
Wednesday, 30 October 2019

mac-split-tunnel-vpn

Simple app to make it easy to set up and maintain Split Tunneling over VPN on Mac OS X. 

Split Tunnel VPN Routing for Mac

This is a simple script that makes it super easy for you to manage one or more VPN connections with split tunneling.
In particular this makes it very easy to connect to multiple VPNs simultaneously, and all traffic is kept going to the right place at the right time.

Installation

$ git clone https://github.com/vube/mac-split-tunnel-vpn.git
$ cd mac-split-tunnel-vpn
$ sudo install -c -m 0755 ip-up.php /etc/ppp/ip-up
$ cd /etc/ppp
$ sudo ln -sf $HOME/.routes.json routes.json

Configuration

You only need a file in your home directory that contains the routes. The install instructions above symlink /etc/ppp/routes.json to that file in your home directory, $HOME/.routes.json.

Example $HOME/.routes.json file

{ "remotes": {
 "1.2.3.4": [
  "9.8.7"
 ]
} }
The above example routes all traffic for the class C block 9.8.7.* to your VPN server whose IP is 1.2.3.4.

Configuring your VPN

You must configure your VPN such that the "Send all traffic over VPN connection" checkbox is not checked in the Advanced settings screen.
See below for an example of a correctly configured VPN.
Screenshot of VPN Advanced Settings Dialog

Advanced Example $HOME/.routes.json file

{ "remotes": {
    // Simple end-of-line comments like this are allowed
    // VPN #1
 "1.2.3.4": [
  "9.8.7", // one network
  "8.7.6", // another network
  "7.6.5" // yet a third network
 ],
 // VPN #2
 "2.3.4.5": [
  "4.5.6", // first network for VPN 2
  "5.6.7" // second network for VPN 2
 ]
} }
The above file configures 2 VPNs, 1.2.3.4 and 2.3.4.5
There are 3 networks routed through the 1.2.3.4 VPN: 9.8.7.*, 8.7.6.* and 7.6.5.*
There are 2 networks routed through the 2.3.4.5 VPN: 4.5.6.* and 5.6.7.*

Reconnect to VPN for changes to take effect

After editing your $HOME/.routes.json file, you must disconnect from and reconnect to your VPN for the changes to take effect.

Why use this

This allows you to set up your VPN links such that the ONLY traffic that goes over the VPN is traffic that really NEEDS to be on the VPN link. All other traffic will go over your default internet connection, which means you will have the fastest possible Internet speed at all times.
This routing manager uses a JSON file to keep track of which routes you really need to go to your VPN so then you can just edit that file if/when there are updates to it. No need to think about system utilities etc. Edit a file, reconnect to VPN, voila!

Log for troubleshooting purposes

Each time you connect to a VPN, a log message is written in /tmp/ppp.ip-up.log so you can see exactly what is happening.

Example log

VPN Connection at 2014-04-22 12:15:01
System arguments:
 [0] path to this script: '/etc/ppp/ip-up'
 [1] pppd Interface name: 'ppp1'
 [2] TTY device name: ''
 [3] TTY devide speed: '0'
 [4] Local IP: '192.168.200.2'
 [5] Remote IP: '1.2.3.4'
 [6] pppd ipparam option: 'x.x.x.x'
Configuring routes for 1.2.3.4
Exec: /sbin/route add -net '9.8.7' -interface 'ppp1' 2>&1
add net 9.8.7: gateway ppp1
In the above log dump, the remote VPN IP is 1.2.3.4, which you can see in the System arguments dump at [5] Remote IP: '1.2.3.4'.
If you are unsure what your actual VPN IP address is, connect to your VPN and then look at this log file to see what the Remote IP is. The Remote IP is what you need to list in your $HOME/.routes.json file as the VPN identifier.

from https://github.com/vube/mac-split-tunnel-vpn
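As an added example (not the project's ip-up.php), here is a Python dry-run of the same routing logic: it takes the pppd arguments in the order the log dump shows, strips the // comments from routes.json, validates each network entry and returns the route commands for the VPN that just came up. The sample config and argument vector are constructed; the function names (ip_up_plan, route_commands) and the validation pattern are my own choices. Because pppd runs the ip-up hook as root while $HOME/.routes.json is an ordinary user-writable file, the example checks every entry before it would be handed to route.

```python
"""Dry-run of an ip-up style routing hook (added example, not the project's
ip-up.php): given the pppd hook arguments and the text of routes.json, it
works out which "route add" commands apply to the VPN that just came up."""
import json
import re
import shlex

# Constructed sample config, laid out like the advanced example above.
SAMPLE_ROUTES_JSON = """{ "remotes": {
    // VPN #1
  "1.2.3.4": [
    "9.8.7",  // one network
    "8.7.6"   // another network
  ],
  // VPN #2
  "2.3.4.5": [ "4.5.6" ]
} }"""

# Constructed pppd argument vector, in the order the log above shows.
SAMPLE_ARGV = ["/etc/ppp/ip-up", "ppp1", "", "0", "192.168.200.2", "1.2.3.4", "x.x.x.x"]

# Accept only dotted-decimal prefixes (1 to 4 octets) with an optional /len.
NET_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}(/\d{1,2})?$")


def strip_line_comments(text):
    """Drop // comments that sit outside double-quoted strings, so the
    commented config is plain JSON again."""
    out = []
    for line in text.splitlines():
        in_str, escaped, cut = False, False, len(line)
        for i, ch in enumerate(line):
            if in_str:
                if escaped:
                    escaped = False
                elif ch == "\\":
                    escaped = True
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif line.startswith("//", i):
                cut = i
                break
        out.append(line[:cut].rstrip())
    return "\n".join(out)


def is_valid_net(spec):
    """True for specs such as 9.8.7, 10.0.0.0/8 or 172.16.5.0/24."""
    if not NET_RE.match(spec):
        return False
    return all(int(octet) <= 255 for octet in spec.split("/")[0].split("."))


def load_remotes(routes_text):
    """Parse routes.json text into {remote_ip: [network, ...]}."""
    return json.loads(strip_line_comments(routes_text))["remotes"]


def route_commands(routes_text, interface, remote_ip):
    """Return the route commands (as argv lists) for one VPN remote. The
    config lives in a user-writable home directory but is consumed by a
    root-run hook, so every entry is validated before it reaches route."""
    cmds = []
    for net in load_remotes(routes_text).get(remote_ip, []):
        if not isinstance(net, str) or not is_valid_net(net):
            raise ValueError(f"refusing unexpected network spec {net!r}")
        cmds.append(["/sbin/route", "add", "-net", net, "-interface", interface])
    return cmds


def ip_up_plan(argv, routes_text):
    """Mimic the hook entry point: argv[1] is the pppd interface, argv[5] the
    remote VPN IP (the identifier to list in routes.json)."""
    interface, remote_ip = argv[1], argv[5]
    return remote_ip, route_commands(routes_text, interface, remote_ip)


if __name__ == "__main__":
    remote, cmds = ip_up_plan(SAMPLE_ARGV, SAMPLE_ROUTES_JSON)
    print(f"Configuring routes for {remote}")
    for cmd in cmds:
        print("Exec:", shlex.join(cmd))
```

Running it prints the same "Configuring routes for 1.2.3.4" / "Exec: /sbin/route add -net 9.8.7 -interface ppp1" lines as the log above, without touching the routing table; a remote IP that has no entry in the file simply yields no commands, which is the symptom to look for when a VPN connects but nothing is routed over it.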
------

vpnc split tunnel script  

vpnc-split-tunnel

Overview

Basic script to be used in conjunction with vpnc-script (which comes with the installation of vpnc). This script also leverages dnsmasq to let you define specific domains to query over the VPN connection while forwarding the rest of your DNS queries to your local DNS. This allows for a truly transparent split tunnel experience.

Dependencies

  • vpnc
  • dnsmasq

Setup

  • Install the dependencies
  • Copy vpnc-split-tunnel.sh to /etc/vpnc/
  • Modify your existing vpnc.conf to reference vpnc-split-tunnel.sh using the "Script" variable
  • Start vpnc and verify the routes with netstat -rn

Configuration

Defaults

By default vpnc-split-tunnel.sh assumes the following:
  • The DNS server(s) are pushed from the VPN gateway
  • The domain(s) are pushed from the VPN gateway
If either or both of these assumptions are false you will need to modify some variables inside vpnc-split-tunnel.sh:
  • INTERNAL_IP4_DNS Set this variable to your DNS server IPs beyond the VPN gateway
  • CISCO_DEF_DOMAIN Set this variable to the domains of servers you would like to access by internal DNS

Additional Options

  • SUBNET_LIST Add a list of additional internal subnets to be accessible over the split tunnel.
  • RESOLV_CONF Location of resolv.conf
  • DNSMASQ_CONF Location of where to put the dnsmasq.conf that will be generated by this script
  • DNSMASQ_CONF_BACKUP Location of where to put the dnsmasq.conf backup file if a file exists before we generate the VPN specific config
  • DNSMASQ_LISTEN The IP the dnsmasq daemon will bind to
  • DNSMASQ_BIN dnsmasq binary
 from https://github.com/l2ol33rt/vpnc-split-tunnel
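Added example, not the vpnc-split-tunnel script itself: a Python rendering of what the dnsmasq-based split DNS described above amounts to. It takes INTERNAL_IP4_DNS, CISCO_DEF_DOMAIN and DNSMASQ_LISTEN (constructed here, in the space-separated form vpnc exports to its script), reads the local nameservers out of the current resolv.conf, and returns the dnsmasq.conf and resolv.conf text a hook would write. The dnsmasq directives used (server=/domain/ip, server=ip, no-resolv, listen-address, bind-interfaces) are real dnsmasq options; the function names and the sample values are mine.

```python
"""Added example (not the vpnc-split-tunnel project's script): build the
dnsmasq.conf and resolv.conf a vpnc split-tunnel hook would write, from the
variables vpnc exports to its script, so only the VPN's domains are resolved
through the VPN's DNS servers and everything else keeps using local DNS."""

# Constructed environment as vpnc would export it (space-separated lists).
SAMPLE_ENV = {
    "INTERNAL_IP4_DNS": "10.0.0.53 10.0.0.54",
    "CISCO_DEF_DOMAIN": "corp.example internal.example",
    "DNSMASQ_LISTEN": "127.0.0.1",
}

# Constructed resolv.conf as found before the VPN comes up.
SAMPLE_RESOLV = "# local resolver config\nsearch home.lan\nnameserver 192.168.1.1\n"


def parse_resolv_nameservers(resolv_text):
    """Return the nameserver IPs from a resolv.conf, skipping comments."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def render_dnsmasq_conf(vpn_dns, domains, local_dns, listen):
    """server=/domain/ip sends queries for that domain to the VPN DNS; bare
    server=ip lines catch everything else. no-resolv stops dnsmasq from
    reading resolv.conf, which will itself point back at dnsmasq."""
    lines = [
        "# generated for the current VPN session",
        "no-resolv",
        "bind-interfaces",
        f"listen-address={listen}",
    ]
    for domain in domains:
        for dns in vpn_dns:
            lines.append(f"server=/{domain}/{dns}")
    for dns in local_dns:
        lines.append(f"server={dns}")
    return "\n".join(lines) + "\n"


def render_resolv_conf(listen, domains):
    """Point the system resolver at dnsmasq and keep the VPN search domains."""
    return f"search {' '.join(domains)}\nnameserver {listen}\n"


def split_dns_plan(env, current_resolv):
    """Return {'dnsmasq.conf': text, 'resolv.conf': text}. If resolv.conf
    already points at dnsmasq (a second connection, or a hook that ran twice),
    that address is not reused as an upstream, which would loop queries."""
    vpn_dns = env["INTERNAL_IP4_DNS"].split()
    domains = env["CISCO_DEF_DOMAIN"].split()
    listen = env.get("DNSMASQ_LISTEN", "127.0.0.1")
    if not vpn_dns or not domains:
        raise ValueError("INTERNAL_IP4_DNS and CISCO_DEF_DOMAIN must both be set")
    local_dns = [s for s in parse_resolv_nameservers(current_resolv) if s != listen]
    if not local_dns:
        raise ValueError("no local nameserver left to forward non-VPN queries to")
    return {
        "dnsmasq.conf": render_dnsmasq_conf(vpn_dns, domains, local_dns, listen),
        "resolv.conf": render_resolv_conf(listen, domains),
    }


if __name__ == "__main__":
    for name, text in split_dns_plan(SAMPLE_ENV, SAMPLE_RESOLV).items():
        print(f"--- {name} ---")
        print(text, end="")
```

The rendering is kept as pure text so it can be checked before anything is written to the system; a real hook would copy the existing dnsmasq.conf to DNSMASQ_CONF_BACKUP first, write the generated file to DNSMASQ_CONF, restart dnsmasq, and restore both files when the VPN disconnects. Keeping the local nameservers out of the forwarding list when they equal DNSMASQ_LISTEN is what prevents a second connection from turning dnsmasq into its own upstream.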
--------

Related post: https://briteming.blogspot.com/2019/11/vpn-slice.html