How to VPN on demand Mac OS X?

24

15

I'm trying to configure Snow Leopard's VPN on demand service, without success.

VPN on demand screenshot

I've tried the following domain+configuration pairs but none of them have worked:

domain.net default
*.domain.net default

My goal is that each time I go to www.domain.net with Safari, ssh server1.domain.net, or anything else on this domain.net, the connection will be established through the VPN!

I've tried plenty of different configs but it has never worked so far...

Kami

Posted 2010-02-09T13:12:48.323

Reputation: 3 108

Wow, I didn't know snow leopard did VPN on demand. I wish windows did it (apart from the more complex direct access...) – Christopher Edwards – 2010-05-07T17:29:52.790

There's another configuration section for VPN where you can add your password to the keychain. Make sure that's already set up--in my experience VPN-on-demand will only trigger if the initial connection fails, so this might not work if your server responds to both public and private connections. – NReilingh – 2010-07-29T15:57:31.427

There is a way to indicate that an answer is not useful. It's done by downvoting. The answers you suggested to delete are off-topic, sure, but they don't qualify as offensive or worthy of deletion. They just should be downvoted. – Gnoupi – 2010-08-14T06:46:07.743

Could this topic help? It suggests you must not be able to connect to that host without VPN for it to work.

– Daniel Beck – 2011-01-26T14:53:23.520

1

This is not 100% related, but somewhat: http://superuser.com/questions/265861/start-a-network-connection-from-shell-osx/265992#265992 ... it's obviously only part of a solution to get some kind of VPN on demand, of course.

– Dan Rosenstark – 2011-04-03T06:58:33.347

Answers

3

As I discovered after some testing: VPN on demand on OS X doesn't work with configuration "Default"!

Solution:

Add at minimum one named configuration on the VPN interface which you use for connecting. Then everything works fine - it's simple like that!

Andres

Posted 2010-02-09T13:12:48.323

Reputation: 31

It works only with OS X built-in apps like Safari/Mail and like Gareth said, Default doesn't work, you should create a new configuration – Haytham Elkhoja – 2011-07-23T12:17:06.550

Another requirement is that the triggering domain must be a hostname that cannot be resolved using public DNS, according to http://apple.stackexchange.com/questions/19681/vpn-on-demand-does-it-ever-work#29531. And even then VPN on demand is likely to only function using applications developed by Apple.

– Pro Backup – 2013-07-30T14:01:01.483

1

At least on Sierra, it is possible to create a VPN on demand profile (mobileconfig file) as for iOS (reference here), and import this into macOS. After that, a VPN connection will appear in the network settings with an on-demand checkbox.

However, it does not seem to work exactly as expected. In my case, I've set up an IPSec on-demand VPN using OnDemandRules with Domains to connect whenever my LAN domain is not available. Now the VPN connection seems to be automatically established whenever the local domain names cannot be reached. Yet, I would expect it to connect only when I actively try to connect to one of those domains.

In addition to that, the VPN behaves differently from my iPhone in that, on my Mac, all traffic is sent through the VPN (all tunneled), while on the iPhone it is only the traffic to my local net that is sent through the VPN (split tunneling).

not2savvy

Posted 2010-02-09T13:12:48.323

Reputation: 261
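
The kind of profile this answer describes, as an added example (not the answerer's actual profile and not Apple's sample): a Python script that builds an IPSec VPN payload whose OnDemandRules use Domains, then reads the rules back. The server name, domain, SSID and payload identifiers are constructed placeholders, and the certificate identity payload it references is assumed to be supplied separately.

```python
import plistlib
import uuid
def build_profile(server="vpn.example.net", domains=("*.lan.example",)):
    """Return .mobileconfig bytes: IPSec VPN with per-domain on-demand rules."""
    rules = [
        # Constructed SSID: while on the home LAN, keep the tunnel down.
        {"Action": "Disconnect", "SSIDMatch": ["HomeLAN"]},
        # Elsewhere: evaluated per connection attempt, only for these domains.
        {"Action": "EvaluateConnection",
         "ActionParameters": [{"Domains": list(domains),
                               "DomainAction": "ConnectIfNeeded"}]},
    ]
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ondemand",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "LAN on demand (example)",
        "VPNType": "IPSec",
        "IPSec": {
            "RemoteAddress": server,
            "AuthenticationMethod": "Certificate",
            # Placeholder: UUID of a PKCS#12 identity payload, not built here.
            "PayloadCertificateUUID": "REPLACE-WITH-IDENTITY-PAYLOAD-UUID",
            "OnDemandEnabled": 1,
            "OnDemandRules": rules,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "VPN on demand (example)",
        "PayloadContent": [vpn],
    }
    return plistlib.dumps(profile)

def describe_rules(data):
    """List (action, targets) for every on-demand rule found in a profile."""
    out = []
    for payload in plistlib.loads(data)["PayloadContent"]:
        for rule in payload.get("IPSec", {}).get("OnDemandRules", []):
            if rule["Action"] == "EvaluateConnection":
                for p in rule.get("ActionParameters", []):
                    out.append((p["DomainAction"], tuple(p["Domains"])))
            else:
                out.append((rule["Action"], tuple(rule.get("SSIDMatch", ()))))
    return out
```

Writing the bytes returned by `build_profile()` to a file ending in `.mobileconfig` gives the importable profile; `describe_rules()` is a quick way to review which domains a profile received from someone else would send through the tunnel.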

1

Apparently this works only if you're using certificate-based authentication.

What is VPN on demand, and how do I get it to work with iOS?

The VPN connection is made whenever the device tries to connect to certain domains. Specific apps don't need to do anything; as soon as they try to access such a server the VPN connection is initiated.

Visit this support page for information about how to use the Configuration Utility to create a configuration profile that sets up VPN On Demand.

JM.

Posted 2010-02-09T13:12:48.323

Reputation: 11

1

This appears to be a solution for iOS while the OP is requesting for Snow Leopard. – James Mertz – 2012-07-19T06:19:51.603

-4

I've not found a true "on-demand" solution for ssh tunnels. Here is the definition (to me):

  • A host (whether local or remote) has a listening service on port XXX
  • A client (again, local or remote) connects to port XXX
  • Host then initiates a pre-defined ssh connection to another host and sets up appropriate port forwarding, authentication typically handled for the client.
  • The client is then able to use that connection based on the port forwarding.

As near as I can tell there is no software that currently enables the "on-demand" part; as defined by a service that is actively listening for connections. You can obviously start a service that creates the tunnel, but that is of course a manual operation.

Currently my solution is using launchd to keep an ssh connection open all the time. I used this blog post to craft my own solution: http://chris.improbable.org/2008/05/21/mac-quickie-tunnel-your-traffic-using-openssh-and/

If you update your question I could probably help you roll your own, again, this is a dedicated solution not "on-demand".

As an alternative to this, you can look at SSH Tunnel Manager or the aforementioned TunnelBlick to start tunnels manually.

Mutant

Posted 2010-02-09T13:12:48.323

Reputation: 153

2

On-demand VPN is a feature that is advertised in Mac OS X; however, judging from this question and by searching on the web, it doesn't work properly for many people in Snow Leopard. I've tested it myself and it doesn't behave as it should. – Stephen Jennings – 2010-05-10T14:26:29.463

3

This doesn't address the question. In my work environment, I need to connect to the VPN before I can initiate any sort of ssh connection. – Doug Harris – 2010-05-10T15:08:41.383

1

Completely useless ...

I love the part If you update your question I could probably help you roll your own, again, this is a dedicated solution not "on-demand". I'm still laughing on this. – Studer – 2010-05-23T22:02:49.907