OSX Snippets: VPN routing dynamically
admin on November 16th, 2007
This Snippet assumes you know how to setup a VPN Tunnel in OSX 10.4+. This Snippet shows you how to configure the VPN Tunnel to route certain IPs to certain interfaces.
I had to figure out a way to route just a few IPs through my Work’s VPN. They were in two separate /24’s, and routing the entire /24 was ok, as anything on those /24’s were going to be accessible via VPN only.
I did not want to push all my traffic through that VPN. Even though Work was ok with me doing that, I really value my privacy. I did not want to be pumping everything through them.
Here is what I did to create some static routes when the VPN Tunnel was up, then remove the static routes when the VPN Tunnel was down.
>cat /etc/ppp/ip-up
#!/bin/sh
# Create default route
# The below ONLY works if you have a DHCP connection, or Statically
# assigned IP address AND GATEWAY in Network Prefs. If the "Router" field
# is blank, you will end up getting "link#something" as your gateway.
# The below route change and gateway info grabber will not work.
gateway=$(/usr/sbin/netstat -r -n -f inet | grep '^default' | awk '{print $2}')
/sbin/route change default $gateway
# If you do NOT have the Router field in Netowrk Prefs populated, you
# will get "link#something" as your gateway. OS X knows what to do with
# this, but you cannot really use it too much.
# You can upcomment the below, and use your default gateway as
#
#if [ "$gateway" = "link#5" ] ; then
# /sbin/route change default ""
#else /sbin/route change default $gateway
#fi
# Fothe second line, where is says "", you need it to look
# like this: "192.169.0.1" you MUST leave the "'s on either side of the
# IP. This does not make this script easy
#Create VPN route. Add the same but 'delete' instead of 'add' to ip-down
/sbin/route -n add -net xxx.xxx.xxx $IPREMOTE >> /tmp/ppp.log 2>&1
/sbin/route -n add -net yyy.yyy.yyy $IPREMOTE >> /tmp/ppp.log 2>&1
The ‘xxx.xxx.xxx’ is an easy way to route an entire /24. If you need to route something smaller, you can add as many route statements as your need. Its not that difficult.
You now need to remove them when your VPN goes down:
>cat /etc/ppp/ip-down #!/bin/sh /sbin/route -n delete -net xxx.xxx.xxx $IPREMOTE >> /tmp/ppp.log 2>&1 /sbin/route -n delete -net yyy.yyy.yyy $IPREMOTE >> /tmp/ppp.log 2>&1
Obviously, you will need to put the same IPs in the ip-up as in the ip-down.
Here is a netstat -rn of my laptop with the VPN up:
>netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.0.1 UGSc 59 811097 en1 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 14 3967464 lo0 169.254 link#5 UCS 0 0 en1 192.168.0 link#5 UCS 2 0 en1 192.168.0.1 0:d0:c0:fc:0:42 UHLW 56 17 en1 425 192.168.0.2 0:50:ba:39:12:7f UHLW 0 0 en1 1021 192.168.0.26 127.0.0.1 UHS 0 0 lo0 xxx.xx.xxx zzz.zz.zzz.z UGSc 0 0 ppp0 yyy.yy.yyy zzz.zz.zzz.z UGSc 2 0 ppp0 zzz.zz.zzz.zz 192.168.0.1 UGHS 40576 44728 en1 zzz.zz.zzz ppp0 USc 0 0 ppp0 zzz.zz.zzz.z zzz.zz.zzz.zz UH 4 0 ppp0
The ‘zzz.zz.zzz.z’ is the VPN IP address.
Here is my routing tables without the VPN up:
>netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.0.1 UGSc 60 816887 en1 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 14 3986251 lo0 169.254 link#5 UCS 0 0 en1 192.168.0 link#5 UCS 2 0 en1 192.168.0.1 0:d0:c0:fc:0:42 UHLW 55 17 en1 7 192.168.0.2 0:50:ba:39:12:7f UHLW 0 0 en1 1184 192.168.0.26 127.0.0.1 UHS 0 0 lo0
