What to do when "Send all Traffic over VPN Connection" doesn't work

So I don't forget. On Leopard, there's a VPN setting called "Send all traffic over VPN connection." In theory, unchecking this box will make only connections to VPN-related IP addresses go over the VPN. This doesn't always work. The reason was explained by "Frank" on a comment to this post:

On Leopard there is a checkbox which enables or disables setting of the default route via the VPN. It is in the advanced settings and called something like "Send all traffic through the VPN".

HOWEVER, this only works if the order of the network configurations ("Ethernet", "AirPort", "Firewire", ...) is so that your VPN comes AFTER the interface you're connected to the internet. You can change the order by clicking on the little cog icon next to the +/- icons.

If your VPN comes before the Ethernet or AirPort then the default route will always be set to the VPN regardless of whether you ticked that little checkbox.

:) But wait - there is more.

For each VPN connection you can configure DNS servers. Those are only configured in the /etc/resolv.conf when the VPN connection is sorted above the Ethernet and not below.

So the net result is: You can have VPN with properly configured DNS servers but the default route will always be the VPN

OR

you have the VPN without the default route via the VPN but also no DNS.

This makes perfect sense... but it's not entirely intuitive in the OSX dialog.

By the way, if you happen to still be on Tiger. The above-referenced post itself provides the script-centric method to get the same effect on Tiger.

tagged with: OSX Routing SystemAdministration VPN | Comments (2)

2 Comments

By Matthew Tagg on August 21, 2009 1:19 AM | Reply

Very interesting post you got there. mmm I didn't know about the "order" thing. I found that if I move my VPN to the top of the ordering, then it seems to have the same effect as "send out all traffic over VPN"

What I can't seem to understand is that I'm at work on a corporate network, if I enable VPN it seems that to get to a local mail server on the 10.x.x.x network it goes through the VPN and back in on a public IP. How can I tell the VPN to ignore the 10.x.x.x range?

By AaronAuthor Profile Page on August 24, 2009 7:13 AM | Reply

It sounds like your internal IP range and the VPN's IP range might be overlapping. I'm not sure if there's a solution for this or not... sorry.

Leave a comment


Type the characters you see in the picture above.

Who's this guy?

Aaron Longwell is Chief Web Craftsman at New Media Logic Corporation in Coeur d' Alene, Idaho. As a professional software developer for 12 years and a student of public policy, he occasionally has interesting things to say about software, technology, culture and politics.

Subscribe to feed Subscribe to my RSS Feed

  • View Aaron Longwell's profile on LinkedIn
  • Recommend Me

Categories