Routing in 10.8 Server - WiFi clients over VPN - Ethernet clients not over VPN

I'm not sure I have the right hardware for this, but....

I have a Mac Mini i7 Server with a built-in ethernet (en0) and a thunderbolt ethernet (en1) and the built in airport.

I would like to be able to configure a VPN (PPTP or OpenVPN using a client) connection to another location and then allow another device on the same 192.168.x.x network to connect to the VPN via the Mac Mini Server on either en1 or over wireless.

However, I also want the Mac Mini Server to be able to send traffic over en0, bypassing the VPN.

Is this at all possible?

A scenario would be an Apple TV connecting over wifi or en1 to the Mac Mini Server and then being routed via the VPN. Meanwhile the Mac Mini is acting as a Plex Media Server and sending transcoded movies over en0, not via the VPN.

Any help greatly appreciated, thanks for looking.

sgtbeano

Posted 2013-03-04T09:58:03.197

Reputation: 575

Answers

Yes, it should be possible. I don't have a Mac, however I'm sure that it is conceptually similar to doing it under Linux. After setting up your VPN (OpenVPN is a better choice than PPTP, but either should work fine), you need to do 3 things. [ I note it does not really matter if you do it over the ethernet or WiFi interface ]

Let me define the machines for ease of reference:

  REMOTE = OpenVPN Server outside your network
  SERVER = Mac Mini
  CLIENT = "Other device on same 192.168.x.x network"

  1. Enable forwarding on SERVER.
  2. Either enable routing to CLIENT across the VPN on the REMOTE (i.e. a static route for the CLIENT/SERVER subnet) or get SERVER to masquerade/NAT packets coming from CLIENT destined for REMOTE.
  3. Set a static route for REMOTE on CLIENT to go via SERVER.

I have no way of trying these things, but practically, I believe the following will work:

  1. Enable packet forwarding by entering

         sudo sysctl -w net.inet.ip.forwarding=1

     in a Terminal.

  2. (This will depend on your setup.) For OpenVPN you can probably effect this change simply by adding a line to the OpenVPN config on REMOTE:

         route IP.RANGE.OF.CLIENT NETMASK.OF.RANGE

     Alternatively, try something like

         /sbin/ipfw add divert natd all from any to any via XXX

     on SERVER to enable masquerading (where XXX is either the wireless or ethernet interface).

     Alternatively, have a look at http://hints.macworld.com/article.php?story=20021030055008917 for a starting point for setting up a PPTP tunnel with masquerading.

  3. Use the command

         # macOS route(8) takes the gateway address directly (the Linux "gw" keyword is not accepted)
         sudo route -n add REMOTE.IP SERVER.IP

     on the CLIENT. (Have a look at http://blog.irrashai.com/blog/2009/03/how-to-add-static-route-in-mac-os-x/ on how to make this permanent.)

davidgo

Posted 2013-03-04T09:58:03.197

Reputation: 49 152
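A way to lay out the three steps above for the questioner's topology, as an added example that is not part of the answer or the questioner's setup: a small POSIX sh script that renders the per-machine commands (the OpenVPN route line with its netmask computed from a CIDR prefix, the ipfw divert rule, and the macOS form of the client route) without executing anything privileged. The subnet, interface name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): render the answer's three steps
# as concrete per-machine commands for a given topology. Nothing here runs with
# privileges; it only prints what would be typed on each machine.

# Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 24 -> 255.255.255.0.
prefix_to_netmask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Step 1, on SERVER: let the Mac Mini forward CLIENT's packets into the tunnel.
forwarding_cmd() { printf 'sudo sysctl -w net.inet.ip.forwarding=1\n'; }

# Step 2, on REMOTE: OpenVPN config line sending traffic for CLIENT's subnet
# back down the tunnel. Argument is CIDR, e.g. 192.168.1.0/24.
openvpn_route_line() {
    net=${1%/*}; plen=${1#*/}
    printf 'route %s %s\n' "$net" "$(prefix_to_netmask "$plen")"
}

# Step 2 alternative, on SERVER: ipfw divert rule masquerading CLIENT's packets.
ipfw_nat_rule() { printf 'sudo /sbin/ipfw add divert natd all from any to any via %s\n' "$1"; }

# Step 3, on CLIENT: macOS route(8) form, gateway given directly (no "gw" keyword).
client_route_cmd() { printf 'sudo route -n add %s %s\n' "$1" "$2"; }

# Render the plan. SERVER's own default route stays on en0 (Plex traffic bypasses
# the VPN) as long as the OpenVPN client on SERVER is not told to redirect the gateway.
render_plan() {
    client_net=$1 lan_if=$2 remote_ip=$3 server_ip=$4
    echo "# on SERVER (Mac Mini):"; forwarding_cmd; ipfw_nat_rule "$lan_if"
    echo "# on REMOTE (OpenVPN server config):"; openvpn_route_line "$client_net"
    echo "# on CLIENT (e.g. Apple TV):"; client_route_cmd "$remote_ip" "$server_ip"
}

# Constructed values: CLIENT subnet, SERVER's LAN-facing interface, REMOTE public IP, SERVER's LAN IP.
render_plan 192.168.1.0/24 en1 203.0.113.10 192.168.1.2
```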

Thanks very much for the detailed response, I'll try to follow it and then report back if that's okay? – sgtbeano – 2013-03-07T20:39:35.783

Thanks again, had to look a few things up but this worked. – sgtbeano – 2013-03-13T19:43:42.637