Changing default routes on OS X on VPN

  • Christian Stocker

We finally replaced our 5 year old 300 MHz Pentium Firewall/Gateway for the office network with a cute little m0nowall. Besides now having a nice web based interface for setting up firewall rules, the m0n0wall comes with built in VPN capabilities (IPSec and PPTP). Therefore we can connect to the office network from home and securely connect to the datacenter (even though almost all important connections are SSL or SSHed anyway, it's more reassuring, especially if you're on an untrusted network).

Setting up VPN over PPTP on OS X is also super easy with the help of “Internet Connect”, but it sets a default route to the gateway. Good, if you're on a completely untrusted network like a conference wireless network. Bad, if you just want to connect securely to the office network, but don't want to let each and every download go through the office.

But there's a solution to this, which I found on macosxhints (way down in the comments).

First create a file in /etc/ppp/peers/ called the same as your VPN config, in my case, this is /etc/ppp/peers/bitflux. Then write just “nodefaultroute” into that file. This prevents creating a new default route.

Now you have to add the routing to your network. Edit (or create) /etc/ppp/ip-up and put something like the following into it:

#!/bin/sh
# Remote end of the PPTP link (pppd hands it to ip-up as $IPREMOTE)
BXVPNIP="192.168.84.2"

# Only add the office routes when this link really is the office VPN
if [ "$IPREMOTE" = "$BXVPNIP" ]
then
        # append (>>) so the second route command does not overwrite the log of the first
        /sbin/route -n add -net 212.55.202 "$IPREMOTE" >> /tmp/ppp.log 2>&1
        /sbin/route -n add -net 192.168.84 "$IPREMOTE" >> /tmp/ppp.log 2>&1
fi

and make this file executable (the “if” is not really needed, btw). Now, the next time you connect to the VPN, only packets to 212.55.202.xxx and 192.168.84.xxx go through the VPN network, the rest still goes over your “normal” route, therefore avoiding unnecessary traffic on the office router.

If you want to add some networks or IPs temporarily to the VPN route, just do:

sudo /sbin/route -n add -net 193.99.144.80 192.168.84.2

(192.168.84.2 is the IP of the VPN gateway)

Checking your routing table can be done with the following command:

netstat -rn
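As an added example (not from the original post), here is a small sh script that checks a routing table for the split-tunnel shape this setup is meant to produce: the default route must not point at the VPN gateway, and every office network must. The two routing tables in it are constructed to mimic `netstat -rn` output; on a real machine you would feed it the actual output instead.

```shell
#!/bin/sh
# Added example: verify that a PPTP link came up as a split tunnel, i.e. the
# default route still uses the local router and only the office networks go
# through the VPN gateway. Routing tables below are constructed samples.

VPN_GW="192.168.84.2"                # IPREMOTE of the PPTP link
VPN_NETS="212.55.202 192.168.84"     # networks that belong in the tunnel

# Constructed `netstat -rn` excerpt after a correct split-tunnel setup.
SAMPLE_GOOD="Destination        Gateway            Flags        Netif
default            10.0.1.1           UGSc         en1
10.0.1/24          link#5             UCS          en1
192.168.84         192.168.84.2       UGSc         ppp0
212.55.202         192.168.84.2       UGSc         ppp0"

# Constructed excerpt when nodefaultroute was forgotten: default moved to ppp0.
SAMPLE_BAD="Destination        Gateway            Flags        Netif
default            192.168.84.2       UGSc         ppp0
10.0.1/24          link#5             UCS          en1"

# check_split_tunnel <routing-table-text> <vpn gateway> <space-separated nets>
# Returns 0 when the default route avoids the VPN gateway and every listed net
# is routed through it; prints the first problem and returns 1 otherwise.
check_split_tunnel() {
    table="$1"; gw="$2"; nets="$3"
    # The default route must not use the VPN gateway (what "nodefaultroute" guarantees).
    if printf '%s\n' "$table" | awk -v gw="$gw" '$1=="default" && $2==gw {f=1} END{exit !f}'; then
        echo "default route goes through VPN gateway $gw (full tunnel)"
        return 1
    fi
    # Each office network needs an explicit route via the VPN gateway.
    for net in $nets; do
        if ! printf '%s\n' "$table" | awk -v n="$net" -v gw="$gw" '$1==n && $2==gw {f=1} END{exit !f}'; then
            echo "network $net is not routed via $gw"
            return 1
        fi
    done
    return 0
}

if check_split_tunnel "$SAMPLE_GOOD" "$VPN_GW" "$VPN_NETS"; then
    echo "sample 1: split tunnel OK"
fi
check_split_tunnel "$SAMPLE_BAD" "$VPN_GW" "$VPN_NETS" || echo "sample 2: misconfigured"
```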

Hope that helps anyone and if not, at least I know where to look at next time :)
