This is for once not a security related post, but as I couldn’t find one important detail on the Internet, I thought I’ll share my story.<\/p>\n
When connecting with the MacOS built-in VPN service to a server, MacOS (12, Monterey) will happily accept all the parameters coming from the VPN server: Force their DNS setting, force their IP address routes (in this case route all traffic through VPN), etc. and there is no GUI to change it.<\/p>\n
As I didn’t want to route all traffic through the VPN and as I didn’t want DNS resolutions to go through the VPN (except for certain domains), I wanted to reconfigure MacOS to do as I like. The routing issue was straight forward by adding a couple of specific routes (10.0.0.0\/8) and then telling MacOS to use my usual default gateway in my network (192.168.1.1):<\/p>\n
\r\n\/sbin\/route -nv add -net 10.0.0.0\/8 -interface ipsec0\r\n\/sbin\/route change default 192.168.1.1\r\n<\/pre>\nHowever, when it came to changing the DNS settings, there are many not very helpful<\/a> links that suggest that you change the “Service Order” (you can’t, IKEv2 VPNs do not get a Service entry) via GUI (network settings) or command line (
networksetup<\/code>). So that was not an option.<\/p>\nWhat sounded absolutely plausible is to change the SearchOrder (sometimes shown as just “order” in MacOS tools) of the VPN-DNS server to a higher value. This was attempted by Rakhesh<\/a> but also didn’t work as he explains. He then explains that he overwrites the VPN’s DNS IP address with the one we want (
d.add ServerAddresses * 192.168.1.1<\/code>), but that didn’t work for me either and that just lead to not being able to do DNS resolving at all (my guess would be MacOS then tries to reach 192.168.1.1 via the VPN interface, which doesn’t work). So for me all available approaches didn’t work.<\/p>\nHowever, I found out that I can change something called “PrimaryRank” from “first” to “second”, which then made the DNS server of the VPN disappear as a resolver in the “DNS configuration” section of
scutil --dns<\/code> and everything worked as expected:<\/p>\n\r\n$ sudo scutil\r\n> get State:\/Network\/Service\/E6[REDACTED]57C\r\n> d.show\r\n<dictionary> {\r\n PrimaryRank : First\r\n}\r\n> d.add PrimaryRank Second\r\n> set State:\/Network\/Service\/E6[REDACTED]57C\r\n> exit\r\n<\/pre>\nThe only problem is that I need to change that value back to “first” before I connect again. So the entire script I run and then prompts me to connect the VPN:<\/p>\n
\r\n#!\/bin\/bash\r\n\r\n# OPTIONS: default gateway and DNS server to use for normal Internet connection\r\nGW_TO_USE="192.168.1.1"\r\nDNS_TO_USE="$GW_TO_USE"\r\n\r\n# Run this script after connection in the Network settings of MacOS to the VPN\r\n\r\n# Check if running as root\r\nif [ $EUID -ne 0 ]; then\r\n echo "This script should be run as root." > \/dev\/stderr\r\n exit 1\r\nfi\r\n\r\necho "+ Fixing PrimaryRank to the original value"\r\nscutil << EOF\r\nget State:\/Network\/Service\/E6[REDACTED]57C\r\nd.add PrimaryRank First\r\nset State:\/Network\/Service\/E6[REDACTED]57C\r\nexit\r\nEOF\r\n\r\nread -p "Connect VPN now, then press Enter to continue" <\/dev\/tty\r\n\r\necho "+ Sleeping 3 seconds to make sure VPN is correctly connected..."\r\nsleep 3\r\n\r\n##\r\n# Routing part\r\n##\r\n\r\necho "+ Adding a manual route for VPN IP address range"\r\n\/sbin\/route -nv add -net 10.0.0.0\/8 -interface ipsec0\r\n\r\necho "+ Removing VPN as the default gateway"\r\n\/sbin\/route change default "$GW_TO_USE"\r\n\r\n##\r\n# DNS part\r\n##\r\n\r\necho "+ Last line of \/etc\/resolv.conf:"\r\ntail -1 \/etc\/resolv.conf\r\n\r\necho "+ add DNS for *.example.org in \/etc\/resolver\/example.org, it will be the last line from \/etc\/resolv.conf!"\r\ntail -1 \/etc\/resolv.conf > \/etc\/resolver\/example.org\r\necho "+ Last time we checked this was:"\r\necho 'nameserver 10.15.7.8'\r\n\r\necho "+ Fixing VPN DNS always being used"\r\nscutil << EOF\r\nget State:\/Network\/Service\/E6[REDACTED]57C\r\nd.add PrimaryRank Second\r\nset State:\/Network\/Service\/E6[REDACTED]57C\r\nexit\r\nEOF\r\n\r\necho "+ sleeping for 2 seconds"\r\nsleep 2\r\n\r\necho "+ Your new \/etc\/resolv.conf:"\r\ntail -1 \/etc\/resolv.conf\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"This is for once not a security related post, but as I couldn’t find one important detail on the Internet, I thought I’ll share my story. When connecting with the MacOS built-in VPN service to a server, MacOS (12, Monterey) … Continue reading