Where is the "Send all traffic over VPN connection" setting in OSX 10.9 Mavericks?
I'm attempting to change the settings of a Cisco IPSec VPN connection which was set up through OSX's built-in VPN client in System Preferences. The VPN functions as expected, allowing me to access protected servers at my company. I would like to access other websites on the internet through this VPN (YouTube, Wikipedia, whatever). As far as I can tell, my regular web browsing is not being directed through the VPN.
This Apple support page says there is a setting called "Send all traffic over VPN connection" which can be enabled through the Apple menu > System Preferences > Network > Advanced > Options dialogue. However, when I select the VPN from the network interface list and click the "Advanced..." button, there is no "Options" tab or button. I see a dialogue with two tabs, "DNS" and "Proxies". There is no Options button or "Send all traffic over VPN connection" anywhere to be found.
So, what gives? Does this have to do with what kind of VPN I am connected to (Cisco IPSec)? Is it related to the VPN's settings? Regardless, how can I route normal browsing through the VPN?
Solution 1:
I guess not all VPN connection types of the built-in VPN client on the Mac have that option.
PPTP and L2TP connections do offer the option. Open your network settings:
Select your VPN connection and click on the advanced button.
A new window will pop up with three check-boxes under the heading "Session options". The last one of these checkboxes is the one you want: "redirect all traffic over VPN".
However, like you said, the advanced button does not pop up with Cisco IPSec.
I found this thread (https://superuser.com/questions/91191/how-to-force-split-tunnel-routing-on-mac-to-a-cisco-vpn) that maybe could be an answer to your problem (if you use it to route the whole IP range):
Anyone know how to hack the routing table (on a Mac) to defeat the forcing of VPN routing for everything over a Cisco VPN? Pretty much what I want to do is have only 10.121.* and 10.122.* addresses over the VPN and everything else straight to the internet.
The following works for me. Run these after connecting to the Cisco VPN. (I'm using OS X's built-in Cisco client, not the Cisco-branded client.)
sudo route -nv add -net 10 -interface utun0
sudo route change default 192.168.0.1
Replace "10" in the first command with the network that's on the other side of the tunnel.
Replace "192.168.0.1" with your local network's gateway.
I put it into a bash script, like this:
$ cat vpn.sh
#!/bin/bash
# Modifying the routing table requires root
if [[ $EUID -ne 0 ]]; then
    echo "Run this as root"
    exit 1
fi
# Send the 10.0.0.0/8 network over the VPN tunnel interface
route -nv add -net 10 -interface utun0
# Point the default route back at the local gateway
route change default 192.168.0.1
I also found an explanation on how to run this automatically when you connect the VPN, but it's late on Friday and I don't feel like trying it :)
https://gist.github.com/675916
Edit:
I have since left the job where I was using the Cisco VPN, so this is from memory.
The "10" in the first command is the network that you want to route over the VPN. "10" is shorthand for "10.0.0.0/8". In Tuan Anh Tran's case, it looks like the network is "192.168.5.0/24".
As for which gateway to specify in the second command, it should be your local gateway. When you log into a VPN that prevents split-tunneling, it is enforcing that policy by changing your routing tables so that all packets are routed on the virtual interface. So you want to change your default route back to what it was prior to getting on the VPN.
The easiest way to figure out the gateway is to run netstat -rn before logging into the VPN, and look at the IP address to the right of the "default" destination. For example, here's what it looks like on my box right now:
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           29        0     en1
10.0.1/24          link#5             UCS             3        0     en1
10.0.1.1           0:1e:52:xx:xx:xx   UHLWIi         55   520896     en1    481
10.0.1.51          7c:c5:37:xx:xx:xx  UHLWIi          0     1083     en1    350
10.0.1.52          127.0.0.1          UHS             0        0     lo0
My gateway is 10.0.1.1 -- it is to the right of the "default" destination.
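As an added illustration (not code from the original answer or the linked thread), the following POSIX shell script automates the "read the gateway off `netstat -rn`" step described above and then prints the two route commands from the quoted answer. It assumes the tunnel interface name utun0 and the network "10" (10.0.0.0/8) from those commands, parses a constructed `netstat -rn` sample shaped like the one quoted above, and refuses to emit anything if the IPv4 default route is missing or already points at a utun interface (i.e. the output was captured after the full-tunnel VPN came up, when the gateway would be wrong). It only prints the commands; applying them needs root and changes the live routing table.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves the pre-VPN default
# gateway from `netstat -rn` output and prints the route commands described
# in the thread. utun0 and network 10 are assumptions taken from that thread.

# Constructed sample of `netstat -rn` output (not captured from a real host).
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           29        0     en1
10.0.1/24          link#5             UCS             3        0     en1
10.0.1.1           0:1e:52:xx:xx:xx   UHLWIi         55   520896     en1    481
127                127.0.0.1          UCS             0        0     lo0

Internet6:
Destination        Gateway            Flags         Netif Expire
default            fe80::%utun0       UGcI          utun0
::1                ::1                UHL             lo0'

# default_gateway: print the IPv4 gateway of the "default" route read on stdin.
# Stops at the Internet6 section; ignores a default route that is already on a
# utun interface or whose gateway is not a dotted IPv4 address (e.g. link#N).
default_gateway() {
    awk '
        /^Internet6:/ { exit }
        $1 == "default" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            tun = 0
            for (i = 3; i <= NF; i++) if ($i ~ /^utun/) tun = 1
            if (!tun) { print $2; exit }
        }
    '
}

# route_commands: print (do not run) the commands that send NET over IFACE and
# move the default route back to GATEWAY.
route_commands() {
    net=$1; iface=$2; gw=$3
    printf 'route -nv add -net %s -interface %s\n' "$net" "$iface"
    printf 'route change default %s\n' "$gw"
}

# plan_routes NET IFACE: read netstat output on stdin, resolve the local
# gateway and print the plan. Returns 1 (prints nothing) when no usable
# pre-VPN default route is present, so a wrong gateway is never emitted.
plan_routes() {
    net=$1; iface=$2
    gw=$(default_gateway)
    if [ -z "$gw" ]; then
        echo "no pre-VPN IPv4 default route found; capture netstat -rn before connecting" >&2
        return 1
    fi
    route_commands "$net" "$iface" "$gw"
}

# Stand-alone use: plan against the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | plan_routes 10 utun0
```

To use it against a real machine, save `netstat -rn` output before connecting (`netstat -rn > before.txt`), then run `plan_routes 10 utun0 < before.txt` and review the printed commands before running them with sudo once the VPN is up.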