Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Routing tips for VPNs on OS X

Routing tips for VPNs on OS X

When VPNs Just Work™, they're a fantastic way of allowing access to a private network from remote locations. When they don't work it can be an experience in frustration. I've had situations where I can connect to a VPN from my Mac, but various networking situations cause routing conflicts. Here are a couple of cases and how I've been able to get around them.

Specific cases

Case 1: conflicting additional routes.

In this example the VPN we are connecting to has a subnet that does not conflict with our local IP, but has additional routes that conflict in some way with our local network's routing. In my example the remote subnet is 10.0.x.0/24, my local subnet is 10.0.y.0/24, and the conflicting route is 10.0.0.0/8. Without the later route, I can't access all hosts on the VPN without manually adding the route after connecting to the VPN:

sudo route add -net 10 -interface ppp0

In the above case the VPN is a PPTP VPN that uses ppp0 as the network interface. With this additional route, I can now access all the hosts I need to on the VPN. This won't solve the case of trying to access addresses on the 10.0.y.0/24 subnet though.

Case 2: conflicting subnet between VPN and local network.

Fairly often a VPN on a private address space subnet can end up conflicting with a local subnet. For example if both the remote and local networks share the 192.168.0.0/24 subnet then our VPN connection ends up being pretty useless as all of the remote addresses will end up being routed to the local network device.

It is possible to get around this in some cases as long as the VPN IP address doesn't conflict directly with a local IP address that you need access to. In this case we need to add a specific route for the remote IP:

sudo route add -host 192.168.0.x -interface tun0

In the above case I'm routing the host 192.168.0.x (replace the x with your specific address) via the tun0 device (in this case an OpenVPN connection).

Useful commands to debug routing issues.

The following command will show the existing routing table (IPv4 only):

netstat -nr -f inet

The following command will show you how a specific host will get routed:

route get HOSTNAME_OR_IP
@djsmiley2k

This comment has been minimized.

Copy link

@djsmiley2k djsmiley2k commented Mar 28, 2019

Has anyone found a way to automatically add routes, now that OSX doesn't seem to use ppp anymore? Does the if-up ppp script still work? If not, what can we use instead?

@arnodirlam

This comment has been minimized.

Copy link

@arnodirlam arnodirlam commented Oct 21, 2019

I can confirm that /etc/ppp/ip-up still works with current macOS (Catalina). The permissions must be correct (sudo chmod 0755 /etc/ppp/ip-up).

https://superuser.com/questions/4904/how-to-selectively-route-network-traffic-through-vpn-on-mac-os-x-leopard

@optyler

This comment has been minimized.

Copy link

@optyler optyler commented Sep 29, 2020

Hi,

very usefull, but how do you know the name of the right interface to choose ?
If i run ifconfig I got lots of interfaces... is it one of these two ? utun0 utun1

@taldanzig

This comment has been minimized.

Copy link
Owner Author

@taldanzig taldanzig commented Sep 29, 2020

Hi,

very usefull, but how do you know the name of the right interface to choose ?
If i run ifconfig I got lots of interfaces... is it one of these two ? utun0 utun1

Running netstat -nr -f inet to view the current routing table can give you a clue.

@takizo

This comment has been minimized.

Copy link

@takizo takizo commented Oct 12, 2020

If you know the subnet of your pptp vpn, you can do this in ip-up script as well.

i.e The VPN assign subnet of 10.20.30.0/24, it will check whether the ppp IP being assign is 10.20.30.*

if [[ $4 =~ "10.20.30" ]]; then 
	#ROUTE HOST 1
	/sbin/route add -net 1.2.3.4/32 -interface $1

	#ROUTE HOST 2	
	/sbin/route add -net 2.3.4.5/32 -interface $1
fi      	

@drizzentic

This comment has been minimized.

Copy link

@drizzentic drizzentic commented Jan 28, 2021

This worked for me! :-)

@devcaco

This comment has been minimized.

Copy link

@devcaco devcaco commented Feb 16, 2021

Hello,
I'm having an issue with MacOs Big Sur. I have a unifi Securtity Gateway at home and I have configured a L2TP Remote Network so that I can connect to my home network when I'm away. Before BigSur when I connected to the L2TP Remote Network and consulted my external IP, I would get my Home's Internet IP, but now ever since BigSur, when I connect to the L2TP VPN and consult my external IP I get the IP of whatever network I'm connected to. I checked the "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a Static Route with my home's internet IP to force it to use that IP? Any guidance would be greatly appreciated.

@sergiorru

This comment has been minimized.

Copy link

@sergiorru sergiorru commented Mar 26, 2021

Hello,
I'm having an issue with MacOs Big Sur. I have a unifi Securtity Gateway at home and I have configured a L2TP Remote Network so that I can connect to my home network when I'm away. Before BigSur when I connected to the L2TP Remote Network and consulted my external IP, I would get my Home's Internet IP, but now ever since BigSur, when I connect to the L2TP VPN and consult my external IP I get the IP of whatever network I'm connected to. I checked the "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a Static Route with my home's internet IP to force it to use that IP? Any guidance would be greatly appreciated.

Did you solved any way this problem? I have the same scenario.

@scottharwell

This comment has been minimized.

Copy link

@scottharwell scottharwell commented Apr 23, 2021

Hello,
I'm having an issue with MacOs Big Sur. I have a unifi Securtity Gateway at home and I have configured a L2TP Remote Network so that I can connect to my home network when I'm away. Before BigSur when I connected to the L2TP Remote Network and consulted my external IP, I would get my Home's Internet IP, but now ever since BigSur, when I connect to the L2TP VPN and consult my external IP I get the IP of whatever network I'm connected to. I checked the "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a Static Route with my home's internet IP to force it to use that IP? Any guidance would be greatly appreciated.

Did you solved any way this problem? I have the same scenario.

Adding the static route manually when connected to the VPN as mentioned in this gist and subsequent comments should resolve this issue. The easiest way to test is to connect to your VPN, then run sudo route add -net 192.168.50 -interface ppp0 (replace 192.168.50 with your local subnet), and then your local connections should work.

In Big Sur, I have found the ip-up script method will work, but you have to use networksetup instead of route.

# Format
# networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*
# Below, gateway is the gateway for the USG assigned VPN subnet and the destination is the local net
networksetup -setadditionalroutes "Home VPN" 192.168.1.0 255.255.255.0 192.168.2.1
@joli-martinez

This comment has been minimized.

Copy link

@joli-martinez joli-martinez commented Jun 3, 2021

Hello,
My home network is 10.21.30.0/24. I connect to a VPN at work and sets 10/8 to go out ppp0 which does not allow me to do anything within my own home including printing. I have attempted to create a static route sending 10.21.30.0/24 out en0 which is my wireless adapter. Apparently 10/8 is the bigger subnet and it just ignores the route. What options do I have to force 10.21.30.0/24 out my wireless instead of the vpn interface ppp0? I understand that I wont be able to connect to anything in the company with that network.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment