OS X >10.6.5 DNS Lookup Order with VPN
In my case, FQDN requests weren't resolving to the correct internal address. Instead, they were pointing to the external address.
I connect to my Cisco ASA via IPsec. While the order is setup correctly in network connection, the DNS requests do not follow the order since updating to 10.6.5.
To work around it, I manually assigned the DNS server for my VPN into Airport connection (since I'm wireless). After I'm done with the VPN connect, I remove the manually added DNS address.
To stop OS X 10.8 from creating a default route to your VPN connection, open Internet Connect (in Applications). Choose Options from the Connect menu, then uncheck the "Send all traffic over VPN connection" option. Click OK, and you're done.
To make a custom route to the subnet on the other side of the VPN connection, read the rest of the hint...
As root, create /etc/ppp/ip-up, and put in the following code:
#!/bin/sh
# When the ppp link comes up, this script is called with the following
# parameters
# $1 the interface name used by pppd (e.g. ppp3)
# $2 the tty device name
# $3 the tty device speed
# $4 the local IP address for the interface
# $5 the remote IP address
# $6 the parameter specified by the 'ipparam' option to pppd
DEBUGFILE=/tmp/ip-up-debug.txt
## echo "1:$1 2:$2 3:$3 4:$4 5:$5 6:$6" > $DEBUGFILE
NET=`echo $5 | cut -d. -f1,2,3`
## echo $NET >> $DEBUGFILE
case $NET in 192.168.3)
## echo "CASE1" >> $DEBUGFILE
RESULT=`/sbin/route add -net 192.168.30.0 $5 255.255.255.0`
##echo $RESULT >> $DEBUGFILE
;;
192.168.2)
## echo "CASE2" >> $DEBUGFILE
RESULT=`/sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw $5`
## echo $RESULT >> $DEBUGFILE
;;
192.168.1)
## echo "CASE3" >> $DEBUGFILE
RESULT=`/sbin/route add -net 192.168.10.0 netmask 255.255.255.0 gw $5`
## echo $RESULT >> $DEBUGFILE
;;
*)
## echo "No match" >> $DEBUGFILE
;;
esac
Notes:
- Once you create the file, do a
chmod u+x /etc/ppp/ip-up
. - The $5 variable is your remote IP address (your IP address on the remote network).
- In the first case statement, change the 192.168.x entry to the first three octets of your remote network. In this instance, the remote IP is 192.168.3.1, and the remote network is 192.168.30.0/24 (the remote VPN box is doing the routing -- this is so SAMBA will work without needing to proxy ARP).
- Uncomment (remove the ##'s) from the debug lines to see what this script is doing. Output will be written to the /tmp/ip-up-debug.txt file. Remember to put the ##'s back in when you are done testing.
- This script has options for three different VPN connections. Just change the 192.168.x entries to the different network addresses of your different VPNs.
Found here