Issue with Routing Traffic Separately for Two VPNs (OpenVPN and L2TP)

Got a problem with Viscosity or need help? Ask here!


Posts: 1
Joined: Mon Nov 13, 2023 7:40 am

Post by kalloc » Mon Nov 13, 2023 7:44 am

I'm facing a routing challenge with two VPNs on my macOS: a personal VPN (MyVPN, OpenVPN) and a work-related one (WorkVPN, L2TP). Below are the specifics of my situation:

When connected to MyVPN, I can ping WorkVPN directly, bypassing MyVPN.
Once I connect to WorkVPN, the traffic to WorkVPN's gateway starts going through MyVPN, causing significant latency.
Attempts to add WorkVPN's address to exclusions in Viscosity (both IP and /24 subnets of WorkVPN with net_gateway) were unsuccessful, as macOS still reroutes the traffic through MyVPN.

Additional Information:

MyVPN is set to route all traffic through it.
Static routing attempts before connecting to MyVPN did not resolve the issue.
Routing Tables:

Before connecting to MyVPN:

    $ netstat -anr | grep WorkVPNNET

After connecting to MyVPN:

    $ netstat -anr | grep WorkVPNNET
    WorkVPNNET        UGSc           en0
    WorkVPNHOST/32    UGSc           en0

After connecting to WorkVPN:

    $ netstat -anr | grep WorkVPNNET
    WorkVPNNET        UGSc           en0
    WorkVPNHOST       UH             ppp0
    WorkVPNHOST/32    UCS            utun10
    WorkVPNHOST       UHWIi          utun10

If I first connect to WorkVPN and then to MyVPN, the issue does not occur.

Question: How can I ensure that traffic to WorkVPNHOST/WorkVPN always bypasses MyVPN?

Any guidance or solutions for this configuration would be greatly appreciated.

Thank you!


Posts: 2309
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 14, 2023 1:53 pm
Hi kalloc,

From Viscosity's end it sounds like you're setting things up mostly correctly: based on your description it sounds like all traffic is being routed through the VPN connection, and you've added route/s to exclude the remote address of the L2TP server.

You'll only want to exclude the VPN server's IP address itself though. I don't recommend attempting to exclude the remote network IP range: let the L2TP connection handle this itself. By specifying the routes yourself as part of the connection in Viscosity you'll either end up with the routes remaining in place (meaning the L2TP connection won't be used), or them resulting in a routing clash.

Beyond that, it sounds like the L2TP connection is creating the direct route to the L2TP server (likely to prevent a potential routing loop). I'm afraid we don't use L2TP here at all, so I can only speculate as to why. A few thoughts:

1. It may create the route when all traffic is set to be routed through the VPN connection in a similar fashion to OpenVPN. In which case, try making sure the "Send all traffic over VPN connection" is set to Off when configuring the L2TP connection in macOS.

2. If it creates the route either way and changing the all traffic setting makes no difference to the behaviour, I recommend checking online whether there are any hidden macOS options to control this behaviour. There are a number of hidden macOS VPN options only exposed via command line commands.

3. If you can't find a way to turn the behaviour off, it seems apparent that it's pointing the route at what it considers the "default" network interface to be, which happens to be your OpenVPN connection. You could try changing the DNS Mode for your connection in Viscosity to "Disable" and see if that makes a difference. This will turn off your VPN DNS settings, so please keep that in mind. However, it also disables Viscosity registering the VPN network interface with macOS.

4. Finally, if you're still stuck, you may need to delete the route the L2TP connection creates yourself (i.e. using something like "sudo route delete WorkVPNHOST/32" after connecting).
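A small diagnostic that follows the checks discussed in this thread, added here as an example and not code posted by kalloc, James or the Viscosity project: it parses `netstat -anr` output and reports whether the host route to the L2TP server has ended up on the OpenVPN tunnel interface. The server address (203.0.113.7) and the interface names en0, ppp0 and utun10 are constructed placeholders for WorkVPNHOST and the interfaces in the post, and the column layout (Destination Gateway Flags Netif) is assumed to match what macOS `netstat -anr` prints.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the /32 (or exact
# host) route to the L2TP server points at the OpenVPN tunnel interface.
# 203.0.113.7, en0, ppp0 and utun10 are constructed placeholders.

# Constructed sample modelled on the post's table after connecting to
# MyVPN only: the server's /32 still sits on the physical interface.
AFTER_MYVPN='Destination        Gateway        Flags     Netif
0/1                10.8.0.1       UGSc      utun10
128.0/1            10.8.0.1       UGSc      utun10
203.0.113.0/24     192.168.1.1    UGSc      en0
203.0.113.7/32     192.168.1.1    UGSc      en0'

# Constructed sample modelled on the post's table after also connecting
# to WorkVPN: the host route has been pulled onto utun10.
AFTER_WORKVPN='Destination        Gateway        Flags     Netif
0/1                10.8.0.1       UGSc      utun10
128.0/1            10.8.0.1       UGSc      utun10
203.0.113.0/24     192.168.1.1    UGSc      en0
203.0.113.7        203.0.113.7    UH        ppp0
203.0.113.7/32     10.8.0.1       UCS       utun10
203.0.113.7        10.8.0.1       UHWIi     utun10'

# $1: routing table text, $2: host. Prints the Netif of every route whose
# destination is exactly the host or host/32, de-duplicated and sorted.
host_route_ifaces() {
    printf '%s\n' "$1" | awk -v h="$2" '$1 == h || $1 == (h "/32") { print $4 }' | sort -u
}

# $1: table, $2: host, $3: tunnel interface that must NOT carry the host.
# Returns 0 when no host route uses $3, 1 otherwise.
host_route_avoids() {
    hit=$(host_route_ifaces "$1" "$2" | grep -x "$3" || true)
    if [ -n "$hit" ]; then
        echo "host route to $2 is on $3; only the server IP should be excluded" >&2
        return 1
    fi
    return 0
}

# $1: label, $2: table. Demo over the constructed samples; on a Mac the
# live table would come from: netstat -anr -f inet
report() {
    if host_route_avoids "$2" 203.0.113.7 utun10; then
        echo "$1: ok, server route stays off the OpenVPN tunnel"
    else
        echo "$1: server route is on the OpenVPN tunnel"
    fi
}
report AFTER_MYVPN "$AFTER_MYVPN"
report AFTER_WORKVPN "$AFTER_WORKVPN"
```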
