Routing some traffic to alternate interface

Got a problem with Viscosity or need help? Ask here!

Jeremy

Posts: 3
Joined: Thu Jul 21, 2016 4:42 am

Post by Jeremy » Thu Jul 21, 2016 4:58 am
I have a complicated setup and maybe Viscosity cannot manage it on its own, but it seems close, so I thought I'd ask if it can.

I'm running a MacBook with 2 network connections and a VPN.

Connection 1 is a WiFi connection. It can connect to the internet but is heavily filtered, blocking some connections I need. I run Viscosity to create a VPN to an unfiltered internet gateway. I want nearly all traffic to go over the VPN.

Connection 2 is an Ethernet connection to a private local network. It does not have internet access and thus Viscosity cannot use it to set up a VPN because it cannot connect to the VPN server over it.

I need Connection 2 in order to reach a local server that is not accessible from the internet. So I want to set up a route for the private internet to go over Connection 2 with all other traffic going over Connection 1.

So far, it seems I have to bring up the network in the following order: Connection 1, VPN, Connection 2. Otherwise Viscosity does not find the VPN server or connections fail because they are blocked by the connections' firewalls.

If I add the route for the local server in the VPN configuration, it attaches to the VPN tunnel interface and does not switch to Connection 2 when it comes up. Currently I have to manually (from the terminal) add the route after Connection 2 comes up in order to properly route the traffic.

What I cannot figure out is how to set up a route in Viscosity that will switch to Connection 2 when Connection 2 comes up. Is this possible?

James

Posts: 2317
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jul 29, 2016 2:05 am
Hi Jeremy,

It sounds like your secondary interface doesn't have a gateway set, in which case it's not going to be possible to make use of OpenVPN's routing syntax to route to it (as it requires a destination gateway). If you need a custom interface scoped route you'll need to add one yourself - you can make use of Viscosity's Connected/Disconnected AppleScript support or OpenVPN's up/down scripting support to automatically add and remove such a route if desired.

However, if the server is on the same range as your secondary interface's network (e.g. the network is 192.168.0.x, and your server's IP is 192.168.0.123) then it shouldn't be necessary to add a route. macOS will prioritise the local subnet range over the VPN's routes in such an instance. The only reason this might not be happening is if there is a network range clash, in which case simply changing the IP range of your local network or remote VPN network should work. I'd recommend checking the OpenVPN log to see whether it has any warnings regarding a clash - please see the following support article for more information regarding such warnings:
http://www.sparklabs.com/support/kb/art ... connected/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
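The up-script approach James describes, as an added example that is not part of the original thread, of Viscosity, or of OpenVPN: a macOS shell script that waits for the Ethernet interface's DHCP router to appear and then adds a gateway route for the private range, the way Jeremy does by hand with "route add". The interface name en0, the range 10.20.0.0/16, the wait limit and the use of ipconfig getoption for the DHCP router are assumptions.

```shell
#!/bin/sh
# Added example, not Viscosity's or the original poster's script.
# Assumed values: override them via the environment.
IFACE="${IFACE:-en0}"                      # assumed BSD name of the Ethernet service
PRIVATE_NET="${PRIVATE_NET:-10.20.0.0/16}" # assumed range reachable only via IFACE
WAIT_SECS="${WAIT_SECS:-120}"              # give up after this long without a gateway

# Build the macOS route command for a network via a gateway. A /16 is more
# specific than the VPN's split default routes, so the kernel prefers it.
route_cmd() {
    # $1 = interface (kept for logging), $2 = network in CIDR form, $3 = gateway
    printf 'route -n add -net %s %s\n' "$2" "$3"
}

# DHCP-assigned router of an interface, or empty while the interface is down.
dhcp_gateway() {
    ipconfig getoption "$1" router 2>/dev/null
}

# Poll until the interface has a gateway, add the route, then verify that the
# kernel really resolves a host in the range to that interface.
add_private_route() {
    iface="$1"; net="$2"; limit="$3"; waited=0
    while [ "$waited" -lt "$limit" ]; do
        gw="$(dhcp_gateway "$iface")"
        if [ -n "$gw" ]; then
            echo "adding $net via $gw on $iface" >&2
            eval "$(route_cmd "$iface" "$net" "$gw")" >/dev/null 2>&1 || true
            # route get on the first host of the range reports the chosen interface
            if route -n get "${net%/*}" 2>/dev/null | grep -q "interface: $iface"; then
                return 0
            fi
            echo "route for $net did not land on $iface" >&2
            return 1
        fi
        sleep 2; waited=$((waited + 2))
    done
    echo "no DHCP gateway on $iface after ${limit}s" >&2
    return 1
}

# Only perform the live steps on macOS; the helpers stay usable elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    add_private_route "$IFACE" "$PRIVATE_NET" "$WAIT_SECS"
fi
```

Run it from the VPN's up script (or Viscosity's Connected AppleScript) in the background so the VPN connection is not held up while it waits; the matching down script removes the route with "route -n delete -net" using the same values.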

Jeremy

Posts: 3
Joined: Thu Jul 21, 2016 4:42 am

Post by Jeremy » Fri Jul 29, 2016 2:37 am
Thanks for taking a swing at this, James.

The server is not on the local net. Connection 2 gets an address, gateway, and netmask set by DHCP when the connection comes up. After it comes up I can add the routes I want using "route add" from the terminal.

The problem is that at the time the VPN network comes up, Connection 2 is down. It has to be in order to ensure the VPN itself does not try to use Connection 2. I don't see a way to add the route at the time the VPN comes up (because Connection 2 is still down and has no gateway set) or to trigger a script when Connection 2 comes up but only if the VPN is already up.
BTW, how do I ensure that all DNS requests are still going to the VPN's DNS server after Connection 2 comes up and gets a DNS server assigned by DHCP?

James

Posts: 2317
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jul 29, 2016 2:23 pm
Hi Jeremy,

It shouldn't be necessary to disable your Ethernet connection while connecting to the VPN. Simply adjust the Service Order (under Apple Menu->System Preferences->Network->Cog Icon->Set Service Order...) so your Wi-Fi connection is above your Ethernet connection. Your Wi-Fi's connection will then be used by default for addresses that aren't reachable locally.

BTW, how do I ensure that all DNS requests are still going to the VPN's DNS server after Connection 2 comes up and gets a DNS server assigned by DHCP?
Viscosity automatically takes care of this. Instructions for confirming this can be found at:
http://www.sparklabs.com/support/kb/art ... being-used

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs