Fixing the split routing issue
Ed. Note: This is only of use if you are NOT using OS X Server as your VPN server.
We are about to roll out laptops to a good number of faculty and staff. The Windows VPN server and the Windows laptops play well with each other, and the Windows laptops even have a little check box you can tick to tell them NOT to use the default gateway on the remote network. The Macs have no such "little check box".
So – what to do and where to do it?
All of this is taken from Macosxhints and links reached from there, from some Cisco manuals, and from liberal use of the netstat -rn command.
What I mostly need help vetting is this:
a) is Kicker.bundle "safe" to tinker with for a large scale deployment?
Are Apple incremental updates likely to "whack" my changes requiring further system touching?
b) I’m NOT a brilliant programmer – is there a better/faster/safer way to implement this?
c) would YOU want to deploy something like this to potentially hundreds of laptops with YOUR name on it?
First make a "proper" local directory (if it doesn’t already exist):
sudo mkdir -p /usr/local/bin
Now let’s create our shell script:
sudo touch /usr/local/bin/fix_vpn_routing.sh
Set the ownership to root:
sudo chown root:wheel /usr/local/bin/fix_vpn_routing.sh
Set the permissions so that it is better "protected" (root-owned, writable only by root, since it will run with root privileges):
sudo chmod 755 /usr/local/bin/fix_vpn_routing.sh
Now let’s edit/copy the script:
sudo pico /usr/local/bin/fix_vpn_routing.sh
(now copy/paste the script below into the terminal window with pico running)
#!/bin/sh
#
# fix_vpn_routing.sh
# Author: Daniel Giribet
# Improvement over shell script published by 'Anonymous' on macosxhints.com
# 'silas' perl script did not work for me, so I use this one.
# Though the script is trivial, use at your own risk.
# Changes RMLeonard 7 March 2005: fix ppp.log parsing for OS X Panther 10.3
# Also added breakout logic for exiting and annotations and descriptions for logging

# Variables
PPP_LOG=/var/log/ppp.log
# LAN gateway: the first host entry with a link-layer address (UHLW) in the
# routing table. This is a heuristic, so only the first match is used.
default_=$(/usr/sbin/netstat -nr | grep ' UHLW ' | head -1 | awk '{print $1}')
# The "remote IP address" line pppd wrote to ppp.log names the VPN peer
remote_vpn_str=$(/usr/bin/tail -5 $PPP_LOG | /usr/bin/grep 'remote IP address')
# Count the words on that line so the last word (the address) can be picked out
n=$(echo $remote_vpn_str | /usr/bin/wc -w | /usr/bin/tr -d '\n' | /usr/bin/tr -d ' ')
remote_vpn=$(echo $remote_vpn_str | awk '{print $'$n'}')
# Classful /16 network the VPN peer lives on, e.g. 10.20.5.1 -> 10.20.0.0
mask=$(echo $remote_vpn | /usr/bin/sed -e 's/\./ /g' | awk '{print $1"."$2".0.0"}')

# begin
# Check to see if there is a remote IP address; if not, exit
if [ "$remote_vpn" = "" ] ; then
    /usr/bin/logger "No remote VPN - exiting"
    exit 0
fi
# logger sends the message to the /var/log/system.log file
/usr/bin/logger "Remote Route Detected: modifying routes..."
/usr/bin/logger "deleting $remote_vpn"
/sbin/route delete default $remote_vpn
/usr/bin/logger "adding $default_"
/sbin/route add default $default_
/usr/bin/logger "adding $mask $remote_vpn"
/sbin/route add $mask $remote_vpn
/usr/bin/logger "Remote Route Repaired: Split Routing Enabled or Removed"
# end script
#
Save and exit.
Part two –
Make the following change to the set-hostname script in the Kicker.bundle:
sudo pico /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/set-hostname
Before the last line "exit 0" add the following lines:
logger "fixing VPN routing if need be"
/usr/local/bin/fix_vpn_routing.sh
Save and exit.
This will invoke the fix_vpn_routing script every time the network host_id changes, which happens when the VPN comes up, and the script checks whether the default route needs "tweaking".
Thoughts?
Rich
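As an added example (my own code, not from the post above or from macosxhints), here is a dry-run version of the same logic: it parses constructed samples of the ppp.log line and of netstat -rn output, checks that what it extracted really are dotted-quad addresses before anything would reach route(8), and prints the route commands instead of running them. The SAMPLE_* strings and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a dry-run of the
# fix_vpn_routing.sh logic over constructed text instead of the live system,
# so the parsing can be checked without root or a VPN.

# Constructed sample of the lines pppd writes to /var/log/ppp.log.
SAMPLE_PPP_LOG='Mon Mar  7 10:12:01 2005 : local  IP address 10.20.5.17
Mon Mar  7 10:12:01 2005 : remote IP address 10.20.5.1'

# Constructed sample of "netstat -rn" after the VPN replaced the default route.
SAMPLE_NETSTAT='Destination        Gateway            Flags  Refs  Use  Netif
default            10.20.5.1          UGSc      5    12   ppp0
10.20.5.1          10.20.5.17         UH        1     0   ppp0
192.168.1          link#4             UCS       2     0   en0
192.168.1.1        0:11:22:33:44:55   UHLW      9   301   en0
192.168.1.42       127.0.0.1          UHS       0     3   lo0'

# Only dotted quads may be handed to route(8); anything else parsed out of a
# log file is rejected.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# VPN peer: last field of the last "remote IP address" line.
remote_vpn_ip() {
  printf '%s\n' "$1" | grep 'remote IP address' | tail -1 | awk '{print $NF}'
}

# LAN gateway: first UHLW host entry that is not on a ppp interface
# (same heuristic as the original script, limited to one match).
lan_gateway() {
  printf '%s\n' "$1" | awk '/UHLW/ && !/ppp[0-9]/ {print $1; exit}'
}

# Classful /16 the original script sends back over the tunnel.
vpn_net() {
  printf '%s' "$1" | awk -F. '{print $1"."$2".0.0"}'
}

# Prints the route commands the original script would run; returns 1 and
# prints nothing if either address failed validation.
plan_routes() {
  remote=$(remote_vpn_ip "$1")
  gw=$(lan_gateway "$2")
  is_ipv4 "$remote" && is_ipv4 "$gw" || return 1
  printf 'route delete default %s\n' "$remote"
  printf 'route add default %s\n' "$gw"
  printf 'route add -net %s %s\n' "$(vpn_net "$remote")" "$remote"
}
```

Run plan_routes "$SAMPLE_PPP_LOG" "$SAMPLE_NETSTAT" to see the three commands; feeding it the real /var/log/ppp.log and netstat -rn output (as text) shows what the installed script would do on that machine before it is wired into Kicker.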
I don’t have a Windows server setup right now to check this on, but on
Mac OS X Server’s VPN setup you can define private routes. Then the
clients will only send traffic destined for those networks over the VPN
and just use the existing internet connection for everything else.
We have an article about how to set this up.
—
Breaking my server to save yours.
Josh Wisenbaker
http://www.afp548.com
Understood – but if you have no control over the SERVER side – only the client
– does this do the job, and does it do it well enough and safely enough to
deploy to, say, 100 laptops?
As much as you can define private routes, how do you tell Tiger (or Panther)
to also query DNS information over the VPN tunnel?
My issue is that I connect to my office via a Windows VPN PPTP tunnel. While
I can ping all of the IP addresses fine, all of my DNS requests are performed
from my local NIC DNS.
On a Mac OS X Server VPN, you can set up a private network, and it happens to
also route the DNS. (Correct me if I am wrong, but that has been my
experience).
Thoughts, Ideas?
Actually, to achieve split tunnel routing you must have your VPN connection
listed below your native network connections in the Network Control Pane. This
drove me nuts for quite a while, since it isn’t mentioned in the VPN
documentation.