VPN and default gateway issue
I'm on OS version 10.2.8. Whenever I make a VPN connection, the system automatically sets the default gateway to the VPN rather than the local router. For obvious reasons, this is very bad. I have searched literally for hours and have not found a way to correct this "feature." I can manually change the routes via command line, but that's a pretty bad solution.
Anyone know how to change this setting permanently? |
Go into your Network preferences pane. Select Show: "Network Port Configurations" and move VPN to the bottom of the list. It will no longer take priority over other connections.
|
Wow...that simple. :o Thanks!
|
Well, that doesn't seem to do it. I've got the Ethernet card at the top, connected the VPN, and still get the default route set to the VPN address. Any other ideas?
This is on 10.2, not Panther, maybe that's a new feature...? |
I am having the same problem in 10.3.5, anyone have any suggestions?
|
The only answer I've been able to find has been, "use another VPN client." That seems dumb; I can't believe Apple would let such an obvious thing slip by them, but I've found no other solution after literally a couple of hours of searching. I tried the genius bar at both local stores, both said the same thing, get another VPN client.
Digitunnel and Piepants were two suggestions. I haven't tried them yet, as I've been simply re-writing the gateway in the CLI. |
At least we're not alone. I know I got it working right when I did a VPN server on Windows 2000, but that was because, if I remember correctly, there was a spot in the config where you could tell it the gateway.
|
Well, actually I was doing some playing around with my test servers and it's more or less a problem with the Windows dial-up client that distinguishes the default gateway as the existing IP, but I tested it out routing-wise and everything works. I did find something out though by calling Apple tech support. They said that the server doesn't like that you change the IP address in System Preferences, which is kind of false, but what he told me to do was wipe out the machine and reload it. After doing that I had no routing issue even though the gateway was itself, so it seemed like a config got fried somehow. Anyway, he recommended that the IP be changed through the changeip command. Hope this helps.
|
Since this is happening the same way on three of my machines, on 10.2 and 10.3, I'm pretty sure a basic reload isn't going to do a lot for me. If you look in the network tool and see the default route set to the VPN, then it's going there. You can verify that with a traceroute. It will still work, just slower, and doubling the traffic on the VPN server side.
I don't know what you mean by Windows dial-up client. I thought you were doing this on a Mac? The Windows client DOES have a simple checkbox to turn off using the remote gateway as a default. Where's the "changeip" command? That's not found on my system. |
The solution to the default gateway being set to the VPN is to create an ip-up script in /etc/ppp.
In this script add the following lines:

/sbin/route delete default ip-of-vpn-gateway
/sbin/route add default 192.168.0.1 (replace with your own default gateway)
/sbin/route add 192.168.1.0/24 192.168.1.1 (replace with the values of the VPN network)

Then when you launch the OS X VPN it will automatically run the ip-up script. Hope this helps. |
Unfortunately, the VPN address changes every time you connect. The gateway changes as I travel. I posted a request in the Unix section to see if someone can come up with a script that finds and uses those variables.
Useful tip though, I didn't know you could auto-run a script like that. |
Solution!
Hi,
I've just been through this myself. This hint will tell you what you need, but NOT the top of the thread - scroll to the bottom for the "best" solution. http://www.macosxhints.com/article.p...30906232648318 In short - you specify nodefaultroute for the ppp startup, create an ip-up and ip-down to manually add the VPN routes, and if desired, create the necessary DNS resolvers. Hope this helps, ctrlbreak |
Quote:
I think (for obvious reasons) this is good. Most network administrators do not want you to connect another network to theirs. If you can only route packets through them, you cannot 'leak' information to another network that you are also connected to. If you allow routing to both networks, you are allowing your home machine to basically be a firewall onto the corporate network, and your home machine is unlikely to be as secure as the firewalls most companies have in place. Most corporations will have rules in place that say you cannot connect to another network when you are connected to theirs. |
That's a great tip, ctrlbreak. I think it will do just what I need. Now if I can just figure out how to make the /etc/ppp folder writeable...I'll be all set...
For the record, maintaining a default route to the internet while you're on a VPN does NOT create a connection between the two automatically. |
Hi CAlvarez,
The directory /etc/ppp is owned by root, precisely to stop other users editing / creating files there. These files are loaded automatically by the root user, so you should make all these changes either as root, or using sudo to run as root. For example, in /etc/ppp:

sudo vi ip-up

This launches the vi editor as root, so you have permission to write the file and it is owned by root. You may be asked for your password at this stage. The permissions on these files should probably also be read/write/executable only by root. The easy way to do this is:

chmod 700 ip-up

This assigns permission 7 (integer, equivalent to binary 111, meaning read, write and execute) to the owner (root), and permission 0 to group and world (meaning other users can't read / write / execute it). This is fine, but you will always need to use sudo to edit / read the file. Hope this helps, ctrlbreak |
Hi CAlvarez,
The reason you can't write to the /etc/ppp directory is because it is owned by the root user and the permissions state that only root can write / create files there. To do this you need to be the root user or use sudo. For example, within /etc/ppp in a terminal, to create and edit the ip-up script use:

sudo vi ip-up

This may ask for your password, but will result in the file being edited as root and hence creatable. After you have created the ip-up and ip-down scripts you will need to make them executable, ideally only by root. One quick way to do this is to use chmod, for example:

sudo chmod 700 ip-up

This changes the owner permission to decimal 7 (111 in binary, indicating read, write and execute all possible) and makes the group and world permissions 0 (not readable, writeable or executable). This is probably best as only root will need to run this when the PPP connection is brought up. You will have to similarly use sudo for the DNS stuff if required. Hope this helps, ctrlbreak |
Good tips, thank you. I ended up creating the file elsewhere and using "sudo mv" to move it there. For some reason I never thought to run "sudo vi." I have much to learn/re-learn about Unix (my last work on Unix was in 1979).
I created the "nodefaultroute" file and it had no effect on setting the default route. The referenced link is contradictory on whether the file should be in /etc/ppp or /etc/ppp/peers (it says both that it must be and cannot be in peers). I tried it in both, and it's marked executable, but it does nothing either way. Am I wrong in thinking that this should eliminate the changing of the default route on its own, and the others merely are needed to set a route into the VPN network? |
You are correct - the nodefaultroute option will eliminate the changing of the default route, the ip-up is for creating the route into the VPN network and the ip-down is for cleaning up when you disconnect.
I think you have got slightly confused about what files are needed where. This is what I have:

In /etc/ppp/peers I have a file with the same name as my VPN connection as saved in the Internet Connect application, for example /etc/ppp/peers/MyVPN, which contains the single word "nodefaultroute". This prevents the route being created. It is read automatically by pppd, so it's very important that it has the exact same name (including capitalisation) as the VPN connection. You can verify it has worked by enabling the Connection Log window in Internet Connect (from the Window menu). You should see the following line:

Sun Nov 14 22:25:30 2004 : nodefaultroute # (from )

If it says defaultroute # (from command line) or similar, then your file hasn't been read correctly.

In /etc/ppp I have ip-up and ip-down, which are executable files. The contents of ip-up are reproduced below:

#!/bin/sh
/sbin/route -n add -net 192.168.200 $IPREMOTE >> /tmp/ppp.log 2>&1
/sbin/route -n add -net 192.168.201 $IPREMOTE >> /tmp/ppp.log 2>&1

This adds routes for all 192.168.200.xxx and 192.168.201.xxx addresses into my VPN. To remove these routes on disconnect I have the file ip-down, which contains:

#!/bin/sh
/sbin/route -n delete -net 192.168.200 $IPREMOTE >> /tmp/ppp.log 2>&1
/sbin/route -n delete -net 192.168.201 $IPREMOTE >> /tmp/ppp.log 2>&1

In /etc/resolver I have created a file with the name of my VPN domain; let's say it's mydomain.com, so the file is /etc/resolver/mydomain.com. It contains the following:

search mydomain.com
nameserver 192.168.200.5
nameserver 192.168.200.10

This means any lookups for machine.mydomain.com will go to the two DNS servers specified here. I then created the reverse lookup resolvers, based on the IP domains that are routed to the VPN:

sudo ln -s mydomain.com 200.168.192.in-addr.arpa
sudo ln -s mydomain.com 201.168.192.in-addr.arpa

This sounds long-winded, but it all works fine now, so if you do similar it should work, honest!! Good luck, ctrlbreak |
Argh. I was feeling stupid for a while there, then I realized... Those scripts do not run if you connect the VPN from the Internet Connect menu on the bar! They will only work if you open Internet Connect and click on the "Connect" button. Damn. It was making me insane for a while. Oh well, I can live with a few extra steps to get connected.
Anyway, works great now, thanks! BTW though, no big deal, but I don't get any results in the /tmp/ppp.log file. It is there, it opens in console when I double-click it, but there's nothing in the viewer. Doesn't matter to me, but just FYI. |
Scripting the vpn default route
The above hints were nice, but the problem with them is that if you have several VPN connections or you have to use a dial-up sometimes, it can (I haven't tested if it will) mess up the route tables for other connections.
What I did was this:

/etc/ppp/peers/vpn-name:
--------
nodefaultroute
ipparam vpn-name
--------
(Added the ipparam option with the name of the VPN. The ipparam option is passed to the ip-up and ip-down scripts as the sixth parameter.)

/etc/ppp/ip-up:
--------
#!/bin/sh
sh /etc/ppp/upscripts/$6 >> /tmp/ppp.log 2>&1
--------

/etc/ppp/ip-down:
---------
#!/bin/sh
sh /etc/ppp/downscripts/$6 >> /tmp/ppp.log 2>&1
---------

/etc/ppp/upscripts/vpn-name:
--------
/sbin/route -n add -net 192.168 $IPREMOTE
--------
(you can add as many routes here as make sense for this VPN connection)

/etc/ppp/downscripts/vpn-name:
--------
/sbin/route -n delete -net 192.168 $IPREMOTE
--------
(again, delete as many routes as necessary)

This works like this:
1.- the ipparam option is passed to the ip-up script upon connection
2.- the ip-up script uses this argument to execute a script in the upscripts directory
3.- when disconnected, the ipparam option is passed to ip-down
4.- the ip-down script gets this parameter and executes the file in the downscripts directory

This way you can customize the routes for as many dial-up, VPN or other PPP-based connections as you need.

Note: the files in the upscripts and downscripts directories don't have to be executable; they are "sh"ed from the ip-up and ip-down scripts. Output redirection isn't necessary either.

Heron |
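An added example, not posted by anyone in this thread, that combines ctrlbreak's ip-up/ip-down route handling with Heron's per-connection dispatch in a single script: pppd invokes it as "ip-up IFNAME TTY SPEED LOCALIP REMOTEIP IPPARAM", so the sixth argument picks the route table and the fifth supplies the VPN-side gateway. The connection names, the networks and the DRY_RUN switch are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: one script installed as both /etc/ppp/ip-up and
# /etc/ppp/ip-down (e.g. via a symlink); the name it was called by decides
# whether routes are added or deleted. The peers file for each connection
# holds "nodefaultroute" plus "ipparam <name>" so pppd never replaces the
# default gateway and passes <name> as $6.

# Networks reachable through each connection (hypothetical values).
vpn_routes() {
    case "$1" in
        office) echo "192.168.200.0/24 192.168.201.0/24" ;;
        lab)    echo "10.10.0.0/16" ;;
        *)      echo "" ;;
    esac
}

# Render the route command for one network: $1 = add|delete, $2 = network,
# $3 = the VPN-side gateway (pppd's IPREMOTE / fifth argument).
route_cmd() {
    printf '/sbin/route -n %s -net %s %s' "$1" "$2" "$3"
}

# Add or delete every route for a connection; with DRY_RUN=1 the commands are
# printed instead of executed so the result can be checked before installing.
# $1 = add|delete, $2 = ipparam name, $3 = remote IP. Fails on unknown names.
apply_routes() {
    nets=$(vpn_routes "$2")
    [ -n "$nets" ] || { echo "no routes defined for '$2'" >&2; return 1; }
    for net in $nets; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            route_cmd "$1" "$net" "$3"; echo
        else
            /sbin/route -n "$1" -net "$net" "$3" || return 1
        fi
    done
}

# Only act when pppd supplies its six arguments; $5 is the remote IP and $6
# the ipparam value from /etc/ppp/peers/<connection>.
if [ "$#" -ge 6 ]; then
    case "$(basename "$0")" in
        ip-down) apply_routes delete "$6" "$5" ;;
        *)       apply_routes add "$6" "$5" ;;
    esac
fi
```

Run it by hand as "DRY_RUN=1 sh ip-up ppp0 tty 0 10.0.0.2 10.0.0.1 office" to see the exact route commands pppd would trigger for that connection.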
Nice work. My solution was to have the up and down scripts rename files in the ../resolvers directory.
I hope Apple gets on this; it's one area where Mac OS falls flat on its face compared to Windows. On my Windows laptop I'd be connected to several VPNs at once with no issues, all managed automatically. Have you managed to make the scripts run from the Internet Connect pull-down menu in the menu bar? I don't understand why that's different from actually opening Internet Connect. |
So easy on windows
Firstly, has anyone made a script to fix the routing table? Or at least step-by-step instructions?
Secondly, I've been reading a bit on this and I saw a comment (above) that if you allow these changes to the routing table then you are opening up your "company's" firewall, thus creating security holes. So if this is the case and it is creating security issues, why is it so easy to do on Windows XP? From memory it is called "use default gateway on remote computer", which is found on the advanced tab of the VPN connection. Mac OS X has the security of Unix and that is probably the reason Apple has not made this an easy option. Has anyone seen any comments from Apple? GO MAC |
If you do this on a Mac, it is exactly the same result/risk as on Windows. Some people think that having a connection to the internet is a risk. But it's a truly tiny risk, and there are much bigger risks to worry about even if you don't have this one. It's a silly thing to do, and nobody has ever asked me to do it differently. Everyone specifically wants to keep that traffic off the corporate network.
If you don't protect the enterprise from the other risks, you have problems. And if you do, the default gateway being on the internet is NOT a problem. You are NOT, by default, bypassing the firewall. |