demonstrate enforcement), or you are not compliant.
How to configure VPN servers and clients (practical steps)
On both the VPN server and the client, enforce "tunnel all" routing and DNS so that no outbound traffic or DNS query bypasses the tunnel. Example settings: for OpenVPN, add the push directives push "redirect-gateway def1 bypass-dhcp" and push "dhcp-option DNS 10.0.0.10" to server.conf to force the default route and corporate DNS onto clients. For WireGuard, set AllowedIPs = 0.0.0.0/0, ::/0 on the peer in the client configuration to route all IPv4 and IPv6 traffic through the server. For classic IPsec/IKEv2 clients, use the server or profile options labelled "Force all traffic through tunnel" or "Disable split tunneling", or set traffic selectors that match 0.0.0.0/0. On Windows, create an Always On VPN profile and ensure split tunneling is disabled; for the native Windows VPN client (where supported) a simple client-side PowerShell example is: Add-VpnConnection -Name "CorpVPN" -ServerAddress "vpn.example.com" -SplitTunneling:$false (SplitTunneling is a switch parameter, so omitting it has the same effect; the command requires admin rights and an appropriate VPN plugin).
Vendor/service examples for small businesses
Small businesses often use a mix of appliances and cloud services. OpenVPN Access Server: enable "Redirect Internet traffic" in the user's VPN settings (or add push redirect-gateway). WireGuard: set AllowedIPs to 0.0.0.0/0 (and ::/0 so IPv6 is tunneled too). Cisco AnyConnect: in the ASA/ASAv/ISE profile, ensure "Allow Local LAN Access" is false and use group-policy settings to disable split tunneling. AWS Client VPN: leave split tunneling disabled when you create the endpoint (AWS CLI: create-client-vpn-endpoint --no-split-tunnel ..., which is also the default; --split-tunnel is the flag that would enable it). These examples map directly to a small office: pick the option that matches your existing stack and use the push, AllowedIPs or redirect options to implement full-tunnel behavior.
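A small static check for the client configurations described in the two paragraphs above, added here as an example (not code from the original post or from any of the vendors named). It assumes WireGuard client files in the usual INI form and OpenVPN files in server.conf or .ovpn form. It flags a WireGuard peer whose AllowedIPs do not cover both 0.0.0.0/0 and ::/0, and an OpenVPN client file that either lacks redirect-gateway or contains pull-filter ignore "redirect-gateway" or route-nopull, the client-side directives that discard a pushed default route and quietly reintroduce split tunneling. The file names in the usage line are hypothetical.

```shell
#!/bin/sh
# Static lint of client VPN configs for full-tunnel settings (added example;
# not from the original post or any vendor). Run it against the files your MDM
# is about to push, e.g. before signing a new profile version.

# wg_full_tunnel: read a WireGuard client config on stdin; succeed only when
# AllowedIPs covers both 0.0.0.0/0 and ::/0 (a peer that routes IPv4 alone
# still lets IPv6 leave the device locally).
wg_full_tunnel() {
  allowed=$(awk -F= '/^[[:space:]]*AllowedIPs[[:space:]]*=/ { print $2 }' \
            | tr -d ' \t' | tr ',' '\n')
  printf '%s\n' "$allowed" | grep -qxF '0.0.0.0/0' \
    && printf '%s\n' "$allowed" | grep -qxF '::/0'
}

# ovpn_full_tunnel: read an OpenVPN client config (or the server.conf push
# list) on stdin; succeed when a redirect-gateway directive is present and the
# client does not discard it with "pull-filter ignore" or "route-nopull".
ovpn_full_tunnel() {
  cfg=$(cat)
  printf '%s\n' "$cfg" \
    | grep -Eq '^[[:space:]]*(push[[:space:]]+")?redirect-gateway' || return 1
  printf '%s\n' "$cfg" \
    | grep -Eq '^[[:space:]]*(pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway|route-nopull)' \
    && return 1
  return 0
}

# lint_vpn_configs FILE...: classify each file by its header, print PASS/FAIL
# per file and return non-zero if any file would allow split tunneling.
lint_vpn_configs() {
  rc=0
  for f in "$@"; do
    if grep -q '^\[Interface\]' "$f"; then
      kind=wireguard; check=wg_full_tunnel
    else
      kind=openvpn; check=ovpn_full_tunnel
    fi
    if "$check" < "$f"; then
      echo "PASS $kind $f"
    else
      echo "FAIL $kind $f: split tunneling possible"; rc=1
    fi
  done
  return $rc
}

# Usage (hypothetical file names): sh lint_vpn.sh corp.conf client.ovpn
if [ $# -gt 0 ]; then
  lint_vpn_configs "$@"
fi
```

A FAIL line means the profile would leave some traffic outside the tunnel and should not ship. The check is deliberately literal: it does not recognize equivalent pairs such as 0.0.0.0/1 plus 128.0.0.0/1, so normalize your configs to the /0 form before relying on it.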
MDM policy configuration: enforce, lock, and audit
MDM is the enforcement plane — use it to deploy profiles that make the VPN both automatic and immutable by users. For Microsoft Intune create a VPN profile (Device-level VPN or Always On) that connects automatically, disallows user modification, and sets "Disable split tunneling" or equivalent. For iOS/macOS via Jamf or Apple MDM use a device-level VPN with "Enable VPN" Always On and set AllowPartialNetworkAccess = false in the payload so the OS does not permit bypass. Android Enterprise supports "Always-on VPN" with "Lockdown" mode which prevents users from disabling the VPN; use it on managed devices and block installation of secondary VPN apps. Additional MDM tasks: deploy device certificates for authentication (EAP/TLS) to prevent credential copying, restrict local admin rights, and mark the VPN configuration as non-removable so users cannot re-enable split tunneling or create local exceptions. Document the profile names and versions in your Compliance Framework evidence binder.
Testing, monitoring, and validation
Validate the configuration programmatically and manually: on macOS/Linux check the routing table (netstat -rn or ip route) to confirm that the default route points to the VPN interface; on Windows use route print or Get-NetRoute. Confirm that names are resolved by corporate DNS: run nslookup example.com and verify that the DNS server IP is your resolver. Do an external IP check (curl https://ifconfig.co) before and after connecting the VPN to verify that the public IP is the enterprise gateway. Automate periodic checks with a simple script, or use endpoint telemetry in your EDR/Mobile Threat Defense product to record VPN state and route tables to a SIEM. Capture screenshots and logs (VPN connection logs, MDM deployment history) to supply as Compliance Framework evidence during an audit. Also run DNS and WebRTC leak tests in browsers to ensure no data leaks around the tunnel.
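The routing and DNS checks described above, as a script you can run from a scheduled task or an EDR script job (an added example, not code from the original post). It asks the kernel which interface a packet to a public address would actually leave on (ip route get on Linux, route -n get on macOS) rather than grepping the routing table for a default entry, because OpenVPN's def1 mode leaves the original default route in place and adds two /1 routes on top of it, and wg-quick routes through a separate policy-routing table; a naive default-route check gives the wrong answer in both cases. The interface prefixes in VPN_IFACES, the resolver address CORP_DNS (reusing 10.0.0.10 from the OpenVPN example) and the optional EXPECTED_EGRESS address are assumptions to set for your environment.

```shell
#!/bin/sh
# Full-tunnel runtime check (added example; not from the original post).
# Assumed values, adjust to your environment:
#   CORP_DNS    resolver every query must go to (10.0.0.10 is the address
#               pushed in the OpenVPN example)
#   VPN_IFACES  interface-name prefixes owned by the VPN client
CORP_DNS="${CORP_DNS:-10.0.0.10}"
VPN_IFACES="${VPN_IFACES:-tun wg utun ppp ipsec}"

# effective_iface: read the output of `ip route get <probe>` (Linux) or
# `route -n get <probe>` (macOS/BSD) on stdin and print the interface the
# kernel would really use. This covers OpenVPN's def1 mode (two /1 routes
# over an untouched default) and wg-quick's policy-routing table, which a
# plain "default" lookup misses.
effective_iface() {
  awk '
    $1 == "interface:" { print $2; exit }     # macOS/BSD form
    { for (i = 1; i < NF; i++)                 # Linux form: "... dev tun0 ..."
        if ($i == "dev") { print $(i + 1); exit } }
  '
}

# is_vpn_iface NAME: succeed when NAME starts with one of VPN_IFACES.
is_vpn_iface() {
  for p in $VPN_IFACES; do
    case "$1" in "$p"*) return 0 ;; esac
  done
  return 1
}

# resolver_is_corporate: read resolv.conf-style text on stdin and succeed
# when the first nameserver is CORP_DNS.
resolver_is_corporate() {
  [ "$(awk '$1 == "nameserver" { print $2; exit }')" = "$CORP_DNS" ]
}

# check_full_tunnel [PROBE]: run the live checks, print PASS/FAIL per item
# and return 0 only when every item passed (feed the output to your SIEM).
check_full_tunnel() {
  probe="${1:-1.1.1.1}"   # any public address; it is only route-resolved
  status=0
  if command -v ip >/dev/null 2>&1; then
    iface=$(ip route get "$probe" 2>/dev/null | effective_iface)
  else
    iface=$(route -n get "$probe" 2>/dev/null | effective_iface)
  fi
  if is_vpn_iface "$iface"; then
    echo "PASS route to $probe leaves via VPN interface $iface"
  else
    echo "FAIL route to $probe leaves via '${iface:-unknown}' (split tunnel or VPN down)"
    status=1
  fi
  if resolver_is_corporate < /etc/resolv.conf; then
    echo "PASS first resolver is corporate DNS $CORP_DNS"
  else
    echo "FAIL first resolver is not $CORP_DNS"
    status=1
  fi
  # Optional egress check: the public IP seen by an external service must be
  # the VPN gateway's egress address (EXPECTED_EGRESS is a hypothetical value).
  if [ -n "${EXPECTED_EGRESS:-}" ]; then
    seen=$(curl -s --max-time 10 https://ifconfig.co)
    if [ "$seen" = "$EXPECTED_EGRESS" ]; then
      echo "PASS public IP $seen matches the enterprise gateway"
    else
      echo "FAIL public IP '${seen:-none}' is not $EXPECTED_EGRESS"
      status=1
    fi
  fi
  return $status
}

# Run the live checks only when invoked as: sh check_tunnel.sh --live
case "${1:-}" in --live) check_full_tunnel ;; esac
```

The parsing functions take their input on stdin so they can be tested against captured command output. On hosts running systemd-resolved, /etc/resolv.conf shows the stub resolver 127.0.0.53, so compare the output of resolvectl status instead; Windows hosts get the equivalent from Get-NetRoute, as the section notes.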
Risks of not implementing no split tunneling
Allowing split tunneling exposes CUI to direct internet paths: a compromised client on public Wi‑Fi can exfiltrate files or be used as a pivot point to attack the corporate network while the VPN still appears connected. Attackers can bypass corporate inspection (DLP, IDS/IPS) and DNS filtering if traffic leaves the device locally. From a compliance and contractual perspective, non‑implementation risks audit failure, loss of government contracts, and regulatory penalties. For a small business this can mean immediate operational impact and reputational damage if customer or government data is leaked.
Compliance tips and best practices
Operationalize the control: maintain a device inventory tied to MDM enrollment, require MDM for any device that accesses CUI, use conditional access so only compliant, MDM-enrolled machines can establish VPN sessions, and enforce MFA on VPN authentication. Keep a documented exception workflow (time-limited, risk-reviewed) for true technical exceptions and log all approvals. Periodically review VPN profiles after OS updates — mobile OS vendors change VPN APIs and a macOS or iOS update can silently change behavior. Finally, combine full-tunnel VPN with endpoint security (patching, EDR) and network controls (NAC, VLAN segmentation) to reduce blast radius if a device is compromised.
Summary: To meet SC.L2-3.13.7 under the Compliance Framework you must configure VPN servers/clients to route 0.0.0.0/0 through the enterprise gateway (OpenVPN push redirect-gateway, WireGuard AllowedIPs, IPsec traffic selectors), lock those configurations via MDM (Always On, lockdown VPN), validate routes/DNS and monitor logs, and document the setup and testing for auditors; doing so eliminates split-tunnel bypass, reduces exposure of CUI, and supports proof of compliance during assessments.