Connecting to a VPN AND internet

Discussion in 'macOS' started by zync, Sep 12, 2005.

  1. zync macrumors 68000

    zync

    Joined:
    Sep 8, 2003
    Location:
    Tampa, FL
    #1
    I was wondering if anyone has found an easy way to split routing between a VPN and regular internet traffic? I thought Tiger had fixed this but apparently it hasn't. I've tried DigiTunnel to no avail, even though it specifically stated that it would split route traffic. And yes, I configured it to do so via its system pref pane.

    If I disable "send all traffic through VPN" in Internet Connect, then no HTTP traffic or SMB shares work correctly, which is expected. I wish they had just implemented this to split traffic via a remote DNS when that option was unchecked!

    Anyone have any ideas? All of the information I have found deals with changing the underpinnings of how everything is routed on my machine, but I suspect that there's a simple GUI trick or something that is hidden somewhere I don't know how to find :)
     
  2. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #2
    Yeah, just modify your routes accordingly. For example, go into Terminal and check your routes:

    netstat -rn

    You will most likely see two default routes (0.0.0.0). Note the default route for your work subnet. Add a route for each VPN subnet, then delete the VPN default route.

    Let's say your home network is 192.168.1.0/24 and your work's subnet is 10.1.1.0/24. You would do this in Terminal:

    sudo route add -net 10.1.1.0 -netmask 255.255.255.0 <work subnet default route>
    sudo route delete default <work subnet default route>

    I wrote a script to do all of this for my particular VPN setup, and I would suggest you do the same. Then you can just run the script to fix your routes.
     
  3. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #3
    Are you sure that works in all cases?

    I believe it may also depend on how the VPN is configured. For example, I know that our Cisco VPN is configured to not allow local 'net traffic when connected to the VPN.

    This restriction works quite well on Windows. I tried creating my own routes as you suggest here, but anything but the default configuration is ignored as long as the PPTP connection is active. I even tried replacing the default route with a specific route to our subnet at work and added explicit routes to one local host, but it seems like the local NIC is completely disabled, only the virtual PPTP connection works. I even tried connecting the two hosts directly via Firewire with no success.

    This might be a limitation of Windows, but my guess is that it is a more generic feature of PPTP. There are good security reasons why VPN access should not be simultaneous with local access.

    B
     
  4. Le Big Mac macrumors 68020

    Le Big Mac

    Joined:
    Jan 7, 2003
    Location:
    Washington, DC
    #4
    I have the same thing with my work. I asked about this and they said they did not support split tunnelling (is that the right term?) because of security concerns (they are worried someone could come in through one tunnel on my computer and then out through the VPN tunnel into the work servers--that would take some good timing, but I understand the concern).

    Anyway, it may be that your configuration prevents this.
     
  5. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #5
    Considering the original question revolved around Internet Connect, yes, you can change the routes without any issues. My employer uses Nortel, and if you change the routes, it disconnects you, but it also loads a DLL into the IP stack. In addition, any traffic sent to the Internet does _not_ go through the VPN, and there's no need for it to do so, unless your employer wants to watch your every move wherever you are.

    The security risk is arguably minimal if you disallow inbound traffic to the VPN client machine with a firewall of some sort. It is effectively the same as being connected to your work's LAN.

    Of course, everyone's mileage may vary, and everyone has a differing opinion on that.
     
  6. balamw Moderator

    balamw

    Staff Member

    Joined:
    Aug 16, 2005
    Location:
    New England
    #6
    You can change the routes, but will it actually achieve what the OP wanted? (presuming his VPN server doesn't support split tunneling)

    NOTE: I haven't tried it with my iBook, but know it never worked on Windows even using the built-in PPTP client instead of the Cisco client, so no DLLs were loaded into the TCP/IP stack.

    I agree with you about the real security risks, particularly where the VPN client is not a Windows box with all the vulnerabilities that carries.

    B
     
  7. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #7
    I did this and it worked fine for me. You can always test it with traceroute. First traceroute to www.apple.com and watch the hops. Now, change the routes, and traceroute to www.apple.com again. It should go through your pre-VPN routes.

    In the case where I used it, it was a Windows 2000 VPN server, and changing the routes worked on both Windows and OS X. The VPN server in my scenario had no way of knowing what my routes were.
     
  8. zync thread starter macrumors 68000

    zync

    Joined:
    Sep 8, 2003
    Location:
    Tampa, FL
    #8
    I've tried something similar but I forgot to add a netmask. Also, I only added a default route for my own network. I suppose that if I default with my work's VPN (the scenario is opposite with IPs as you described :)) 192.168.1.0/24 it'll only send that traffic through the VPN; however, it removes my local default when I'm connected. Do I need to add it in? Otherwise how would it know to route through 10.0.1.0/24? And if I do have to add it as well, what would I name it, because default will obviously be taken :)

    Also, thanks for helping so much already. I'll play around with it :) If you know the answers to my question above, however, please share :D

     
  9. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #9
    Okay, it's 4am and I am awake because of pages from work, so bear with me here.

    The local subnet route won't change. So, jot down the new default route it gave you and know your local default route.

    Let's say the VPN default route is 192.168.1.30 and your local default route is 10.0.1.1. Let's also say that 192.168.1.0/24 is your work subnet. You'll do:

    sudo route add -net 192.168.1.0 -netmask 255.255.255.0 192.168.1.30
    sudo route delete default 192.168.1.30
    sudo route add default 10.0.1.1

    Notice how I added a route for the entire work subnet first? I did this so you can still remain connected to work while you delete the default route. If you have more subnets at work, just add them in before you delete your default route:

    sudo route add -net 192.168.2.0 -netmask 255.255.255.0 192.168.1.30

    and so on.
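
    The procedure in posts #2 and #9 (read netstat -rn, add the work subnets via the tunnel gateway, drop the tunnel's default route, restore the local default) as an added example, not code posted by anyone in this thread. The script reads a routing table in the format netstat -rn prints, picks the default route on a ppp* interface as the PPTP tunnel and the other default as the local NIC, and prints the route commands in an order that never leaves you without a path to either network. It applies nothing by itself. The interface names (ppp0, en1), gateways (192.168.1.30, 10.0.1.1) and subnet below are assumptions for the demo, not taken from any poster's machine.

```shell
#!/bin/sh
# Added example, not posted in this thread: turn a `netstat -rn` table into the
# split-routing commands described above. Output is printed, never executed,
# so you can check it before running it as root.
# Interfaces, gateways and subnets here are assumed values for the demo.

# Constructed `netstat -rn` excerpt (Tiger-style columns; Expire is blank on
# these rows, so the interface name is always the last field).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.30       UGSc        0        0   ppp0
default            10.0.1.1           UGSc        2        4    en1
10.0.1/24          link#5             UCS         1        0    en1
10.0.1.1           0:1:2:3:4:5        UHLW        3       10    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          2       40    lo0
192.168.1.30       192.168.1.30       UH          1        0   ppp0'

# Print the gateway of the default route that sits on interface $2, if any.
default_gw_for() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$1 == "default" && $NF == ifc { print $2; exit }'
}

# Interface carrying the tunnel default (ppp*) and the non-tunnel default.
tunnel_if() { printf '%s\n' "$1" | awk '$1 == "default" && $NF ~ /^ppp/  { print $NF; exit }'; }
local_if()  { printf '%s\n' "$1" | awk '$1 == "default" && $NF !~ /^ppp/ { print $NF; exit }'; }

# split_route_commands <netstat -rn text> <work subnet in CIDR>...
# Prints the route commands; returns 1 and prints nothing unless both a tunnel
# default and a local default are present in the table.
split_route_commands() {
    routes=$1; shift
    vpn_gw=$(default_gw_for "$routes" "$(tunnel_if "$routes")")
    lan_gw=$(default_gw_for "$routes" "$(local_if "$routes")")
    if [ -z "$vpn_gw" ] || [ -z "$lan_gw" ]; then
        echo "error: expected a default route on a ppp interface and one on a local interface" >&2
        return 1
    fi
    [ $# -gt 0 ] || { echo "error: no work subnets given" >&2; return 1; }
    # Work subnets first, so the tunnel stays reachable while the default is swapped.
    for net in "$@"; do
        echo "route add -net $net $vpn_gw"
    done
    echo "route delete default $vpn_gw"
    echo "route add default $lan_gw"
}

# Demo against the constructed table: prints three route commands, applies nothing.
split_route_commands "$SAMPLE_ROUTES" 192.168.1.0/24
```

    On a live Tiger box you would feed it the real table, e.g. split_route_commands "$(netstat -rn)" 192.168.1.0/24 | sudo sh, then confirm with traceroute www.apple.com before and after, as post #7 suggests. Two caveats: rows with a non-empty Expire column shift the interface off the last field, so inspect the table first, and none of this helps when the VPN server or client enforces no-split-tunnel, as posts #3 to #6 describe; the routes are simply ignored or the session is dropped.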
     
  10. zync thread starter macrumors 68000

    zync

    Joined:
    Sep 8, 2003
    Location:
    Tampa, FL
    #10
    BTW, I can't add a specific IP after the -netmask for /24. Like 255.255.255.0 192.168.1.30. But that's not the problem.

    The default that comes up when I connect to the VPN is the actual server address. Makes sense. What I don't get is that it doesn't actually list the local network anywhere in there. The local network follows 192.168.1.0/24.

    So I tried to add defaults for both 192.168.1.0/24 and 10.0.1.0/24. Didn't work. Then I removed the original default to the actual IP of the server. Nothing worked, except one thing: AIM. AIM was still connected somehow.

    I feel like I've tried everything :( I have no idea why this isn't working.

    If it would help in any way I can PM you the piped output of my netstat -rn when I have my local net working. I know the output of netstat when I'm connected would probably be more helpful but that would probably violate my NDA by just a smidgeon :) Though my client did tell me to post on forums for a solution :D

    I appreciate all your help so far though! It's got me a lot closer. I know there's just one small thing standing in the way. I really don't understand why it doesn't have anything for the local network on the VPN end.

    Oh and I also tried to add just a regular default with the actual IP of the VPN/24 along with my local 10.0.1.0/24 to no avail. Maybe I should just match up my router to theirs to just see what happens :)
     
  11. belvdr macrumors 601

    Joined:
    Aug 15, 2005
    #11
    Sure, PM me your routing table. I'll take a look at it. I'll also jot down the route commands that I would use. I'll double check the commands on my iMac, that is, when my wife turns it on (I'm at work). :)

    I'm certain that the route for your local network can't be removed by a VPN connection. Look at it this way, if it were possible to route the packets for your local network to the VPN server, how would they get back? The VPN server only knows your IP, not your entire subnet, because the connection is a host-to-network tunnel, not network-to-network (called site-to-site as well). Thus, the packet would never return.

    EDIT: As for your NDA, that's a good cause not to post it. However, if someone were to use the routing table for malicious purposes, then they would surely notice this in their logs. I mean, they are logging, aren't they? ;)
     
