Mysteries of VPN

Posted in Genius Bar, edited January 2014
I'm running a few services on my Mac at home: Timbuktu, for remote access to my Mac while away from home; accessTunes, for music streaming; ssh shell access; and I'm playing around with the Apache web server now.



Normally, all of these services work fine. I've configured my gateway/router to do all of the appropriate port forwarding. I've recently set up a dyndns.org account so that I have a domain name for my home system, making access much easier.



All of these services go to hell when I start up my VPN connection from home into my office network. I can still access the services on my local network at home from other computers, but from the outside world, nothing works. This is particularly frustrating if I've left the VPN running by accident, get to work, want to connect home, but can't get in -- especially to do the one thing I'd really like to do at that point, shut down the VPN.



If I can find out what IP address I was assigned on the VPN, I can connect to those services via that local address on the VPN, but it's generally difficult to find what that address is, and at any rate, I don't want WAN access to my home system shut down even if I can get in on the office LAN.



I think I've finally figured out what's going on: All of these services happily listen on their assigned ports for incoming connections on either my LAN IP (through which all WAN access arrives) or the VPN-assigned IP. But, when these services send replies, they try to reply back through the VPN to every client with a non-LAN IP address.



What I really want to happen is for all replies to go to the LAN IP except those which are replies to clients with IP addresses associated with other systems on the VPN.



If this can be done, there's no obvious GUI set-up for it. I'm pretty sure it'll take some Unix geekishness to do what I want -- and I'm fine with that, as long as someone can point me in the right direction. I've tried to Google all sorts of combinations and permutations of "mac os x", "tiger", "vpn" "configuration", "dual home", "ip address", "binding", etc., etc. All I keep coming up with is either the bare basics I already know or things which are completely irrelevant.



PS: I just got a tip that the answer I'm looking for might have something to do with "iptables" -- I'll have to look into that later.

Comments

  • Reply 1 of 5
    shetline, Posts: 4,695, member
    Turns out that "iptables" is just a Linux thing... but I just got a little success with an experiment I tried, and perhaps this will be enough for some Unix guru out there to see what I'm trying to accomplish and recommend what more I can do...



    1) I connected to my office VPN from home.

    2) I used Timbuktu to bring up the desktop of my computer at work.

    3) Using Mozilla on the computer at work, I tried to bring up my home web server, expecting it to fail -- as it did.

    4) Again on the office system, I went to a web page which told me the WAN IP address that the outside world sees when my office computer connects (as opposed to the LAN IP the computer has that you'd get with the Windows ipconfig command).

    5) Back on my Mac at home, I typed this command line:



    sudo route add xxx.xxx.xxx.xxx 192.168.0.1



    ...where xxx.xxx.xxx.xxx is the IP address I found above, and 192.168.0.1 is the IP of the gateway on my home LAN.



    6) I try to reach my home web page via the computer at work again... SUCCESS!



    The thing is, of course, I don't want to merely fix the problem I'm having for one IP address out there in the world, I want to re-route every address EXCEPT addresses on the company LAN (172.16-18.xxx.xxx) to the 192.168.0.1 gateway.



    With the problem better defined, and a glimmer of hope at the right direction to go, can anyone help me take the next step?



    And does anyone know if these things I do with the route command are persistent, or do they go away the next time I reboot my Mac?
  • Reply 2 of 5
    shetline, Posts: 4,695, member
    Even better...



    sudo route change default 192.168.0.1

    sudo route add 172.16.0.0 172.16.1.245 255.224.0.0



    Using Netstat via Network Utility helped me figure things out a bit... like seeing that "default" might be a valid argument.



    The main problem left is that when I reconnect to the VPN, the default routing immediately changes back to 172.16.1.245. I feel like I'm pretty close now, I'm just lacking the persistence I'd want for my desired default routing.
  • Reply 3 of 5
    shetline, Posts: 4,695, member
    Got it all working!



    There's still a momentary drop out in network activity as I connect to my VPN, but I'm automatically and nearly instantly re-routing traffic the way I want it to go. Connecting to my company VPN now means access to the company network without that network becoming my primary IP address at the expense of web services I want to keep running from my home computer.



    There are other benefits too, like being able to surf the web while on the company VPN and not have my web surfing going through the company network, or only having brief hiccups in iChat conversations when I connect to the VPN, instead of having to completely stop and restart chats which also end up going through the company network if I want to keep chatting.



    It turns out that typical Unix network admin techniques don't apply that well to OS X because OS X has its own ideas about automatically reconfiguring routing tables (in what is typically the best way for non-technical users) when users connect and disconnect from various networks or change their network settings in System Preferences. These automatic changes often undo configuration changes Unix admin geeks are accustomed to setting up and having left alone.



    Googling around, I found a hack someone had written to automatically reconfigure mail services whenever someone changed their network location. It involves inserting your own "execCommand" item into a XML set-up file, Kicker.xml, a file which lists tasks that are to be performed during automatic network updates.



    Following that example, and writing my own Perl script to be executed by the Kicker, I came up with this:



    Code:

    #!/usr/bin/perl
    #
    # vpn_fix.pl -- run by the SystemConfiguration "Kicker" whenever the network
    # configuration changes. If both the home LAN address and a point-to-point
    # VPN address are present, the default route is sent back to the home
    # gateway and only the office network is routed through the VPN.
    #
    # This file depends on the following addition to
    # /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml:
    #
    # <dict>
    #     <key>execCommand</key>
    #     <string>/Library/VPNHack/vpn_fix.pl</string>
    #     <key>execUID</key>
    #     <integer>0</integer>
    #     <key>keys</key>
    #     <array>
    #         <string>Setup:/</string>
    #         <string>State:/Network/Global/IPv4</string>
    #     </array>
    #     <key>name</key>
    #     <string>vpn-hack</string>
    # </dict>

    use strict;
    use warnings;

    # The Kicker runs this as root with no guarantee about PATH, so pin it.
    $ENV{PATH} = "/sbin:/usr/sbin:/bin:/usr/bin";

    my $lanOK = 0;
    my $vpnGateway = "";

    my @lines = doCommand("ifconfig");

    foreach my $line (@lines) {
        # Change the following to your usual LAN IP and network mask that you expect to have
        # when your home network is up and running. I use a fixed IP address -- which makes
        # this much easier -- for dependable port forwarding through my router.
        if ($line =~ /inet 192\.168\.0\.3 netmask 0xffffff00/) {
            $lanOK = 1;
        }
        # Change the following to match the LAN you get connected to on your VPN.
        # The address after "-->" is the point-to-point peer on the ppp interface,
        # which is the gateway to use for the office network.
        elsif ($line =~ /inet 172\.16\.1\.\d{1,3} --> ([0-9.]{7,15}) netmask 0xffff0000/) {
            $vpnGateway = $1;
        }
    }

    # Only touch the routing table when both sides are actually up.
    if ($lanOK && $vpnGateway) {
        # Change the following to match the gateway on your home LAN.
        doCommand("route change default 192.168.0.1");
        # Change the following to match the LAN your VPN connects you to.
        doCommand("route add 172.16.0.0 $vpnGateway 255.240.0.0");
    }

    # Run a command and return its output lines (empty list if it could not be started).
    sub doCommand
    {
        my $cmd = shift;
        my @lines;

        if (open(my $fh, "$cmd |")) {
            @lines = <$fh>;
            close($fh);
            return @lines;
        }
        else {
            return ();
        }
    }







    Logged in as root, I placed this code at /Library/VPNHack/vpn_fix.pl and set it to be executable.



    I added the necessary XML to /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml, making a back-up of the original called Kicker.xml.orig, left in the same directory.



    After rebooting, my VPN connection is finally, finally running (brief networking glitch aside) just the way I've been wanting my VPN connection to work for a couple of years now. w00t!
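The route logic of the two replies above (the `route change default` / `route add` pair from Reply 2 and the ifconfig parsing in the Kicker script from Reply 3), as an added Python example that is not part of the original posts or the poster's script. It parses a constructed `ifconfig` sample, applies the same two preconditions as the script (home LAN address present, point-to-point VPN address present) and returns the `route` commands it would run instead of executing them, so the decision can be checked offline before anything is wired into a root-run hook. It generalises the script's single fixed LAN IP to "any address in the LAN block", and adds a netmask alignment check, since a mask such as 255.224.0.0 around 172.16.0.0 defines a wider block than the addresses typed suggest. The addresses 192.168.0.0/24, 192.168.0.1 and 172.16.0.0/12 are taken from the thread; the interface names and sample output are assumptions.

```python
"""Split-tunnel route planner modelled on the Kicker script in the thread.

Added example, not the original poster's code. It parses ifconfig text,
applies the same preconditions and returns the route commands rather than
running them, so it runs offline without root or a VPN.
"""
import ipaddress
import re

# Constructed ifconfig output (not captured from a real Mac): en0 on the home
# LAN, ppp0 as the VPN tunnel with its "-->" point-to-point peer address.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 172.16.1.77 --> 172.16.1.245 netmask 0xffff0000
"""
# The same machine with the VPN disconnected (everything before ppp0).
SAMPLE_IFCONFIG_NO_VPN = SAMPLE_IFCONFIG.split("ppp0:")[0]

# "inet LOCAL [--> PEER] netmask 0xHEX", the form BSD ifconfig prints.
_INET_RE = re.compile(
    r"^\s*inet (\S+)(?: --> (\S+))? netmask 0x([0-9a-fA-F]{8})", re.M)


def parse_ifconfig(text):
    """Return (local_ip, peer_ip or None, prefix_length) per IPv4 address."""
    found = []
    for local, peer, mask_hex in _INET_RE.findall(text):
        prefix_len = bin(int(mask_hex, 16)).count("1")
        found.append((local, peer or None, prefix_len))
    return found


def effective_network(network, netmask):
    """Block that NETWORK/NETMASK really describes once the mask zeroes the
    host bits: 172.16.0.0 with 255.224.0.0 is 172.0.0.0/11, which admits
    172.0.x.x through 172.31.x.x, not just 172.16-18."""
    return str(ipaddress.ip_network(f"{network}/{netmask}", strict=False))


def plan_routes(ifconfig_text, lan_net, lan_gateway, vpn_net):
    """Return the route commands to run, or [] when the preconditions fail.

    lan_net:     home LAN block, e.g. "192.168.0.0/24"; any address in it
                 counts (the script matches one fixed IP instead)
    lan_gateway: the home router, e.g. "192.168.0.1"
    vpn_net:     office block to send through the tunnel, e.g. "172.16.0.0/12"
    """
    lan_net = ipaddress.ip_network(lan_net)
    vpn_net = ipaddress.ip_network(vpn_net)
    if ipaddress.ip_address(lan_gateway) not in lan_net:
        raise ValueError(f"LAN gateway {lan_gateway} is not inside {lan_net}")

    lan_ok = False
    vpn_gateway = None
    for local, peer, prefix_len in parse_ifconfig(ifconfig_text):
        addr = ipaddress.ip_address(local)
        if peer is None and addr in lan_net and prefix_len == lan_net.prefixlen:
            lan_ok = True
        elif peer is not None and addr in vpn_net:
            vpn_gateway = ipaddress.ip_address(peer)

    if not (lan_ok and vpn_gateway):
        return []
    # The route we add must itself contain its next hop; otherwise the office
    # block is pointed at a gateway the kernel has no route to.
    if vpn_gateway not in vpn_net:
        raise ValueError(f"VPN peer {vpn_gateway} is outside {vpn_net}")

    return [
        f"route change default {lan_gateway}",
        f"route add {vpn_net.network_address} {vpn_gateway} {vpn_net.netmask}",
    ]


if __name__ == "__main__":
    for cmd in plan_routes(SAMPLE_IFCONFIG, "192.168.0.0/24",
                           "192.168.0.1", "172.16.0.0/12"):
        print(cmd)
```

To use it on a real machine, feed it the output of `ifconfig` and run the returned commands with `sudo`; the planner never calls `route` itself, which keeps the routing decision testable separately from the privileged step.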
  • Reply 4 of 5
    mr. h, Posts: 4,870, member
    Hi Shetline,



    Thanks for keeping your thread updated, I'm sure this info must be useful for quite a few people out there. Have you considered submitting a hint to MacOSXhints?
  • Reply 5 of 5
    shetline, Posts: 4,695, member
    Quote:

    Originally posted by Mr. H

    Have you considered submitting a hint to MacOSXhints?



    Now I have... done!