OSX VPN Scripts: The built-in Mac VPN client doesn't have many options, but you can apply custom settings via pppd's hook scripts. Here are some examples of how to customize your VPN connections. Put these two files in /etc/ppp and customize them. Make sure you `chmod 0755 /etc/ppp/ip-up /etc/ppp/ip-down`. pppd runs these scripts as root, so they (and /etc/ppp itself) must be owned by root and not writable by anyone else — a user who can edit them gets root. For more information, see `man pppd`.
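#!/bin/bash
#
# /etc/ppp/ip-down
#
# Called by pppd when the ppp link goes down, with the following
# parameters:
# $1 the interface name used by pppd (e.g. ppp3)
# $2 the tty device name
# $3 the tty device speed
# $4 the local IP address for the interface
# $5 the remote IP address
# $6 the parameter specified by the 'ipparam' option to pppd
# pppd also exports IFNAME; $1 is used as a fallback when it is unset.
#
# Restores the ipfw/ip6fw rule sets that /etc/ppp/ip-up saved before it
# installed its VPN-only rules.  State is kept in a root-owned directory
# rather than /tmp: pppd runs this script as root, and loading firewall
# rules from a world-writable directory would let any local user plant a
# file (or a symlink/hard link for ip-up to write through) under the
# predictable name /tmp/vpn-ipfw-<ifname>.rules.  ip-up and ip-down must
# agree on STATE_DIR.

STATE_DIR=/var/run/ppp-vpn-fw
IFNAME=${IFNAME:-$1}

# Report problems to syslog; pppd does not show this script's stderr.
log() { /usr/bin/logger -t ip-down -- "$*"; }

# restore_rules FW FILE
#   Flush FW's rule set and re-add every rule saved in FILE, then delete
#   FILE.  Returns 0 without doing anything when FILE is absent (ip-up did
#   not use block_non_vpn_traffic for this link).  Refuses FILE unless it
#   is a regular file owned by the effective user (root here), so a file
#   that did not come from ip-up is never fed to the firewall as root.
restore_rules() {
  local fw=$1 file=$2 words
  [[ -e "$file" || -L "$file" ]] || return 0
  if [[ -L "$file" || ! -f "$file" || ! -O "$file" ]]; then
    log "refusing to load rules from $file: not a root-owned regular file"
    return 1
  fi
  if [[ ! -x "$fw" ]]; then
    log "$fw not present; cannot restore rules saved in $file"
    return 1
  fi
  "$fw" -f flush
  # Each saved line is one rule as printed by `ipfw list`, e.g.
  # "00100 allow ip from any to any via lo0".  `ipfw add` wants those as
  # separate arguments, so the line is split on whitespace deliberately
  # (read -a) instead of via an unquoted expansion.  The `||` clause keeps
  # a final line that lacks a trailing newline.
  while read -r -a words || [[ ${#words[@]} -gt 0 ]]; do
    [[ ${#words[@]} -gt 0 ]] || continue
    "$fw" -f add "${words[@]}" || log "failed to restore rule: ${words[*]}"
  done < "$file"
  rm -f -- "$file"
}

# Restore ipfw rules, then ip6fw rules (same order as the original).
restore_rules /sbin/ipfw  "$STATE_DIR/vpn-ipfw-$IFNAME.rules"
restore_rules /sbin/ip6fw "$STATE_DIR/vpn-ip6fw-$IFNAME.rules"
#!/bin/bash
#
# /etc/ppp/ip-up
#
# Called by pppd when the ppp link comes up, with the following
# parameters:
# $1 the interface name used by pppd (e.g. ppp3)
# $2 the tty device name
# $3 the tty device speed
# $4 the local IP address for the interface
# $5 the remote IP address
# $6 the parameter specified by the 'ipparam' option to pppd
# pppd also exports IFNAME; $1 is used as a fallback when it is unset.
#
# Variables available inside ip_up_post:
# $SERVER  - the VPN server address (CommRemoteAddress of the PPP service)
# $SERVICE - the SystemConfiguration key of the matching service
#            (State:/Network/Service/<id>)
# $IFNAME  - the ppp interface name
#
# NOTE: ipfw/ip6fw are the pre-pf firewall.  On macOS releases that no
# longer ship /sbin/ipfw, block_non_vpn_traffic cannot enforce anything;
# it logs an error (via syslog) instead of silently leaving traffic open.

STATE_DIR=/var/run/ppp-vpn-fw
IFNAME=${IFNAME:-$1}

# Per-connection customization: dispatch on the VPN server address.
function ip_up_post () {
  case "$SERVER" in
    # Customize settings for a split-tunnel VPN, removing the VPN
    # DNS and adding static routes.
    # "Send all traffic over VPN connection" should be unchecked.
    "my-split-tunnel.com" )
      # Don't use the VPN provided DNS servers
      remove_ppp_dns
      # Add static routes
      add_static_route foo1.my-split-tunnel.com
      add_static_route foo2.my-split-tunnel.com
      ;;
    # Block all non-VPN traffic (including local and IPv6 traffic).
    # "Send all traffic over VPN connection" should be checked.
    "my-secure-vpn.com" )
      block_non_vpn_traffic
      ;;
  esac
}
#
# ===========================================
# You should not need to edit below this line
# ===========================================
#

# Report problems to syslog; pppd does not show this script's stderr.
log() { /usr/bin/logger -t ip-up -- "$*"; }

# Read one "Key : value" entry from a scutil dictionary.
# @param key  -- dictionary key (e.g. InterfaceName)
# @param path -- SystemConfiguration path (e.g. State:/Network/Service/<id>/PPP)
# Anchors on the key name instead of a fixed column, so the result does not
# depend on scutil's exact indentation.
function scutil_get () {
  local key=$1 path=$2
  echo "show $path" | /usr/sbin/scutil | /usr/bin/sed -n "s/^ *${key} : //p"
}

# Drop the DNS configuration pushed by the VPN for $SERVICE.
# Presumably relies on scutil's `set` writing its (still empty) working
# dictionary over the service's DNS key -- confirm with `scutil` if the
# resolver still picks up the VPN servers.
function remove_ppp_dns () {
  echo "set $SERVICE/DNS" | /usr/sbin/scutil
}

# Add a host route through the VPN interface.
# @param host -- hostname or IP
function add_static_route () {
  /sbin/route add -host "$1" -interface "$IFNAME"
}

# Make sure STATE_DIR exists (mode 0700) and is a root-owned directory that
# is not a symlink.  /var/run is writable only by root, so an unprivileged
# user cannot pre-create a symlink or hard link there for this root-run
# script to write through -- the reason /tmp is not used for saved rules.
function ensure_state_dir () {
  if [[ ! -d "$STATE_DIR" ]]; then
    /bin/mkdir -m 0700 -- "$STATE_DIR" || { log "cannot create $STATE_DIR"; return 1; }
  fi
  if [[ -L "$STATE_DIR" || ! -d "$STATE_DIR" || ! -O "$STATE_DIR" ]]; then
    log "$STATE_DIR is not a root-owned directory; refusing to use it"
    return 1
  fi
}

# Block all non-VPN traffic.
# Even when you check "Send all traffic over VPN connection", OSX will still
# allow local traffic on the same subnet and IPv6 traffic.  This uses the
# built-in firewall to block that traffic, ensuring everything goes through
# the VPN.  The current rules are saved first so /etc/ppp/ip-down can put
# them back; if saving fails nothing is flushed, because there would be
# nothing to restore.
function block_non_vpn_traffic () {
  local fw_rules="$STATE_DIR/vpn-ipfw-$IFNAME.rules"
  local fw6_rules="$STATE_DIR/vpn-ip6fw-$IFNAME.rules"

  if [[ ! -x /sbin/ipfw ]]; then
    log "/sbin/ipfw not found; cannot block non-VPN traffic for $IFNAME"
    return 1
  fi
  ensure_state_dir || return 1

  # Save previous IPv4 rules
  if ! /sbin/ipfw list > "$fw_rules"; then
    log "could not save ipfw rules to $fw_rules; leaving firewall untouched"
    rm -f -- "$fw_rules"
    return 1
  fi
  /sbin/ipfw -f flush
  # Anything on the tunnel interface is fine.
  /sbin/ipfw -f add allow all from any to any via "$IFNAME"
  # The tunnel itself needs to reach the VPN endpoint; this allows every
  # protocol/port to and from it.  If $SERVER is a hostname, ipfw likely
  # resolves it when the rule is added, so the rule pins whatever address
  # was returned at that moment.
  /sbin/ipfw -f add allow all from any to "$SERVER"
  /sbin/ipfw -f add allow all from "$SERVER" to any
  /sbin/ipfw -f add reject all from any to any

  # IPv6: without ip6fw nothing here can stop v6 traffic from bypassing
  # the tunnel, so say so loudly rather than pretend it is blocked.
  if [[ ! -x /sbin/ip6fw ]]; then
    log "/sbin/ip6fw not found; IPv6 traffic on $IFNAME is NOT blocked"
    return 1
  fi
  if ! /sbin/ip6fw list > "$fw6_rules"; then
    log "could not save ip6fw rules to $fw6_rules; IPv6 rules left untouched"
    rm -f -- "$fw6_rules"
    return 1
  fi
  /sbin/ip6fw -f flush
  /sbin/ip6fw -f add allow all from any to any via "$IFNAME"
  /sbin/ip6fw -f add reject all from any to any
}

#
# Find the PPP service whose InterfaceName is this link and call ip_up_post.
#
# `scutil list` prints one "  subKey [N] = State:/Network/Service/<id>/PPP"
# line per match; taking the last field instead of a fixed character offset
# keeps this working once N reaches two digits.
SERVICES=$(echo "list State:/Network/Service/[^/]+/PPP" | /usr/sbin/scutil | /usr/bin/awk '{ print $NF }')
for ppp_key in $SERVICES; do
  SERVICE=${ppp_key%/PPP}
  if [[ "$(scutil_get InterfaceName "$SERVICE/PPP")" == "$IFNAME" ]]; then
    SERVER=$(scutil_get CommRemoteAddress "$SERVICE/PPP")
    ip_up_post
  fi
done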