Networking – Mac OS X 10.8 VPN Server: Bypass VPN for LAN traffic (routing LAN traffic to secondary connection)


I have somewhat of an odd setup for a VPN server with OS X Mountain Lion. It's essentially being used as a bridge to bypass my company's firewall to our extranet connection – certain things our team needs to do require unfettered access to the outside, and changing IT policies to allow traffic through the main firewall is just not an option.

The extranet connection is provided through a Wireless-N router (let's call it Wi-Fi X). My Mac Mini server is configured with the connection to this router as the primary connection, thus unfettered access to the internet via the router. Connections to this device on the immediate subnet are possible through the LAN port, but outside the subnet things are less reliable.

I was able to configure the VPN server to provide IP addresses to clients in the range using both PPTP and L2TP, and I'm able to connect to the extranet through the VPN using the standard Mac OS X VPN client in System Preferences, however unsurprisingly, a local address (let's call it returns nothing.

I tried to bypass the limitation of the VPN Server by setting up Routes in the VPN settings. Our company uses 13.x.x.x for all internal traffic, instead of 10.x.x.x, so the routing table looked something like this:

IP Address ---------- Subnet Mask ---------- Configuration                   Private                   Private                  Private                  Public                  Private                  Private                  Private                  Private                 Private

I was under the impression that if nothing was entered here, all traffic was routed through the VPN. With something entered, only traffic specifically marked to go through the VPN would go through the VPN, and all other traffic would be up to the client to access using its own default connection. This is why I had to specifically mark every subnet except 13.x.x.x as Private.

My suspicion is that since I can't reach the VPN server from outside the local subnet, it's not making a connection to the main DNS server and thus can't be reached on the larger network. I'm thinking that entering hostnames like aren't kicked back to the client to resolve, because the server has no idea that the IP address falls in the public range, since I suspect (probably should ping test it but don't have access to it right now) that it can't reach the DNS server to find out anything about that hostname.

It seems to me that all my options for resolving this all boil down to the same type of solution:

Figure out how to reach the DNS with the secondary connection on the server. I'm thinking that if I'm able to do [something] to get my server to recognize that it should also check my local gateway (let's say Server IP == and Gateway IP == From there Gateway IP can tell me to go find DNS Server at and give me information about my internal network. I'm very confused about this path — really not sure if I'm even making sense.

I thought about trying to do this client side, but that doesn't make sense either, since that would add time to each and every client side setup. Plus, it just seems more logical to solve it on the server – I could either get rid of my routing table altogether or keep it – I think the only difference would be that internal traffic would also go through the server – probably an unnecessary burden on it.

Any help out there? Or am I in over my head? Forward proxy or transparent proxy is also an option for me, although I have no idea how to set either of those up. (I know, Google is my friend.)

Best Answer

Well, I give it a shot:

I'm not sure of how to get only some traffic to go through I can solve your problem, but it would take a little changing of your setup. I'm assuming your Mac has two network interfaces, let's call them eth0 and eth1 :-)

we'll assume that eth0 is connected to your work network and has an internal (work network) address of, subnet

we'll also assume that eth1 is connected to your WiFi X and has an address (eth1 <---> WiFi X network) of, subnet, to keep things simple.

I've setup VPN servers on BSD and Linux, but not Mac, however the concept will still be the same, you have options, I'll list one:

1)Ensure that the routing table on the Mac has an entry as follows:

$>sudo route add eth0

What this will do is make sure any traffic coming in over the WiFi X or VPN interface that is destined for your company's network (the 13 network) will make it there. Without this, the Mac (which provides the bridge) really has no way to know how to route traffic between the two interfaces, and by default it will try to send it out of whatever interface is the default, which is WiFi X you stated.

I would undo what you did to the VPN routing table above and try this if its not (hopefully) already there.

If the above doesn't do it please update w/ your VPN Server's routing table and ip address list, or update w/ any fix you came across. Hope this points you in the right direction.