How to selectively route network traffic through VPN on Mac OS X Leopard?

98

81

I don't want to send all my network traffic down to VPN when I'm connected to my company's network (via VPN) from home. For example, when I'm working from home, I would like to be able to backup all my files to the Time Capsule at home and still be able to access the company's internal network.

I'm using Leopard's built-in VPN client. I've tried unchecking "Send all traffic over VPN connection." If I do that I will lose access to my company's internal websites be it via curl or the web browser (though internal IPs are still reachable). It'd be ideal if I can selectively choose a set of IPs or domains to be routed through VPN and keep the rest on my own network. Is this achievable with Leopard's built-in VPN client? If you have any software recommendations, I'd like to hear them as well.

newtonapple

Posted 2009-07-16T06:44:59.677

Reputation: 1 083

2

The first solution will only work on a PPP VPN. The following solution will work on a Cisco VPN (and other types, nothing specific to Cisco): http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn

– dr jimbob – 2014-04-07T04:20:53.463

Answers

88

Create the file /etc/ppp/ip-up with the following content:

#!/bin/sh
# $1 is the PPP interface pppd brought up (e.g. ppp0); quoted so an empty or odd value cannot split the command
/sbin/route add <SUBNET> -interface "$1"

replacing <SUBNET> with the subnet you want to route through the VPN (e.g. 192.168.0.0/16).

Execute as root:

chmod 0755 /etc/ppp/ip-up

This file will be executed each time you connect to VPN.

The parameters given to the script:

  • $1: The VPN interface (e.g. ppp0)
  • $2: Unknown, was 0 in my case
  • $3: IP of the VPN server
  • $4: VPN gateway address
  • $5: Regular (non-vpn) gateway for your lan connections

Aleksei Balandin

Posted 2009-07-16T06:44:59.677

Reputation: 896
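As an added example (not code from this answer or from any of the commenters), here is a fuller /etc/ppp/ip-up that routes several subnets through the VPN interface, validates each subnet before handing it to route(8), and appends the arguments pppd passed to a log file so you can confirm the script is actually being invoked. It assumes the argument meanings listed above ($1 = PPP interface, $3 = VPN address, $4 = VPN gateway, $5 = LAN gateway); the subnet list, the log path and the ROUTE_BIN override are placeholders of this example, not part of the answer.

```shell
#!/bin/sh
# Added example /etc/ppp/ip-up: route a list of subnets over the PPP interface
# pppd just brought up, and record the arguments we were called with.
# Assumed argument layout (from the answer): $1 iface, $3 VPN IP, $4 VPN gw, $5 LAN gw.

VPN_SUBNETS="10.0.0.0/8 172.16.0.0/12"   # placeholder: subnets to reach via the VPN
LOGFILE="/var/log/ppp-ip-up.log"         # placeholder: where invocations are logged
ROUTE_BIN="${ROUTE_BIN:-/sbin/route}"    # set ROUTE_BIN=echo to dry-run the logic

# valid_cidr A.B.C.D/N -> status 0 if well-formed (four octets 0-255, prefix 0-32)
valid_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$1" = "$addr/$prefix" ] || return 1            # exactly one slash
    case "$prefix" in ''|*[!0-9]*) return 1;; esac    # prefix is digits only
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs    # split address on dots
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# route_cmd_for NET IFACE -> prints the route(8) command for one subnet,
# or prints nothing and returns 1 if NET is malformed
route_cmd_for() {
    valid_cidr "$1" || return 1
    echo "$ROUTE_BIN add $1 -interface $2"
}

# add_vpn_routes IFACE: run the route command for every subnet in VPN_SUBNETS,
# skipping (and reporting) any entry that fails validation
add_vpn_routes() {
    for net in $VPN_SUBNETS; do
        cmd=$(route_cmd_for "$net" "$1") || {
            echo "ip-up: skipping malformed subnet '$net'" >&2
            continue
        }
        $cmd
    done
}

# Script body: only runs when pppd invokes us with an interface name.
if [ -n "$1" ]; then
    printf '%s ip-up iface=%s vpn_ip=%s vpn_gw=%s lan_gw=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$3" "$4" "$5" >> "$LOGFILE"
    add_vpn_routes "$1"
fi
```

To see what the script would do without touching the routing table, run it by hand with the arguments pppd would supply, e.g. `ROUTE_BIN=echo sh /etc/ppp/ip-up ppp0 0 10.8.0.2 10.8.0.1 192.168.1.1`; the printed lines are the exact route commands. If the log file never gains a line after a real connection, pppd is not calling the script at all (wrong permissions, or a VPN type that does not go through pppd), which is a different problem from a wrong route.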

What happens if I have two or more VPN connections configured? How do I distinguish among them in /etc/ppp/ip-up so I can add the routes accordingly? Will the friendly VPN name be passed as the 6th argument (ipparam)? – Kal – 2014-09-16T01:19:43.743

Saved time here :) – Hatem Alimam – 2015-10-07T10:50:03.013

The parameters $1 till $5 — which are a little different for OS X 10.9 which has a $6 — can be found in your pppd man page: $ man -P 'less -p " /etc/ppp/ip-up"' pppd – Pro Backup – 2016-04-09T18:17:42.227

Works on Yosemite as answered, and removes routes after disconnect. Nice! – Zayne S Halsall – 2016-09-06T10:39:09.053

I had to run the chmod again for some reason, I've done this fix a while back, but stopped working. Running the chmod fixed it again. – Anriëtte Myburgh – 2016-10-24T10:17:06.760

/etc/ppp/ip-up doesn't get called on my system; MacOS 10.13. I did a similar script that logs execution, it has root:staff ownership and 0755 mod. Invoking it manually does execute the script. My VPN connection is an L2TP over IPSec and Configure IPv4 is set to Using PPP. I tail -f the logs and Connecting or Disconnecting the vpn doesn't do anything with /etc/ppp/ip-up. – GabLeRoux – 2017-10-28T17:56:10.087

I've made a gist with my logging script here: https://gist.github.com/GabLeRoux/c7d4c9046d9b5ec7bce822426613912a let me know if someone knows a solution. At least I managed to skip "Send all traffic over VPN connection" with following answer: https://superuser.com/a/121259/55267

– GabLeRoux – 2017-10-28T18:10:05.663

This will still let me connect to devices on my LAN, but no longer allows the DNS on my LAN to be used. So I can ping 192.168.0.1, but I can't ping myfirewall. (Even if I use "ping myfirewall.mylan.lan" with mylan.lan as a search domain in my Settings and have 192.168.0.1 set up as the first DNS server in Settings.) – Tango – 2018-11-27T15:19:38.977

Does this depend on the VPN type? Will it work on IKEv2 VPNs? – Kevin C. – 2019-02-07T17:48:32.277

The tip of Aleksei worked for me. I am only wondering whether the first line (#!/bin/sh) is doing anything. Isn't it commented out? I am asking this since I am describing this for use at our company and the simpler the better :-)

Thanks,

Edgar – Edgar Wieringa – 2011-02-22T15:59:07.293

@EdgarWieringa: converted your answer to a comment. Hope that's better! :) – studiohack – 2011-02-22T15:59:39.460

6

@Edgar - no. That first line is special. http://en.wikipedia.org/wiki/Shebang_(Unix)

– James Moore – 2011-05-23T20:42:49.407

James is right, but of course in the case of a shell script, it's not necessary. If a shebang isn't present, the OS will send it to the shell anyway. :-) – Benson – 2011-09-22T20:52:11.050

On 10.7/Lion, I had better luck with:

/sbin/route add 172.16.0.0/16 -interface $1

The arguments I saw ip-up getting are:

  • $1 = VPN interface, e.g. 'ppp0'
  • $2 = '0' (not sure what this value is)
  • $3 = Your VPN IP
  • $4 = VPN public gateway IP address
  • $5 = Normal default gateway for ethernet/wifi

– Gabe Martin-Dempesy – 2011-12-07T17:18:01.983

I wonder.. Would this method also work with the built-in VPN On a jailbroken iOS device? I always feel dirty messing with /etc on my iPad. – mralexgray – 2013-02-07T06:33:10.233

This works wonderfully on Lion. I struggled with this for days. Thanks Aleksei. – Anriëtte Myburgh – 2013-03-27T23:21:55.090

Mountain Lion seems to have the same params; -interface $1 as well as just $4 should work well – tutuDajuju – 2013-08-23T05:08:46.140

11

I wanted to do a similar thing: connect the VPN and then route an additional network via that VPN. I ended up with the following bit of AppleScript:

-- Connect Work VPN

tell application "System Events"
    tell network preferences
        tell current location
            tell service "Work"
                connect
                tell current configuration
                    repeat until get connected = true
                        delay 1
                    end repeat
                end tell
            end tell
        end tell
    end tell
end tell

set gateway to "192.168.1.1"

do shell script "route add 172.16.0.0/16 " & gateway with administrator privileges

You need to change "Work" to the name of your VPN connection, 192.168.1.1 to your gateway address, and 172.16.0.0/16 to the address of the network to which you wish to route. Additional networks can be added by repeating the final line with different addresses.

Martin Hilton

Posted 2009-07-16T06:44:59.677

Reputation: 1 386

So 192.168.1.1 is your router on the VPN, or the router on the LAN? And don't you have to set the default route back to your LAN? – Jack M. – 2010-06-16T17:14:33.303

(Minor addition, for those who wonder about this IP address: just like the questioner talked about, 172.16.0.0/16 is a private address space just like 10.x.x.x and 192.168.x.x. So, it is in fact part of the VPN, and not some external web site or whatever.) – Arjan – 2009-10-21T09:48:07.187

8

There is a hidden feature in Network Preferences on MacOS: you can sort interfaces.

Open System Preferences -> Network -> Click the gear bottom left -> Set service Order...

[Screenshot: the "Set Service Order..." dialog with the VPN service ordered first]

It's critical that you have your network interfaces sorted into the order you want them to be used. If you want ALL non-LAN data to go to the VPN, put the VPN interface at the top. Sort like this:

  1. VPN
  2. Ethernet
  3. Airport

Not like this:

  1. Airport
  2. Ethernet
  3. VPN

This way, no need to check the following setting in Session Options:

Send all traffic over VPN connection

✅ Tested on L2TP VPN connection

user31513

Posted 2009-07-16T06:44:59.677

Reputation:

I don't think this answers the question, unless the OP is backing up to Time Machine via Ethernet and connecting to the company network via Airport (Wireless connection) – Josh Newman – 2010-04-15T17:53:24.003

It really would be the main answer! Thanks very much, it would be impossible to figure out! – Andre Soares – 2016-01-30T01:45:03.503

This does work for L2TP IPSec VPNs, but does NOT work for Cisco IPSec VPNs. Cisco IPSec VPNs are not available in the "Set Service Order" dialog – goofology – 2018-04-12T00:32:44.897

I used the ppp startup trick, but it didn't work until I moved my vpn connection below the wireless connection. This is a valid answer. – Arosboro – 2012-08-11T14:41:25.830

1

I have had a look online to see if I can find anything. As far as I can understand, you seem to want to be able to use your computer like normal while also being able to connect to internal company websites, so you may need to set up a custom routing table.

This link apparently only applies to 10.4, but the command line stuff may still work.

Alexis Hirst

Posted 2009-07-16T06:44:59.677

Reputation: 1 121