How to selectively route network traffic through VPN on Mac OS X Leopard?


Solution 1

Create the file /etc/ppp/ip-up with the following content:

#!/bin/sh
# $1 is the PPP interface pppd has just brought up (e.g. ppp0)
/sbin/route add <SUBNET> -interface $1

replacing <SUBNET> with the subnet you want to route through the VPN (for example 192.168.0.0/16).

Execute as root:

chmod 0755 /etc/ppp/ip-up

This file will be executed each time you connect to VPN.

The parameters given to the script:

  • $1: The VPN interface (e.g. ppp0)
  • $2: Unknown, was 0 in my case
  • $3: IP of the VPN server
  • $4: VPN gateway address
  • $5: Regular (non-VPN) gateway for your LAN connections

Solution 2

There is a hidden feature in Network Preferences on MacOS: you can sort interfaces.

Open System Preferences -> Network -> Click the gear bottom left -> Set service Order...

[Image: the "Set Service Order..." dialog, showing the VPN ordering]

It's critical that you have your network interfaces sorted into the order you want them to be used. If you want ALL non-LAN data to go to the VPN, put the VPN interface at the top. Sort like this:

  1. VPN
  2. Ethernet
  3. Airport

Not like this:

  1. Airport
  2. Ethernet
  3. VPN

This way, there is no need to check the following setting in Session Options:

Send all traffic over VPN connection

✅ Tested on L2TP VPN connection

Solution 3

I wanted to do a similar thing: connect the VPN and then route an additional network via that VPN. I ended up with the following bit of AppleScript:

-- Connect Work VPN

tell application "System Events"
    tell network preferences
        tell current location
            tell service "Work"
                connect
                tell current configuration
                    repeat until get connected = true
                        delay 1
                    end repeat
                end tell
            end tell
        end tell
    end tell
end tell

set gateway to "192.168.1.1"

do shell script "route add 172.16.0.0/16 " & gateway with administrator privileges

You need to change "Work" to the name of your VPN connection, 192.168.1.1 to your gateway address, and 172.16.0.0/16 to the address of the network to which you wish to route. Additional networks can be added by repeating the final line with different addresses.

Solution 4

I have had a look online to see if I can find anything, and as far as I can understand you want to be able to use your computer as normal while also being able to connect to internal company websites, so you may need to set up a custom routing table.

This link apparently only applies to 10.4, but the command line stuff may still work.

Author: newtonapple

Updated on September 17, 2022

Comments

  • newtonapple
    newtonapple almost 2 years

    I don't want to send all my network traffic down to VPN when I'm connected to my company's network (via VPN) from home. For example, when I'm working from home, I would like to be able to backup all my files to the Time Capsule at home and still be able to access the company's internal network.

    I'm using Leopard's built-in VPN client. I've tried unchecking "Send all traffic over VPN connection." If I do that I will lose access to my company's internal websites be it via curl or the web browser (though internal IPs are still reachable). It'd be ideal if I can selectively choose a set of IPs or domains to be routed through VPN and keep the rest on my own network. Is this achievable with Leopard's built-in VPN client?

    • dr jimbob
      dr jimbob about 10 years
      The first solution will only work on a PPP VPN. The following solution will work on a Cisco VPN (and other types, nothing specific to Cisco): superuser.com/questions/91191/…
  • Arjan
    Arjan over 14 years
    (Minor addition, for those who wonder about this IP address: just like the questioner talked about, 172.16.0.0/16 is a private address space just like 10.x.x.x and 192.168.x.x. So, it is in fact part of the VPN, and not some external web site or whatever.)
  • Glenn
    Glenn about 14 years
    So 192.168.1.1 is your router on the VPN, or the router on the LAN? And don't you have to set the default route back to your LAN?
  • Edgar Wieringa
    Edgar Wieringa over 13 years
    The tip of Aleksei worked for me. I am only wondering whether the first line (#!/bin/sh) is doing anything. Isn't it commented out? I am asking this since I am describing this for use at our company and the simpler the better :-) Thanks, Edgar
  • studiohack
    studiohack over 13 years
    @EdgarWieringa: converted your answer to a comment. Hope that's better! :)
  • noslenkwah
    noslenkwah about 13 years
    @Edgar - no. That first line is special. en.wikipedia.org/wiki/Shebang_(Unix)
  • tobi_b
    tobi_b almost 13 years
    James is right, but of course in the case of a shell script, it's not necessary. If a shebang isn't present, the OS will send it to the shell anyway. :-)
  • Gabe Martin-Dempesy
    Gabe Martin-Dempesy over 12 years
    On 10.7/Lion, I had better luck with:

        /sbin/route add 172.16.0.0/16 -interface $1

    The arguments I saw ip-up getting are:

      • $1 = VPN interface, e.g. 'ppp0'
      • $2 = '0' (not sure what this value is)
      • $3 = Your VPN IP
      • $4 = VPN public gateway IP address
      • $5 = Normal default gateway for ethernet/wifi
  • Arosboro
    Arosboro almost 12 years
    I used the ppp startup trick, but it didn't work until I moved my vpn connection below the wireless connection. This is a valid answer.
  • mralexgray
    mralexgray over 11 years
    I wonder... Would this method also work with the built-in VPN on a jailbroken iOS device? I always feel dirty messing with /etc on my iPad.
  • Anriëtte Myburgh
    Anriëtte Myburgh over 11 years
    This works wonderfully on Lion. I struggled with this for days. Thanks Aleksei.
  • Kal
    Kal almost 10 years
    What happens if I have two or more VPN connections configured? How do I distinguish among them in /etc/ppp/ip-up so I can add the routes accordingly? Will the friendly VPN name be passed as the 6th argument (ipparam)?
  • Hatem Alimam
    Hatem Alimam over 8 years
    Saved time here :)
  • spider
    spider over 8 years
    It really would be the main answer! Thanks very much, it would be impossible to figure out!
  • Pro Backup
    Pro Backup about 8 years
    The parameters $1 till $5 — which are a little different for OS X 10.9 which has a $6 — can be found in your pppd man page: $ man -P 'less -p " /etc/ppp/ip-up"' pppd
  • user5504603
    user5504603 almost 8 years
    Works on Yosemite as answered, and removes routes after disconnect. Nice!
  • Anriëtte Myburgh
    Anriëtte Myburgh over 7 years
    I had to run the chmod again for some reason; I'd done this fix a while back, but it stopped working. Running the chmod fixed it again.
  • GabLeRoux
    GabLeRoux over 6 years
    /etc/ppp/ip-up doesn't get called on my system, macOS 10.13. I did a similar script that logs execution; it has root:staff ownership and 0755 mode. Invoking it manually does execute the script. My VPN connection is L2TP over IPSec and Configure IPv4 is set to Using PPP. I tail -f the logs, and connecting or disconnecting the VPN doesn't do anything with /etc/ppp/ip-up.
  • GabLeRoux
    GabLeRoux over 6 years
    I've made a gist with my logging script here: gist.github.com/GabLeRoux/c7d4c9046d9b5ec7bce822426613912a let me know if someone knows a solution. At least I managed to skip "Send all traffic over VPN connection" with following answer: superuser.com/a/121259/55267
  • goofology
    goofology about 6 years
    This does work for L2TP IPSec VPNs, but does NOT work for Cisco IPSec VPNs. Cisco IPSec VPNs are not available in the "Set Service Order" dialog
  • Tango
    Tango over 5 years
    This will still let me connect to devices on my LAN, but no longer allows the DNS on my LAN to be used. So I can ping 192.168.0.1, but I can't ping myfirewall. (Even if I use "ping myfirewall.mylan.lan" with mylan.lan as a search domain in my Settings and have 192.168.0.1 set up as the first DNS server in Settings.)
  • Kevin C.
    Kevin C. over 5 years
    Does this depend on the VPN type? Will it work on IKEv2 VPNs?
  • Bishop
    Bishop about 4 years
    On macOS 10.15 (Catalina), this answer got me most of the way there, but the "Send all traffic over VPN connection" option in the advanced VPN settings doesn't seem to work. Running route -n monitor shows the default route getting reset either way. I added the following to the ip-up script and finally fixed it:

        #!/bin/sh
        /sbin/route add <SUBNET> -interface $1
        /sbin/route change default -interface <ETHERNET/WIFI IDENTIFIER>

    In my case, I set this to en0.
  • Antonio Pedicini
    Antonio Pedicini about 4 years
    Still working fine on Catalina.
  • lese
    lese over 2 years
    In addition to @goofology: the IKEv2 VPN connection isn't available in the ordering list either ..................... macOS macOS macOS....
  • Aaron Ullal
    Aaron Ullal about 2 years
    Working great on Monterey.
  • Admin
    Admin about 2 years
    This didn't work automatically on Big Sur, but running it manually after VPN connect does:

        sudo sh /etc/ppp/ip-up ppp0

    Additionally, because I have a conflict with my work network space (work network is 10.0.0.0/8 and I'm 10.0.1.0/24), I had to add:

        sudo route -n delete 10.0.0.0/8 -interface $1

    and then add a /16 or /24 for every 10.x entry, excluding my 10.0.1.0/24 LAN, e.g.

        route add 10.0.2.0/24 -interface $1
        ...
        route add 10.0.255.0/24 -interface $1
        ...
        route add 10.1.0.0/16 -interface $1
        ...
        route add 10.255.0.0/16 -interface $1
  • Admin
    Admin about 2 years
    This doesn't seem to work on macOS 12, even for L2TP VPNs.
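A fuller ip-up script, added here as an example and not taken from any of the answers or comments above. It does what Solution 1's two-liner does (route the work subnets through the interface pppd passes as $1), logs the arguments pppd handed over (the diagnostic GabLeRoux was after when ip-up seemed not to fire), and handles the overlap the Admin comment describes, where the work prefix 10.0.0.0/8 contains the home LAN 10.0.1.0/24. Rather than adding hundreds of /16 and /24 routes by hand, it computes the minimal set of blocks that cover a work prefix with the home LAN carved out (16 routes for that case), so the home LAN keeps its own, more specific route; that generalisation goes beyond what the page shows. The names VPN_SUBNETS, HOME_LAN, LOG, ROUTE_BIN and DRY_RUN are chosen for this example, the subnet values are constructed, and nothing here changes whether macOS runs ip-up at all, which the comments show varies by release and VPN type.

```shell
#!/bin/sh
# Added example (not the code of any answer above): an /etc/ppp/ip-up that
# routes work subnets via the PPP interface pppd passes as $1, logs the
# arguments it received, and carves the home LAN out of any overlapping
# work prefix. Variable names are chosen for this example; subnet values
# are constructed.
set -eu

VPN_SUBNETS="${VPN_SUBNETS:-10.0.0.0/8 172.16.0.0/16}"   # what work expects via the VPN
HOME_LAN="${HOME_LAN:-10.0.1.0/24}"                       # must stay on the local LAN
LOG="${LOG:-/var/log/ppp-ip-up.log}"
ROUTE_BIN="${ROUTE_BIN:-/sbin/route}"

# Dotted quad to a 32-bit integer, using only POSIX parameter expansion.
ip_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*};  r=${r#*.}
    c=${r%%.*};  d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer back to a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# exclude_prefix SUPERNET EXCLUDED: print the minimal set of CIDR blocks that
# cover SUPERNET with EXCLUDED removed, one per line. If EXCLUDED is not inside
# SUPERNET, SUPERNET is printed unchanged. Walking from EXCLUDED up to SUPERNET
# one bit at a time and emitting the sibling block at each level yields exactly
# (excluded_len - supernet_len) blocks.
exclude_prefix() {
    super_n=$(ip_to_int "${1%/*}"); super_len=${1#*/}
    excl_n=$(ip_to_int "${2%/*}");  excl_len=${2#*/}
    smask=$(( (4294967295 << (32 - super_len)) & 4294967295 ))
    if [ "$excl_len" -lt "$super_len" ] ||
       [ $(( excl_n & smask )) -ne $(( super_n & smask )) ]; then
        echo "$1"
        return 0
    fi
    len=$excl_len
    while [ "$len" -gt "$super_len" ]; do
        flip=$(( 1 << (32 - len) ))                      # the bit that selects the sibling
        pmask=$(( (4294967295 << (32 - len)) & 4294967295 ))
        echo "$(int_to_ip $(( (excl_n ^ flip) & pmask )))/$len"
        len=$(( len - 1 ))
    done
}

# vpn_routes: every block that should go over the VPN, with HOME_LAN carved out.
vpn_routes() {
    for net in $VPN_SUBNETS; do
        exclude_prefix "$net" "$HOME_LAN"
    done
}

main() {
    iface=$1
    # Record what pppd handed us ($1 interface, $2.. as described in Solution 1).
    { printf '%s ip-up' "$(date)"; printf ' [%s]' "$@"; echo; } >> "$LOG" 2>/dev/null || true
    vpn_routes | while read -r cidr; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$ROUTE_BIN add $cidr -interface $iface"
        else
            "$ROUTE_BIN" add "$cidr" -interface "$iface"
        fi
    done
}

# pppd always passes arguments; with none (e.g. when sourced for testing)
# only the functions are defined.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Install it as /etc/ppp/ip-up with mode 0755, as in Solution 1. `DRY_RUN=1 sh /etc/ppp/ip-up ppp0` prints the route commands without touching the table, and `route -n get <address>` afterwards shows which interface a given host would actually leave through, which is the check worth running before trusting that work traffic and home traffic are separated.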