Setting default routes with a VPN and OS X

Aug 12, 2007 11:54 · 475 words · 3 minute read

Setting up a VPN connection in OS X is incredibly simple - just use the Internet Connect wizard, and away you go. But if you use the wizard to set up a VPN connection, it assumes that you want all traffic to go down the VPN tunnel. That’s fine in some circumstances, but it can be a pain if the upstream connection to the Internet at the VPN end is slow - and in any case, it’s most likely to be adding additional hops to your destination if that destination isn’t at the VPN end. A much better scenario would be for normal traffic to go via the default Internet route, and only VPN-specific traffic to go via the VPN.

It’s quite easy to fix, but it does involve a certain amount of command line wrangling. The process goes like this:

  • Fire up a terminal session and go to the /etc/ppp directory with cd /etc/ppp Then create a subdirectory in here called peers if it doesn’t already exist. You’ll probably need to invoke sudo to do this so that you get root privileges - so the command will be sudo mkdir peers

  • Create a file in here with the same name as your VPN connection - so for example, my VPN connection is called ‘Headshift’, so I create a file called Headshift by using sudo touch Headshift (this is case-sensitive, so make sure that the case of your VPN connection name and the file agree)

  • Open up this file and edit it to include the line ‘nodefaultroute’ - sudo nano Headshift, entering the line then saving the file will do the trick here.

  • Restart the VPN connection, and check that the default routes have changed. You can do this by using the netstat -rn command in a terminal window. This will throw back a whole chunk of data, but the part we’re interested in is right at the start. The top line is the default route which shows the gateway which all traffic will go through - this should show the IP address for your default network connection. In my case, it’s the Airport interface which is listed as en1, with a default gateway of 192.168.1.1, but this will change depending on the setup.

  • Further down the list will be the entry for the network at the other end of the VPN connection, and this will show it’s gateway as ppp0, which is the VPN link. So for example, if the network at the other end is 172.168.1.0, then you’ll see an entry for 172.168.0 in the list with a gateway of ppp0

  • You can also check this by doing a traceroute to a host on the VPN-connected network, which should show that the packets are passing across the VPN link; then tracerouting to an Internet host, which will go via the default LAN connection.