Community Pick: Many members of our community have endorsed this article.

Creating Static Routes in Windows and Mac OS X When Servers and Clients Use Separate Gateways from the VPN Clients

Britt ThompsonSr. Systems Engineer
Published:
Browse All Articles > Creating Static Routes in Windows and Mac OS X When Servers and Clients Use Separate Gateways from the VPN Clients

Overview

Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case, we must manually create persistent routes in order for the VPN clients to communicate with these servers or workstations over the VPN tunnel.

The following routes should be created on the clients and servers only if you do not have an additional router you can access to include the static routes. Often in small business situations the second router is ISP owned and there's no access to create rules of this nature. If you do have a router you can add a static route to the same basic principles apply.

Essentially, you must create a route from the VPN client subnet to the VPN router's internal interface address. IE: If "Company's" Exchange server is on the subnet 10.0.1.0 and uses the gateway 10.0.1.254 but the VPN appliance is 10.0.1.1 and the VPN clients are connecting on the 10.0.100.0 subnet you must create the following routes in order for the connected VPN clients to communicate with the Exchange Server:


Windows

This has been tested on Windows 2000 - Windows 2008 R2. The "-p" makes the route persistent so if it's not it included the route will disappear after the server is restarted.


Adding the Route
Open up an elevated command prompt and type: 

route add 10.0.100.0 mask 255.255.255.0 10.0.1.1 -p

Open in new window


Deleting the Route
Open up an elevated command prompt and type: 

route delete 10.0.100.0 mask 255.255.255.0 10.0.1.1

Open in new window



Mac OS X

Of course this process in OS X is considerably more complicated if you need it to be persistent. We can easily create temporary routes that will clear after the machine restarts. See below.


Adding the Route
Open up the terminal and type (enter the password for the current logged in user when prompted) 

sudo route add -net 10.0.100.0 -netmask 255.255.255.0 -gateway 10.0.1.1

Open in new window


Above will add the temporary route that can be removed by simply restarting the machine and it's a good idea to do that as a test before running through the process of creating a persistent route.
Note: All of these commands must be run within the "/System/Library/StartupIt ems" directory

1

Create a start up item called "AddVPNRoutes" 


cd /System/Library/StartupItems
                      sudo mkdir AddVPNRoutes
                      cd AddVPNRoutes

Open in new window

2

Create a file called "AddVPNRoutes""VI" is a command line based text editor that makes it much much easier to modify files in these system directories. Here is the MAN page for the VI editor VI MAN Page 

sudo vi AddVPNRoutes

Open in new window


Once the VI editor is open you must type i to begin insert and copy/paste the following script into the terminal window. Hit "Escape" to exit insert mode and to save and quit you must type ":wq" to write and quit: 

#!/bin/sh
                      . /etc/rc.common
                      route add -net 10.0.100.0 -netmask 255.255.255.0 -gateway 10.0.1.1

Open in new window

3

Create a file "StartupParameters.plist" 

sudo vi StartupParameters.plist

Open in new window


Copy/Paste the below code (after typeing i to enable insert mode) 

{
                      Description = "Add Static Routes For VPN Clients";
                      Provides = ("AddVPNRoutes");
                      Requires = ("Network");
                      OrderPreference = "None";
                      }

Open in new window


Type Esc and :wq to exit insert mode and to write and quit.

4

You must change the permissions on the .plist file 

sudo chmod 755 AddVPNRoutes StartupParameters.plist

Open in new window

5

Reboot your computer and verify the route with netstat -nr

Deleting the Route
Simply remove the files we've just created from "/System/Library/StartupIt ems" 

sudo rm -r /System/Library/StartupItems/AddVPNRoutes

Open in new window



Notes

Creating these system files in Mac OS X can be done using something other than VI but it actually IS much more trouble. There's only 3 VI commands you need for this procedure. i to enable you to insert, Esc to exit insert mode and :wq to write and quit.
As mentioned before this procedure can be done in most routers for all of your clients and servers. I typically use this method when the company does not have access to a router where these changes can be made, a temporary fix or if the VPN clients only need access to a single resource on a server or workstation.

Sources

Adding Routes in Windows XP
VI MAN Page
2
11,574 Views
Britt ThompsonSr. Systems Engineer

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.