Today I decided to get out of the office and work from the main Brooklyn library branch.  This place always inspires me and surprises me.  Plus I had two library books that were overdue and it would be great to stop the clock on those late fees.

I VPN’ed back into the office and found that my office network (10.0.1.0/24) falls inside the extremely wide range the BPL WiFi system hands out (10.0.0.0/8).  The tunnel itself came up without issue, since the VPN endpoint’s public IP isn’t inside 10.0.0.0/8, but once connected I wasn’t able to ping anything on my office network and, of course, I couldn’t reach the server I needed over SSH either.

A quick read of the routing table (netstat -nr) showed that I should be able to ping one device (10.0.1.1) over the VPN, and indeed I could.  I tried manually adding a route for a host on my office LAN and pointing it at the same gateway IP that was working for that single host (sudo route add -host 10.0.1.36 10.0.1.231), and although I could add the route, it did not help me ping anything on my LAN.

I gave the routing table another look.  This time I wanted to know why I could ping one host and not the others… and there was the answer.  The route that allowed me to ping a single host had the VPN interface (ppp0) specified, while all the other routes for 10.0.0.0/8 used en0.

A quick read of the route(8) man page gave me the answer for a single host:

sudo route add -host 10.0.1.204 -interface ppp0

and for my entire office subnet:

sudo route add -net 10.0.1.0/24 -interface ppp0

What this is doing is saying: for any traffic going to host 10.0.1.204, send it over the VPN interface instead of en0, even though en0’s connected network (10.0.0.0/8) also covers this host.  The -interface flag is the part that matters: a route that names a gateway address inside 10.0.0.0/8 (like my first attempt) gets that gateway resolved on en0, which is why it never worked.  The -net version does the same for the whole office subnet, and because /24 is more specific than the WiFi’s /8, the kernel prefers it.
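The check-then-fix sequence above, as an added example that is not part of the original post: a small script that reads a netstat -nr table, reports whether the office host and subnet already leave through the tunnel, and prints (or, with --apply, runs) exactly the route(8) commands from the post.  It assumes the tunnel interface is ppp0 and the office LAN is 10.0.1.0/24 as described here; the routing table embedded in it is a constructed sample of the broken state, and the --apply path reads the live table on the Mac instead.

```shell
#!/bin/sh
# Added example, not the original author's code. Assumes macOS, a tunnel
# interface named ppp0 and the office LAN 10.0.1.0/24; override via env.
set -eu

VPN_IF="${VPN_IF:-ppp0}"
OFFICE_NET="${OFFICE_NET:-10.0.1.0/24}"
OFFICE_HOST="${OFFICE_HOST:-10.0.1.204}"

# Constructed sample of `netstat -nr -f inet` output in the state the post
# describes: 10/8 is claimed by the library WiFi on en0, and only the VPN
# gateway's own host route points at ppp0.
SAMPLE_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           45        0     en0
10/8               link#5             UCS             2        0     en0      !
10.0.0.1/32        link#5             UCS             1        0     en0      !
10.0.1.1           10.0.1.231         UHr             0        0    ppp0
10.0.1.231         10.0.1.231         UH              0        0    ppp0
127                127.0.0.1          UCS             0        0     lo0'

# netif_for DEST: read a netstat -nr table on stdin and print the Netif of the
# entry whose Destination is DEST, or nothing if there is no such entry.
# netstat abbreviates prefixes ("10/8", "10.0.1/24"), so both spellings are
# canonicalised before comparing; the Netif column is located from the header
# line so the script works whether or not Refs/Use/Expire are present.
netif_for() {
    awk -v dest="$1" '
        function canon(s,   p, m) {
            p = index(s, "/")
            if (!p) return s
            m = substr(s, 1, p - 1)
            while (sub(/\.0$/, "", m)) { }
            return m substr(s, p)
        }
        $1 == "Destination" {
            col = 0
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        col && canon($1) == canon(dest) { print $col; exit }
    '
}

# needs_pinning DEST TABLE: true when DEST has no entry in TABLE, or its entry
# leaves through something other than the tunnel.
needs_pinning() {
    cur="$(printf '%s\n' "$2" | netif_for "$1")"
    [ "$cur" != "$VPN_IF" ]
}

# route_cmd DEST: the route(8) command that pins DEST to the tunnel. A bare
# address gets -host, a prefix gets -net; both use -interface rather than a
# gateway address, because a gateway inside 10/8 would itself be resolved on en0.
route_cmd() {
    case "$1" in
        */*) echo "sudo route add -net $1 -interface $VPN_IF" ;;
        *)   echo "sudo route add -host $1 -interface $VPN_IF" ;;
    esac
}

# plan TABLE: print only the commands still needed for the host and subnet.
plan() {
    for dest in "$OFFICE_HOST" "$OFFICE_NET"; do
        if needs_pinning "$dest" "$1"; then route_cmd "$dest"; fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    # On the Mac itself: read the live table, add only what is missing, verify.
    plan "$(netstat -nr -f inet)" | while read -r cmd; do echo "$cmd"; eval "$cmd"; done
    route -n get "$OFFICE_HOST" | grep interface     # expect: interface: ppp0
else
    plan "$SAMPLE_TABLE"
fi
```

Run without arguments it prints the two route commands for the sample table; run with --apply on the Mac it reads the real table, adds only what is missing, and finishes with route -n get so you can confirm the chosen interface is the tunnel before trying SSH again.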

I don’t expect the -net version of the command to work when the VPN and local WiFi scopes overlap perfectly (both using 192.168.0.0/24, for example), but I am not really sure.  Next time I see a network using 10.0.1.0/24, I’ll give it a try.  What does keep working in that case is the -host form: a /32 route always beats the WiFi’s /24 on prefix length, so the one server you actually need can still be pinned to the tunnel even when the subnets are identical.

This was done on a MacBook Pro running macOS 10.13.5.  The VPN device on the other end is a SonicWall TZ300 running 6.2.9.0-21N.  The VPN protocol was L2TP over IPsec and the VPN client was the built-in macOS VPN client.

Hope this helps someone.