VPN insists you connect to the Internet through it?

Hey,

I connect to the Internet via my local LAN over a cable connection. It seems that when I connect to my VPN, all traffic gets routed through the VPN's Internet connection instead of remaining running over my LAN and then to the Internet.

In Network settings, normally it says:

Built-in Ethernet - "Built-in Ethernet is currently active and has the IP address .... You are connected to the Internet via Built-in Ethernet."

VPN (PPTP) - "VPN (PPTP) is configured, but is not connected."

but when I connect to the VPN, it says:

Built-in Ethernet - "Built-in Ethernet is currently active and has the IP address ...."

VPN (PPTP) - "VPN (PPTP) is connected to .... You are connected to the Internet via VPN (PPTP)."

I find that any active connections (e.g. chat, streams, etc.) break and I have to reconnect them after I connect to the VPN. The connection seems to be slower too, as though it is routing all the traffic to the VPN, then through the VPN's Internet connection.

Does anyone know how I can keep the Built-in Ethernet as the Internet connection while connected to the VPN? I can only relate it to the Windows setting to not "use default gateway on remote network".

Posted on Jul 19, 2005 11:27 AM


Jul 19, 2005 11:37 AM in response to Dave 'Trinity' Brown

Someone else may have something else to say, but:
When you are on VPN, you have altered all your network settings so that you are on a secure tunnel, right?
That would mean that once you authenticate into your destination (a desktop machine at the office?), you should be using the browser on that desktop; you are now connected to THAT network (through the tunnel).
The nature of VPN is that a "Virtual Private Network" changes network settings so you are secure.

Things may be slower, since you're connecting into a desktop over routers and through VPN servers behind different firewalls...not your usual straight connection to your DSL/Cable/whatever. I'm not positive about this 😉

VPN client software varies, and it probably depends on the secure servers you're connecting to. Make sense? Should probably ask the admins at the other end of your VPN for the complete details. Hope this helps a bit.

Jul 19, 2005 12:24 PM in response to Dave 'Trinity' Brown

My understanding of the VPN was that it would be a (relatively) secure tunnel into a remote network. Rather than actually altering my connection in any drastic way, I thought it would simply (with the use of the PPTP protocol) make a virtual subnet that would act as though I've got access to the remote network's local subnet.

What seems to happen though (indicated with breaking in transmissions of other connections) is that it dedicates the connection to the Internet to the remote location, and then passes the Internet traffic through it (I could be wrong about this part), but it definitely seems odd that my existing connections would break, and that the Network settings would say that it's connected to the Internet through the VPN.

Jul 20, 2005 1:35 AM in response to Dave 'Trinity' Brown

You're most likely right.

What happens in your case is probably that the default route is through the VPN when it's up.

It could also be that the DNS is "replaced" with your company's (internal) DNS or "none". Look in the VPN connection log to see what's in there.

If you want, publish your netstat -nr (edit any public IPs so as not to reveal the real figures) here so we can see what happens when you're connected.

There are some scripts you can run to fix a default route so you can have a split tunnel. Macintouch had a series of "articles" that described how to do it, probably over a year old though.

Aug 29, 2005 6:40 PM in response to Dave 'Trinity' Brown

Yes, I have found that option. I think it was added in Tiger. I still have a problem though. When I use this less secure method of VPN, I really need my DNS to switch to the one inside my company (through the tunnel). It resolves all the remote addresses like www.apple.com and knows about my company machines too. My ISP's DNS only handles public internet addresses.

It seems to me that this "feature" is missing an important capability. I could specify all my company machines by IP address, but that isn't very friendly.

I'd love a way to uncheck "send all traffic over VPN connection" and still have the DNS specified in /etc/resolv.conf be changed while the VPN is active and put back to what I have in the "network" System Preferences when the VPN is disconnected. When the box is checked, the DNS is switched and the default route goes through the tunnel.

David

Aug 30, 2005 12:03 AM in response to David Zafman

Do you mean if you don't uncheck the "send all traffic over VPN connection" you get the DNS via the VPN tunnel but otherwise not?

What type of VPN server are you connecting to?

You can also try manually adding a DNS IP to the VPN connection in the Network preference panel (don't know if that's always effective or not yet).

I did a couple of tests with or without the "send all traffic..." checked and I didn't always (in fact rather seldom) get a change in resolv.conf.

I also tried getting at services on the remote network by name and it still worked.

Strange.

I also tried a couple of lookups in the Network Utility when connected via VPN and my ISP DNS resolved them (resolv.conf hadn't changed to the VPN setting).

This doesn't seem to be consistent.

Maybe something for Apple to look into?

I'm using Tiger client to Panther (VPN) server.

Sep 2, 2005 11:50 PM in response to Dave 'Trinity' Brown

I have a similar problem. I have a G4 Powerbook which I use at work and at home. When working from home I connect through a VPN network which also goes through the company firewall. I recently installed 10.4 Tiger on an external drive to make sure it would run all software before actually installing it on my powerbook hard drive. I've upgraded the external drive to 10.4.2. It seems to run everything just fine except for two things. When I'm connected through the VPN SAFARI won't open and gives me the message "you are not connected to the internet" and the radio will not work through iTunes. In 10.3.9 both of these things work fine. I believe Tiger has a problem with proxies when working through a VPN. Does anyone have any insight to this problem?

Sep 15, 2005 11:45 PM in response to David Zafman

It's not intuitive, but it can be done. After setting up the VPN connection using Internet Connect and unchecking "send all traffic over VPN connection", close Internet Connect and go to the Network preference pane. Select the VPN connection there and configure it. In the TCP/IP tab, enter your company's DNS server and domain name. Close System Preferences. In my case, I had to log out (or restart, I forget which) in order for this to take effect, but now it behaves exactly as you want it to. Hope this helps.

Best,
David

Oct 15, 2005 6:36 PM in response to Dave 'Trinity' Brown

Hi

I need to use VPN to access files etc at my university when I'm at home and I was just wondering how do I know after unchecking "send all traffic over VPN connection" what traffic is sent over the vpn connection to my university and what is sent over my regular ISP connection? I just want to know so that I don't get in trouble for doing anything while connected to the vpn to my uni.

Thanks

Oct 16, 2005 12:22 AM in response to cookieme

I haven't tested "all possible configurations" but if there is a routing definition ("uni" IP-range) at the server end only the IP-range in the definition should be sent through the tunnel and the rest directly to Internet.

There is also a chance your changing of the setting won't have any effect because the server dictates all (default route) traffic should go through the VPN.

I haven't tested it but I think it should be possible to set up a VPN server to provide Internet access through the tunnel because it would route traffic at the server end to/from Internet. This to be sure any firewall between the internal network at the "uni" and Internet would have to be "traversed" for all traffic - "just like if you were there".

I know one possible setting of a Cisco VPN even prevents you from accessing the local LAN and only lets you go through the VPN when the tunnel is up.
And you can't even see anything of the routes using netstat -rn.
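
Added example, not part of any post in this thread: the replies above suggest reading `netstat -nr` to see where the default route points and which ranges go through the tunnel. This Python sketch parses a constructed BSD/macOS-style routing table and applies longest-prefix matching to report the interface a destination would leave by, with and without a split tunnel; the interface names (en0, ppp0), all addresses, and the rule that an abbreviated destination's mask follows its octet count are assumptions.

```python
import ipaddress

# Constructed sample rows in BSD/macOS `netstat -nr` layout (not from the thread).
# Assumed: en0 = Ethernet LAN, ppp0 = PPTP tunnel, 10.8.0.0/16 = remote network,
# 203.0.113.5 = VPN server, pinned to en0 so tunnel packets do not loop.
HEADER = "Destination  Gateway      Flags  Refs  Use  Netif Expire\n"
REST = """\
10.8/16      ppp0         USc       0    0   ppp0
127          127.0.0.1    UCS       0    0    lo0
192.168.1    link#4       UCS       3    0    en0
203.0.113.5  192.168.1.1  UGHS      1   42    en0
"""
SPLIT_TUNNEL = HEADER + "default  192.168.1.1  UGSc  10  0  en0\n" + REST
FULL_TUNNEL = HEADER + "default  10.8.0.1  UGSc  10  0  ppp0\n" + REST


def to_network(dest):
    """Expand netstat's abbreviated destinations ('127', '10.8/16', 'default')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".")
    if not bits:  # assumption: no explicit mask means 8 bits per octet shown
        bits = str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def parse_routes(text):
    """Return (network, interface) pairs for the IPv4 rows of the table."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        try:
            routes.append((to_network(cols[0]), cols[5]))
        except ValueError:
            continue  # row that is not an IPv4 route
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the most specific route containing ip wins."""
    ip = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, netif) for net, netif in routes if ip in net]
    return max(matches)[1] if matches else None
```

With the split-tunnel table only the 10.8.0.0/16 range resolves to ppp0; with the full-tunnel table every non-local destination does, while the host route to the VPN server stays on en0.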
