Use a VPN without it taking over the network Network
I'm running a few services on my Mac at home: Timbuktu, for remote access to my Mac while away from home; accessTunes, for music streaming; ssh shell access; and I'm playing around with the Apache web server now.

Normally, all of these services work fine. I've configured my gateway/router to do all of the appropriate port forwarding. I've also recently set up a dyndns.org account so that I have a domain name for my home system, making access much easier.

However, all of these services used to go to hell when I started up my VPN connection from home into my office network. I could still access these services using other computers on my home network, but from the outside world, nothing would work. This was particularly frustrating if I'd left the VPN running by accident, got to work, wanted to connect home, and couldn't get in -- especially to do the one thing I'd really like to do at that point, which is to shut down the VPN.

I finally figured out what was going on: All of these services were happily listening on their assigned ports for incoming connections on both my LAN IP (through which all WAN access arrives) and on the VPN-assigned IP. But when these services sent replies, they tried to reply back through the VPN to every client with a non-LAN IP address. In other words, a request comes in one pipe, but the reply to that request gets sent out down a different pipe and never gets received. What I really want to happen is for all replies to go out via the LAN IP, except those which are replies to clients with IP addresses belonging to other systems on the VPN.

I eventually came up with a perl script to solve the problem. There's still a momentary drop out in network activity as I connect to my VPN (iChat will disconnect), but I'm automatically and nearly instantly re-routing traffic the way I want it to go. Connecting to my company VPN now means access to the company network without that network becoming my primary IP network at the expense of web services I want to keep running from my home computer, and out through my home ISP. There are other benefits too, like being able to surf the web or chat while using the company VPN, and not having my web surfing and personal conversations going through the company network.

Logged in as root (not necessary, but convenient), I placed the above code in /Library/VPNHack/vpn_fix.pl and set it to be executable via chmod. I added the necessary XML (as noted in the comments in the script) to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml, making a back-up of the original called Kicker.xml.orig, which I left in the same directory.

After doing the above, a reboot was needed to complete the task. The Perl script can then be tweaked afterwards without having to reboot.

I'm no Unix guru, but I'm getting the impression that on a typical Unix system, doing the route add/route change commands once from a command line might have been enough. But OS X has its own ideas about automatically reconfiguring your routing tables, so you have to hook into that automatic process to apply and reapply the routing changes you want to make as needed.
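The hint's own Perl script is not reproduced on this page, so here is an added shell example (not the author's code) of the route add/route change step it describes: put the default route back on the home LAN gateway and send only the office subnets through the tunnel, so replies to Internet clients leave via the home router again. It assumes the VPN shows up as a PPP interface (ppp0), that the commands run as root, and it uses the 172.16/17/18 subnets mentioned in the comments; the LAN gateway address is a constructed sample. It also includes a small parser for `route -n get default` output so a caller can tell whether the tunnel has taken over the default route. Because OS X rewrites the routing table on its own, the function still has to be re-run from a hook such as the Kicker.xml entry the hint describes.

```shell
#!/bin/sh
# Added example, not the hint author's Perl script.
# Assumptions: VPN interface is ppp0, commands run as root, subnets are
# the 172.16/17/18 ranges named in the comments; 192.168.1.1 is constructed.

# Emit the route(8) commands needed after the VPN comes up.
# $1 = LAN gateway IP, $2 = VPN interface, $3.. = VPN subnets in CIDR form.
vpn_fix_commands() {
  lan_gw=$1
  vpn_if=$2
  shift 2
  # Replies to Internet clients must leave through the home router again,
  # so the default route goes back to the LAN gateway.
  printf 'route -n change default %s\n' "$lan_gw"
  # Only traffic for the office subnets is sent down the tunnel.
  for net in "$@"; do
    printf 'route -n add -net %s -interface %s\n' "$net" "$vpn_if"
  done
}

# Extract the interface name from the output of `route -n get default`
# (macOS/BSD format), to check whether the tunnel has become the default route.
default_iface_from() {
  printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# Dry run unless VPN_FIX_APPLY=1; with it, execute each command (needs root).
vpn_fix() {
  if [ "${VPN_FIX_APPLY:-0}" = 1 ]; then
    vpn_fix_commands "$@" | while IFS= read -r cmd; do
      $cmd || echo "failed: $cmd" >&2
    done
  else
    vpn_fix_commands "$@"
  fi
}
```

Run `vpn_fix 192.168.1.1 ppp0 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16` to see the commands it would issue; set `VPN_FIX_APPLY=1` to have it apply them. Compare `default_iface_from "$(route -n get default)"` before and after to confirm the default route has moved back off the tunnel.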

Use a VPN without it taking over the network | 13 comments
Use a VPN without it taking over the network
Authored by: mstolove on Sep 09, '05 12:46:29PM

Handy tip, but this can be a security risk and expose your corporate network to any compromised services or trojans that may be running on the client. It's less of an issue with Macs, but I do not allow my Windows clients to connect in this manner.



Use a VPN without it taking over the network
Authored by: Loren on Sep 09, '05 12:52:39PM

I agree. You are endangering your corporate network if you keep the VPN connected, and still allow incoming Timbuktu connections over your regular network connection.

However, is there a reason, with the VPN connected, you couldn't Timbuktu into your home machine from within the corporate net?

I can normally Timbuktu into my home machine using my cable modem's IP address. But if I leave my computer VPN'd into my company, then I can Timbuktu in using the internal 192.168 address that the VPN assigns my home computer.



Use a VPN without it taking over the network
Authored by: jvr on Sep 09, '05 02:09:03PM

But that option (connect using VPN-assigned IP) still presents an inconvenience, because the user cannot use his/her "dyndns.org" domain name to establish the connection. Suppose you leave your VPN client running on your home Mac, but you forget to make note of what IP address the VPN has assigned your Mac. Then, if you try to connect to home from the office, you're out of luck.

Personally, I always log out of my Mac at home when I'm done using it (thereby quitting the VPN client), so I have not run into this problem.



Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 10, '05 12:06:12AM
But that option (connect using VPN-assigned IP) still presents an inconvenience, because the user cannot use his/her "dyndns.org" domain name to establish the connection

When he turns on the VPN, he changes the primary network interface to the VPN-IP. The DNS-update client will report this change to dyndns.org, and his domain name will return the VPN IP.

This assumes he isn't using a router with the DNS-update client set to check the external IP number. I don't know what it will return in that case (probably a number from the VPN server).


Use a VPN without it taking over the network
Authored by: kshetline on Sep 10, '05 09:58:11PM

(My apologies if this is an extra repost -- I didn't see the first reply attempt show up.)

First of all, I do use the built-in dynamic DNS support in my router for dyndns.org, rather than DDNS client software on one of my computers, so the resolution of my personal domain wouldn't get changed by hooking up to my company VPN, no matter how I have the VPN connection configured.

But even if I was using client software instead of my router, consider this:

Suppose my IP on the VPN is 172.18.99.99
Suppose the WAN-facing IP for my computer -- along with many other computers at the office sharing the same WAN-facing IP -- is 42.43.44.45.

When the client software phones home to dyndns.org, myhomedomain.org will be mapped to 42.42.44.45.

If someone types http://myhomedomain.org into their web browser, an attempt will be made to connect to 42.43.44.45 at port 80.

The connection attempt then hits my company's router and firewall... and those incoming packets will NOT get routed to 172.18.99.99 and its port 80. Nor will any other attempt to connect to any other ports on my home computer for SSH, Timbuktu, etc. get through, not without convincing my company to poke all of those holes in their firewall and to do all of that special port forwarding just for me and me alone -- that ain't gonna happen.

Further, even if my friendly company sys admin were so obliging, I wouldn't want her to set all of that up for me anyway. I really don't want my personal domain becoming my company's IP address on and off all of the time. Also, while dyndns.org works pretty well, the less remapping of my domain to different IP addresses all of the time -- with all of the propagation delays that can entail -- the better.



Use a VPN without it taking over the network
Authored by: gugod on Sep 09, '05 02:29:47PM

I think you could uncheck the "Send all traffic over VPN connection" option in the Connect/Option box from the menu of "Internet Connect.app".

By default, as the VPN connection is established, the routing table is altered so that all outgoing packets are sent via the VPN interface. This might be the reason for what you mentioned in the text.



Use a VPN without it taking over the network
Authored by: morphis on Sep 10, '05 02:05:09AM

"Send all traffic over VPN connection" is only available on MacOS X 10.4.x



Use a VPN without it taking over the network
Authored by: kshetline on Sep 10, '05 09:29:54PM

I'm the original poster for this VPN hint... I hadn't gotten around to signing up for these forums until now.

I'd set up my VPN connection well before updating to Tiger, and hadn't even thought to see if there were new Internet Connect options available after updating. Even after seeing this tip about "Send all traffic over VPN connection", however, I didn't find the checkbox right away, because I'd first imagined something in the configuration for each particular VPN connection, not a general setting under "Options" in Internet Connect.app for all VPN connections.

At any rate, I gave it a try, and still find the solution I posted best for my needs. With "Send all traffic over VPN connection" unchecked I don't get any DNS resolution on my company network (I'm used to the convenience, for example, of having "myusername.mycompany.com" resolve to the internal IP of my office PC when hooked up to the VPN) and only one of three subnets (172.16.x.x, with 172.17.x.x and 172.18.x.x missing) is properly routed by default. Since I'm mostly interested in the 172.18.x.x subnet, this default configuration isn't helpful.

Of course, I can do a few "add route" commands and whatnot to get things working this way... I did that manually, and it works. But here's the problem: With "Send all traffic" unchecked, Kicker.xml doesn't get kicked.

Unless there's another trick for catching the VPN log-in event (perhaps Kicker.xml is kicked, but I need a different event flag) my current set up, as per the original hint, works best for me.



Use a VPN without it taking over the network
Authored by: beauh on Sep 12, '05 04:18:39AM

The issue lies in the fact that OS X does not support source-based routing. Any traffic that is not link-local is going to be sent out via your default route, which by default is going to be your IPSec tunnel when your VPN connection is active. When he's connecting from work to his home computer, his home machine sees an incoming connection from his office WAN IP: a publicly routable IP, notes that it is not link-local, and then fires the response via default route, straight down the VPN tunnel and ultimately to a destination that's going to drop it. Setting the internal subnet to be the default interface would then make all traffic go out through the NAT router. You're still not going to have a problem on the VPN side, as the company subnet appears to be link-local.

The IPSec tunnel serves well as the default route as it adds a layer of intrusion prevention, leaving your company's site less vulnerable (unless your internal subnet is otherwise compromised). --> enabling this script might piss off yer admin.



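Several commenters (mstolove, Loren, beauh) point out the risk of the hint's set-up: while the tunnel is up, any service that listens on every address is reachable from the corporate side as well as from the Internet. The following added shell example (not from the hint or any commenter) audits that from `netstat -an -p tcp` output in macOS/BSD format, separating listeners bound to the wildcard address from those bound to one specific address; binding a service to the LAN IP alone is the mitigation. The netstat text below is a constructed sample, not captured from a real machine, and the ports (22, 80, 407, 631) are only illustrative.

```shell
#!/bin/sh
# Added example, not from the hint or its comments. Audits which TCP listeners
# would also answer on the VPN-assigned address because they bind to "*".
# SAMPLE_NETSTAT is a constructed stand-in for `netstat -an -p tcp` output.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.20.80        *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.407                  *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     17.0.0.1.443           ESTABLISHED'

# Print the ports of listeners bound to the wildcard address ("*.port").
# These accept connections on the LAN IP and on the VPN IP alike, so they are
# the ones exposed to the office network while the tunnel is up.
wildcard_listeners() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /^\*\./ {
      sub(/^\*\./, "", $4); print $4
    }'
}

# Print "address port" for listeners bound to one specific address.
# The local address column is dotted, so the port is the last component.
bound_listeners() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" && $4 !~ /^\*\./ {
      n = split($4, a, "."); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      print addr, port
    }'
}

# Report on the live system; pass netstat output explicitly to test offline.
audit_listeners() {
  out=${1:-$(netstat -an -p tcp)}
  echo "Listening on all addresses (reachable over the VPN too):"
  wildcard_listeners "$out"
  echo "Bound to a single address:"
  bound_listeners "$out"
}
```

Run `audit_listeners` on the machine, or `audit_listeners "$SAMPLE_NETSTAT"` to see the sample. Anything in the first list that should only be reachable from the Internet (remote-access, streaming, web) is a candidate for binding to the LAN address instead.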
Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 12, '05 06:23:40AM

suggestion:

Set up a second dyndns.org name for the Mac itself (not the router); the first five host names are free. Tell the DNS-update client to report the IP number of the Mac's Ethernet interface (ie, "internal", not "external").

When you are at work, and you find you left VPN running, you use the Mac's dyndns.org lookup to find your IP on the VPN, Timbuktu into your machine, and turn off VPN manually.

No routing magic required. If the DNS has failed to propagate, you can always go to the dyndns.org page and read the VPN IP number.



Use a VPN without it taking over the network
Authored by: kshetline on Sep 12, '05 03:26:31PM
No routing magic required. If the DNS has failed to propagate, you can always go to the dyndns.org page and read the VPN IP number.
No, no, no...

Before I did any hacking or playing with VPN settings at all, reaching my Mac at home was never the issue. I was indeed reaching the Mac -- I could see the packets coming in. The problem lay completely in having the computer at home respond to an external request via the correct route. Imagine that the speaker in the handset of your telephone was hooked up to one telephone number, but the microphone to a different telephone number. Someone calls you, you pick up the phone, you can hear the other guy saying "Hello? Hello?", but he never hears a word you say -- that's what my computer was doing with incoming and outgoing packets.

Further, I could never get back to my computer via the VPN WAN IP, because that IP would be for a whole block of computers at my company, not for my one specific computer, and nothing would reach my home computer via the VPN LAN IP which I'm assigned while connected to the VPN -- not past the company firewall and internal routing.

If you're suggesting that I actually try to make my domain name map to a LAN IP, rather than a WAN IP -- a LAN IP which is only meaningful on my company's network -- that's just weird. I don't even know if that would work -- if dyndns.org would accept a LAN IP and propagate it -- but if it did work, I'd have a domain name which was only useful for people on the company LAN. Anyone else would get the same IP address using my domain name, numerically speaking, but either nothing would be there to respond at that IP for them, or a random server which happened to have the same LAN IP on a different LAN would respond.


Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 18, '05 12:42:49PM
if it did work, I'd have a domain name which was only useful for people on the company LAN.

It does work. You're the only one who would want to use it. It doesn't matter if it's useful to others. (They can use your original dyndns.org name to find your router.)
