We finally replaced our 5 year old 300 MHz Pentium Firewall/Gateway for the office network with a cute little m0nowall. Besides now having a nice web based interfaced for setting up firewall rules, the m0n0wall comes with built in VPN capabilities (IPSec and PPTP). Therefore we can connect to the office network from home and securely connect to the datacenter (even though almost all important connections are SSL or SSHed anyway, but it’s more reassuring, especially if you’re on an untrusted network)
Setting VPN over PPTP up on OS X is also super easy with the help of “Internet Connect”, but it sets a default route to the gateway. Good, if you’re on a completely untrusted network like a conference wireless network. Bad, if you just want to connect securely to the office network, but not want to let each and every download go through the office.
But there’s a solution to this, which I found on macosxhints (way down in the comments).
First create a file in /etc/ppp/peers/ called the same as your VPN config, in my case, this is /etc/ppp/peers/bitflux. Then write just “nodefaultroute” into that file. This prevents creating a new default route.
Now you have to add the routing to your network. Edit (or create) /etc/ppp/ip-up and put something like the following into that
#!/bin/sh<br/>BXVPNIP="192.168.84.2";<br/>if [ $IPREMOTE = $BXVPNIP ] <br/>then<br/> /sbin/route -n add -net 212.55.202 $IPREMOTE > /tmp/ppp.log 2>&1<br/> /sbin/route -n add -net 192.168.84 $IPREMOTE > /tmp/ppp.log 2>&1<br/>fi<br/>
and make this file executable (the “if” is not really needed, btw). Now, the next time you connect to the VPN, only packets to 212.55.202.xxx and 192.168.84.xxx go through the VPN network, the rest still goes over your “normal” route, therefore avoiding unnecessary traffic on the office router.
If you want to add some networks or IPs temporarily to the VPN route, just do:
sudo /sbin/route -n add -net 220.127.116.11 192.168.84.2<br/>
(192.168.84.2 is the IP of the VPN gateway)
Checking your routing table can done with the following command:
Hope that helps anyone and if not, at least I know where to look at next time :)
Internet Connect 1.4.2 has
Connect Menu -> Options…
|X| Send all traffic over VPN connection
Unchecking should do the same.
m0n0wall and Mac OS X makes a great VPN combo.
Exactly what I was looking for. Thanks!
There is a problem with the DNS setting then.
Normally /etc/resolv.conf is changed to your VPN gateway’s DNS settings.
If you use one of the solutions above, /etc/resolv.conf is not changed anymore and you cannot resolve internal host names behind your VPN gateway.
I tried to patch /etc/resolv.conf in /etc/ppp/ip-up and ip-down. However, only the commands host and dig run successfully afterwards. All other DNS resolvers, for example using ping or telnet did not see the changed /etc/resolv.conf!
That has something to do with the lookupd on MacOS but I cannot get lookupd to re-read /etc/resolv.conf.
Great tip! As for now i’m using Lonnies tips, but i guess i’m gonna get in trouble when i get home since i use pretty much the same A-class subnet as we do at work.
I’d love to know the solution to what Holger is discussing – that’s my exact problem and is the last piece in the puzzle of getting my mac seamlessly onto my corporate vpn
After looking over these and the macosxhints, i created the ip-up and ip-down files to get the correct routing established and had a minor problem. the dest gateway that $IPREMOTE appears to return is the external address of the vpn server. The link is established over a secondary 192.168 address class and I would need to be able to return the
address on either my side or the remote side of the vpn. any thoughts?
Eactly the issue I was having. The “nodefaultroute” works great, thanks!!
I didn’t use $IPREMOTE to set my remote routes though, this is what I did with /etc/ppp/ip-up and it works great (OSX 10.4.9):
# Corporate VPN: xxx.xxx.xxx.xxx/28
/sbin/route add xxx.xxx.xxx.xxx -interface ppp0 -netmask 255.255.255.240
I want all network traffic to go through the VPN. That’s easy. But, what happens if the VPN connection fails? Is the “local” default route restored and traffic silently starts using this route?
I have a VPN that I want to use for all traffic. Even though the machine has a route to the Internet. If the VPN goes down I want all traffic to cease. Starting the VPN does update the default route but what happens when the VPN fails?
Hi, I’ve used your instructions on my Powerbook running Tiger and it works fine with VPN and my local Internet connection.
I just got a Macbook running Leopard and tried to do the same with nodefaultroute and the ip-up routes but it doesn’t seem to be working. And Leopard doesn’t have Internet Connect anymore. The VPN settings are on Network System Preferences.
Do you have another way to do it on Leopard?
On Leopard there is a checkbox which enables or disables setting of the default route via the VPN. It is in the advanced settings and called something like “Send all traffic through the VPN”.
HOWEVER, this only works if the order of the network configurations (“Ethernet”, “AirPort”, “Firewire”, …) is so that your VPN comes AFTER the interface you’re connected to the internet. You can change the order by clicking on the little cog icon next to the +/- icons.
If your VPN comes before the Ethernet or AirPort then the default route will always be set to the VPN regardless of whether you ticked that little checkbox.
:) But wait – there is more.
For each VPN connection you can configure DNS servers. Those are only configured in the /etc/resolv.conf when the VPN connection is sorted above the Ethernet and not below.
So the net result is: You can have VPN with properly configured DNS servers but the default route will always be the VPN
you have the VPN without the default route via the VPN but also no DNS.
In my case I’d need VPN with DNS and no default route. So I’m screwed :)
This may help in updating DNS. It doesn’t change precedence, per se, but it lets you create domain-specific entries, which is most commonly what you’d need for a VPN:
Basically the VPN is screwed on Leopard. We have L2TP and had PPTP VPN before and also it connects it was never was able to get DNS working. more over once i connect to vpn even ping to google doesn’t work. i don’t have send all traffic through vpn gateway checked.
i would love to go back to Tiger, but need iPhone sdk!
rubbish, where is just works behaviour.
Can anyone help me with thorough instructions on creating a new virtual host from the top of the new configuration screen? I want to find more info on host aliases for virtual host to tie traffic from the port to the application. Also how do i use them with
What should be the permissions of the directory peers, ppp and the files to work properly? i created everything like it is but it doesn’t work automaticallyl
I found that in Snow Leopard, the ppp connection order (#1) caused it to be the default route while connected (regardless of the “send all traffic” option). Moving it below the ethernet/firewall options fixed this.
Also, after a Snow Leopard upgrade from Leopard, my PPTP VPN broke … it connected, but route was broken w/ no response when pinging hosts on remote network.
Turned out that some NAT service was semi-on – the resolution was to start & stop internet sharing in the Sharing pane of System Preferences. (the /Library/Preferences/SystemConfiguration/com.apple.nat.plist was configured NAT/enabled = 1 even though the preference pane showed internet sharing as turned off)(deleting this plist also resolved
I search all over the net, and there you were, with the full solution to the dead VPN issue, also could not ping and rdc etc to any of the other vpn hosts. Deleted the plist you mentioned and reboot: voila, everything came to life!
thanks for sharing your insight!
I’m facing a problem. How do I setup my routes if I want all traffic to go through the VPN except local traffic (aka 192.168.0.x)using Leopard 10.5.8
THANKYOU! Works great on Tiger :-)
I use Snow Leopard Built in Cisco VPN option. When I connect to that, I can no longer get mail in mail.app, or chat in iChat etc. I can of course get my email and chat through a browser. Are these instructions above for fixing that to allow not VPN traffic to pass through?