Awards
- Community Pick
Overview
Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case, we must manually create persistent routes in order for the VPN clients to communicate with these servers or workstations over the VPN tunnel.
The following routes should be created on the clients and servers only if you do not have an additional router you can access to include the static routes. Often in small business situations the second router is ISP owned and there's no access to create rules of this nature. If you do have a router you can add a static route to the same basic principles apply.
Essentially, you must create a route from the VPN client subnet to the VPN router's internal interface address. IE: If "Company's" Exchange server is on the subnet 10.0.1.0 and uses the gateway 10.0.1.254 but the VPN appliance is 10.0.1.1 and the VPN clients are connecting on the 10.0.100.0 subnet you must create the following routes in order for the connected VPN clients to communicate with the Exchange Server:
Windows
This has been tested on Windows 2000 - Windows 2008 R2. The "-p" makes the route persistent so if it's not it included the route will disappear after the server is restarted.
Adding the Route
Open up an elevated command prompt and type:
Deleting the Route
Open up an elevated command prompt and type:
Mac OS X
Of course this process in OS X is considerably more complicated if you need it to be persistent. We can easily create temporary routes that will clear after the machine restarts. See below.
Adding the Route
Open up the terminal and type (enter the password for the current logged in user when prompted)
Above will add the temporary route that can be removed by simply restarting the machine and it's a good idea to do that as a test before running through the process of creating a persistent route.
Note: All of these commands must be run within the "/System/Library/StartupIt
- 1
- Create a start up item called "AddVPNRoutes"
- 2
- Create a file called "AddVPNRoutes""VI" is a command line based text editor that makes it much much easier to modify files in these system directories. Here is the MAN page for the VI editor VI MAN Page
Once the VI editor is open you must type i to begin insert and copy/paste the following script into the terminal window. Hit "Escape" to exit insert mode and to save and quit you must type ":wq" to write and quit:
- 3
- Create a file "StartupParameters.plist"
Copy/Paste the below code (after typeing i to enable insert mode)
Type Esc and :wq to exit insert mode and to write and quit.
- 4
- You must change the permissions on the .plist file
- 5
- Reboot your computer and verify the route with netstat -nr
Deleting the Route
Simply remove the files we've just created from "/System/Library/StartupIt
Notes
- Creating these system files in Mac OS X can be done using something other than VI but it actually IS much more trouble. There's only 3 VI commands you need for this procedure. i to enable you to insert, Esc to exit insert mode and :wq to write and quit.
- As mentioned before this procedure can be done in most routers for all of your clients and servers. I typically use this method when the company does not have access to a router where these changes can be made, a temporary fix or if the VPN clients only need access to a single resource on a server or workstation.