Mac OS X VPN and static routing


The VPN client built into Mac OS X has a checkbox saying “Send all traffic over VPN connection”. Turning this on causes all traffic to get routed over the VPN. Turning this off means that only the VPN IP block will get routed over the VPN. If there are additional IP networks behind the VPN gateway, they won’t be reachable unless you manually add static routes.


Mac OS X uses a program called pppd to negotiate a point-to-point connection. pppd is in charge of performing mutual authentication and creating a ppp network interface. pppd is used, at least, by PPTP and L2TP over IPSec VPNs in Mac OS X.

When a PPP connection is established, the pppd program will look for a script named /etc/ppp/ip-up and, if it exists and is executable, will run it. This file does not exist in a default, clean installation of Mac OS X, but it can easily be created and customized to add static routes whenever a VPN connection is established,

When pppd executes this script, it passes several pieces of information onto the command line. The following sample script describes them:

$ cat /etc/ppp/ip-up
# This script is called with the following arguments:
# $2: VPN interface name (e.g. ppp0)
# $3: 0
# $4: local VPN address (e.g.
# $5: remote VPN gateway (e.g.
# $6: local gateway used to reach the remote VPN gateway
# Example:
# $ ifconfig ppp0
# ppp0: flags=8051 mtu 1280
#  inet --> netmask 0xfffffc00 

if [ "$5" = "" ]; then
  # Add static routes to Hetzner OST3 environment
  /sbin/route add -net -interface ppp0
  /sbin/route add -net -interface ppp0

Tor with Brew in Mac OS X

To install the Tor service using Brew in Mac OS X:

$ brew install tor torsocks

However, this does not load the Tor service automatically (either manually or automatically at log in). Since I don’t link things to be loaded automatically for me, I’ve created the following shell script to load or unload (start or stop) the Tor service manually in Mac OS X:


function usage() {
  echo "usage: $0 start|stop";
  exit 1;

function tor_service() {
  launchctl $1 /usr/local/opt/tor/homebrew.mxcl.tor.plist

function start() {
  echo "$0: starting tor service...";
  tor_service load

function stop() {
  echo "$0: stopping tor service...";
  tor_service unload

function check() {
  echo "$0: checking if tor works...";
  if torsocks curl -s | grep -q 'Congratulations. This browser is configured to use Tor.'; then
    echo 'The tor service works';
    echo 'The tor service does NOT work';

case "$1" in




    echo "error: missing or unrecognized command-line argument";

To start (load) the Tor service:

./ start

To stop (unload) the Tor service:

./ start

To check whether the Tor service is working:

./ check

To tor-ify command-line tools like curl or wget:

torsocks wget

Installing python-glanceclient using Brew on Mac OS X 10.10

I was getting clang errors on ffi.h when trying to install python-glanceclient using pip:

$ pip install python-glanceclient
Installing collected packages: python-glanceclient, cryptography, jsonschema, jsonpatch, cffi, jsonpointer, pycparser
Running install for cryptography
Package libffi was not found in the pkg-config search path.
Perhaps you should add the directory containing `libffi.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libffi' found
Cleaning up...
Command /usr/local/opt/python/bin/python2.7 -c "import setuptools, tokenize;__file__='/private/tmp/pip_build_brew/cryptography/';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-jghJZG-record/install-record.txt --single-version-externally-managed --compile failed with error code 1 in /private/tmp/pip_build_brew/cryptography
Storing debug log for failure in /Users/brew/.pip/pip.log

A fix that seems to work is manually installing libffi and exporting PKG_CONFIG_PATH pointing to it:

$ brew install pkg-config libffi
$ export PKG_CONFIG_PATH=/usr/local/Cellar/libffi/3.0.13/lib/pkgconfig/
$ pip install cffi
$ pip install python-glanceclient
$ glance --version

Cisco AnyConnect Web security module (acwebsecagent) in Mac OS X

The Cisco AnyConnect Client on Mac OS X seems to install two components: the VPN client and a Web security module. Based on my experience, the Web security module is always running (as a process named acwebsecagent) and consuming network bandwidth. If you don’t need the Web security module, you can uninstall it by running:

To uninstall the Web security module, just run:

sudo /opt/cisco/anyconnect/bin/

Credit for this: No to Cisco Web Security

Android USB Tethering and Mac OS X

I have tried several ways of tethering my Mac laptop to my Android phone, but I think that USB is the most effective one, at least from a subjective point of view: it doesn’t use as much battery as Bluetooth or WiFi tethering, it seems safer from a security point of view since it transmit the data over a cable, and it also seems safer from a health point of view as it does not rely on yet another wireless emitting point.

In order to get Mac OS X to tether with my Android phone over USB, I had to install Joshua Wise‘s HoRNDIS. It is a Mac OS X package that implements a kext RNDIS driver. The beauty of it all: it is open source and straightforward to set up and use: download the package, install it, connect your Android phone to your laptop using an USB cable, enable USB tethering and it should work automatically, without having to do anything. Magic!

PS: A copy of the HoRNDIS release 4 package can be found here.