
Creating Static Routes in Windows and Mac OS X When Servers and Clients Use Separate Gateways from the VPN Clients

Britt Thompson, Sr. Systems Engineer


Often, we set up VPN appliances where the connected clients are placed on a separate subnet, while the company has alternate internet connections and does not use this particular device as the gateway for certain servers or clients. In this case, we must manually create persistent routes so that the VPN clients can communicate with those servers or workstations over the VPN tunnel.

The following routes should be created on the clients and servers only if you do not have access to an additional router on which the static routes could be added. In small business situations the second router is often ISP owned and there is no access to create rules of this nature. If you do have a router you can add a static route to, the same basic principles apply.

Essentially, you must create a route from the VPN client subnet to the VPN router's internal interface address. For example: if "Company's" Exchange server is on the subnet and uses the gateway , but the VPN appliance is and the VPN clients are connecting on the subnet , you must create the following routes in order for the connected VPN clients to communicate with the Exchange Server:


Windows

This has been tested on Windows 2000 through Windows 2008 R2. The "-p" switch makes the route persistent; if it is not included, the route will disappear after the server is restarted.

Adding the Route
Open up an elevated command prompt and type:

route add mask -p


Deleting the Route
Open up an elevated command prompt and type:

route delete mask


Mac OS X

Of course, this process in OS X is considerably more complicated if you need the route to be persistent. Temporary routes, which clear when the machine restarts, are easy to create. See below.

Adding the Route
Open up the Terminal and type the following (enter the password for the currently logged-in user when prompted):

sudo route add -net -netmask -gateway


The command above adds a temporary route that can be removed by simply restarting the machine. It is a good idea to do that as a test before running through the process of creating a persistent route.
Note: All of the following commands must be run within the "/System/Library/StartupItems" directory.


Create a start up item called "AddVPNRoutes"

cd /System/Library/StartupItems
sudo mkdir AddVPNRoutes
cd AddVPNRoutes



Create a file called "AddVPNRoutes". "vi" is a command-line text editor that makes it much easier to modify files in these system directories. Here is the man page for the vi editor: VI MAN Page

sudo vi AddVPNRoutes


Once the vi editor is open, type i to enter insert mode and copy/paste the following script into the terminal window. Hit "Escape" to exit insert mode, then type ":wq" to write the file and quit:

. /etc/rc.common
route add -net -netmask -gateway



Create a file "StartupParameters.plist"

sudo vi StartupParameters.plist


Copy/paste the code below (after typing i to enable insert mode):

Description = "Add Static Routes For VPN Clients";
Provides = ("AddVPNRoutes");
Requires = ("Network");
OrderPreference = "None";


Type Esc to exit insert mode, then :wq to write and quit.


You must change the permissions on the script and the .plist file so the startup item can be executed:

sudo chmod 755 AddVPNRoutes StartupParameters.plist



Reboot your computer and verify that the route is present with netstat -nr.
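The startup item above runs a fixed route command with no checks. As an added example (not the article's own script and not from the author), here is a parameterised version of the same AddVPNRoutes idea in POSIX sh: it validates the subnet, netmask and gateway, refuses a default route or a gateway that lies inside the routed subnet, checks netstat -nr so the route is not added twice, and only runs the real route command when DRY_RUN=0. The addresses 192.168.200.0/255.255.255.0 (VPN client subnet) and 10.0.0.254 (VPN appliance internal address) are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: a checked version of the AddVPNRoutes startup script.
# Sample values below are constructed placeholders, not the article's addresses.
#   VPN_NET  = the subnet the VPN clients are placed on
#   VPN_MASK = its netmask
#   VPN_GW   = the VPN appliance's internal interface address on the server LAN
VPN_NET="${VPN_NET:-192.168.200.0}"
VPN_MASK="${VPN_MASK:-255.255.255.0}"
VPN_GW="${VPN_GW:-10.0.0.254}"
DRY_RUN="${DRY_RUN:-1}"        # set DRY_RUN=0 (as root) to actually add the route

# A real startup item sources rc.common first; do so only when it exists.
if [ -r /etc/rc.common ]; then . /etc/rc.common; fi

# ip_to_int: print a dotted quad as a 32-bit integer (input must be validated first).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_ipv4: succeed only for four decimal octets 0..255 without leading zeros.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_netmask: succeed only for a contiguous mask (all 1-bits, then all 0-bits).
# The inverted mask is then 2^k - 1, which satisfies (inv & (inv + 1)) == 0.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    m=$(ip_to_int "$1")
    inv=$(( (~m) & 0xFFFFFFFF ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# in_subnet ADDR NET MASK: succeed if ADDR lies inside NET/MASK.
in_subnet() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); mm=$(ip_to_int "$3")
    [ $(( a & mm )) -eq $(( b & mm )) ]
}

# check_route_params NET MASK GW: reject malformed values, a default route
# (mask 0.0.0.0), a gateway inside the subnet being routed (the host would try
# to reach the gateway through the new route itself), and a NET that is not
# the base address of the subnet (host bits must be zero).
check_route_params() {
    valid_ipv4 "$1" && valid_ipv4 "$3" && valid_netmask "$2" || return 1
    [ "$2" != "0.0.0.0" ] || return 1
    if in_subnet "$3" "$1" "$2"; then return 1; fi
    n=$(ip_to_int "$1"); m=$(ip_to_int "$2")
    [ $(( n & m )) -eq "$n" ]
}

# route_cmd NET MASK GW: print the exact OS X command the startup item runs.
route_cmd() { echo "route add -net $1 -netmask $2 -gateway $3"; }

# route_present NET: read netstat -nr output from stdin and succeed if NET is
# already listed. OS X prints net destinations with trailing zero octets dropped
# (192.168.200.0/24 appears as 192.168.200/24), so both forms are matched.
route_present() {
    prefix=$(printf '%s' "$1" | sed 's/\(\.0\)*$//; s/\./\\./g')
    grep -q "^$prefix\(\\.0\)*[/ ]"
}

# add_vpn_route: the action performed at boot; returns 2 on bad parameters.
add_vpn_route() {
    if ! check_route_params "$VPN_NET" "$VPN_MASK" "$VPN_GW"; then
        echo "refusing to add route: bad parameters $VPN_NET/$VPN_MASK via $VPN_GW" >&2
        return 2
    fi
    if netstat -nr 2>/dev/null | route_present "$VPN_NET"; then
        echo "route for $VPN_NET already present, nothing to do"
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $(route_cmd "$VPN_NET" "$VPN_MASK" "$VPN_GW")"
        return 0
    fi
    route add -net "$VPN_NET" -netmask "$VPN_MASK" -gateway "$VPN_GW"   # needs root
}

add_vpn_route
```

Run it once with the defaults to see the command it would issue; then, after checking the output, run it as root with DRY_RUN=0 (or install it as the AddVPNRoutes script) to add the route for real.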

Deleting the Route
Simply remove the directory we just created from "/System/Library/StartupItems":

sudo rm -r /System/Library/StartupItems/AddVPNRoutes



Creating these system files in Mac OS X can be done with something other than vi, but it is actually much more trouble. There are only three vi commands you need for this procedure: i to enter insert mode, Esc to exit insert mode, and :wq to write and quit.
As mentioned before, this procedure can be done on most routers for all of your clients and servers at once. I typically use the per-host method when the company does not have access to a router where these changes can be made, as a temporary fix, or when the VPN clients only need access to a single resource on one server or workstation.


