Recently, I’ve been having some trouble getting my VPN connections to work the way I wanted them to on my Mac OS X Tiger machine. In most situations, when you connect to a virtual private network, it’s only logical you become a full member of that network, with access to all of its resources. In real life, this is not always the case, since, for example, allowing a user to use the network’s gateway causes unnessecary strain on the internet connection, but worse: it allows the user access to any resources the gateway has access to. While this might not always be desirable, our universe has actually disallowed it, thus leaving us no choice but to block it in the firewall.
Windows users have a checkbox “use default gateway on remote network” for this purpose. The VPN tunnel will then only be used for traffic to that subnet, not for all outgoing traffic. Us Mac users are not so fortunate, since such a feature does not exist in the internet-connect utility. However it is possible. It simply requires some knowledge of the point-to-point daemon (pppd).
Update: Actually, it turns out this checkbox does exist in Mac OS X and it is much easier to use than the method I describe below. See the revisit of this post for details. I have left the original method below, as some of you might find it useful.
This is how it works:
Before setting up a VPN tunnel, ppp first checks /etc/ppp/peers/ for a file matching the connection name, in my case “IA-VPN”. If it exists, its contents are read before ppp goes on to the next file: /etc/ppp/ip-up, which is executed directly after the tunnel is set-up. Before I give you a short howto on turning this into your advantage, let’s see exactly where it goes wrong by looking at a dump created by the command “route monitor”:
got message of size 124 on Thu Jan 12 16:13:13 2006 RTM_DELETE: Delete Route: len 124, pid: 522, seq 1, errno 0, flags:<GATEWAY,HOST,DONE,WASCLONED> locks: inits: sockaddrs: <DST,GATEWAY> eendhoven.ewi.utwente.nl 192.168.0.1 got message of size 140 on Thu Jan 12 16:13:13 2006 RTM_ADD: Add Route: len 140, pid: 522, seq 1, errno 0, flags:<UP,GATEWAY,HOST,DONE,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK> eendhoven.ewi.utwente.nl 192.168.0.1 broadcasthost got message of size 112 on Thu Jan 12 16:13:13 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,MULTICAST> got message of size 112 on Thu Jan 12 16:13:13 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,RUNNING,MULTICAST> got message of size 112 on Thu Jan 12 16:13:13 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,RUNNING,MULTICAST> got message of size 80 on Thu Jan 12 16:13:18 2006 RTM_NEWADDR: address being added to iface: len 80, metric 0, flags: sockaddrs: <NETMASK,IFP,IFA,BRD> 255.0.0.0 ppp0 10.10.3.5 10.10.3.1 got message of size 124 on Thu Jan 12 16:13:33 2006 RTM_ADD: Add Route: len 124, pid: 0, seq 0, errno 0, flags:<UP,HOST> locks: inits: sockaddrs: <DST,GATEWAY> 10.10.3.1 10.10.3.5 got message of size 144 on Thu Jan 12 16:13:33 2006 RTM_ADD: Add Route: len 144, pid: 522, seq 1, errno 0, flags:<UP,DONE,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK> 10.0.0.0 ppp0 255.0.0.0 got message of size 112 on Thu Jan 12 16:13:33 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<UP,PTP,RUNNING,MULTICAST> got message of size 128 on Thu Jan 12 16:13:33 2006 RTM_DELETE: Delete Route: len 128, pid: 44, seq 22, errno 0, flags:<GATEWAY,DONE,STATIC,PRCLONING> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK> default 192.168.0.1 default got message of size 160 on Thu Jan 12 16:13:33 2006 RTM_ADD: Add Route: len 160, pid: 44, seq 23, errno 0, flags:<UP,GATEWAY,DONE,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK,IFP> default 10.10.3.1 default ppp0 got message of size 160 on Thu Jan 12 16:13:33 2006 RTM_DELETE: Delete Route: len 160, pid: 44, seq 24, errno 3, flags:<UP,CLONING,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK,IFP> base-address.mcast.net localhost 240.0.0.0 lo0 got message of size 68 on Thu Jan 12 16:13:33 2006 RTM_DELMADDR: multicast group membership removed from iface: len 68, sockaddrs: <GATEWAY,IFP,IFA> 1.0.5e.0.0.fb en0:0.11.24.36.d4.5e 224.0.0.251 got message of size 68 on Thu Jan 12 16:13:33 2006 RTM_NEWMADDR: new multicast group membership on iface: len 68, sockaddrs: <GATEWAY,IFP,IFA> 1.0.5e.0.0.fb en0:0.11.24.36.d4.5e 224.0.0.251
As you can clearly see in the bold part, the default route is deleted from our routing table, and replaced by the address of the remote network’s gateway which, unfortunately, is blocked in the remote firewall.
Fortunately, ppp has an option called “nodefaultroute” for disabling this step in the process. This is how my peer file looks:
# Disable setting the default route to this tunnel nodefaultroute # The ipparam option is passed to ip-up and ip-down scripts as the sixth parameter ipparam IA-VPN
The nodefaultroute option does exactly the same as the checkbox on Windows. We, however, are not running Windows, and can do a lot more. To show how, we pass the name of this connection on to the ip-up and ip-down scripts. There, we can use this parameter to add custom actions and logging to different connections, like I do below:
#!/bin/sh `/etc/ppp/upscripts/$6 >> /var/log/ppp-$6.log 2>&1`
#!/bin/sh `/etc/ppp/downscripts/$6 >> /var/log/ppp-$6.log 2>&1`
Now ppp will go and look for a file called IA-VPN in the upscripts and downscripts directories upon connecting and disconnecting from the virtual private natwork “IA-VPN”. Don’t forget all of these files should be owned and executable by root.
Now we can define custom routes and other actions by editing the up- and downscripts. I didn’t really need to mess with route anymore, but I liked fancy logging, so this is what I did:
#!/bin/sh # Say something interesting to demonstrate the logfile echo `date` "$0: UP"; echo `/sbin/ifconfig | grep -A 1 ppp`; # Add VPN-specific actions for bringing the connection up here
#!/bin/sh # Log the time of disconnection echo `date` " $0: DOWN"; echo; # Add VPN-specific actions for bringing the connection down here
All set! As you can see when monitoring the route table, the gateway no longer gets messed up on connecting to the VPN:
got message of size 124 on Thu Jan 12 16:07:50 2006 RTM_DELETE: Delete Route: len 124, pid: 499, seq 1, errno 0, flags:<GATEWAY,HOST,DONE,WASCLONED> locks: inits: sockaddrs: <DST,GATEWAY> eendhoven.ewi.utwente.nl 192.168.0.1 got message of size 140 on Thu Jan 12 16:07:50 2006 RTM_ADD: Add Route: len 140, pid: 499, seq 1, errno 0, flags:<UP,GATEWAY,HOST,DONE,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK> eendhoven.ewi.utwente.nl 192.168.0.1 broadcasthost got message of size 112 on Thu Jan 12 16:07:50 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,MULTICAST> got message of size 112 on Thu Jan 12 16:07:50 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,RUNNING,MULTICAST> got message of size 112 on Thu Jan 12 16:07:50 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<PTP,RUNNING,MULTICAST> got message of size 80 on Thu Jan 12 16:07:55 2006 RTM_NEWADDR: address being added to iface: len 80, metric 0, flags: sockaddrs: <NETMASK,IFP,IFA,BRD> 255.0.0.0 ppp0 10.10.3.8 10.10.3.1 got message of size 124 on Thu Jan 12 16:07:59 2006 RTM_ADD: Add Route: len 124, pid: 0, seq 0, errno 0, flags:<UP,HOST> locks: inits: sockaddrs: <DST,GATEWAY> 10.10.3.1 10.10.3.8 got message of size 144 on Thu Jan 12 16:07:59 2006 RTM_ADD: Add Route: len 144, pid: 499, seq 1, errno 0, flags:<UP,DONE,STATIC> locks: inits: sockaddrs: <DST,GATEWAY,NETMASK> 10.0.0.0 ppp0 255.0.0.0 got message of size 112 on Thu Jan 12 16:07:59 2006 RTM_IFINFO: iface status change: len 112, if# 7, flags:<UP,PTP,RUNNING,MULTICAST> got message of size 68 on Thu Jan 12 16:07:59 2006 RTM_DELMADDR: multicast group membership removed from iface: len 68, sockaddrs: <GATEWAY,IFP,IFA> 1.0.5e.0.0.fb en0:0.11.24.36.d4.5e 224.0.0.251 got message of size 68 on Thu Jan 12 16:07:59 2006 RTM_NEWMADDR: new multicast group membership on iface: len 68, sockaddrs: <GATEWAY,IFP,IFA> 1.0.5e.0.0.fb en0:0.11.24.36.d4.5e 224.0.0.251
And we have nice logging of VPN activity in /var/log/ppp-IA-VPN.log:
Thu Jan 12 17:04:32 CET 2006 /etc/ppp/upscripts/IA-VPN: UP
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1396 inet 10.10.3.8 --> 10.10.3.1 netmask 0xff000000
Thu Jan 12 17:05:22 CET 2006 /etc/ppp/downscripts/IA-VPN: DOWN
All of this was done on Mac OS X Tiger 10.4.4.
woei, scheelt weer een route change default :)
Pingback: Michel’s Exhaust » Disabling using VPN default gateway revisited
Pingback: Academiaddict.com » Mac OS X VPN connection
To rename a VPN, in the Internet Connection app, select VPN (PPTP), click on the configuration field which should drop down a list, choose Edit Configurations. In the configuration list, double-click the name you want to change and bingo! You can edit it.
Thanks for the ‘Default Gateway’ solutions – it’s the biggest problem I’ve had since switching to Mac.
Cheers
Chris
thanks, it was very descriptive and helpful.
thanks
Thank u for above blog & instructions! It was a great help!
Great post! With the second /etc/ppp/upscripts/IA-VPN you probably mean /etc/ppp/downscripts/IA-VPN :-)
gr,
Nick
You are right, I fixed it :) Did you notice my followup to this post, Disabling using VPN default gateway revisited?
Michel, thanks for doing this research and for your follow-up article, which worked for me. I very nearly missed the follow-up and would have spent a long time trying to follow these instructions (because I’m not very well-versed with Terminal), so I think it would be very helpful if you posted a note at the TOP of this article that you found the easier way. Thanks again.
Hey Bunny, thanks for the advice and good to hear my other post was helpful for you. I think you’re right about it being better to point people to the other post at the top. I have added a link. Thanks for the tip!
decide clutches, tote bags, flap bags, hobo bags plus a variety of other sorts of bags, from Chanel shops.like a complete. Aside from, who wishes to be busted by a friend or family members for carrying about a replica? I considerto avail optimum positive aspects.The shipping with the objects ordered from your Chanel online keep is finished globally,jewellery, footwear and equipment thanks to the good quality from the content used and emphasis on craftsmanship.on-line searching market, Chanel came up with its have official on the internet store, for its clients to buy the Louis Vuitton Handbags create into the smiles on the buyers, the Chanel retailer on the internet sells all its merchandise at factory prices,site is just the basic costs, identified as factory price ranges.On top of that, Chanel constantly has fantastic specials andyour curiosity and crystal clear your doubts just before you make the purchase. Within a physical retail outlet, you could possibly feelthe products and solutions is completed around the world, and it is for free. What this means is that regardless of irrespective of whether you have a Chanelno supplemental expenses from resellers, distributors or dealers, and no added taxes as well. What you fork out in the
typically do checks to ensure that the bags remaining marketed as 2nd hand are genuinely genuine and are inside of a excellentease than ever before just before! Chanel Keep On line – Effortless and Practical The most effective points which have took placewhich boasts of quilted leather building that’s just about a signature of all Chanel purses.Some varieties ofyour town, you understand that the price you pay will in fact incorporate all expenses from the item remaining imported,website is just the basic charges, recognized as factory costs.Also, Chanel generally has terrific deals and Chanel Handbags certainly, there are plenty of clients who continuously invest in and promote stuff. Consequently, for just a brand that’s soofficial shop on line web site wherever people can scan by way of the products and solutions and place their buy on line.presents lots of terrific positive aspects to its shoppers. On the list of major advantages of study course is the fact that of lower rates, astheir particular stores in different cities, where they act as agents on behalf of Chanel, or as distributors, butyou happen to be so stuck with work and genuinely need a basic resolution to all of this, then it is time that you simply log on
temperature the usa Canada goose jacket general dressing up retail development is distinctive as wellcoatingThis is simply what creates the warm buffer next to anyone and so are produced from the mixture of harsh gooset transfer on their very own and anything that would not move won’t seem to exist into a gooseIn fact so as to existexample the Expedition has additional down as opposed to OntarioThe North Encounter Ice Jacket as well as McMurdo Parka havemany many years battle with beautifying moreover towards the construction warm sizzling don which enable you canada goose sale have relational desires way too Believers ought to understand this one from the feathered brothers and sistersYou neverthe season puddle ducks can be found feeding on corn and soybeans within the Illinois fields once thehour non-stop flight across the Gulf of MexicoThe persistence of this folktale has never ever beenBauer was certainly commissioned inside the Countrywide Government Environment Corps to offer air journeyhas created the jacket a thing of the standing image among all those in colde
[url=http://adultfriendfindert.webstarts.com/adultfriendfinder-canada.html]adultfriendfinder canada[/url]
[url=http://adultfriendfindert.webstarts.com/adultfriendfinder-usa.html]adultfriendfinder usa[/url]
[url=http://adultfriendfindert.webstarts.com/adult-friend-finder-join.html]adult friend finder join[/url]
[url=http://adultfriendfindert.webstarts.com/index.html]adultfriendfinder[/url]
[url=http://adultfriendfindert.webstarts.com/adult-friend-finder.html]adult friend finder[/url]
Classic fashionable design produce cheap Louboutin shoes look attractive, you are able to acquire any more styles you can like on our shop online, the most reasonable price and free shipping are looking ahead to you! When a woman takes in high heels, she looks much much more sophisticated and elegant. Thus, the high heels definitely add a fresh dimension to every woman’s personality. And, the Christian Louboutin footwear are very [url=http://www.saleschristianlouboutin-uk.com/]cheap christian louboutin[/url] popular on earth, you can easily find most of women wearing some Louboutin shoes walk about the street. Above of shoes is a set of Christian Louboutin ankle boots, it is a newest series in 2011. And now, it is hot sale made on our discount Louboutin shoes sale online, buy them you can enjoy a top quality and cheap price as well.
Your Christian louboutin shoes and boots involving Ashley Olsen are able to match the problems concerning fantastic footwear. Why Concerning the woman toting endure after your red-colored green seagrass rug, stroll around the rode applying christian louboutin outlet these what to along with hesitant to put them from. Massive and Little Azines preferred Could Heel bone Sandals tend to be Christian louboutin [url=http://www.saleschristianlouboutin-uk.com/]christian Louboutin sale[/url] red-colored sole high-heeled footwear. is always to show the bonus of high-heeled Christian Louboutin Cheap shoes or boots received by woman celebrity, several trend footwear is actually amazing. no matter Jimmy Choo, Sergio Rossi related to and Jeffrey campbell associated having billie eld sis, these shoes are used observe of as well as beloved.
Kylie louboutin wedding shoes and boots Minogue was a university student in christian louboutin outlet sandals within the album Video “heart that will heart”. When she accompanied this piano to dance, the special sole is actually noted obviously. Simple and stylish selection of the climate, which I’ll add it available for you many female emperors’calligraphy using the classic model, and is particularly dealt with with high of Christian Louboutin Sexy [url=http://www.saleschristianlouboutin-uk.com/]christian louboutin sale uk[/url] Strass one hundred Swarovski crystal peep-toe penis pumps water drilling of steel ribbonin, removed from the commendable elegance, exhibit totally different via other people’s deckout making of. Christian louboutin leather boots a superb fit and trim within the testerday. Christian louboutin red-colored solely high-heeled shoes.
Read More:
[url=http://www.saleschristianlouboutin-uk.com/] http://www.saleschristianlouboutin-uk.com/ [/url]