
I don't want to send all my network traffic down to VPN when I'm connected to my company's network (via VPN) from home. For example, when I'm working from home, I would like to be able to backup all my files to the Time Capsule at home and still be able to access the company's internal network.

I'm using Leopard's built-in VPN client. I've tried unchecking "Send all traffic over VPN connection." If I do that I will lose access to my company's internal websites be it via curl or the web browser (though internal IPs are still reachable). It'd be ideal if I can selectively choose a set of IPs or domains to be routed through VPN and keep the rest on my own network. Is this achievable with Leopard's built-in VPN client?

Mokubai
newtonapple

  • The first solution will only work on a PPP VPN. The following solution will work on a Cisco VPN (and other types; nothing specific to Cisco): http://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn – dr jimbob Apr 07 '14 at 04:20

5 Answers


Create the file /etc/ppp/ip-up with the following content:

#!/bin/sh
# $1 is the PPP interface pppd has just brought up (e.g. ppp0)
/sbin/route add <SUBNET> -interface $1

replacing <SUBNET> with the subnet you want to route through the VPN (for example, 192.168.0.0/16).

Then execute as root:

chmod 0755 /etc/ppp/ip-up

This file will be executed each time you connect to VPN.

The parameters given to the script:

  • $1: The VPN interface (e.g. ppp0)
  • $2: Unknown, was 0 in my case
  • $3: IP of the VPN server
  • $4: VPN gateway address
  • $5: Regular (non-vpn) gateway for your lan connections
Wolph
Aleksei Balandin
  • The tip of Aleksei worked for me. I am only wondering whether the first line (#!/bin/sh) is doing anything. Isn't it commented out? I am asking this since I am describing this for use at our company and the simpler the better :-) Thanks, Edgar – Edgar Wieringa Feb 22 '11 at 15:59
  • @EdgarWieringa: converted your answer to a comment. Hope that's better! :) – studiohack Feb 22 '11 at 15:59
  • @Edgar - no. That first line is special. http://en.wikipedia.org/wiki/Shebang_(Unix) – James Moore May 23 '11 at 20:42
  • James is right, but of course in the case of a shell script, it's not necessary. If a shebang isn't present, the OS will send it to the shell anyway. :-) – Benson Sep 22 '11 at 20:52
  • On 10.7/Lion, I had better luck with: `/sbin/route add 172.16.0.0/16 -interface $1`. The arguments I saw ip-up getting are: $1 = VPN interface, e.g. 'ppp0'; $2 = '0' (not sure what this value is); $3 = Your VPN IP; $4 = VPN public gateway IP address; $5 = Normal default gateway for ethernet/wifi – Gabe Martin-Dempesy Dec 07 '11 at 17:18
  • I wonder.. Would this method also work with the built-in VPN on a jailbroken iOS device? I always feel dirty messing with `/etc` on my iPad. – mralexgray Feb 07 '13 at 06:33
  • This works wonderfully on Lion. I struggled with this for days. Thanks Aleksei. – Anriëtte Myburgh Mar 27 '13 at 23:21
  • Mountain Lion seems to have the same params; -interface $1 as well as just $4 should work well – tutuDajuju Aug 23 '13 at 05:08
  • What happens if I have two or more VPN connections configured? How do I distinguish among them in `/etc/ppp/ip-up` so I can add the routes accordingly? Will the friendly VPN name be passed as the 6th argument (`ipparam`)? – Kal Sep 16 '14 at 01:19
  • Saved time here :) – Hatem Alimam Oct 07 '15 at 10:50
  • The parameters $1 till $5 — which are a little different for OS X 10.9, which has a $6 — can be found in your pppd man page: `$ man -P 'less -p " /etc/ppp/ip-up"' pppd` – Pro Backup Apr 09 '16 at 18:17
  • Works on Yosemite as answered, and removes routes after disconnect. Nice! – Zayne S Halsall Sep 06 '16 at 10:39
  • I had to run the chmod again for some reason; I had done this fix a while back, but it stopped working. Running the chmod fixed it again. – Anriëtte Myburgh Oct 24 '16 at 10:17
  • `/etc/ppp/ip-up` doesn't get called on my system, macOS `10.13`. I made a similar script that logs execution; it has `root:staff` ownership and `0755` mode. Invoking it manually does execute the script. My VPN connection is `L2TP over IPSec` and `Configure IPv4` is set to `Using PPP`. I `tail -f` the logs, and connecting or disconnecting the VPN doesn't do anything with `/etc/ppp/ip-up`. – GabLeRoux Oct 28 '17 at 17:56
  • I've made a gist with my logging script here: https://gist.github.com/GabLeRoux/c7d4c9046d9b5ec7bce822426613912a let me know if someone knows a solution. At least I managed to skip "Send all traffic over VPN connection" with the following answer: https://superuser.com/a/121259/55267 – GabLeRoux Oct 28 '17 at 18:10
  • This will still let me connect to devices on my LAN, but no longer allows the DNS on my LAN to be used. So I can ping 192.168.0.1, but I can't ping myfirewall. (Even if I use "ping myfirewall.mylan.lan" with mylan.lan as a search domain in my Settings and have 192.168.0.1 set up as the first DNS server in Settings.) – Tango Nov 27 '18 at 15:19
  • Does this depend on the VPN type? Will it work on IKEv2 VPNs? – Kevin C. Feb 07 '19 at 17:48
  • On MacOS 10.15 (Catalina), this answer got me most of the way there, but the "Send all traffic over VPN connection" option in the advanced VPN settings doesn't seem to work. Running `route -n monitor` shows the default route getting reset either way. I added the following to the ip-up script and finally fixed it: `#!/bin/sh /sbin/route add -interface $1 /sbin/route change default -interface ` In my case, I set this to ` en0 `. – Bishop May 21 '20 at 14:25
  • still working fine on Catalina – apedic Jun 01 '20 at 11:20
  • working great on Monterey – Aaron Ullal Apr 11 '22 at 09:25
  • This didn't work automatically on Big Sur, but running it manually after VPN connect does: `sudo sh /etc/ppp/ip-up ppp0`. Additionally, because I have a conflict with my work network space (work network is `10.0.0.0/8` and I'm `10.0.1.0/24`), I had to add `sudo route -n delete 10.0.0.0/8 -interface $1` and then add a /16 or /24 for every 10.x entry, excluding my `10.0.1.0/24` LAN, e.g. `route add 10.0.2.0/24 -interface $1` ... `route add 10.0.255.0/24 -interface $1` ... `route add 10.1.0.0/16 -interface $1` ... `route add 10.255.0.0/16 -interface $1` – Chase Holland May 17 '22 at 21:35
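As an added example, not the answer's own script or anything from the comments above, here is a variant of /etc/ppp/ip-up that keeps the subnets in a separate file instead of hard-coding them, checks each entry before handing it to route (so a typo in the file is reported rather than silently becoming a bogus route), and can be dry-run from a terminal without touching the routing table. The config path /etc/ppp/split-routes.conf and the ROUTES_FILE and DRY_RUN variables are assumptions of this example.

```shell
#!/bin/sh
# Split-tunnel /etc/ppp/ip-up that reads its subnets from a file (added example, not the
# original answer's script). pppd calls it with $1 = VPN interface (e.g. ppp0), $2 = 0,
# $3 = VPN server IP, $4 = VPN gateway, $5 = regular gateway, as listed in the answer above.
# The config path and the ROUTES_FILE / DRY_RUN variables are assumptions of this example.

ROUTES_FILE="${ROUTES_FILE:-/etc/ppp/split-routes.conf}"   # one a.b.c.d/nn per line, '#' comments ok

# Return 0 only if $1 has the shape a.b.c.d/nn with each octet 0-255 and nn 0-32,
# so a typo in the config file never turns into a bogus route.
is_cidr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    addr="${1%/*}"; bits="${1#*/}"
    [ "$addr" != "$1" ] || return 1                               # no '/' at all
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    set -- $(printf '%s' "$addr" | tr '.' ' ')                    # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1; done
}

# Print (and, unless DRY_RUN=1, execute) one "route add" per valid subnet for interface $1.
# Malformed entries are reported on stderr and skipped instead of aborting the whole script.
apply_routes() {
    iface="$1"
    [ -r "$ROUTES_FILE" ] || { echo "ip-up: no $ROUTES_FILE, nothing to route" >&2; return 0; }
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$ROUTES_FILE" | while read -r net; do
        if ! is_cidr "$net"; then
            echo "ip-up: skipping malformed entry '$net'" >&2
            continue
        fi
        echo "/sbin/route add $net -interface $iface"
        [ "${DRY_RUN:-0}" = 1 ] || /sbin/route add "$net" -interface "$iface" >/dev/null
    done
}

# pppd passes the ppp interface as $1; when run by hand with no arguments, do nothing.
# Dry-run from a terminal: DRY_RUN=1 sh /etc/ppp/ip-up ppp0
case "${1:-}" in
    ppp[0-9]*) apply_routes "$1" ;;
esac
```

The dry-run output is exactly the list of route commands that would be executed, which is also a handy thing to compare against `netstat -rn` when debugging why a route did or did not appear.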

There is a hidden feature in Network Preferences on MacOS: you can sort interfaces.

Open System Preferences -> Network -> Click the gear bottom left -> Set service Order...


It's critical that you have your network interfaces sorted into the order you want them to be used. If you want ALL non-LAN data to go to the VPN, put the VPN interface at the top. Sort like this:

  1. VPN
  2. Ethernet
  3. Airport

Not like this:

  1. Airport
  2. Ethernet
  3. VPN

This way, there is no need to check the following setting in Session Options:

Send all traffic over VPN connection

✅ Tested on L2TP VPN connection

GabLeRoux
  • I don't think this answers the question, unless the OP is backing up to Time Machine via Ethernet and connecting to the company network via Airport (wireless connection) – Josh Newman Apr 15 '10 at 17:53
  • I used the ppp startup trick, but it didn't work until I moved my vpn connection below the wireless connection. This is a valid answer. – Arosboro Aug 11 '12 at 14:41
  • It really would be the main answer! Thanks very much; it would be impossible to figure out! – Andre Soares Jan 30 '16 at 01:45
  • This does work for L2TP IPSec VPNs, but does NOT work for Cisco IPSec VPNs. Cisco IPSec VPNs are not available in the "Set Service Order" dialog – goofology Apr 12 '18 at 00:32
  • In addition to @goofology, the IKEv2 VPN connection is not available in the ordering list either... macOS, macOS, macOS... – lese Sep 28 '21 at 14:53
  • This doesn't seem to work on macOS 12, even for L2TP VPNs. – Noldorin Jun 25 '22 at 14:32

I wanted to do a similar thing: connect the VPN and then route an additional network via that VPN. I ended up with the following bit of AppleScript:

-- Connect Work VPN

tell application "System Events"
    tell network preferences
        tell current location
            tell service "Work"
                connect
                tell current configuration
                    repeat until get connected = true
                        delay 1
                    end repeat
                end tell
            end tell
        end tell
    end tell
end tell

set gateway to "192.168.1.1"

do shell script "route add 172.16.0.0/16 " & gateway with administrator privileges

You need to change "Work" to the name of your VPN connection, 192.168.1.1 to your gateway address, and 172.16.0.0/16 to the address of the network to which you wish to route. Additional networks can be added by repeating the final line with different addresses.

Martin Hilton
  • (Minor addition, for those who wonder about this IP address: just like the questioner talked about, 172.16.0.0/16 is a private address space just like 10.x.x.x and 192.168.x.x. So, it is in fact part of the VPN, and not some external web site or whatever.) – Arjan Oct 21 '09 at 09:48
  • So `192.168.1.1` is your router on the VPN, or the router on the LAN? And don't you have to set the default route back to your LAN? – Jack M. Jun 16 '10 at 17:14

The only right solution for macOS is to use networksetup:

First, find the name of your VPN network:

$ networksetup -listnetworkserviceorder

Next, set up additional routes:

$ networksetup -setadditionalroutes networkservice [dest1 mask1 gate1] [dest2 mask2 gate2] ... [destN maskN gateN]

Example:

$ networksetup -setadditionalroutes "my vpn network name" 10.100.1.0 255.255.255.0 10.100.1.1 10.100.2.0 255.255.255.0 10.100.2.1

Check these settings:

$ networksetup -getadditionalroutes "my vpn network name"
10.100.1.0 255.255.255.0 10.100.1.1
10.100.2.0 255.255.255.0 10.100.2.1

To delete these settings, just set them without addresses:

$ networksetup -setadditionalroutes "my vpn network name"
vlk

I have had a look online to see if I can find anything, and as far as I can understand, you want to be able to use your computer as normal while also being able to connect to internal company websites, so you may need to set up a custom routing table.

This link apparently only applies to 10.4, but the command line stuff may still work.

Alexis Hirst