Mac OS X VPN and static routing

Problem

The VPN client built into Mac OS X has a checkbox labelled “Send all traffic over VPN connection”. With it on, the VPN becomes the default route and all traffic goes over the tunnel. With it off, only the network that the VPN-assigned address belongs to (the netmask on the ppp interface) is routed over the VPN. Any additional IP networks behind the VPN gateway are unreachable until you add static routes for them by hand.

Solution

Mac OS X uses a program called pppd to negotiate a point-to-point connection. pppd handles link negotiation and authentication (PAP, CHAP, MS-CHAP) and creates the ppp network interface. It is used, at least, by the PPTP and L2TP/IPsec VPN types in Mac OS X.

When a PPP connection is established, pppd looks for a script named /etc/ppp/ip-up and, if it exists and is executable, runs it. This file does not exist in a default, clean installation of Mac OS X, but it can easily be created and customized to add static routes whenever a VPN connection is established. Since pppd runs the script as root, keep it owned by root, executable (chmod 755) and not writable by anyone else.

When pppd executes this script, it passes several pieces of information on the command line. The following sample script documents them and uses them:

$ cat /etc/ppp/ip-up
#!/bin/sh
#
# pppd(8) runs this script as root with the following arguments:
#
# $1: interface name (e.g. ppp0)
# $2: tty device name (not a real serial device for L2TP/PPTP)
# $3: link speed (0 for L2TP/PPTP)
# $4: local VPN address (e.g. 10.0.0.1)
# $5: remote VPN gateway (e.g. 10.255.255.0)
# $6: ipparam; with the built-in Mac OS X client this is the local gateway
#     used to reach the remote VPN gateway
#
# Example:
#
# $ ifconfig ppp0
# ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
#  inet 10.0.0.1 --> 10.255.255.0 netmask 0xfffffc00

# Every VPN profile on the machine runs this same script, so match on the
# remote gateway and only add routes for the Hetzner OST3 environment.
if [ "$5" = "10.255.255.0" ]; then
  /sbin/route add -net 192.0.2.0/24 -interface "$1"
  /sbin/route add -net 192.168.253.0/24 -interface "$1"
fi
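The same idea, generalised to several VPN gateways, as an added example that is not part of the original post. It keeps a small table of gateway-to-network mappings (the gateway addresses and networks in it are constructed for the example), uses the interface name pppd passes in $1 instead of hardcoding ppp0, refuses interface names that are not ppp interfaces, and lets you dry-run it with ROUTE=echo before installing it as /etc/ppp/ip-up:

```shell
#!/bin/sh
# Table-driven /etc/ppp/ip-up (added example). pppd(8) runs it as root when the
# link is up, with: $1 interface  $2 tty device  $3 speed  $4 local IP
# $5 remote IP  $6 ipparam. Override ROUTE (e.g. ROUTE=echo) to dry-run
# without touching the routing table.
ROUTE="${ROUTE:-/sbin/route}"

# Networks that live behind each remote VPN gateway ($5), one per line.
# These gateway addresses and networks are constructed values for the example.
routes_for_gateway() {
  case "$1" in
    10.255.255.0) printf '%s\n' 192.0.2.0/24 192.168.253.0/24 ;;
    10.255.255.4) printf '%s\n' 198.51.100.0/24 ;;
    *) ;;   # unknown gateway: add nothing
  esac
}

# Only accept ppp interface names. The value comes from pppd, but the script
# runs as root and the name ends up on a route(8) command line, so be strict.
valid_ifname() {
  case "$1" in
    ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Log to syslog when logger(1) is available, otherwise to stderr.
ipup_log() {
  if command -v logger >/dev/null 2>&1; then
    logger -t ip-up "$*"
  else
    echo "ip-up: $*" >&2
  fi
}

# Add the static routes behind gateway $2 through interface $1.
# Returns non-zero without adding anything if $1 is not a ppp interface.
add_vpn_routes() {
  ifname=$1
  gateway=$2
  valid_ifname "$ifname" || return 1
  for net in $(routes_for_gateway "$gateway"); do
    "$ROUTE" add -net "$net" -interface "$ifname"
  done
}

# Entry point when pppd calls the script; a bare invocation does nothing.
if [ "$#" -ge 5 ]; then
  ipup_log "link up on $1: local $4, remote $5"
  add_vpn_routes "$1" "$5" || ipup_log "refusing to add routes for interface '$1'"
fi
```

Run `ROUTE=echo sh ip-up ppp0 x 0 10.0.0.1 10.255.255.0 x` to see which route commands a given gateway would trigger. Routes bound to the ppp interface disappear when pppd tears the interface down, so no matching /etc/ppp/ip-down is needed for cleanup.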
