How to add routing for 2 VPN connections?

1

I am trying to set up a second VPN connection over the first one, which is my only option at the moment. The first VPN connection works fine (utun1), providing me with internet access, and its routing looks like this:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.56.10.5         UGSc            0        0   utun1
default            192.168.1.1        UGSc            2        0     en0
default            10.56.10.5         UGScI          17        0   utun1
10.56.10.1/32      10.56.10.5         UGSc            0        0   utun1
10.56.10.5         10.56.10.6         UHr            31        0   utun1
10.56.10.5/32      link#14            UCS             0        0   utun1
127                127.0.0.1          UCS             0        4     lo0
127.0.0.1          127.0.0.1          UH             35  2531224     lo0
128.0/1            10.56.10.5         UGSc           10        0   utun1
169.254            link#4             UCS             0        0     en0
179.13.126.66/32   192.168.1.1        UGSc            1        0     en0
192.168.1          link#4             UCS             1        0     en0
192.168.1.1/32     link#4             UCS             1        0     en0
192.168.1.1        ec:88:8f:2b:4d:b6  UHLWIir         4       26     en0    750
192.168.1.103/32   link#4             UCS             0        0     en0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        7     en0
224.0.0/4          link#4             UmCS            2        0     en0
224.0.0/4          link#14            UmCSI           0        0   utun1
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0       20     en0
255.255.255.255/32 link#4             UCS             1        0     en0
255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI          0        7     en0
255.255.255.255/32 link#14            UCSI            0        0   utun1

When connecting to the second VPN (utun2), I don't have internet any more and I can't connect to the host for which I am using the second VPN. The second VPN connection is supposed to provide internet as well (it does when, by luck, I am able to connect to it directly). The routing then looks like this:

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.56.10.5         UGSc            0        0   utun1
default            link#16            UCS             0        0   utun2
default            192.168.1.1        UGScI           1        0     en0
default            10.56.10.5         UGScI           9        0   utun1
10.56.10.1/32      10.56.10.5         UGSc            0        0   utun1
10.56.10.5         10.56.10.6         UHr            19        0   utun1
10.56.10.5/32      link#14            UCS             0        0   utun1
127                127.0.0.1          UCS             0        4     lo0
127.0.0.1          127.0.0.1          UH             34  2536322     lo0
128.0/1            10.56.10.5         UGSc            5        0   utun1
32.169.33.64       10.56.10.5         UGHS            0        0   utun1
32.169.252.34      31.169.252.34      UH              0       11   utun2
169.254            link#4             UCS             0        0     en0
179.13.126.66/32   192.168.1.1        UGSc            1        0     en0
192.168.1          link#4             UCS             1        0     en0
192.168.1.1/32     link#4             UCS             1        0     en0
192.168.1.1        ec:88:8f:2b:4d:b6  UHLWIir         4       42     en0   1119
192.168.1.103/32   link#4             UCS             0        0     en0
192.168.1.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        5     en0
224.0.0/4          link#16            UmCS            0        0   utun2
224.0.0/4          link#4             UmCSI           1        0     en0
224.0.0/4          link#14            UmCSI           0        0   utun1
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0        4     en0
255.255.255.255/32 link#16            UCS             1        0   utun2
255.255.255.255/32 link#4             UCSI            0        0     en0
255.255.255.255/32 link#14            UCSI            0        0   utun1
255.255.255.255    link#16            UHW3bI          0        1   utun2      6

ifconfig shows this:

utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.56.10.6 --> 10.56.10.5 netmask 0xffffffff 
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet 32.169.252.34 --> 32.169.252.34 netmask 0xfffffc00 

The first VPN is created by a 3rd-party VPN client. The second is the built-in OS X VPN connection, set to default.

The host that I am trying to connect to via the second VPN is in the subnet 32.169.0.0/16.

I've tried to add routing for that specific host, without much success:

sudo route add -host 32.169.111.222 10.56.10.5 -interface utun2

What route would help me add routing to the specific host via both tunnels? Just to be clear: utun1 is just a helper tunnel for utun2.

networking
macos
vpn
routing
asked on Super User Jun 18, 2017 by Pablo
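Reading the second table by hand is error-prone, so here is an added example (not part of the question or either answer) that parses a constructed copy of that netstat -rn excerpt and does longest-prefix matching over it. It shows why a host such as 32.169.111.222 (the address the asker used) is still sent down utun1: the 0/1 and 128.0/1 entries are more specific than any default route, so they win regardless of which default is listed first.

```python
import ipaddress

# Constructed excerpt of the second 'netstat -rn' table from the question
# (columns: Destination Gateway Flags Refs Use Netif; Expire omitted).
ROUTE_TABLE = """\
0/1                10.56.10.5         UGSc            0        0   utun1
default            link#16            UCS             0        0   utun2
default            192.168.1.1        UGScI           1        0     en0
default            10.56.10.5         UGScI           9        0   utun1
128.0/1            10.56.10.5         UGSc            5        0   utun1
32.169.33.64       10.56.10.5         UGHS            0        0   utun1
32.169.252.34      31.169.252.34      UH              0       11   utun2
192.168.1          link#4             UCS             1        0     en0
224.0.0/4          link#16            UmCS            0        0   utun2
"""

def parse_destination(dest):
    """Expand BSD netstat's abbreviated destination into an IPv4Network.
    'default' -> 0.0.0.0/0, '128.0/1' -> 128.0.0.0/1, '192.168.1' -> 192.168.1.0/24,
    and a full dotted quad without a prefix is a host route (/32)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = str(8 * len(octets))  # netstat dropped trailing zero octets
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)

def parse_routes(text):
    """Return (network, gateway, interface) tuples for each table row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6:
            routes.append((parse_destination(fields[0]), fields[1], fields[5]))
    return routes

def lookup(routes, host):
    """Longest-prefix match; on a tie the earlier listed entry is kept."""
    ip = ipaddress.ip_address(host)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for host in ("32.169.111.222", "32.169.33.64", "8.8.8.8", "192.168.1.50"):
        net, gw, iface = lookup(routes, host)
        print(f"{host:16} -> {net} via {gw} on {iface}")
```

Any destination inside 32.169.0.0/16 other than the utun2 endpoint itself only leaves via utun2 if a route more specific than /1 points there.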

2 Answers

0

You will want to do policy routing with iproute2. /etc/iproute2/rt_tables lists the tables, and you can also add your own. Each has a number next to it, which is the priority in which it is processed. You can use 'ip route add' and 'ip rule add' to modify routes and rules. IP rules also have a priority. For both commands, higher-numbered routes and rules are taken last. A route is added to a table, while a rule specifies what kind of source and destination addresses take the specified route and/or routing table. Use the 'table' keyword with 'ip route add' to specify which table to add the route to, and use 'lookup' with 'ip rule add' to specify which table to consult.

I edited this to show an example. Although I have not tested this command syntax or setup, it should be pretty much this easy:

rt_tables:

125 vpn-1
150 vpn-2

ip rules:

ip route add <vpn_1_ip> via <real_default_gw_ip> dev <dev> table main
ip route add <vpn_2_ip> via <vpn_1_ip> dev <dev> table vpn-1
ip route add default via <vpn_2_ip> dev <dev> table vpn-2

Then add rules. Something like this:

ip rule add pref 1000 from <vpn_1_ip> to any lookup main
ip rule add pref 1001 from <vpn_2_ip> to any lookup vpn-1
ip rule add pref 30000 from any to any lookup vpn-2

Although, are you sure you need to do this if you configure the second VPN on top of the first VPN, i.e. through the first VPN, instead of letting it use the default gateway?

answered on Super User Jun 18, 2017 by infinmed • edited Jun 20, 2017 by infinmed
0

Your problem might be that the first VPN server is not configured to accept remote-access VPN connections. Verify with your VPN supplier whether this is indeed the case.

See, for example, this link for configuring what Microsoft calls "Pass-Through VPN":
Configuration of the Company B VPN Server.

answered on Super User Jun 27, 2017 by harrymc

User contributions licensed under CC BY-SA 3.0