Mac OS X VPN and static routing


The VPN client built into Mac OS X has a checkbox saying “Send all traffic over VPN connection”. Turning this on causes all traffic to get routed over the VPN. Turning this off means that only the VPN IP block will get routed over the VPN. If there are additional IP networks behind the VPN gateway, they won’t be reachable unless you manually add static routes.


Mac OS X uses a program called pppd to negotiate a point-to-point connection. pppd is in charge of performing mutual authentication and creating a ppp network interface. pppd is used, at least, by PPTP and L2TP over IPSec VPNs in Mac OS X.

When a PPP connection is established, the pppd program will look for a script named /etc/ppp/ip-up and, if it exists and is executable, will run it. This file does not exist in a default, clean installation of Mac OS X, but it can easily be created and customized to add static routes whenever a VPN connection is established,

When pppd executes this script, it passes several pieces of information onto the command line. The following sample script describes them:

$ cat /etc/ppp/ip-up
# This script is called with the following arguments:
# $2: VPN interface name (e.g. ppp0)
# $3: 0
# $4: local VPN address (e.g.
# $5: remote VPN gateway (e.g.
# $6: local gateway used to reach the remote VPN gateway
# Example:
# $ ifconfig ppp0
# ppp0: flags=8051 mtu 1280
#  inet --> netmask 0xfffffc00 

if [ "$5" = "" ]; then
  # Add static routes to Hetzner OST3 environment
  /sbin/route add -net -interface ppp0
  /sbin/route add -net -interface ppp0

Tor with Brew in Mac OS X

To install the Tor service using Brew in Mac OS X:

$ brew install tor torsocks

However, this does not load the Tor service automatically (either manually or automatically at log in). Since I don’t link things to be loaded automatically for me, I’ve created the following shell script to load or unload (start or stop) the Tor service manually in Mac OS X:


function usage() {
  echo "usage: $0 start|stop";
  exit 1;

function tor_service() {
  launchctl $1 /usr/local/opt/tor/homebrew.mxcl.tor.plist

function start() {
  echo "$0: starting tor service...";
  tor_service load

function stop() {
  echo "$0: stopping tor service...";
  tor_service unload

function check() {
  echo "$0: checking if tor works...";
  if torsocks curl -s | grep -q 'Congratulations. This browser is configured to use Tor.'; then
    echo 'The tor service works';
    echo 'The tor service does NOT work';

case "$1" in




    echo "error: missing or unrecognized command-line argument";

To start (load) the Tor service:

./ start

To stop (unload) the Tor service:

./ start

To check whether the Tor service is working:

./ check

To tor-ify command-line tools like curl or wget:

torsocks wget

Installing python-glanceclient using Brew on Mac OS X 10.10

I was getting clang errors on ffi.h when trying to install python-glanceclient using pip:

$ pip install python-glanceclient
Installing collected packages: python-glanceclient, cryptography, jsonschema, jsonpatch, cffi, jsonpointer, pycparser
Running install for cryptography
Package libffi was not found in the pkg-config search path.
Perhaps you should add the directory containing `libffi.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libffi' found
Cleaning up...
Command /usr/local/opt/python/bin/python2.7 -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_brew/cryptography/';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-jghJZG-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_brew/cryptography
Storing debug log for failure in /Users/brew/.pip/pip.log

A fix that seems to work is manually installing libffi and exporting PKG_CONFIG_PATH pointing to it:

$ brew install pkg-config libffi
$ export PKG_CONFIG_PATH=/usr/local/Cellar/libffi/3.0.13/lib/pkgconfig/
$ pip install cffi
$ pip install python-glanceclient
$ glance --version

Cisco AnyConnect Web security module (acwebsecagent) in Mac OS X

The Cisco AnyConnect Client on Mac OS X seems to install two components: the VPN client and a Web security module. Based on my experience, the Web security module is always running (as a process named acwebsecagent) and consuming network bandwidth. If you don’t need the Web security module, you can uninstall it by running:

To uninstall the Web security module, just run:

sudo /opt/cisco/anyconnect/bin/

Credit for this: No to Cisco Web Security

Android USB Tethering and Mac OS X

I have tried several ways of tethering my Mac laptop to my Android phone, but I think that USB is the most effective one, at least from a subjective point of view: it doesn’t use as much battery as Bluetooth or WiFi tethering, it seems safer from a security point of view since it transmit the data over a cable, and it also seems safer from a health point of view as it does not rely on yet another wireless emitting point.

In order to get Mac OS X to tether with my Android phone over USB, I had to install Joshua Wise‘s HoRNDIS. It is a Mac OS X package that implements a kext RNDIS driver. The beauty of it all: it is open source and straightforward to set up and use: download the package, install it, connect your Android phone to your laptop using an USB cable, enable USB tethering and it should work automatically, without having to do anything. Magic!

PS: A copy of the HoRNDIS release 4 package can be found here.

The Mac OS X Keychain

Today, I was trying to restore the contents of System keychain in my Mac OS X.

Luckily, I had a copy of the System.keychain file lying around, so I copied it as /tmp/System.keychain and rebooted my computer in single-user mode [1].

In single-user mode:

mv /tmp/System.keychain /Library/Keychains

However, I found out that System.keychain was being apparently wiped out during boot: the Keychain application shown it was empty instead of containing the expected entries. Looking at /var/log/system.log I found this intriguing log line:

Jan 10 20:46:12 foo _locationd[86]: Recreating System.keychain because it ca
nnot unlock; see /usr/libexec/security-checksystem
Jan 10 20:46:12 foo systemkeychain[79]: done file: /var/run/systemkeychaincheck.done

Turns out that /usr/libexec/security-checksystem just dies die with the following error code: CSSMERR_DL_DATASTORE_ALREADY_EXISTS. I couldn’t find any explanation of what it means.

Turns out that /usr/libexec/security-checksystem is just a shell script, and it contains some very interesting lines:


So, it seems that the System.keychain file is actually protected (encrypted) using a system key which is stored inside /var/db/SystemKey. Fortunately for me, Mac OS X keeps a copy of both the System.keychain and SystemKey files:

ls /var/db/SystemKey*

So, in order to make /usr/libexec/security-checksystem happy, the only thing I had to do is to restore the right SystemKey backup file (which is easily done by looking at the timestamp). After doing this, and also restoring the right version of the System.keychain, I double-checked that /usr/libexec/security-checksystem ran silently. Rebooting the system demonstrated that the System keychain survives the boot process and is not recreated anymore 🙂

[1] To reboot in single-user mode, just hold Command+S during boot.

Reverse scrolling direction in Windows

If you are used to Mac OS X Lion “natural” scrolling behavior, you might be interested in to how to emulate such behavior in Windows.

There is a registry setting named FlipFlopWheel that does allow reversing the scrolling direction, both vertical and horizontal. The exact name of the registry key depends on the HID of the mouse devices and, in computers with multiple input devices, there might be multiple entries.

Look for a key under HKEY_LOCAL_MACHINE that is named like SYSTEMCurrentControlSetEnumHID????????Device Parameters. Change the value for FlipFlopWheel from 0 to 1 to reverse vertical scrolling. In Windows 8, there’s an additional FlipFlopHScroll that allows reversing horizontal scrolling.

Disable Bonjour service advertisements in OS X

In case you are worried about Bonjour sending advertisements onto the local network because it compromises your privacy or because you are worried about security, know that you can disable them. It is described in

$ cd /System/Library/LaunchDaemons
$ sudo vi

and replace: