Routing connections through VPN based on hostname (not IP range)

5

1

This bugs me immensely.

I need to connect to a client's network through VPN. But I definitely do not want to send all the traffic through the client's network, so this option is out of the question. What I need basically is for the OS to know that all of the client's network subdomains (*.example.com) need to go through the VPN connection.

I tried a couple of options:

  1. Changing order of services and setting the VPN on top, but this works the same as "Send all traffic over VPN connection".
  2. Using "VPN on Demand" option from network advanced options, but this feature is quite rubbish to be honest. Seems to work only in Safari (?!) and it doesn't route the connection, but it basically triggers the OS to connect to the selected VPN.

The reason I need it to work based on hostnames rather than IP range is simple - my client has a lot of servers inside his network and it's impossible for me to remember all IPs. They are all within a range, but this doesn't help me remembering.

Another option would be to put the VPN connection at the bottom of the network services and untick "Send all traffic..." and then put all known hostnames in the hosts file, but considering there could be hundreds of servers (therefore hostnames and IPs too) it's a ridiculous job. And if a new server appears on the network I'd need to edit the hosts file again. Sisyphean labours.

However, this works on Windows very simply. If a hostname is not available through the default network interface, then it seems to try the VPN connection and this works brilliantly.

So, how can I achieve that on Mac, then?

I know the client's internal DNS addresses if that is of any help (like directing certain domains through a different DNS)?

PS. Using latest version 10.6.6.
PS2. I am using VPN to access intranet, version control servers (svn://), samba shares and for SSH access to servers.

Michal M

Posted 2011-01-25T14:06:48.743

Reputation: 162

What kind of VPN is it? Have you tried disabling "Send all traffic"? – bahamat – 2011-01-25T17:04:23.503

It's PPTP with user/pass authentication. Disabling "Send all traffic" makes all traffic go through the default gateway. None of the required hostnames work then. Accessing client's network works only by IP addresses then. – Michal M – 2011-01-25T17:13:35.540

Good question! It bugs me also, although I'm using OpenVPN on Linux and I have control over the server. – attila lendvai – 2012-07-31T07:32:48.297

Can you use another service to access your client's network? – SuB – 2013-09-14T09:28:19.080

Answers

1

Do netstat -r before and after the VPN connection. Note the change in the default route from your default gateway to the VPN link. Remove the default link to the VPN connection's IP address, then add the client's subnet and the VPN subnet to your routes using the destination subnet, so traffic to your client will go through the VPN. Your original default route via your gateway should be intact and your regular traffic should go through your own gateway.

itinaguru


Reputation: 79
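The route-table procedure above, and the question's remark about the client's internal DNS, as an added shell example (not part of itinaguru's answer or the original post). The ppp0 interface, all addresses, the subnets and example.com are constructed placeholders; the functions only print the macOS commands to review, they change nothing on the system.

```shell
#!/bin/sh
# Added example, not from the answer: turn the netstat -r "before/after" diff into
# explicit macOS `route` commands, and pair it with a per-domain resolver file
# (/etc/resolver/<domain>, see `man 5 resolver`) so the client's hostnames are looked
# up on the client's DNS. All addresses, the ppp0 name and example.com are constructed
# placeholders; nothing here touches the live routing table.

# Constructed `netstat -rn` excerpt with the PPTP link up: the default route now
# points at the VPN peer, which is what sends all traffic over the tunnel.
NETSTAT_AFTER='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.0.2.10         UGSc         ppp0
192.0.2.10         192.0.2.20         UH           ppp0
192.168.1          link#4             UCS          en0'

# Gateway of the default route that leaves via the VPN interface ($2), or nothing.
# The Netif column is located from the header, so the older 7-column layout works too.
vpn_default_gw() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        col && $1 == "default" && $col == ifc { print $2; exit }'
}

# Print the commands that undo "send all traffic" while keeping the client's subnets
# on the tunnel: $1 netstat text, $2 VPN interface, $3 your own LAN gateway,
# remaining arguments = client subnets in CIDR form (include the DNS server's subnet).
split_tunnel_cmds() {
    table=$1; ifc=$2; gw=$3; shift 3
    vgw=$(vpn_default_gw "$table" "$ifc")
    [ -n "$vgw" ] || { echo "no default route via $ifc" >&2; return 1; }
    echo "route delete default $vgw"
    echo "route add default $gw"   # 'File exists' here just means it was never removed
    for net in "$@"; do
        echo "route add -net $net -interface $ifc"
    done
}

# Body for /etc/resolver/$1: lookups under that domain go to the listed client DNS servers.
resolver_file() {
    shift   # $1 is the domain (the file name); the body lists only nameservers
    for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
}

# Dry run: review the output, then run the printed commands with sudo.
split_tunnel_cmds "$NETSTAT_AFTER" ppp0 192.168.1.1 10.10.0.0/16 10.20.0.0/16
resolver_file example.com 10.10.0.53   # redirect into /etc/resolver/example.com
```

Afterwards `netstat -rn` should show the default route on your own interface again, and `scutil --dns` should list the per-domain resolver; the client DNS server's subnet must itself be among the routed subnets or the hostnames will not resolve.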

0

The standard way to do this is to only route the client's IP ranges over the VPN. Route other traffic over your default network.

For security reasons, many VPN connections will force all traffic over the VPN to control information leakage. I would discuss doing otherwise with your client. Disconnect from the VPN when doing your own work.

BillThor


Reputation: 9 384

I can see how it is advised security-wise, but there's more to it than that. Consider that the client pays for his Internet traffic and he doesn't appreciate me downloading my emails and new Linux distribution .iso's. I require VPN connection for most of the day so you should see now why I want another solution. – Michal M – 2011-01-25T15:09:33.260

Disconnect from the VPN when you do so. For security reasons you shouldn't be doing so while connected to the VPN. You may consider setting up a virtual server as a client to use for work with the client. Use it for all client work, and only route the virtual server's traffic over the VPN. – BillThor – 2011-01-25T15:21:07.743

Seems like the only way and best way, although not necessarily safe as you say. Could you elaborate on the security matter in doing what I'm asking for - just an example will do. – Michal M – 2011-01-25T15:33:13.753

@Michal A program on your system could copy information from the client's servers onto the Internet. It would look like you were accessing the file, not someone on the Internet. – BillThor – 2011-01-26T03:29:35.133

@BillThor How does sending all traffic through the VPN help that? If there is a malicious application on my system it will still be able to access the client's data as me. – Michal M – 2011-01-26T15:27:46.180

@Michal If you route everything through the VPN, the client's egress filters are responsible for checking for leakage. Leakage can only be to ports and hosts their firewall permits. They get to set and enforce the policy. Any enforcement failure becomes their responsibility, not yours. – BillThor – 2011-01-29T18:18:32.390

0

If you can run RIP or some other routing protocol on the VPN server (e.g. Windows Server 2008) you can also run RIP on your Mac too, which would automatically add routes that were advertised by the server. That way you would only need to specify the list of routes once and get it configured automatically for VPN clients.

In practice you probably want the VPN server to only advertise routes and not listen to anything any clients happen to advertise; otherwise malicious or broken clients could divert all/some traffic.

Flexo


Reputation: 1 897

Thanks for the input Alan. Unfortunately I have no control over the VPN server, so it looks like I need to have a look at running RIP on my Mac then. – Michal M – 2011-01-25T17:09:29.693

Running a routing daemon on just one end of the link defeats the point; ideally daemons at both ends would negotiate sensible routes over the tunnel. If only one end is doing it, the adverts "fall on deaf ears". – Flexo – 2011-01-25T17:29:29.503

Ah, I misread the first sentence. I see your point now. – Michal M – 2011-01-25T17:38:34.457

0

What you are suggesting is known as Split-Tunneling, and most of the time network administrators do not allow it for security reasons. Depending on the VPN client you are using, the VPN client creates a virtual network adapter and the default route for traffic becomes the tunnel. With few exceptions, the VPN user cannot modify this behavior.

So unfortunately, you will have to disconnect from the VPN in order to direct traffic outside the tunnel.

user237161


Reputation: 21