VPN Tunnelbear Manual Configuration Options

Some background: I'm attempting to share my Internet connection over WiFi while manually connecting to the TunnelBear servers (a VPN service). This means that I'm not using the TunnelBear app, but rather got the backend L2TP settings from tech support at TunnelBear. You cannot share the TunnelBear service using their native app (I've confirmed this with TunnelBear).


This is what I can successfully do: create the TunnelBear VPN account in Network Settings (using L2TP settings from TunnelBear). Connect to the TunnelBear server and log in. And even share the VPN network over WiFi.


What I cannot do is get a fast connection to the VPN server when I've manually configured the account in this manner.

TunnelBear App (US server)

TunnelBear Manual Settings (US Server)


No VPN (Actual location)


I've tried messing with the MTU number on the incoming ethernet connection (up and down, to some commonly known VPN numbers, and to the lowest size), but this has had no effect. I'm using all Google's DNS servers (on the VPN connection, and on the ethernet connection) and I've also tried logging in directly to TunnelBear's IP address. I've also altered the service order (via Set Service Order) to every possible option. And I have tried it with and without "Send all traffic over VPN connection". None of this has changed the download speed.


So there you go. I'm stumped as to why the manual setup would be so much slower than the app's setup. I also don't know what else to try to get the VPN connection to behave. I'm willing to purchase Server.app, if anyone thinks that setting up the VPN there will work better.


I'm using a MacBook Air, with OSX 10.9.4

MacBook Air (13-inch, Mid 2012), OS X Mountain Lion (10.8.2)

Posted on Aug 1, 2014 10:15 AM

Question marked as Best reply

Posted on Aug 8, 2014 2:31 AM

This is an update for anyone else having the same problems. I've solved this problem with a little help from a few other websites. The complete steps are below after the intro.


TunnelBlick: https://code.google.com/p/tunnelblick/

OVPN files from TunnelBear: https://www.tunnelbear.com/development/linux_support/

For the configurations check out this awesome post: http://rodrigo.sharpcube.com/2010/06/20/using-and-sharing-a-vpn-connection-on-your-mac/


Intro:


First, I've confirmed with TunnelBear customer support that L2TP is too slow to really work for my uses. From the TunnelBear support bears: "L2TP is an alternative way of connecting to our servers, the normal app version connects via OpenVPN which is a different protocol and quite a bit faster. Unfortunately this is a side effect of the current workaround we are using coupled with the fact that you'll always see some kind of speed drop with a VPN connection as is."


As an aside, I'd like to say that the TunnelBear support services were great! They gave me all the advanced configuration settings I needed to make the L2TP configuration work. Still, the L2TP settings weren't enough to make the connection strong enough. So, I needed a new workaround that actually lets me manually route through the MacBook Air without using the "Share My Internet" connection. So here are the steps to make your TunnelBear Giant or Grizzly account work with an Apple TV abroad. Please note, I don't think these settings will work with a free account.

Step 1:

You need to connect your Apple TV and MacBook to the same router or hub using ethernet cables; as far as I know, this will not work over WiFi. AirPlay over WiFi will still work as long as the AppleTV is on the same network that is creating the WiFi.

Step 2:

Download TunnelBlick (for Mavericks you might need the beta version, depending on what's been recently released; this is a free download) and the OpenVPN configuration files from TunnelBear (zip file). Don't install TunnelBlick yet.

Step 3:

Unzip the TunnelBear configuration files, and move this entire unzipped directory to wherever you want it to permanently live on your machine. If you want to connect your Apple TV to a US server, locate the following file in the TunnelBear unzipped directory from Step 2: "TunnelBear United States.ovpn". Duplicate this file, and rename it "TunnelBear United States_push.ovpn". If you want to use a different server (UK, for example), just choose the UK ovpn file.


Step 4:

Open "TunnelBear United States_push.ovpn" with TextEdit (right-click --> Open With --> Other --> TextEdit.app). Once you have the file open, add the following line to the file at the end:

push "redirect-gateway def1"

including the "". Save and close the file. To read about what this addition does, see the OpenVPN.net guide.

Step 5:

Install TunnelBlick; when prompted, enter your admin password to install the application. When TunnelBlick asks you if you have configuration files, select yes. Once TunnelBlick is installed and running, locate the "TunnelBear United States_push.ovpn" file and double click it. This should launch TunnelBlick and ask you for your user name and password. Here enter the password and user name that you used for your TunnelBear Giant or Grizzly account (email and password, usually). At this point TunnelBlick should have confirmed that you have successfully connected to the server; if it is not connected, check your regular Internet connection, and your user name and password for TunnelBear.


Step 6:

Now that you've successfully connected to the VPN on your Mac, you need to make a few more changes to let you share this connection with your Apple TV. Namely, you need to turn your MacBook into a gateway. For most of the next steps, I used this great guide.


Open your favorite text editor and create a new file. Paste the following lines in it:

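#!/bin/sh
# NAT traffic that leaves through the VPN tunnel interface
natd -interface tun0
# Remove all existing firewall rules
ipfw -f flush
# Pass packets crossing tun0 through natd for address translation
ipfw add divert natd ip from any to any via tun0
# Allow all other traffic
ipfw add pass all from any to any
# Let the Mac forward packets between interfaces
sysctl -w net.inet.ip.forwarding=1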

Save this file as "natvpn.sh". Make sure this is a text only file, and not a rich text document.


Step 7:

Now you need to make your new shell file executable. So, open up Terminal. Navigate to the folder where you made your natvpn.sh file (if you are new to Terminal, try Apple's guide). Once you are in the same directory as natvpn.sh, enter:


chmod 755 natvpn.sh


This is the command for Mavericks. For previous versions of OSX this command may be different. At this point, you should connect to the TunnelBear server using TunnelBlick, if you are not already connected.


Step 8:

Now that you have your shell file as executable, in Terminal enter:

sudo ./natvpn.sh

It will prompt you for your system password and may give you a warning; enter your password and hit enter. If all is going well, Terminal should output:

Flushed all rules.
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any
net.inet.ip.forwarding: 0 -> 1

Hurray! Your MacBook is now working as a gateway. Note: If this didn't happen, you may have Internet sharing turned on in your System Preferences. Make sure this is not on, and try again. Otherwise see the troubleshooting guidelines here.


Step 9:

Now that your MacBook is acting as a gateway, you need to connect your AppleTV through your MacBook. First, you'll need your MacBook's IP address. You can get this via System Preferences --> Network --> select your active ethernet network, and find the IP Address, it should be something like 192.168.0.10. Write down the IP address.


Step 10:

Turn on your AppleTV. It should be hardwired to the same router as your MacBook. As I said above, this will not work over WiFi. On your AppleTV go to Settings --> General --> Network --> Ethernet --> Configure IP --> Manual


The AppleTV should now prompt you to enter several different settings:

IP Address - Don't change this

Subnet Mask - Don't change this

Router - Here enter the IP address of your MacBook air, in our example it will be 192.168.0.10

DNS - Here you should use an Open DNS server of your choice, for GoogleDNS use 8.8.8.8


Step 11:

Once you've entered those settings, your AppleTV should cycle through and apply the changes. Sometimes, you have to restart your AppleTV to make it work (not always). Once this is done, your AppleTV should be using your MacBook as a gateway and you should be able to use Netflix, Hulu Plus, or whatever you want over your VPN.


Some Notes:

If you reset your network, the IP address of your MacBook may change, in which case you need to reconfigure your Apple TV. If you restart your computer, your IP address might change also, and you'll need to reconfigure the Apple TV. Also, if you turn off your VPN network, your Apple TV will stop working. Also, when you restart your MacBook, you may need to rerun the "natvpn.sh" file. For advanced troubleshooting, check out this article. If you have other questions, ask me below.

Aug 9, 2014 5:27 AM in response to Cody.Pope

Thanks very much for supplying your own answer. It should help a lot of people!


I'm not sure step 1 is correct about needing to use Ethernet connections. I don't see any reason that the AppleTV can't be connected via WiFi. It is a little trickier for the Mac running Tunnelblick, though, because of the way the VPN routing works, so I can understand how that could be problematic.


I have two corrections that may prevent confusion.


First, in step 4, you say to add

push "redirect-gateway def1"

to the configuration file. However, that won't work. OpenVPN's "push" option tells a server (a Tunnelbear or other OpenVPN server) to push the rest of the line to the client (your computer). What you want is:

redirect-gateway local def1

which tells the OpenVPN client (your computer) to send/receive all traffic through the VPN and that they are on the same network.


As an alternative to mucking about in the configuration file, Tunnelblick has a "Route all traffic through the VPN" checkbox to do this. The checkbox is on the "While Connected" tab of the "Advanced" settings page and applies to all connections that are selected on the "VPN Details" page.


Second, in step 5, you say to enter your Tunnelbear account username/password after double-clicking the "TunnelBear United States_push.ovpn" file. Actually, when you double-click that file using the "stable" version of Tunnelblick, nothing will happen (unless some other program does something). The "beta" version of Tunnelblick will ask you for your computer admin username/password so it can install the configuration as a Tunnelblick VPN configuration.

Once the configuration is installed as a Tunnelblick VPN configuration, you can connect to it using either of Tunnelblick's regular methods: click the Tunnelblick icon, then click "Connect Tunnelbear UnitedStates_push", or click the Tunnelblick icon, then "VPN Details", then "Connect" in the window that appears. When you connect to the VPN, Tunnelblick will ask for the VPN username/password -- the username and password that Tunnelbear supplied. That login window also allows you to save the username and password in the Keychain. If you save them in the Keychain, you won't be asked for them again -- Tunnelblick will take them from the Keychain and supply them to Tunnelbear directly each time you connect the VPN. If you don't save them in the Keychain, you will be asked for them each time you connect the VPN.

I'm the Tunnelblick developer, so I'm pretty confident that the above is correct. But I have two caveats:

  1. Some other program may do something if you double-click the "TunnelBear United States_push.ovpn" file -- it depends on what is installed on your computer. (Tunnelblick versions 3.4beta30 and higher will attempt to install the OpenVPN configuration as a Tunnelblick VPN Configuration.)
  2. I don't know anything about the "sharing" part of this (which, I admit, is the main point of your post!) -- but you are right to link to Rodrigo's post about it -- Rodrigo is a great resource for this.


Finally, some advice for everyone:

  • The beta version of Tunnelblick is usually the best one to use. It is usually about as stable as the "stable" version and fixes some bugs in the "stable" version, and usually only has bugs in new features or that affect only very unusual setups.
  • Tunnelblick has an option to connect to the VPN as soon as you are logged in.


Again, thanks to Cody for posting this very informative information.
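
The push versus redirect-gateway distinction from the reply above can be checked mechanically before a config is installed. The following is an added example, not code from any poster in this thread or from Tunnelblick; the function name lint_ovpn and the sample config (including the host vpn.example.invalid) are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an OpenVPN *client* config for the mix-up in this thread.
# lint_ovpn FILE prints one finding per line and returns 1 if a server-side
# `push` directive is present, 0 otherwise. (lint_ovpn is a hypothetical name.)
lint_ovpn() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*([#;]|$)/ { next }          # skip comments and blank lines
        $1 == "push" {
            printf "line %d: push is a server-side directive, not a client one: %s\n", NR, $0
            bad = 1
            next
        }
        $1 == "redirect-gateway" {
            flags = ""
            for (i = 2; i <= NF; i++) flags = flags (i > 2 ? " " : "") $i
            printf "line %d: client-side redirect-gateway, flags: %s\n", NR, (flags == "" ? "(none)" : flags)
            seen = 1
        }
        END {
            if (!seen) print "note: no client-side redirect-gateway line found"
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: a client config with Step 4's line appended.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
client
dev tun0
remote vpn.example.invalid 443
push "redirect-gateway def1"
EOF
lint_ovpn "$sample" || echo "=> use a client-side redirect-gateway line instead"
rm -f "$sample"
```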

Sep 12, 2015 7:08 AM in response to Cody.Pope

Hi Folks,


Great, helpful article! One small problem if you're using Yosemite - the shell file does not execute properly as some of the commands used are deprecated; namely 'natd' and 'ipfw'.


There is a post by a user named 'Dyn' in this article that hints at a solution, but it requires some amendment to work. I don't know what those amendments are 😟


Hopefully someone can 'Yosemite-ify' the shell commands for Yosemite users and update the article.
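
A pf-based counterpart to the natd/ipfw script from the steps above, as an added example that is not from any poster in this thread. It assumes a LAN of 192.168.0.0/24 (inferred from the thread's example address 192.168.0.10) and the tun0 interface used in the original script; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pf(4) counterpart of the thread's natd/ipfw natvpn.sh.
# Assumptions: LAN is 192.168.0.0/24; the VPN interface is tun0 as in the
# original script (confirm the actual name with ifconfig).

# Accept only plain interface names such as tun0, utun1, en0.
valid_if() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
        [a-z]*[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only dotted-quad/prefix notation, e.g. 192.168.0.0/24.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print a pf ruleset that NATs LAN clients out through the VPN interface.
render_pf_nat() {
    vpn_if=$1
    lan_net=$2
    valid_if "$vpn_if" || { echo "bad interface: $vpn_if" >&2; return 1; }
    valid_cidr "$lan_net" || { echo "bad network: $lan_net" >&2; return 1; }
    cat <<EOF
# Replaces: natd -interface $vpn_if plus the ipfw divert rule
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)
# Replaces: ipfw add pass all from any to any
pass all
EOF
}

# Load the rules and enable forwarding. Needs root; runs only with --apply.
apply_pf_nat() {
    rules=$(mktemp /tmp/natvpn.XXXXXX) || return 1
    render_pf_nat "$1" "$2" > "$rules" || { rm -f "$rules"; return 1; }
    # -n parses without loading, so a syntax error never reaches the kernel.
    pfctl -n -f "$rules" || { rm -f "$rules"; return 1; }
    # Loading replaces the main ruleset, much as 'ipfw -f flush' did.
    pfctl -f "$rules"
    rc=$?
    rm -f "$rules"
    [ "$rc" -eq 0 ] || return "$rc"
    pfctl -e 2>/dev/null || true   # -e reports an error if pf is already on
    sysctl -w net.inet.ip.forwarding=1
}

if [ "${1:-}" = "--apply" ]; then
    apply_pf_nat "${2:-tun0}" "${3:-192.168.0.0/24}"
fi
```

Saved under a name of your choice (natvpn-pf.sh here is hypothetical), it is run as `sudo ./natvpn-pf.sh --apply tun0 192.168.0.0/24` after the VPN is connected.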
