
10.3: Split routing with PPTP in Panther Network

I periodically need to use PPTP to access my systems inside a firewall, but want the rest of my traffic to go through my normal default route. To do this, I need to invoke pppd with the "nodefaultroute" option and have an ip-up script add a route to the private network.

The Internet Connect client provides a nice wrapper around pppd, but insists on setting all of its options on the command line, overriding those in the /etc/ppp/options file. While it is possible to ignore the Internet Connect.app, with Panther it is even more attractively integrated into the interface. To do this, we must set the mysterious "serviceid" parameter in our pppd parameters.

[robg adds: You're on your own with this one; I'm not even going to pretend to have tested it, as it's well beyond anything I do from a network perspective.]

We must first have a working PPTP configuration for Internet Connect. Having this, we need to find the parameters it sends to pppd. To do this, use your favorite text editor (vi, pico), and create /etc/ppp/options with the following:
debug
dump
The file should be owned by root and only readable by root. Having done this, connect to the VPN and examine the Connection Log window; it will contain a complete list of all parameters passed to pppd:

Thu Jan  8 22:12:37 2004 : pppd options in effect:
Thu Jan  8 22:12:37 2004 : debug                # (from )
Thu Jan  8 22:12:37 2004 : nodetach          # (from command line)
Thu Jan  8 22:12:37 2004 : logfile /tmp/ppp.log          # (from command line)
Thu Jan  8 22:12:37 2004 : dump          # (from )
Thu Jan  8 22:12:37 2004 : plugin /System/Library/SystemConfiguration/PPPController.bundle/Contents/PlugIns/PPPDialogs.ppp           # (from command line)
Thu Jan  8 22:12:37 2004 : plugin PPTP.ppp               # (from command line)
Thu Jan  8 22:12:37 2004 : optionsfd 0           # (from command line)
Thu Jan  8 22:12:37 2004 : remoteaddress ###.###.###.###         # (from command line)
Thu Jan  8 22:12:37 2004 : noauth                # (from command line)
Thu Jan  8 22:12:37 2004 : refuse-eap            # (from command line)
Thu Jan  8 22:12:37 2004 : user ########         # (from command line)
Thu Jan  8 22:12:37 2004 : password ??????               # (from command line)
Thu Jan  8 22:12:37 2004 : noaskpassword         # (from command line)
Thu Jan  8 22:12:37 2004 : serviceid B926722E-2D9E-11D8-A90F-000393B8F328              # (from command line)
Thu Jan  8 22:12:37 2004 : pptp-tcp-keepalive 60         # (from command line)
Thu Jan  8 22:12:37 2004 : mru 1500              # (from command line)
Thu Jan  8 22:12:37 2004 : mtu 1448              # (from command line)
Thu Jan  8 22:12:37 2004 : lcp-echo-failure 5            # (from command line)
Thu Jan  8 22:12:37 2004 : lcp-echo-interval 60          # (from command line)
Thu Jan  8 22:12:37 2004 : receive-all           # (from command line)
Thu Jan  8 22:12:37 2004 : novj          # (from command line)
Thu Jan  8 22:12:37 2004 : ipcp-accept-local             # (from command line)
Thu Jan  8 22:12:37 2004 : ipcp-accept-remote            # (from command line)
Thu Jan  8 22:12:37 2004 : ipparam 192.168.0.1           # (from command line)
Thu Jan  8 22:12:37 2004 : noipdefault           # (from command line)
Thu Jan  8 22:12:37 2004 : defaultroute          # (from command line)
Thu Jan  8 22:12:37 2004 : usepeerdns            # (from command line)
Thu Jan  8 22:12:37 2004 : :             # (from command line)
Thu Jan  8 22:12:37 2004 : ip-src-address-filter 2               # (from command line)
Thu Jan  8 22:12:37 2004 : +ipv6         # (from command line)
Thu Jan  8 22:12:37 2004 : ipv6cp-use-persistent         # (from command line)
Thu Jan  8 22:12:37 2004 : noccp         # (from command line)
Copy all of these lines (removing the timestamps) to a file in /etc/ppp/peers with a name distinct from that of the connection name in Internet Connect. I'll refer to this file as MYVPN. Edit this file to make the following changes:
  1. remove the "password" line
  2. change "defaultroute" to "nodefaultroute"
  3. remove the "usepeerdns" line
  4. remove the "nodetach" line
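The following converter is an added example, not part of the original hint: it takes a pasted Connection Log dump, strips the timestamps and "(from ...)" origins, joins options the log window wrapped onto a second line, and applies the four edits above so the password never lands in the peers file. The sample log, user name, remote address and serviceid below are constructed placeholders.

```python
import re

# Constructed sample in the layout of the Internet Connect "Connection Log" dump
# (timestamps, user, remoteaddress and serviceid are made-up placeholders).
SAMPLE_LOG = """\
Thu Jan  8 22:12:37 2004 : pppd options in effect:
Thu Jan  8 22:12:37 2004 : debug                # (from )
Thu Jan  8 22:12:37 2004 : nodetach          # (from command line)
Thu Jan  8 22:12:37 2004 : plugin PPTP.ppp               # (from command line)
Thu Jan  8 22:12:37 2004 : remoteaddress 203.0.113.10         # (from command line)
Thu Jan  8 22:12:37 2004 : user alice         # (from command line)
Thu Jan  8 22:12:37 2004 : password ??????               # (from command line)
Thu Jan  8 22:12:37 2004 : serviceid 00000000-0000-0000-0000-000000000000
   # (from command line)
Thu Jan  8 22:12:37 2004 : ipparam 192.168.0.1           # (from command line)
Thu Jan  8 22:12:37 2004 : defaultroute          # (from command line)
Thu Jan  8 22:12:37 2004 : usepeerdns            # (from command line)
Thu Jan  8 22:12:37 2004 : :             # (from command line)
"""

TS_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : (.*)$")
ORIGIN_RE = re.compile(r"\s*#\s*\(from[^)]*\)\s*$")
# The password belongs in root-only chap-secrets; usepeerdns/defaultroute would
# push DNS and all traffic into the tunnel; nodetach keeps pppd in the foreground.
DROP = {"password", "usepeerdns", "nodetach"}
REPLACE = {"defaultroute": "nodefaultroute"}

def log_to_peers(log_text):
    """Return the /etc/ppp/peers lines for split routing, built from the log dump."""
    options = []
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if m:
            if m.group(1).strip().endswith("options in effect:"):
                continue                      # header line, not an option
            options.append(m.group(1).strip())
        elif raw.strip() and options:
            options[-1] += " " + raw.strip()  # log window wrapped a long option
    peers = []
    for opt in options:
        opt = ORIGIN_RE.sub("", opt).strip()
        name = opt.split()[0] if opt else ""
        if not name or name in DROP:
            continue
        peers.append(REPLACE.get(name, opt))
    return peers
```

Write the returned lines to the MYVPN peers file (root-owned, mode 0600) and keep the credentials only in chap-secrets.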
Next, create a file /etc/ppp/chap-secrets (or, shudder, /etc/ppp/pap-secrets) with the username and password that you used in Internet Connect:
myname * mypassword *
Again, the file should be owned by root and readable only by root. Finally, create an ip-up script. You need a little bit of insight here, as you want to add a route to the VPN network. My VPN uses the 170.212.xxx.xxx address space, so I have:
#!/bin/sh -
/sbin/route add -net 170.212 $5
The $5 takes the parameter set in ipparam, which should be your normal gateway. This script should be executable. Having done all of this, the connection can be brought up from the command line:
%pppd call MYVPN
and taken down by Internet Connect. Bear in mind that when you do this, you are exposing the VPN to the risk of being connected to the unwashed internet, so it probably is good to have a firewall protecting your machine.
10.3: Split routing with PPTP in Panther
Authored by: gpan on Jan 21, '04 05:56:28PM

This older hint does basically the same thing:

http://www.macosxhints.com/article.php?story=20030313194656474&query=split+routing

User space PPTP
Authored by: nyarlathotep on Jan 22, '04 12:19:17AM

What is a good user space PPTP server? I used to just use ssh & slirp, but that stopped working with the upgrade to Panther (new pppd broke slirp). Anyway, I need a user space server to run on a machine I do not have root on, to provide internet access.

10.3: Split routing with PPTP in Panther
Authored by: emarmite on Feb 02, '04 04:28:29PM
All the solutions I've seen, including this one and the one referred to above, don't cope well if the other end changes any parameters. As a result, I prefer this version.

However, this suffers from the need to add the routing for your VPN network manually, which is a real bore. Thanks to this tip, I can now get ip-up working correctly. Previously, the script would run but somehow the route changes would be forgotten. Now they are remembered.

So, personally, I would recommend the hint I've listed above and then create an ip-up script as shown but with your own parameters in.

M.

10.3: Split routing with PPTP in Panther
Authored by: scstraus on Aug 20, '04 10:45:02AM

I agree with the above post. The last procedure described in the thread linked in the above post is the correct way to do it and everyone should do it that way :). The method listed at the beginning of the linked thread is not as good as the one at the end of the thread.
