Articles March 18, 2005 at 1:59 pm

Split routing for VPNs

We are getting to roll out Laptops to bunches of Faculty and staff and the Windows VPN server and the Windows Laptops play well with each other and the Windows laptops even have a little check box that you can check to tell it to NOT use the default gateway on the remote host. The Macs have no such "little check box".Ed. Note: This is only of use if you are NOT using OS X Server as your VPN server.

Fixing the split routing issue
—–

We are getting to roll out Laptops to bunches of Faculty and staff and the Windows VPN server and the Windows Laptops play well with each other and the Windows laptops even have a little check box that you can check to tell it to NOT use the default gateway on the remote host. The Macs have no such "little check box".

So – what to do and where to do it?

All of this is taken from Macosxhints and links gotten to from there and from some Cisco manuals and liberal use of the netstat -rn command.

What I mostly need help vetting on is this –
a) is Kicker.bundle "safe" to tinker with for a large scale deployment?
Are Apple incremental updates likely to "whack" my changes requiring further system touching?

b) I’m NOT a brilliant programmer – is there a better/faster/safer way to implement this?

c) would _YOU_ want to deploy something like this to potentially hundreds of laptops with _YOUR_ name on it?

————————————

first make a "proper" local directory (if it doesn’t already exist)

sudo mkdir -p /usr/local/bin

now let’s create our shell script

sudo touch /usr/local/bin/fix_vpn_routing.sh

set the ownership to root
sudo chown root:wheel /usr/local/bin/fix_vpn_routing.sh

set the permissions so that it better "protected"
sudo chmod 755 /usr/local/bin/fix_vpn_routing.sh

now lets edit/copy the script

sudo pico /usr/local/bin/fix_vpn_routing.sh
(now copy/paste the script below into the the terminal window with pico running)

#!/bin/sh
##############################################################################
# fix_vpn_routing.sh
# Author: Daniel Giribet
# Improvement over shell script published by ‘Anonymous’ on macosxhints.com
# ‘silas’ perl script did not work for me, so I use this one.
# Though the scipt is trivial, use at your own risk.
# Changes RMLeonard 7 March 2005 fix ppp.log parsing for OSX panther 10.3
# Also added breakout logic for exiting and annotations and descriptions for logging

# Variables
PPP_LOG=/var/log/ppp.log
default_=$(/usr/sbin/netstat -nr | grep ‘ UHLW ‘ | awk ‘{print $1}’)
remote_vpn_str=$(/usr/bin/tail -5 $PPP_LOG|/usr/bin/grep ‘remote IP address’)
n=$(echo $remote_vpn_str |/usr/bin/wc -w|/usr/bin/tr -d ‘n’ |/usr/bin/tr -d ‘ ‘)
remote_vpn=$(echo $remote_vpn_str | awk ‘{print $’$n’}’)
mask=$(echo $remote_vpn|/usr/bin/sed -e ‘s/./ /g’|awk ‘{print $1"."$2".0.0"}’)

# begin
# Check to see if there is a remote IP address – if not exit
if [ $remote_vpn ="" ] ; then
/usr/bin/logger "No remote VPN – exiting"
exit 0
fi

#logger sends message to the /var/log/system.log file

/usr/bin/logger "Remote Route Detected: modifying routes…"
/usr/bin/logger "deleting $remote_vpn"
/sbin/route delete default $remote_vpn

/usr/bin/logger "adding $default_"
/sbin/route add default $default_

/usr/bin/logger "adding $mask $remote_vpn"
/sbin/route add $mask $remote_vpn

/usr/bin/logger "Remote Route Repaired: Split Routing Enabled or Removed

#end script
################################################################################

save and exit

Part two –
make the following change to the set-hostname script in the Kicker.bundle as follows:

sudo pico /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/set-hostname

before the last line "exit 0" add the following lines:

logger "fixing VPN routing if need be"
/usr/local/bin/fix_vpn_routing.sh

save and exit

this will invoke the fix_vpn script everytime the network host_id changes as the VPN is invoked and it will check to see if the default route needs "tweaking".

Thoughts?

Rich

No Comments

  • I don’t have a Windows server setup right now to check this on, but on
    Mac OS X Server’s VPN setup you can define private routes. Then the
    clients will only send traffic destined for those networks over the VPN
    and just use the existing internet connection for everything else.

    We have an article about how to set this up.


    Breaking my server to save yours.

    Josh Wisenbaker
    http://www.afp548.com

    • Understood – but if you have no control over the SERVER side – only the client
      – does this do the job – and does it do it well enough and safe enough to
      deploy to say 100 laptops?

    • As much as you can define private routes, how do you tell Tiger (or panther)
      to also query DNS information for over the VPN tunnel?

      My issue is that I connect to my office via Windows VPN PPTP tunnel. Where
      I can ping all of the IP addresses fine, all of my DNS requests are performed
      from my local NIC DNS.

      On a MacOS X server VPN, you can setup a Private network, and it happens to
      also route the DNS. (Correct me if I am wrong, but that has been my
      experience).

      Thoughts, Ideas?

  • Actually, to achieve split tunnel routing you must have your VPN connection
    listed below your native network connections in the Network Control Pane. This
    drove me nuts for quite a while, since it isn’t mentioned in the VPN
    documentation.

Leave a reply

You must be logged in to post a comment.