7 Replies Latest reply: Sep 11, 2012 1:37 PM by vedranr
ollie61 Level 1 (0 points)

I have got OSXServer 10.8 running nicely and have a VPN configured.


The issue I have is that clients connected via the VPN cannot then browse the internet. I have read through the documentation and understand the principles but the details have me a bit lost. eg knowing which IP addresses we are talking about.


Here is the Sever Help Document with my comments and questions......


By using network routing definitions, you can choose whether to route data from VPN clients to an address group through the VPN tunnel (referred to as private) or over the VPN user’s ISP connection (referred to as public). Comment: Understood

For example, you can have all VPN client traffic that goes to the LAN IP address range go through the secure tunnel to the LAN, but make all traffic to other addresses be routed through the user’s normal, unsecured Internet connection.

This helps you have greater control over what goes through the VPN tunnel.

Question:  My LAN IP address range is what?

My static IP assigned by my ISP is 120.xxx.xxx.119

Is this the IP they speak of or are they speaking of 10.x.x.x?



Important notes about VPN routing definitions

  • If no routing definitions are added, traffic is routed through the VPN connection by default.
  • If routing definitions are added, the VPN connection is no longer set as the default route, and traffic destined for addresses not specifically declared as a private route will not go over the VPN connection.
  • DNS lookups go over the VPN connection regardless of the routes that are set.
  • Definitions are unordered. They only apply the description that most closely matches the packet being routed.


Comment: Understood


Suppose your LAN’s IP addresses are 17.x.x.x addresses. If you make no routing definitions, all VPN client network traffic (such as web browser URL requests, LPR printer queue print jobs, and file server browsing) is routed from the client computer through the VPN tunnel to the 17.x.x.x LAN.

You decide that you don’t want to manage all traffic to websites or file servers that aren’t located on your network. You can specify what traffic gets sent to the 17.x.x.x network and what goes through the client computer’s normal Internet connection.

To limit the traffic the VPN tunnel handles, enter a routing definition designating traffic to the 17.x.x.x network as private, which sends it through the VPN tunnel. In the routing definition table you’d enter Private.

Traffic to the LAN is now sent over the VPN connection and, by default, all other addresses not in the definitions table are sent over the client computer’s unencrypted Internet connection.

You then decide that there are a few IP addresses in the 17.x.x.x range that you don’t want accessed over the VPN connection. You want the traffic to go through the client computer’s Internet connection and not pass through the VPN tunnel. The addresses might be outside the firewall and not accessible from the 17.x.x.x LAN.

As an example, to use addresses in the range 17.100.100.x, enter an extra routing definition as follows: Public.

Because the address definition is more specific than 17.x.x.x, this rule takes precedence over the broader, more general rule, and traffic heading to any address in the 17.100.100.x range is sent through the client computer’s Internet connection.

In summary, if you add routes, any routes you specify as private go over the VPN connection, and any declared as public do not. All others not specified also do not go over the VPN connection.

Comment: See above question about IP address

iMac G5, Mac OS X (10.4.6)