@taldanzig
Created January 24, 2013 22:14
Routing tips for VPNs on OS X

When VPNs Just Work™, they're a fantastic way of allowing access to a private network from remote locations. When they don't work it can be an experience in frustration. I've had situations where I can connect to a VPN from my Mac, but various networking situations cause routing conflicts. Here are a couple of cases and how I've been able to get around them.

Specific cases

Case 1: conflicting additional routes.

In this example the VPN we are connecting to has a subnet that does not conflict with our local IP, but it pushes additional routes that conflict in some way with our local network's routing. In my example the remote subnet is 10.0.x.0/24, my local subnet is 10.0.y.0/24, and the conflicting route is 10.0.0.0/8. Without the latter route I can't reach all hosts on the VPN, so I add it manually after connecting:

sudo route add -net 10 -interface ppp0

In the above case the VPN is a PPTP VPN that uses ppp0 as its network interface ("-net 10" is BSD route shorthand for 10.0.0.0/8). With this additional route, I can now access all the hosts I need to on the VPN. This won't solve the case of trying to access VPN addresses on the 10.0.y.0/24 subnet though: the local /24 route is more specific than the /8, so those addresses keep going to the local network.

Case 2: conflicting subnet between VPN and local network.

Fairly often a VPN on a private address space subnet ends up conflicting with a local subnet. For example, if both the remote and local networks use the 192.168.0.0/24 subnet, our VPN connection ends up being pretty useless, as all of the remote addresses will be routed to the local network device.

It is possible to get around this in some cases, as long as the remote IP address you need doesn't also belong to a local host you need access to. A host (/32) route is more specific than the local /24, so it wins. In this case we add a specific route for the remote IP:

sudo route add -host 192.168.0.x -interface tun0

In the above case I'm routing the host 192.168.0.x (replace the x with your specific address) via the tun0 device (in this case an OpenVPN connection).
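Both cases above come down to longest-prefix matching: the kernel picks the most specific route that contains the destination, which is why a /32 host route beats the local /24, and why a /24 beats the VPN's /8. The following script is an added example, not part of the gist; it resolves a destination against constructed routing tables written as the Destination and Netif columns of netstat -nr -f inet with the prefix length spelled out in CIDR form. The interface names, the x=7 and y=9 subnets and the 192.168.0.42 host are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not part of the gist): resolve which interface a destination
# would leave on, using the same longest-prefix-match rule the kernel applies.
# The tables are constructed; each line is "destination/prefix interface".

# Case 1 as connected: remote subnet 10.0.7.0/24 (x=7) on ppp0, local
# subnet 10.0.9.0/24 (y=9) on en0, and no 10/8 route yet.
ROUTES_CASE1='
default/0 en0
10.0.7.0/24 ppp0
10.0.9.0/24 en0
'
# The same table after "sudo route add -net 10 -interface ppp0".
ROUTES_CASE1_FIXED="$ROUTES_CASE1
10.0.0.0/8 ppp0
"
# Case 2: local LAN and VPN both use 192.168.0.0/24; the gist's
# "-host 192.168.0.42 -interface tun0" route (assumed host) is the last line.
ROUTES_CASE2='
default/0 en0
192.168.0.0/24 en0
192.168.0.42/32 tun0
'

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET PLEN: succeed if ADDR lies inside NET/PLEN.
in_net() {
  local ip net mask
  [ "$3" -eq 0 ] && return 0
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "$2")
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolve_iface TABLE ADDR: print the interface of the most specific
# matching route (longest prefix wins, exactly as the kernel chooses).
resolve_iface() {
  local table=$1 dest=$2 best_len=-1 best_if='' entry iface net plen
  while read -r entry iface; do
    [ -n "$entry" ] || continue
    net=${entry%/*}
    plen=${entry#*/}
    [ "$net" = default ] && net=0.0.0.0
    if in_net "$dest" "$net" "$plen" && [ "$plen" -gt "$best_len" ]; then
      best_len=$plen
      best_if=$iface
    fi
  done <<EOF
$table
EOF
  echo "$best_if"
}

# Walk through the two cases from the gist.
for dest in 10.0.3.5 10.0.9.1; do
  printf '%-10s before: %-5s after: %s\n' "$dest" \
    "$(resolve_iface "$ROUTES_CASE1" "$dest")" \
    "$(resolve_iface "$ROUTES_CASE1_FIXED" "$dest")"
done
printf '%-14s -> %s\n' 192.168.0.42 "$(resolve_iface "$ROUTES_CASE2" 192.168.0.42)"
printf '%-14s -> %s\n' 192.168.0.7 "$(resolve_iface "$ROUTES_CASE2" 192.168.0.7)"
```

Running it shows 10.0.3.5 leaving on en0 (the default route, i.e. leaking onto the local network and the internet) until the /8 is added, 10.0.9.1 staying on en0 in both tables because the local /24 is more specific, and 192.168.0.42 going to tun0 while its /24 neighbours stay local. On a real machine, route get ADDRESS gives the same answer from the live table.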

Useful commands to debug routing issues.

The following command will show the existing routing table (IPv4 only):

netstat -nr -f inet

The following command will show you how a specific host will get routed:

route get HOSTNAME_OR_IP

@djsmiley2k

Has anyone found a way to automatically add routes, now that OSX doesn't seem to use ppp anymore? Does the if-up ppp script still work? If not, what can we use instead?

@arnodirlam

I can confirm that /etc/ppp/ip-up still works with current macOS (Catalina). The permissions must be correct (sudo chmod 0755 /etc/ppp/ip-up).

https://superuser.com/questions/4904/how-to-selectively-route-network-traffic-through-vpn-on-mac-os-x-leopard

@optyler

optyler commented Sep 29, 2020

Hi,

very useful, but how do you know the name of the right interface to choose?
If I run ifconfig I get lots of interfaces... is it one of these two? utun0 utun1

@taldanzig (Author)

> Hi,
>
> very useful, but how do you know the name of the right interface to choose?
> If I run ifconfig I get lots of interfaces... is it one of these two? utun0 utun1

Running netstat -nr -f inet to view the current routing table can give you a clue.

@takizo

takizo commented Oct 12, 2020

If you know the subnet of your PPTP VPN, you can do this in the ip-up script as well.

i.e. the VPN assigns a subnet of 10.20.30.0/24, so it checks whether the ppp IP being assigned is 10.20.30.*

#!/bin/bash
# /etc/ppp/ip-up: pppd passes the interface name as $1 and the assigned local IP as $4.
# The match is anchored so that only addresses starting with 10.20.30. pass
# (an unanchored "10.20.30" would also match e.g. 110.20.30.1).
if [[ $4 =~ ^10\.20\.30\. ]]; then
	#ROUTE HOST 1
	/sbin/route add -net 1.2.3.4/32 -interface "$1"

	#ROUTE HOST 2
	/sbin/route add -net 2.3.4.5/32 -interface "$1"
fi
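Because pppd runs /etc/ppp/ip-up as root, it is worth validating the arguments it hands over before turning them into route commands. The script below is an added example, not takizo's script or anything shipped with macOS. It keeps the 10.20.30.0/24 subnet and the two target hosts from the comment above, uses the pppd(8) argument order (interface, tty, speed, local IP, remote IP, ipparam), and keeps the decision logic in a function so it can be exercised without touching the routing table; the ROUTE_BIN override is an assumption added for that purpose.

```shell
#!/bin/sh
# Added example (not takizo's script): an /etc/ppp/ip-up hook that validates
# what pppd passes in before adding routes. pppd invokes it as root with
#   $1 interface   $2 tty   $3 speed   $4 local IP   $5 remote IP   $6 ipparam
# Assumed values: VPN subnet 10.20.30.0/24, hosts 1.2.3.4 and 2.3.4.5 (from the
# comment above). ROUTE_BIN can be overridden so the logic is testable offline.

VPN_PREFIX='10.20.30.'
WANTED_HOSTS='1.2.3.4 2.3.4.5'
ROUTE_BIN=${ROUTE_BIN:-/sbin/route}

# is_vpn_addr ADDR: succeed only for an address of the form 10.20.30.N with
# N one to three digits. Anchored, so 110.20.30.5 or "x10.20.30.5" fail.
is_vpn_addr() {
  case $1 in
    "$VPN_PREFIX"[0-9]|"$VPN_PREFIX"[0-9][0-9]|"$VPN_PREFIX"[0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# is_ppp_iface NAME: succeed only for pppN / pppNN interface names, so a
# stray value can never be spliced into the route command.
is_ppp_iface() {
  case $1 in
    ppp[0-9]|ppp[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# plan_routes IFACE LOCALIP: print the route commands that would run, one per
# line; fail (printing nothing) if either argument does not validate.
plan_routes() {
  local iface local_ip h
  iface=$1
  local_ip=$2
  is_ppp_iface "$iface" || return 1
  is_vpn_addr "$local_ip" || return 1
  for h in $WANTED_HOSTS; do
    printf '%s add -net %s/32 -interface %s\n' "$ROUTE_BIN" "$h" "$iface"
  done
}

# add_routes IFACE LOCALIP: the real thing. Each failure is logged rather
# than silently ignored, so a broken hook shows up in the system log.
add_routes() {
  local h
  plan_routes "$1" "$2" >/dev/null || return 1
  for h in $WANTED_HOSTS; do
    "$ROUTE_BIN" add -net "$h/32" -interface "$1" \
      || logger -t ip-up "route add $h via $1 failed"
  done
}

# Only act when invoked by pppd with its arguments; sourcing the file for
# tests leaves the routing table alone.
if [ $# -ge 4 ]; then
  add_routes "$1" "$4" || logger -t ip-up "not adding routes for $1 ($4)"
fi
```

plan_routes ppp0 10.20.30.5 prints the two route commands; plan_routes en0 10.20.30.5 and plan_routes ppp0 110.20.30.5 both fail and print nothing, which is what you want from a script that runs with root privileges on every PPP link that comes up.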

@drizzentic

This worked for me! :-)

@devcaco

devcaco commented Feb 16, 2021

Hello,
I'm having an issue with macOS Big Sur. I have a UniFi Security Gateway at home and I have configured an L2TP Remote Network so that I can connect to my home network when I'm away. Before Big Sur, when I connected to the L2TP Remote Network and checked my external IP, I would get my home's Internet IP, but ever since Big Sur, when I connect to the L2TP VPN and check my external IP I get the IP of whatever network I'm connected to. I checked "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a static route with my home's Internet IP to force it to use that IP? Any guidance would be greatly appreciated.

@sergiorru

> Hello,
> I'm having an issue with macOS Big Sur. I have a UniFi Security Gateway at home and I have configured an L2TP Remote Network so that I can connect to my home network when I'm away. Before Big Sur, when I connected to the L2TP Remote Network and checked my external IP, I would get my home's Internet IP, but ever since Big Sur, when I connect to the L2TP VPN and check my external IP I get the IP of whatever network I'm connected to. I checked "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a static route with my home's Internet IP to force it to use that IP? Any guidance would be greatly appreciated.

Did you solve this problem in any way? I have the same scenario.

@scottharwell

scottharwell commented Apr 23, 2021

> Hello,
> I'm having an issue with macOS Big Sur. I have a UniFi Security Gateway at home and I have configured an L2TP Remote Network so that I can connect to my home network when I'm away. Before Big Sur, when I connected to the L2TP Remote Network and checked my external IP, I would get my home's Internet IP, but ever since Big Sur, when I connect to the L2TP VPN and check my external IP I get the IP of whatever network I'm connected to. I checked "Send All Traffic over VPN Connection" but that didn't help. Do I have to configure a static route with my home's Internet IP to force it to use that IP? Any guidance would be greatly appreciated.
>
> Did you solve this problem in any way? I have the same scenario.

Adding the static route manually when connected to the VPN as mentioned in this gist and subsequent comments should resolve this issue. The easiest way to test is to connect to your VPN, then run sudo route add -net 192.168.50 -interface ppp0 (replace 192.168.50 with your local subnet), and then your local connections should work.

In Big Sur, I have found the ip-up script method will work, but you have to use networksetup instead of route.

# Format
# networksetup -setadditionalroutes <networkservice> [ <dest> <mask> <gateway> ]*
# Below, gateway is the gateway for the USG assigned VPN subnet and the destination is the local net
networksetup -setadditionalroutes "Home VPN" 192.168.1.0 255.255.255.0 192.168.2.1

@joli-martinez

Hello,
My home network is 10.21.30.0/24. I connect to a VPN at work and it sets 10/8 to go out ppp0, which does not allow me to do anything within my own home, including printing. I have attempted to create a static route sending 10.21.30.0/24 out en0, which is my wireless adapter. Apparently 10/8 is the bigger subnet and it just ignores the route. What options do I have to force 10.21.30.0/24 out my wireless instead of the VPN interface ppp0? I understand that I won't be able to connect to anything in the company with that network.

@ttsakpc

ttsakpc commented May 6, 2022

> Hello, My home network is 10.21.30.0/24. I connect to a VPN at work and it sets 10/8 to go out ppp0, which does not allow me to do anything within my own home, including printing. I have attempted to create a static route sending 10.21.30.0/24 out en0, which is my wireless adapter. Apparently 10/8 is the bigger subnet and it just ignores the route. What options do I have to force 10.21.30.0/24 out my wireless instead of the VPN interface ppp0? I understand that I won't be able to connect to anything in the company with that network.

Check setting the order of interfaces as described here

@bsd5

bsd5 commented Jul 20, 2023

You're my hero! I have a VPN on the 10.1.x.x network and a local device at 10.1.1.123, and have been trying to convince my computer on a 192.168.1.0 network to access it. The first route worked! I tried what seems like countless other options for the network to no avail.

THANK YOU!

@b1rdex

b1rdex commented Aug 8, 2023

> In Big Sur, I have found the ip-up script method will work, but you have to use networksetup instead of route.

Actually, you don't have to create /etc/ppp/ip-up anymore (it doesn't work). You just run a command one time in terminal and it applies it to future connections automatically.

Works for me in Ventura:
networksetup -setadditionalroutes "Your vpn name" 172.20.20.0 255.255.255.0 172.17.19.1 172.16.0.0 255.255.254.0 172.17.19.1 (yes, all routes should be in one command run)

@mraesener-aubex

The solution from @b1rdex worked perfectly fine for me, thanks for sharing.
