I'm running a few services on my Mac at home: Timbuktu, for remote access to my Mac while away from home; accessTunes, for music streaming; ssh shell access; and I'm playing around with the Apache web server now.
Normally, all of these services work fine. I've configured my gateway/router to do all of the appropriate port forwarding. I've also recently set up a dyndns.org account so that I have a domain name for my home system, making access much easier.
However, all of these services used to go to hell when I started up my VPN connection from home into my office network. I could still access these services using other computers on my home network, but from the outside world, nothing would work. This was particularly frustrating if I'd left the VPN running by accident, got to work, wanted to connect home, and couldn't get in -- especially to do the one thing I'd really like to do at that point, which is to shut down the VPN.
I finally figured out what was going on: All of these services were happily listening on their assigned ports for incoming connections on both my LAN IP (through which all WAN access arrives) and on the VPN-assigned IP. But, when these services sent replies, they tried to reply back through the VPN to every client with a non-LAN IP address -- in other words, a request comes in one pipe, but the reply to that request gets sent out down a different pipe, and never gets received. What I really want to happen is for all replies to go out via the LAN IP except those which are replies to clients with IP addresses associated with other systems on the VPN.
I eventually came up with a perl script to solve the problem. There's still a momentary drop out in network activity as I connect to my VPN (iChat will disconnect), but I'm automatically and nearly instantly re-routing traffic the way I want it to go. Connecting to my company VPN now means access to the company network without that network becoming my primary IP network at the expense of web services I want to keep running from my home computer, and out through my home ISP. There are other benefits too, like being able to surf the web or chat while using the company VPN, and not having my web surfing and personal conversations going through the company network.
Logged in as root (not necessary, but convenient), I placed the above code in /Library/VPNHack/vpn_fix.pl and set it to be executable via chmod. I added the necessary XML (as noted in the comments in the script) to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml, making a back-up of the original called Kicker.xml.orig, which I left in the same directory.
After doing the above, a reboot was needed to complete the task. The Perl script can then be tweaked afterwards without having to reboot.
I'm no Unix guru, but I'm getting the impression that on a typical Unix system, doing the route add/route change commands once from a command line might have been enough. But OS X has its own ideas about automatically reconfiguring your routing tables, so you have to hook into that automatic process to apply and reapply the routing changes you want to make as needed.
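As an added illustration of the route add/route change logic the hint describes (this is not the author's vpn_fix.pl, and the Kicker.xml hook that triggers it is left as described above), here is a small Perl script that parses `netstat -rn`, and, when the default route has been taken over by the VPN tunnel, hands the default route back to the home LAN gateway and adds a single network route so that only the office subnet continues through the tunnel. The LAN gateway address, the tunnel interface name (ppp0) and the office subnet are assumptions, as is the embedded sample routing table; adjust them for your own network. Without `--apply` the script only prints the commands it would run, which is the safe way to check its decisions before letting a reboot-time hook execute it.

```perl
#!/usr/bin/perl
# Added example, not the hint author's vpn_fix.pl: keep the home LAN as the
# default route while a VPN is up, routing only the office subnet through it.
# The three values below are assumptions; change them to match your network.
use strict;
use warnings;

my $LAN_GATEWAY = '192.168.1.1';   # assumed: home router's LAN address
my $VPN_IFACE   = 'ppp0';          # assumed: interface the VPN tunnel uses
my $VPN_SUBNET  = '10.20.0.0/16';  # assumed: office network that must stay on the VPN

# Constructed sample of `netstat -rn` output after the VPN has grabbed the
# default route (all addresses are made up); used with --sample.
my $SAMPLE = <<'END';
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.20.0.1          UGSc       10        0   ppp0
10.20.0.1          10.20.5.7          UH          1        0   ppp0
127                127.0.0.1          UCS         0        0    lo0
192.168.1          link#4             UCS         3        0    en0
192.168.1.1        0:11:22:33:44:55   UHLW       12     4093    en0   1164
END

# Turn `netstat -rn` text into a list of {dest, gw, iface} records, keeping
# only IPv4 routes whose gateway is an address (link# and MAC entries are skipped).
sub parse_routes {
    my ($text) = @_;
    my @routes;
    for my $line (split /\n/, $text) {
        my @f = split ' ', $line;
        next unless @f >= 6
            && $f[0] =~ /^(?:default|\d)/
            && $f[1] =~ /^\d+(?:\.\d+){3}$/;
        push @routes, { dest => $f[0], gw => $f[1], iface => $f[5] };
    }
    return @routes;
}

# netstat abbreviates 10.20.0.0/16 as 10.20/16; produce that form for comparison.
sub bsd_net_name {
    my ($cidr) = @_;
    my ($net, $len) = split m{/}, $cidr;
    $net =~ s/(?:\.0)+$//;
    return "$net/$len";
}

# Decide which route commands are needed for the given routing table.
# Returns an empty list when the LAN gateway already owns the default route,
# so the script is safe to run repeatedly (e.g. every time OS X rewrites routes).
sub plan_commands {
    my ($text) = @_;
    my @routes = parse_routes($text);
    my ($default) = grep { $_->{dest} eq 'default' } @routes;
    return () unless $default && $default->{iface} eq $VPN_IFACE;

    my @cmds = ("route change default $LAN_GATEWAY");
    # The VPN peer that was acting as default gateway still carries the office subnet.
    my $vpn_gw = $default->{gw};
    my $short  = bsd_net_name($VPN_SUBNET);
    my $have   = grep { $_->{dest} eq $VPN_SUBNET || $_->{dest} eq $short } @routes;
    push @cmds, "route add -net $VPN_SUBNET $vpn_gw" unless $have;
    return @cmds;
}

unless (caller) {    # run as a script; skipped when the file is loaded by a test
    my $apply  = grep { $_ eq '--apply' } @ARGV;
    my $sample = grep { $_ eq '--sample' } @ARGV;
    my $text   = $sample ? $SAMPLE : `netstat -rn`;
    for my $cmd (plan_commands($text)) {
        print "$cmd\n";
        if ($apply) {
            system($cmd) == 0 or warn "failed: $cmd\n";
        }
    }
}
```

Running `perl vpn_fix_example.pl --sample` prints `route change default 192.168.1.1` followed by `route add -net 10.20.0.0/16 10.20.0.1`; running it with `--apply` as root executes them against the live table. Because the script does nothing once en0 already owns the default route, it can be re-run every time OS X rewrites the routing table without fighting its own earlier changes.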
Mac OS X Hints
http://hints.macworld.com/article.php?story=20050906210114366