Avoid creating PPTP default routes Internet
Saw this floating around, been using it for a month or so now, works a treat. This is really no good for people that use Internet Connect or any Internet Services that use PPPD, but hey, if you're Ethernet connected, it works fine.

Start by creating a new pppd file:
 % su
 % cd /usr/sbin/
 % mv pppd pppd.orig
 % vi pppd
Put in the following text:
 #!/usr/bin/perl
 # Wrapper for the real pppd: rewrite the "defaultroute" option to
 # "nodefaultroute", then hand every argument on unchanged
 my @args = @ARGV;
 s/^defaultroute/nodefaultroute/ for @args;
 exec "/usr/sbin/pppd.orig", @args;
Save the file and quit, then make the new file executable with chmod +x pppd, and you're done. Now every session that is started with PPPD will not create a default route. This includes dialup, PPTP, and I would think pppoe for ADSL. Once up, it's just a matter of routing the networks you want over the network. I've configured my PPTP server to assign me the routes, it seems to work fine.

Enjoy!
34 comments
Avoid creating PPTP default routes.... why?
Authored by: knowmad on Sep 09, '03 11:50:33AM

I know I am showing my lack of knowledge, but it's the only way to learn....
Why would I want to avoid creating default routes? What benefit is this hint to me? What does it improve/secure/fix?
thanks,
Knowmad

Avoid creating PPTP default routes
Authored by: lukeandrews on Sep 09, '03 12:26:17PM

Anyone want to explain what the heck a PPTP default route is, and why I don't want to create one?

Point to Point Tunneling Protocol
Authored by: hayne on Sep 09, '03 02:12:55PM

PPTP is the "Point to Point Tunneling Protocol" and is used for creating a VPN (Virtual Private Network). If you aren't doing VPN (you would know if you were), then this is not relevant for you.

The problem with the default route that this hint is trying to avoid is that it interferes with other network connectivity (e.g. to a local router). A default route specifies where to send packets that are destined for IP addresses other than those explicitly mentioned - usually this applies to packets addressed to machines outside the local network.

Read more here:
http://www.macdevcenter.com/pub/a/mac/2002/12/20/vpn.html
There was a previous hint about setting up PPTP:
http://www.macosxhints.com/article.php?story=20030311232930261
That hint showed how to run the ppp command manually with the options desired, thus avoiding the default route.

Point to Point Tunneling Protocol
Authored by: denty on Sep 09, '03 06:42:23PM

An alternative to altering the way pppd works is to set up the local routing table so that more specific routes already exist to the places you want to go on your LAN/intranet.

For example, if your local intranet uses the 10.0.0.0 network (as many do), if 10.x.y.z is the address of your local network router, then saying:

sudo route add 10.0.0.0/8 10.x.y.z

will make your local intranet immune from the defaultroute problem.

In this scenario, all intranet traffic will go via en0, as before, while internet traffic will go by whatever PPP/PPTP says.

If you really want almost all traffic to go via en0 (with only those very specific tunnelled networks going by the PPP link), you can say:

sudo route add 0.0.0.0/1 10.x.y.z
sudo route add 128.0.0.0/1 10.x.y.z

This has almost the same effect as blocking out PPP/PPTP's defaultroute (which is equivalent to 0.0.0.0/0) because both 0.0.0.0/1 and 128.0.0.0/1 are more specific (the number after the slash is bigger). Together, these two routes cover the whole of the internet.

If you get into a mess with routing, 'netstat -nr', 'route get' and 'route delete' are your friends.

d.

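An added example, not from denty's post or the site, that simulates the kernel's longest-prefix match over constructed routing tables (en0 with router 10.0.0.1, tunnel ppp0, 172.16.5.0/24 as a work subnet and 203.0.113.10 as an internet host are all made-up values) to show why the two /1 routes beat the tunnel's /0 while a /24 added in ip-up still wins:

```shell
#!/bin/sh
# Longest-prefix-match simulator for the routing tables denty describes.
# Constructed example, not the site's code. Addresses are made up: en0 is
# the LAN interface with router 10.0.0.1, ppp0 is the PPTP tunnel, and
# 203.0.113.10 (TEST-NET-3) stands in for a host on the internet.

# ip2int ADDR: dotted quad -> integer (subshell body keeps IFS local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# mask LEN: netmask for a prefix length 0..32, as an integer
mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# lookup DEST TABLE: TABLE holds lines of "network/len next-hop". Prints
# the next-hop of the most specific matching route, the way the kernel
# chooses: a /1 beats the tunnel's /0, a /24 beats a /1. Prints
# "unreachable" when nothing matches.
lookup() {
    d=$(ip2int "$1")
    best_len=-1
    best_hop=unreachable
    while read -r net hop; do
        if [ -z "$net" ]; then continue; fi
        len=${net#*/}
        m=$(mask "$len")
        n=$(ip2int "${net%/*}")
        if [ $(( d & m )) -eq $(( n & m )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_hop=$hop
        fi
    done <<EOF
$2
EOF
    echo "$best_hop"
}

# 1. What pppd's "defaultroute" leaves behind: only the directly attached
#    LAN stays on en0; the rest of the intranet and all of the internet go
#    down ppp0. This is the defaultroute problem.
TUNNEL_DEFAULT='10.0.0.0/24 en0
0.0.0.0/0 ppp0'

# 2. denty's first fix: a 10/8 route via the LAN router is more specific
#    than /0, so the whole intranet stays local; the internet still tunnels.
INTRANET_LOCAL="$TUNNEL_DEFAULT
10.0.0.0/8 10.0.0.1"

# 3. denty's second fix: 0.0.0.0/1 and 128.0.0.0/1 together cover every
#    IPv4 address and each beats the /0, so the internet stays on the LAN
#    router; a /24 added by ip-up (172.16.5.0/24, made up) still wins.
HALVES="$INTRANET_LOCAL
0.0.0.0/1 10.0.0.1
128.0.0.0/1 10.0.0.1
172.16.5.0/24 ppp0"

for dest in 10.0.0.7 10.20.30.40 172.16.5.9 203.0.113.10; do
    printf '%-14s defaultroute:%-6s 10/8:%-9s halves:%s\n' "$dest" \
        "$(lookup "$dest" "$TUNNEL_DEFAULT")" \
        "$(lookup "$dest" "$INTRANET_LOCAL")" \
        "$(lookup "$dest" "$HALVES")"
done
```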
Avoid creating PPTP default routes
Authored by: designr on Sep 09, '03 09:23:05PM

Thanks to all for the clarification.

One small warning if you intend to use this hint: Many IT network security groups require that users sign acceptable use agreements in order to access their networks via VPN. Many of these agreements include a clause which specifically forbids the user from connecting to another (i.e., home) network simultaneously. The VPN client in those cases is set to block those connections. Applying these hints may break the agreement that you signed.

Read the fine print in your VPN Remote Access Security Policy Agreement. I didn't and now I have an IV pipeline permanently embedded in my arm that is slowly draining the life-blood out of me. Wherever I go, I have to carry this damn box around with me. Weekends, vacations, all the time...

Somebody help me... Please.

Avoid creating PPTP default routes
Authored by: kholburn on Sep 10, '03 03:28:04AM

You could also if you wanted change the idle time:

#!/usr/bin/perl
# Wrapper for pppd.orig that also raises the idle timeout from 1800 to
# 18000 seconds (note: s/1800/18000/ rewrites any argument containing 1800)
my @args = @ARGV;
for (@args) {
    s/^defaultroute/nodefaultroute/;
    s/1800/18000/;
}
exec "/usr/sbin/pppd.orig", @args;

or

#!/usr/bin/perl
# Same wrapper, but only the value that follows the "idle" option is changed
my @args = @ARGV;
my $last = "";
for (@args) {
    s/^defaultroute/nodefaultroute/;
    if ($last eq "idle") { $_ = 18000; }
    $last = $_;
}
exec "/usr/sbin/pppd.orig", @args;

Avoid creating PPTP default routes
Authored by: BobHarris on Nov 02, '03 08:41:16PM

Using this hint, I have managed to set up split route PPTP tunnels into my company.

Beside the pppd perl, I added 2 additional scripts

/etc/ppp/ip-up
/etc/ppp/ip-down

In /etc/ppp/ip-up, I placed commands to route work specific subnets to the PPTP tunnel.

I also set up my own /etc/resolv.conf file so that the PPTP tunnel supplied DNS servers IP addresses were part of the list, as well as at least one of the DNS servers for my ISP.

The /etc/ppp/ip-up script also saved the original /etc/resolv.conf file which would be used later by /etc/ppp/ip-down to restore the original DNS server list.

So for example (and this is just a very simplistic example):

#!/bin/sh
# /etc/ppp/ip-up
# route the work subnet via the tunnel peer, save resolv.conf, then
# put the tunnel's DNS servers (plus one ISP server) in front
route add 192.168.0.0 $IPREMOTE
cp /etc/resolv.conf /etc/resolv.conf.pppd.save
echo nameserver $DNS1 >/etc/resolv.conf
echo nameserver 151.203.0.85 >>/etc/resolv.conf
echo nameserver $DNS2 >>/etc/resolv.conf

#!/bin/sh
# /etc/ppp/ip-down
# restore the copy saved by ip-up (same file name as above)
cp /etc/resolv.conf.pppd.save /etc/resolv.conf

The above 2 example scripts must be made executable:

chmod +x /etc/ppp/ip-up
chmod +x /etc/ppp/ip-down

$IPREMOTE, $DNS1, $DNS2 are environment variables set up by the real pppd (previously renamed pppd.orig by the base hint).

So if you have put in place the perl script of this base hint to act as a faux pppd that replaces the defaultroute command line option with nodefaultroute, then when you use Internet Connect to connect a PPTP VPN tunnel, the 3 scripts will work together to set up split routing and DNS services for your PPTP connection.

For more information about ip-up and ip-down, read the pppd man page (man pppd).

Good luck.

Bob Harris

Avoid creating PPTP default routes
Authored by: tfield1974 on Feb 06, '04 01:11:39PM

This is a great tip (especially with the ip-up/ip-down addition). However, for some reason I am unable to get my route add statement to be recognized, so I'm basically blocked out of my work network (10.128). As a result, I have to figure out what my remote IP is and manually add the route myself - which seems to not really be the point.

Here's my ip-up:

#!/bin/sh
# /etc/ppp/ip-up
route add -net 10.128 $IPREMOTE
cp /etc/resolv.conf /etc/resolv.conf.pppd.save
echo nameserver $DNS1 > /etc/resolv.conf
echo nameserver 192.168.2.1 >> /etc/resolv.conf
echo nameserver $DNS2 >> /etc/resolv.conf

Here's what I use to manually add the route statement:
sudo route add -net 10.128 my.remote.ip.address

Any suggestions?

Thanks!
Tony

Avoid creating PPTP default routes
Authored by: slowdog on Mar 08, '04 02:30:40PM
This hint worked for me very well until I (unfortunately) applied "Security Update 2004-02-23 for Panther Client". Now I can't get this hint, or any of the others related with split routing to work. When trying to start the vpn using Internet Connect, I immediately get the error:

The connection has failed. Please verify your settings and try again.

And nothing is written to the vpn log.

This hint just hangs, with no connection or writing to the log.

Has anyone else had this problem? Any fixes/work arounds?

Avoid creating PPTP default routes
Authored by: Nom on Jul 13, '04 09:56:12PM

Completely different way to do this under 10.3.4

Say you've used Internet Connect to create a new VPN 'My_VPN' (yes, that underscore is important). To suppress default route allocation:

/etc/ppp/peers/My_VPN:
nodefaultroute

You can't put this in the global options (/etc/ppp/peers) because a configuration error results.

Then, to patch up routing you need an ip-up and an ip-down. Here, we assume that your remote network has two independent class C subnets, a.b.c1/24 and a.b.c2/24. If your remote has a single class B, you would use a.b/16, and so on.

/etc/ppp/ip-up:
#!/bin/sh
/sbin/route -n add -net a.b.c1 $IPREMOTE >> /tmp/ppp.log 2>&1
/sbin/route -n add -net a.b.c2 $IPREMOTE >> /tmp/ppp.log 2>&1

/etc/ppp/ip-down:
#!/bin/sh
route -n delete -net a.b.c1 $IPREMOTE >> /tmp/ppp.log 2>&1
route -n delete -net a.b.c2 $IPREMOTE >> /tmp/ppp.log 2>&1

Don't forget to make them both executable: chmod +x ip-up ip-down


Patching DNS is even easier. There's a special set of redirects in /etc/resolver. Add appropriate ones for your VPN. Copy the resolv.conf provided by your VPN into a suitable place in your /etc/resolver, and name it (for example) my.vpn.com. Any lookups for my.vpn.com will use this alternative resolver. Tip: copy it BEFORE you make any of the above changes.

You also need to set reverse lookups as well:

ln -s my.vpn.com c1.b.a.in-addr.arpa
ln -s my.vpn.com c2.b.a.in-addr.arpa

In theory, this all works. :)

Avoid creating PPTP default routes
Authored by: jalbrecht2000 on Oct 05, '04 12:37:39PM

I agree with NOM, that is the only correct way to achieve a "correct" split route vpn. However there is a problem that pops up when you have more than one VPN you connect to.

I have a VPN connection that I use to connect to work from home, and vice-versa. Both VPN connections assign me different IP addresses when I connect. I didn't want to have to manually update ip-up and ip-down every time I chose to connect to one of the VPNs, so after a little digging here is what I came up with:

ip-up script:
-----CUT HERE-----
#!/bin/sh
#
# This script is run by the pppd after the link is established.
# It should be used to add routes, set IP address
# etc.
#
# This script is called with the following arguments:
# Arg Name Example
# $1 Interface name ppp0
# $2 The tty ttyS1
# $3 The link speed 38400
# $4 Local IP number 12.34.56.78
# $5 Peer IP number 12.34.56.99

case "$5" in
192.168.0.202) /sbin/route -n add -net 192.168.0.0/24 192.168.0.202 >> /var/log/ppp.log 2>&1 ;;
204.118.193.6) /sbin/route -n add -net 10.0.0.0/24 204.118.193.6 >> /var/log/ppp.log 2>&1 ;;
esac
----CUT HERE----

ip-down script:
----CUT HERE----
#! /bin/sh
#
# This script is run by the pppd after the link is disconnected.
# It should be used to delete routes, remove IP address
# etc.
#
# This script is called with the following arguments:
# Arg Name Example
# $1 Interface name ppp0
# $2 The tty ttyS1
# $3 The link speed 38400
# $4 Local IP number 12.34.56.78
# $5 Peer IP number 12.34.56.99

case "$5" in
192.168.###.###) /sbin/route -n delete -net 192.168.0.0/24 192.168.###.### >> /var/log/ppp.log 2>&1 ;;
204.118.###.###) /sbin/route -n delete -net 10.0.0.0/24 204.118.###.### >> /var/log/ppp.log 2>&1 ;;
esac
----CUT HERE----

What these scripts do is use a couple of variables to determine the remote IP address you have connected to. Depending on what IP address it finds it will modify the routing table accordingly. Of course you will want to substitute my numbers with your own IP addresses. I've been using this script for quite a while now, it works beautifully. Hope this is useful for someone else!

---
__________
Justin

Avoid creating PPTP default routes
Authored by: Kirke on Oct 09, '04 02:54:58AM

This hint is great, but I have a couple of questions just to clarify what's going on and a bit of a problem that maybe someone can help solve.

First, is it fair to assume that ip-up (and ip-down) are files that [something] looks for and executes when initiating (and ending) a VPN session? It just happens that they are missing/not used by default? Is "[something]" Internet Connect or is this a more standard unix thing?

Ok, now here's my problem--a bit of a catch-22 actually. The DNS that can resolve the names of internal servers to their corresponding IP addresses is itself only available "internally." Let me give an example; maybe that will explain this better.

Pretend I work for Zippy Foods and want to connect to zippyfoods.com VPN. The VPN server's address is vpn.zippyfoods.com, the public Web site is www.zippyfoods.com and there is an internal server called private.zippyfoods.com. The DNS that can resolve the private.zippyfoods.com name is at 101.102.103.104 and is only reachable from inside the network.

So, following the instructions from hint, I get to the resolver step and create a new file called zippyfoods.com that looks like:
nameserver 101.102.103.104
nameserver [something cryptic]
port 53
timeout 1

So now I try to connect to the VPN at vpn.zippyfoods.com or go to the public Web site and get an error since it can't resolve those names. Since they are part of zippyfood.com, my computer tries to ask 101.102.103.104 about them and gets no response (because it's not reachable from outside the network).

I can fix the VPN part by changing my parameters to look for the IP address of the VPN server instead (no big deal). But that doesn't solve the issue of not being able to get to the public zippyfoods.com Web site when not connected to the VPN.

I thought maybe a new entry in the /etc/resolver directory for www.zippyfoods.com pointing to local ("ln -s local www.zippyfoods.com") might solve this, but it doesn't seem to. There must be a way to resolve this issue. Any suggestions? It seems silly to have to connect to the VPN even to connect to public servers.

Thanks,
Kirke

Nevermind...
Authored by: Kirke on Oct 09, '04 03:09:31AM

Sheesh, I should read more carefully. All my questions were answered very clearly by other posts. In my defense, when I read them before trying anything I didn't really "get it." Then I played around and came up with the questions I had, but didn't go back and re-read the posts.

Anyway, thanks! This is a great resource.

Kirke

Avoid creating PPTP default routes
Authored by: scstraus on Aug 20, '04 10:35:04AM

To anyone looking to do this, I recommend using the hint directly above me (the end of the thread) rather than the one at the beginning of the thread. The one at the end is very elegant, works perfectly and gives great control. In short, it is the "right" way to do this under os x (at least 10.3.4 on- didn't try anything in earlier versions). The original hint is more of a hack (and didn't work for me- internet connect complained).

Just one caveat with it. In my case the domain I wanted to VPN to was also the same one that the VPN server I wanted to connect to was in, and I was connecting by hostname. Since I copied only the private DNS addresses into the "my.vpn.com" file, it couldn't resolve the name of the VPN server, and therefore couldn't connect to get to those DNS servers. The fixes are easy and apparent. Either connect by IP address, or append your standard DNS servers to the my.vpn.com file.

Also the line where he says

/etc/ppp/peers/My_VPN:
nodefaultroute

He means create a text file with the same name as you named your VPN in internet connect and inside the file put only that word- "nodefaultroute".

Works great. This should be the only hint for this topic, as I said it's the right way to do it and gives you full control.

Also to the guy wondering why anyone does this, basically if you are connecting to a VPN (Virtual Private Network), internet connect routes all your traffic through the private network by default. This changes your IP address to the world and for me was messing up my Asterisk SIP (VoIP) PBX, as well as instant messenger and file sharing whenever I was connected to my VPN tunnel to work. Anyone who uses VPNs to get to their work servers for email or whatever needs this hint to fix the things that the tunnel default route breaks.

---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.

Avoid creating PPTP default routes
Authored by: LotzaPhunn on Sep 30, '04 04:37:01AM
This looks very promising, but I'm too much of a newbie to implement it. I was hoping it would fix the following problem: when I connect into my work VPN, I lose internet connection and am not able to access websites, use iChat, etc... I was hoping someone might take my hand and walk me through...

>> Then, to patch up routing you need an ip-up and an ip-down. Here, we assume that your remote network has two independent class C subnets, a.b.c1/24 and a.b.c2/24. If your remote has a single class B, you would use a.b/16, and so on.

Uh??? What the hell is a class C or a class B? How do I find out which one my Win XP box at work (which I VPN into) has?

>> /etc/ppp/ip-up:
>> #!/bin/sh
>> /sbin/route -n add -net a.b.c1 $IPREMOTE >> /tmp/ppp.log 2>&1
>> /sbin/route -n add -net a.b.c2 $IPREMOTE >> /tmp/ppp.log 2>&1
>>
>> /etc/ppp/ip-down:
>> #!/bin/sh
>> route -n delete -net a.b.c1 $IPREMOTE >> /tmp/ppp.log 2>&1
>> route -n delete -net a.b.c2 $IPREMOTE >> /tmp/ppp.log 2>&1

Am I supposed to substitute $IPREMOTE with that Win XP machine's IP address? Or leave it as is?

>> Patching DNS is even easier. There's a special set of redirects in /etc/resolver. Add appropriate ones for your VPN.

How do I find out what the "appropriate ones for your VPN" are? Are these the same DNS servers that my work Win XP box has in its LAN properties? Anything else in this that I am supposed to substitute with my own values?? Thanks in advance!

Avoid creating PPTP default routes
Authored by: scstraus on Jan 03, '07 06:53:52AM

Yeah, he's using network admin terms. A Class C network is simply one whose subnet mask would be 255.255.255.0. So if the network was 192.168.1.0 with 255.255.255.0, it would be a class C network describing all addresses between 192.168.1.0 and 192.168.1.254.

So, you can guess what a class B is then, right? It's one with a subnet mask of 255.255.0.0. So the network of 192.168.0.0 with subnet mask 255.255.0.0 describes all addresses between 192.168.0.0 and 192.168.254.254.

Hope that helps.

I've reinstalled my machine so I'm gonna try this hint again and see if it still works on 10.4.8. The builtin vpn routing didn't do much for me.

---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.

Avoid creating PPTP default routes
Authored by: scstraus on Jan 03, '07 07:13:44AM

To clarify a bit further, in my ip-up I have

#!/bin/sh
/sbin/route -n add -net 192.168 $IPREMOTE >> /tmp/ppp.log 2>&1

because I want to route all addresses from 192.168.0.0 until 192.168.254.254 over the VPN.

Hope that helps!

---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.

Re: Avoid creating PPTP default routes
Authored by: halesgarcia on Feb 12, '05 02:37:38PM

Also to the guy wondering why anyone does this, basically if you are connecting to a VPN (Virtual Private Network), internet connect routes all your traffic through the private network by default...

I'm using Panther 10.3.8 and VPN without customizations but I am not getting the default route changed. The default route instead remains the local public network that I was connected to before connecting to my VPN server. Has the behavior of VPN changed since these postings were written?

I'm trying to do what everyone in this thread is trying to avoid, that is, set my default route to my VPN server when I'm on a particular network.

Re: Avoid creating PPTP default routes
Authored by: ework on Feb 13, '05 09:00:55PM

This is still a problem for me with 10.3.8. I used these hints and they worked perfectly for me. You can follow these hints and create a file in /etc/ppp/peers with the option defaultroute instead of nodefaultroute. Look at the posts above to see what I mean.

Another Solution Using PPP and Resolver
Authored by: ework on Feb 13, '05 09:47:46PM

Hey everyone, here's another solution I came up with after following some hints in this forum. This script requires creating only two new files, no other modifications needed to existing files. It works correctly with OS X, using PPP like it was intended to be used, and taking advantage of /etc/resolver for domain based DNS lookups. (Some applications might not support resolver, so in that case you will have to modify /etc/resolv.conf instead)

The first file you need to create is /etc/ppp/peers/VPN_Connection where VPN_Connection is the exact name of the connection you created in Internet Connection. I had some problems when renaming a connection I made previously. Delete and recreate your connection if you have problems. The contents of the file are below.

[ /etc/ppp/peers/VPN_Connection ]
ipparam {DOMAIN_NAME}
nodefaultroute

The first line is the domain suffix for your VPN. If you don't need a domain suffix (or don't care) then you will have to modify these files accordingly, or use another solution in this forum. The next file you need to create is /etc/ppp/ip-up (and /etc/ppp/ip-down through a symlink to ip-up) with chmod 755. The contents of this file are below.

[ /etc/ppp/ip-up ]
#!/bin/sh

DOMAIN=$6
NETMASK=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $1,$2,$3}'`
REVERSE=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $3,$2,$1}'`

if [ `basename $0` = "ip-up" ] ; then
/sbin/route -n add -net $NETMASK $IPREMOTE
echo "search $DOMAIN" > /etc/resolver/$DOMAIN
echo "nameserver $DNS1" >> /etc/resolver/$DOMAIN
echo "nameserver $DNS2" >> /etc/resolver/$DOMAIN
ln -s $DOMAIN /etc/resolver/$REVERSE.in-addr.arpa
else
/sbin/route -n delete -net $NETMASK $IPREMOTE
rm -f /etc/resolver/$DOMAIN
rm -f /etc/resolver/$REVERSE.in-addr.arpa
fi

As you can see this script will handle both connects and disconnects (with the use of a symlink). Read "man pppd" for the command line arguments and variables available in this script, if you feel like modifying it ($6 is the value set above by ipparam). You will also need to change the number of octets used in the netmask for your network. Here I have 255.255.255.0 or /24. If you have a dial-up PPP connection put an if block around the code and pass a new ipparam specific to your dial-up connection (create a file like above in the peers directory for your dial-up connection). I had no need for this so I didn't include it here, but would like to mention it.

Now after you connect you can verify the routing by using "netstat -nr". Also if you would like, look in /etc/resolver for two new files representing the forward and reverse lookup zones for your VPN domain. If you find things incorrect tweak the script.

Known issue:
Although I put the domain name as a search option in my resolver file it has no effect unless it's in resolv.conf (which makes sense, because it doesn't know which domain name to guess). Ex. "ping computer.domain" will resolve but not "ping computer". I might try having the script patch the search line into /etc/resolv.conf, who knows.

I hope this helps someone out there. Feel free to reply if you have any suggestions, I made an error, or left something out.

Eric

Another Solution, Problem Resolved
Authored by: ework on Feb 13, '05 11:54:09PM

Ok I worked up a solution for that known issue from before. I found that if I change the domain option in resolv.conf it allows me to do "ping computer.domain". The new script below, when you connect, will comment out your old domain directive and append a new one. When you disconnect it will remove the new domain directive and uncomment the old one. This eliminates the need to copy the file to a temporary location and copy it back when finished.

[ /etc/ppp/ip-up ] (symlink to /etc/ppp/ip-down)
#!/bin/sh

DOMAIN=$6
NETMASK=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $1,$2,$3}'`
REVERSE=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $3,$2,$1}'`
TMP=/tmp/resolv.conf.$$

if [ `basename $0` = "ip-up" ] ; then
    /sbin/route -n add -net $NETMASK $IPREMOTE
    # edit through a temp file: "cat f | sed ... > f" truncates f before sed reads it
    sed 's/^domain/#domain/' /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    echo "domain $DOMAIN" >> /etc/resolv.conf
    echo "nameserver $DNS1" > /etc/resolver/$DOMAIN
    echo "nameserver $DNS2" >> /etc/resolver/$DOMAIN
    ln -s $DOMAIN /etc/resolver/$REVERSE.in-addr.arpa
else
    /sbin/route -n delete -net $NETMASK $IPREMOTE
    grep -v "domain $DOMAIN" /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    sed 's/^#domain/domain/' /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    rm -f /etc/resolver/$DOMAIN
    rm -f /etc/resolver/$REVERSE.in-addr.arpa
fi
rm -f $TMP

Eric

Avoid creating PPTP default routes
Authored by: ework on Feb 14, '05 05:41:22PM

Sorry I made an error again. I tried these scripts on a new network that only gives one DNS value. I have fixed the script for these situations below.

[ /etc/ppp/ip-up ]
#!/bin/sh

DOMAIN=$6
NETMASK=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $1,$2,$3}'`
REVERSE=`echo $IPLOCAL | awk -F. '{OFS = "."}{print $3,$2,$1}'`
TMP=/tmp/resolv.conf.$$

if [ `basename $0` = "ip-up" ] ; then
    /sbin/route -n add -net $NETMASK $IPREMOTE
    # edit through a temp file: "cat f | sed ... > f" truncates f before sed reads it
    sed 's/^domain/#domain/' /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    echo "domain $DOMAIN" >> /etc/resolv.conf
    echo "nameserver $DNS1" > /etc/resolver/$DOMAIN
    # some networks hand out only one DNS server
    if [ "$DNS2" != "" ] ; then
        echo "nameserver $DNS2" >> /etc/resolver/$DOMAIN
    fi
    ln -s $DOMAIN /etc/resolver/$REVERSE.in-addr.arpa
else
    /sbin/route -n delete -net $NETMASK $IPREMOTE
    grep -v "domain $DOMAIN" /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    sed 's/^#domain/domain/' /etc/resolv.conf > $TMP && cat $TMP > /etc/resolv.conf
    rm -f /etc/resolver/$DOMAIN
    rm -f /etc/resolver/$REVERSE.in-addr.arpa
fi
rm -f $TMP

Avoid creating PPTP default routes
Authored by: ybizeul on Feb 21, '05 10:33:58AM

That's a **really** great tip.
By the way, I found the resolver does not always seem to update itself with the new file in /etc/resolver.
When that happens, renaming the file to .tmp, then moving it back to the right name, seems to solve the issue.
I tried to touch the file or touch the directory without success.

The only thing I did to make it work is generating the file in /tmp, then mv it to /etc/resolver.

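An added example, not ework's, ybizeul's or Apple's code, that turns the ip-up/ip-down scripts above into checked building blocks: pppd's IPLOCAL, IPREMOTE, DNS1 and DNS2 and the ipparam value in $6 are negotiated with the VPN server, so they are validated before they reach route(8) or become file names under /etc/resolver, and resolver files are written to a temp file and renamed into place (the rename ybizeul found necessary) instead of being edited with "cat f | sed > f". Function names, corp.example and the 10.0.1.x addresses are assumptions; the dispatch at the end only acts when the file is installed as /etc/ppp/ip-up or its ip-down symlink.

```shell
#!/bin/sh
# Constructed example for a checked ip-up/ip-down; not the site's or Apple's
# code. pppd exports IPLOCAL, IPREMOTE, DNS1 and DNS2 to these scripts and
# passes the peers-file "ipparam" value as $6 (man pppd). All of them come
# from the VPN server, so nothing here uses them unchecked.

# is_ipv4 ADDR: true only for a plain dotted quad with octets 0..255
# (subshell body keeps the IFS change local to the function)
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '' | *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

# is_domain NAME: letters, digits, dots and hyphens, no empty labels. The
# name becomes a file name in /etc/resolver, so "../x" or "a b" must fail.
is_domain() {
    case $1 in
        '' | .* | *. | *..* | *[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# net24 ADDR: the /24 the address sits in, in the abbreviated form
# route(8) accepts, e.g. 10.0.1.5 -> 10.0.1 ("-net 10.0.1" is 10.0.1.0/24)
net24() { printf '%s\n' "${1%.*}"; }

# rev24 ADDR: matching reverse zone, e.g. 10.0.1.5 -> 1.0.10.in-addr.arpa
rev24() (
    IFS=.
    set -- $1
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
)

# write_atomic FILE: stdin -> temp file -> rename. "cat f | sed > f"
# truncates f before sed reads it; a rename also gives the resolver one
# complete file to notice, which is what ybizeul found necessary above.
write_atomic() {
    tmp="$1.tmp.$$"
    cat > "$tmp" && mv "$tmp" "$1"
}

# check_peer DOMAIN: every value ip-up/ip-down will act on, checked first
check_peer() {
    is_domain "$1" && is_ipv4 "$IPLOCAL" && is_ipv4 "$IPREMOTE" \
        && is_ipv4 "$DNS1" && { [ -z "$DNS2" ] || is_ipv4 "$DNS2"; }
}

# install_resolver DIR DOMAIN LOCALIP NS...: forward file plus reverse link
install_resolver() {
    dir=$1 dom=$2 local_ip=$3
    shift 3
    is_domain "$dom" && is_ipv4 "$local_ip" || return 1
    for ns in "$@"; do is_ipv4 "$ns" || return 1; done
    for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done \
        | write_atomic "$dir/$dom" && ln -sf "$dom" "$dir/$(rev24 "$local_ip")"
}

# remove_resolver DIR DOMAIN LOCALIP: undo install_resolver
remove_resolver() {
    is_domain "$2" && is_ipv4 "$3" || return 1
    rm -f "$1/$2" "$1/$(rev24 "$3")"
}

# Dispatch only when pppd runs this file as ip-up or the ip-down symlink;
# a rejected peer value is logged and nothing is applied.
case $(basename "$0") in
ip-up)
    check_peer "$6" || { echo "ip-up: rejected peer values" >&2; exit 1; }
    /sbin/route -n add -net "$(net24 "$IPLOCAL")" "$IPREMOTE"
    install_resolver /etc/resolver "$6" "$IPLOCAL" "$DNS1" ${DNS2:+"$DNS2"}
    ;;
ip-down)
    check_peer "$6" || { echo "ip-down: rejected peer values" >&2; exit 1; }
    /sbin/route -n delete -net "$(net24 "$IPLOCAL")" "$IPREMOTE"
    remove_resolver /etc/resolver "$6" "$IPLOCAL"
    ;;
esac
```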
New solution with Tiger!
Authored by: tempel on Apr 13, '05 07:39:12AM

With Tiger (OS X 10.4), it'll be much easier:

After creating your VPN PPTP or L2TP access account using the "Internet Connect" app, choose "Edit Configurations..." from the "Configuration:" popup menu.

In the new window that appears, select your VPN config on the left and then you can choose on the right whether you want to have this account define the default route or not.

New solution with Tiger!
Authored by: ework on Apr 21, '05 05:20:43AM

That's great to hear. I can't wait till my copy arrives.

Avoid creating PPTP default routes
Authored by: kneeslasher on Apr 27, '05 05:43:21AM

Re: Tiger will solve this.

It doesn't. There is still no option to select default route or not.

Avoid creating PPTP default routes
Authored by: emarmite on May 01, '05 02:41:17AM

Yep, it's official, Tiger now allows nodefaultroute option. Just open Internet Connect, select the 'Connect->Options...' menu and uncheck 'Send all traffic over VPN connection'.

No more hacking around with pppd, thanks Apple!

M.

Avoid creating PPTP default routes
Authored by: kingsillini on May 02, '05 11:13:22PM

>>Re: Tiger will solve this.

>>It doesn't. There is still no option to select default route or not.

Not quite right. In tiger, check Internet Connect->Connect menu->Options and uncheck the "Send all traffic over VPN connection". This stops the default route issue.

Avoid creating PPTP default routes
Authored by: kneeslasher on May 11, '05 09:46:59AM

Er, apologies. You're absolutely right. Tiger now means we don't have to use tortuous methods to do split routing, thank goodness.

Avoid creating PPTP default routes - Tiger
Authored by: TheOne on May 28, '05 03:11:38AM
Tiger solves this problem. I thought this deserved to be at the top level. I found it myself and only then noticed it was listed in a reply to a single posting which shows up as a link on this page.
  1. Internet Connect->Connect menu->Options
  2. uncheck Send all traffic over VPN connection
This stops the default route issue. Go Tigers!

Avoid creating PPTP default routes - Tiger
Authored by: ssexton on Aug 08, '05 06:44:10PM

Silly me, I kept looking under the Internet Connect menu for a "Preferences", and in the Edit Configuration for my connection. At least it's there. Now if we can just get Apple to follow their own UI guidelines, we'll be set.

For folks that don't have Tiger, or don't want to do the Perl hack listed above (it's clever, but I wouldn't recommend it), here's the "right" way to get your default route back:

sudo route change default 10.0.1.3

Change the 10.0.1.3 to your gateway IP. You'll have to do this manually every time you up the link, but it'll work. If you're not sure what value to put in there, do netstat -r before you up the link and see what is listed for the "default" route (should be the first one listed).

Avoid creating PPTP default routes
Authored by: scstraus on Jan 03, '07 07:11:52AM

So just to clarify further. In my case I wanted everything from 192.168.0.0 thru 192.168.254.254 to go over vpn so my ip-up contains:

#!/bin/sh
/sbin/route -n add -net 192.168 $IPREMOTE >> /tmp/ppp.log 2>&1

Hope that helps.

---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.

Avoid creating PPTP default routes
Authored by: scstraus on Jan 03, '07 08:07:58AM

The tiger stuff didn't work for me, as I had multiple domains needed and it wouldn't resolve a lot of the names of stuff I need for VPN. I needed greater control, so I'm still using the hint halfway down the comments which I said earlier works perfectly. I am using it on 10.4.8.

I'll describe it here for newbies, because I think it's useful:

Let's assume you work for yahoo.com and you want to route all traffic to your internal network at 192.168.0.0-192.168.254.254 to your private network at yahoo.com, and you want all name resolution at yahoo.com to go through the private nameservers there.

Step 1 - Ping your pptp server, find its IP address, and use that in your PPTP settings in internet connect (don't use hostname). This bypasses DNS lookup when your VPN server is in the same domain as the one you're trying to use private DNS lookup for (since the private DNS servers won't be available when you are connecting to them).

Step 2 - Connect to your existing VPN without any modification

Step 3 - copy /etc/resolv.conf to /etc/resolver/yahoo.com (where yahoo.com is the domain you want to resolve using the VPN's DNS servers).

Step 4 - Disconnect from your VPN

Step 5 - type the following command:

cat /etc/resolv.conf

copy the resulting output to the end of the file /etc/resolver/yahoo.com that you made earlier. This allows for DNS lookup to use your standard resolvers should the private ones not be available for that domain (such as when your VPN server is in the same domain).

Step 6 - Say you've used Internet Connect to create a new VPN 'My_VPN' (yes, that underscore is important). To suppress default route allocation create a file called

/etc/ppp/peers/My_VPN

inside that file, put only the line

nodefaultroute

You can't put this in the global options (/etc/ppp/peers) because a configuration error results.

Step 7 -
Then, to patch up routing you need an ip-up script file and an ip-down script file. Here, we assume that you want to route all traffic between addresses 192.168.0.0 and 192.168.254.254 over the VPN, and also all traffic between 10.10.10.0 and 10.10.10.254 .

create the file /etc/ppp/ip-up and include the following lines:

#!/bin/sh
/sbin/route -n add -net 192.168 $IPREMOTE >> /tmp/ppp.log 2>&1
/sbin/route -n add -net 10.10.10 $IPREMOTE >> /tmp/ppp.log 2>&1

now create the file /etc/ppp/ip-down and include the following lines:

#!/bin/sh
route -n delete -net 192.168 $IPREMOTE >> /tmp/ppp.log 2>&1
route -n delete -net 10.10.10 $IPREMOTE >> /tmp/ppp.log 2>&1

Don't forget to make them both executable by entering the command

chmod +x /etc/ppp/ip-up /etc/ppp/ip-down

Step 8 - Sit back and enjoy watching all your filesharing and porn downloads go over your standard internet connection while only work related stuff goes over the VPN.

---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.

One more thing based on my above comment
Authored by: scstraus on Jan 04, '07 02:37:17AM

Also do the reverse lookup

ln -s /etc/resolver/yahoo.com /etc/resolver/10.10.10.in-addr.arpa
ln -s /etc/resolver/yahoo.com /etc/resolver/168.192.in-addr.arpa

(make sure and reverse the order of the IP address sections so they're backwards).



Also, I was kinda being stupid by using the IP address or doing what I did in step 5. Much better is to be disconnected from the VPN and simply do the following:

cp /etc/resolv.conf /etc/resolver/vpn.yahoo.com

where vpn.yahoo.com is the full hostname of your vpn server you are connecting to.

This way it will use your normal resolvers for that host, but the private network's ones for the rest of the domain.

Duh. Don't know what I was thinking.



---
I came into this game for the action, the excitement. Go anywhere, travel light, get in, get out, wherever there's trouble, a man alone.
