How to selectively route network traffic through VPN on Mac OS X Leopard?
Solution 1
Create the file /etc/ppp/ip-up with the following content:

#!/bin/sh
/sbin/route add <SUBNET> -interface $1

replacing <SUBNET> with the subnet you want to route through the VPN (for example 192.168.0.0/16), then execute as root:

chmod 0755 /etc/ppp/ip-up
This file will be executed each time you connect to VPN.
The parameters given to the script:
- $1: The VPN interface (e.g. ppp0)
- $2: Unknown, was 0 in my case
- $3: IP of the VPN server
- $4: VPN gateway address
- $5: Regular (non-VPN) gateway for your LAN connections
Solution 2
There is a hidden feature in Network Preferences on MacOS: you can sort interfaces.
Open System Preferences -> Network -> click the gear at the bottom left -> Set Service Order...
It's critical that you have your network interfaces sorted into the order you want them to be used. If you want ALL non-LAN data to go to the VPN, put the VPN interface at the top. Sort like this:
- VPN
- Ethernet
- Airport
Not like this:
- Airport
- Ethernet
- VPN
This way, there is no need to check the following setting in Session Options: "Send all traffic over VPN connection".
✅ Tested on an L2TP VPN connection.
Solution 3
I wanted to do a similar thing. Connect the VPN and then route an additional network via that VPN. I ended up with the following bit of Applescript:
-- Connect Work VPN
tell application "System Events"
    tell network preferences
        tell current location
            tell service "Work"
                connect
                -- poll once a second until the service reports it is connected
                tell current configuration
                    repeat until get connected = true
                        delay 1
                    end repeat
                end tell
            end tell
        end tell
    end tell
end tell
-- once the VPN is up, add a static route for the extra network via the gateway
set gateway to "192.168.1.1"
do shell script "route add 172.16.0.0/16 " & gateway with administrator privileges
You need to change "Work" to the name of your VPN connection, 192.168.1.1 to your gateway address, and 172.16.0.0/16 to the address of the network to which you wish to route. Additional networks can be added by repeating the final line with different addresses.
Solution 4
I have had a look online to see if I can find anything, and as far as I can understand you seem to want to be able to use your computer like normal, while also being able to connect to internal company websites, so, you may need to set up a custom routing table.
This link apparently only applies to 10.4, but the command line stuff may still work.
newtonapple
Updated on September 17, 2022
Comments
- newtonapple almost 2 years
I don't want to send all my network traffic down to VPN when I'm connected to my company's network (via VPN) from home. For example, when I'm working from home, I would like to be able to backup all my files to the Time Capsule at home and still be able to access the company's internal network.
I'm using Leopard's built-in VPN client. I've tried unchecking "Send all traffic over VPN connection." If I do that I will lose access to my company's internal websites be it via curl or the web browser (though internal IPs are still reachable). It'd be ideal if I can selectively choose a set of IPs or domains to be routed through VPN and keep the rest on my own network. Is this achievable with Leopard's built-in VPN client?
- dr jimbob about 10 years: The first solution will only work on a PPP VPN. The following solution will work on a Cisco VPN (and other types, nothing specific to Cisco): superuser.com/questions/91191/…
- Arjan over 14 years: (Minor addition, for those who wonder about this IP address: just like the questioner talked about, 172.16.0.0/16 is a private address space just like 10.x.x.x and 192.168.x.x. So, it is in fact part of the VPN, and not some external web site or whatever.)
- Glenn about 14 years: So 192.168.1.1 is your router on the VPN, or the router on the LAN? And don't you have to set the default route back to your LAN?
- Edgar Wieringa over 13 years: The tip of Aleksei worked for me. I am only wondering whether the first line (#!/bin/sh) is doing anything. Isn't it commented out? I am asking this since I am describing this for use at our company, and the simpler the better :-) Thanks, Edgar
- studiohack over 13 years: @EdgarWieringa: converted your answer to a comment. Hope that's better! :)
- noslenkwah about 13 years: @Edgar - no. That first line is special. en.wikipedia.org/wiki/Shebang_(Unix)
- tobi_b almost 13 years: James is right, but of course in the case of a shell script, it's not necessary. If a shebang isn't present, the OS will send it to the shell anyway. :-)
- Gabe Martin-Dempesy over 12 years: On 10.7/Lion, I had better luck with: /sbin/route add 172.16.0.0/16 -interface $1. The arguments I saw ip-up getting are: $1 = VPN interface, e.g. 'ppp0'; $2 = '0' (not sure what this value is); $3 = your VPN IP; $4 = VPN public gateway IP address; $5 = normal default gateway for ethernet/wifi.
- Arosboro almost 12 years: I used the ppp startup trick, but it didn't work until I moved my VPN connection below the wireless connection. This is a valid answer.
- mralexgray over 11 years: I wonder... would this method also work with the built-in VPN on a jailbroken iOS device? I always feel dirty messing with /etc on my iPad.
- Anriëtte Myburgh over 11 years: This works wonderfully on Lion. I struggled with this for days. Thanks Aleksei.
- Kal almost 10 years: What happens if I have two or more VPN connections configured? How do I distinguish among them in /etc/ppp/ip-up so I can add the routes accordingly? Will the friendly VPN name be passed as the 6th argument (ipparam)?
- Hatem Alimam over 8 years: Saved time here :)
- spider over 8 years: It really would be the main answer! Thanks very much, it would be impossible to figure out!
- Pro Backup about 8 years: The parameters $1 through $5 (which are a little different for OS X 10.9, which has a $6) can be found in your pppd man page:
$ man -P 'less -p " /etc/ppp/ip-up"' pppd
- user5504603 almost 8 years: Works on Yosemite as answered, and removes routes after disconnect. Nice!
- Anriëtte Myburgh over 7 years: I had to run the chmod again for some reason. I'd done this fix a while back, but it stopped working. Running the chmod fixed it again.
- GabLeRoux over 6 years: /etc/ppp/ip-up doesn't get called on my system, macOS 10.13. I did a similar script that logs execution; it has root:staff ownership and 0755 mode. Invoking it manually does execute the script. My VPN connection is an L2TP over IPSec and Configure IPv4 is set to Using PPP. I tail -f the logs and connecting or disconnecting the VPN doesn't do anything with /etc/ppp/ip-up.
- GabLeRoux over 6 years: I've made a gist with my logging script here: gist.github.com/GabLeRoux/c7d4c9046d9b5ec7bce822426613912a. Let me know if someone knows a solution. At least I managed to skip "Send all traffic over VPN connection" with the following answer: superuser.com/a/121259/55267
- goofology about 6 years: This does work for L2TP IPSec VPNs, but does NOT work for Cisco IPSec VPNs. Cisco IPSec VPNs are not available in the "Set Service Order" dialog.
- Tango over 5 years: This will still let me connect to devices on my LAN, but no longer allows the DNS on my LAN to be used. So I can ping 192.168.0.1, but I can't ping myfirewall. (Even if I use "ping myfirewall.mylan.lan" with mylan.lan as a search domain in my Settings and have 192.168.0.1 set up as the first DNS server in Settings.)
- Kevin C. over 5 years: Does this depend on the VPN type? Will it work on IKEv2 VPNs?
- Bishop about 4 years: On MacOS 10.15 (Catalina), this answer got me most of the way there, but the "Send all traffic over VPN connection" option in the advanced VPN settings doesn't seem to work. Running route -n monitor shows the default route getting reset either way. I added the following to the ip-up script and finally fixed it:
#!/bin/sh
/sbin/route add <SUBNET> -interface $1
/sbin/route change default -interface <ETHERNET/WIFI IDENTIFIER>
In my case, I set this to `en0`.
- Antonio Pedicini about 4 years: still working fine on Catalina
- lese over 2 years: In addition to @goofology, neither is the IKEv2 VPN connection available in the ordering list.
- Aaron Ullal about 2 years: working great on Monterey
- Admin about 2 years: This didn't work automatically on Big Sur, but running it manually after VPN connect does: sudo sh /etc/ppp/ip-up ppp0. Additionally, because I have a conflict with my work network space (the work network is 10.0.0.0/8 and I'm on 10.0.1.0/24), I had to add sudo route -n delete 10.0.0.0/8 -interface $1 and then add a /16 or /24 for every 10.x entry, excluding my 10.0.1.0/24 LAN, e.g.:
route add 10.0.2.0/24 -interface $1
...
route add 10.0.255.0/24 -interface $1
...
route add 10.1.0.0/16 -interface $1
...
route add 10.255.0.0/16 -interface $1
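The hand-enumerated /16 and /24 routes in the comment above are one instance of a general computation: covering a VPN supernet with routes while leaving out a local LAN that overlaps it. This added script (not the commenter's code) computes the minimal set of covering blocks for any supernet/excluded pair and prints the matching route commands; it goes beyond the comment by emitting one sibling block per prefix length instead of every /16 and /24. The 10.0.0.0/8 and 10.0.1.0/24 values come from the comment; ppp0 is an assumed interface name.

```shell
#!/bin/sh
# Added example (not the commenter's code): cover a VPN supernet with routes while
# leaving out a local LAN that overlaps it. The comment above does this by hand
# for 10.0.0.0/8 minus 10.0.1.0/24; this computes the minimal cover for any pair.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# exclude_cover SUPERNET EXCLUDED IFACE
# Walk from the supernet's prefix length down to the excluded block's; at each
# level the sibling of the block containing EXCLUDED lies entirely outside it,
# so those siblings together cover SUPERNET minus EXCLUDED, one route per level.
exclude_cover() {
    sup=$(ip2int "${1%/*}"); sup_len=${1#*/}
    exc=$(ip2int "${2%/*}"); exc_len=${2#*/}
    iface=$3
    # EXCLUDED must be a block inside SUPERNET, otherwise there is nothing to split
    [ "$exc_len" -ge "$sup_len" ] || return 1
    [ $(( exc >> (32 - sup_len) )) -eq $(( sup >> (32 - sup_len) )) ] || return 1
    p=$((sup_len + 1))
    while [ "$p" -le "$exc_len" ]; do
        s=$((32 - p))
        sib=$(( ((exc >> s) ^ 1) << s ))
        printf 'route add %s/%s -interface %s\n' "$(int2ip "$sib")" "$p" "$iface"
        p=$((p + 1))
    done
}

# Values from the comment: work network 10.0.0.0/8, home LAN 10.0.1.0/24;
# ppp0 is an assumed interface name.
exclude_cover 10.0.0.0/8 10.0.1.0/24 ppp0
```

Review the printed routes, then run them from ip-up or a root shell; the route -n delete of the /8 that the comment mentions still has to happen first.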
- Admin about 2 years: This doesn't seem to work on macOS 12, even for L2TP VPNs.