Articles March 18, 2005 at 1:59 pm

Split routing for VPNs

We are getting ready to roll out laptops to bunches of faculty and staff. The Windows VPN server and the Windows laptops play well with each other, and the Windows laptops even have a little check box that you can check to tell them NOT to use the default gateway on the remote host. The Macs have no such "little check box".

Ed. Note: This is only of use if you are NOT using OS X Server as your VPN server.

Fixing the split routing issue


So – what to do and where to do it?

All of this is taken from Macosxhints and the links found there, from some Cisco manuals, and from liberal use of the netstat -rn command.

What I mostly need help vetting is this:
a) Is Kicker.bundle "safe" to tinker with for a large-scale deployment? Are Apple incremental updates likely to "whack" my changes, requiring further system touching?

b) I’m NOT a brilliant programmer – is there a better/faster/safer way to implement this?

c) would YOU want to deploy something like this to potentially hundreds of laptops with YOUR name on it?


first make a "proper" local directory (if it doesn’t already exist)

sudo mkdir -p /usr/local/bin

now let’s create our shell script

sudo touch /usr/local/bin/fix_vpn_routing.sh

set the ownership to root
sudo chown root:wheel /usr/local/bin/fix_vpn_routing.sh

set the permissions so that it is better "protected"
sudo chmod 755 /usr/local/bin/fix_vpn_routing.sh

now let's edit/copy the script

sudo pico /usr/local/bin/fix_vpn_routing.sh
(now copy/paste the script below into the terminal window with pico running)

#!/bin/sh
#
# fix_vpn_routing.sh
#
# Author: Daniel Giribet
# Improvement over shell script published by 'Anonymous' on macosxhints.com
# 'silas' perl script did not work for me, so I use this one.
# Though the script is trivial, use at your own risk.
#
# Changes RMLeonard 7 March 2005: fix ppp.log parsing for OS X Panther 10.3
# Also added breakout logic for exiting and annotations and descriptions for logging
#
# Variables
#
PPP_LOG=/var/log/ppp.log
# The first UHLW (resolved neighbour) entry in the routing table is taken to be the LAN gateway
default_=$(/usr/sbin/netstat -nr | /usr/bin/grep ' UHLW ' | /usr/bin/head -1 | awk '{print $1}')
# The newest "remote IP address" line in ppp.log carries the VPN peer address as its last word
remote_vpn_str=$(/usr/bin/tail -5 $PPP_LOG | /usr/bin/grep 'remote IP address')
n=$(echo $remote_vpn_str | /usr/bin/wc -w | /usr/bin/tr -d '\n' | /usr/bin/tr -d ' ')
remote_vpn=$(echo $remote_vpn_str | awk '{print $'$n'}')
# Network to send over the tunnel: the first two octets of the peer address (a /16)
mask=$(echo $remote_vpn | /usr/bin/sed -e 's/\./ /g' | awk '{print $1"."$2".0.0"}')
#
# begin
#
# Check to see if there is a remote IP address; if not, exit
if [ "$remote_vpn" = "" ]; then
    /usr/bin/logger "No remote VPN - exiting"
    exit 0
fi
#
# logger sends the message to the /var/log/system.log file
/usr/bin/logger "Remote Route Detected: modifying routes..."
/usr/bin/logger "deleting $remote_vpn"
/sbin/route delete default $remote_vpn

/usr/bin/logger "adding $default_"
/sbin/route add default $default_

/usr/bin/logger "adding $mask $remote_vpn"
/sbin/route add $mask $remote_vpn

/usr/bin/logger "Remote Route Repaired: Split Routing Enabled or Removed"
#
# end script
#

save and exit

Part two –
make the following change to the set-hostname script in the Kicker.bundle as follows:

sudo pico /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/set-hostname

before the last line "exit 0" add the following lines:

logger "fixing VPN routing if need be"
/usr/local/bin/fix_vpn_routing.sh

save and exit

This will invoke the fix_vpn_routing script every time the network host_id changes, which happens as the VPN comes up, and the script will check whether the default route needs "tweaking".
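As an added example that is not part of this post or of the macosxhints script: a dry-run harness that applies the same three parsing rules the script relies on (peer address from the last "remote IP address" line of ppp.log, a /16 built from the peer's first two octets, the first UHLW routing-table entry taken as the LAN gateway) to constructed sample text, and prints the route commands it would run instead of running them. The function names, the ppp.log excerpt and the netstat -nr excerpt are all constructed here; nothing touches the routing table, so it can be used to check what the real script would do on a given laptop before rolling it out.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the parsing rules of
# fix_vpn_routing.sh against sample text and print the planned route commands.
# All sample data below is constructed for illustration.

# Constructed excerpt of /var/log/ppp.log after a PPTP session comes up.
SAMPLE_PPP_LOG='Fri Mar 18 13:59:01 2005 : PPTP connection established.
Fri Mar 18 13:59:02 2005 : local  IP address 192.168.50.17
Fri Mar 18 13:59:02 2005 : remote IP address 10.20.0.1
Fri Mar 18 13:59:02 2005 : primary   DNS address 10.20.0.5'

# Constructed excerpt of "netstat -nr" on a home LAN whose router is 172.16.1.1.
SAMPLE_NETSTAT='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.20.0.1          UGSc        0        0   ppp0
10.20.0.1          192.168.50.17      UH          1        0   ppp0
172.16.1/24        link#4             UCS         2        0    en0
172.16.1.1         0:1:2:3:4:5        UHLW        3       96    en0   1196
172.16.1.40        0:a:b:c:d:e        UHLW        0        2    en0   1150'

# Peer address = last word of the newest "remote IP address" line in the log tail.
remote_vpn_from_log() {
    # $1 = ppp.log text; only the tail is inspected so older sessions are ignored
    printf '%s\n' "$1" | tail -5 | grep 'remote IP address' | tail -1 | awk '{print $NF}'
}

# The script keeps the peer's first two octets and routes that /16 over the tunnel.
# (This /16 assumption is the script's own; a real deployment should carry the
# actual list of office prefixes instead.)
vpn_net_from_peer() {
    printf '%s\n' "$1" | awk -F. '{print $1"."$2".0.0"}'
}

# First UHLW (resolved ARP neighbour) entry is assumed to be the LAN gateway,
# the same heuristic the script uses; it holds when the router is the lowest address.
lan_gateway_from_netstat() {
    printf '%s\n' "$1" | grep ' UHLW ' | head -1 | awk '{print $1}'
}

# Print the route commands the script would issue, one per line, without running them.
plan_routes() {
    # $1 = ppp.log text, $2 = netstat -nr text
    peer=$(remote_vpn_from_log "$1")
    if [ -z "$peer" ]; then
        echo "no remote VPN - nothing to do"
        return 0
    fi
    gw=$(lan_gateway_from_netstat "$2")
    net=$(vpn_net_from_peer "$peer")
    printf 'route delete default %s\n' "$peer"
    printf 'route add default %s\n' "$gw"
    printf 'route add %s %s\n' "$net" "$peer"
}

# Stand-alone usage: show the plan for the constructed inputs.
plan_routes "$SAMPLE_PPP_LOG" "$SAMPLE_NETSTAT"
```

Because the functions take their input as text, the same harness can be fed the real output of tail -5 /var/log/ppp.log and netstat -nr from a test laptop and the printed plan compared against what fix_vpn_routing.sh would do, which answers the "would you deploy this to 100 laptops" question with evidence rather than hope. The empty-peer case is the one the script's own exit check covers: with no "remote IP address" line the harness reports that there is nothing to do.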

Thoughts?

Rich


  • I don’t have a Windows server setup right now to check this on, but on
    Mac OS X Server’s VPN setup you can define private routes. Then the
    clients will only send traffic destined for those networks over the VPN
    and just use the existing internet connection for everything else.

    We have an article about how to set this up.


    Breaking my server to save yours.

    Josh Wisenbaker
    http://www.afp548.com

    • Understood – but if you have no control over the SERVER side – only the client
      – does this do the job – and does it do it well enough and safe enough to
      deploy to say 100 laptops?

    • As much as you can define private routes, how do you tell Tiger (or Panther)
      to also query DNS information over the VPN tunnel?

      My issue is that I connect to my office via Windows VPN PPTP tunnel. Where
      I can ping all of the IP addresses fine, all of my DNS requests are performed
      from my local NIC DNS.

      On a MacOS X server VPN, you can setup a Private network, and it happens to
      also route the DNS. (Correct me if I am wrong, but that has been my
      experience).

      Thoughts, Ideas?

  • Actually, to achieve split tunnel routing you must have your VPN connection
    listed below your native network connections in the Network Control Pane. This
    drove me nuts for quite a while, since it isn’t mentioned in the VPN
    documentation.
