Accessing local resources over VPN

If you’ve ever tried to access local resources, such as a NAS, over your VPN connection but have not been able to connect to the server, this article is here to help! After hours of searching I have found not only why it goes wrong, but also how to fix it on macOS automatically, every time you connect to your VPN.

What’s going on?

What’s happening is that the local network you are connected to and the remote network behind the VPN are using the same IP range. Since the most common home network range is 192.168.1.0/24, many of the places from which you will want to reach your home NAS share that range. macOS already has a route for 192.168.1.0/24 through the directly connected interface (such as en0), and that route is more specific than the default route the VPN installs, so packets for your NAS are delivered to the local network instead of through the tunnel.

At this point, most home users have two options:

  1. Change your home network IP range to something uncommon. If you don’t have a lot of static IPs or port forwarding rules set up, this is easy enough. But if you, like me, have those, you are better off with option 2.

  2. Use a local routing rule to tell macOS to route the colliding IP range through your VPN connection specifically.

Setting up the local routing rule

First, make sure the VPN is configured correctly and is routing traffic:

In Network Preferences, click the three small dots in the left sidebar and choose “Set service order”.

Ensure that the VPN connection is at the top. Then select the VPN connection, click “Advanced” and ensure that “Send all traffic over VPN connection” is checked.

Now open Terminal and, as a superuser, create the file /etc/ppp/ip-up with the following contents, substituting your colliding IP range. pppd runs this script every time a PPP link comes up, which is the case for L2TP/IPsec and PPTP connections; an IKEv2 VPN does not use pppd (it appears as a utun interface), so this script will not run for it.

#!/bin/sh
# Run by pppd when the PPP link comes up. pppd passes the new interface
# name (normally ppp0) as $1, so use it instead of hard-coding ppp0.
# Template: /sbin/route add -net <SUBNET> -interface "$1"
# The two /25 halves cover all of 192.168.1.0/24 but are more specific
# than the /24 route macOS holds for the directly connected LAN.
/sbin/route add -net 192.168.1.0/25 -interface "$1"
/sbin/route add -net 192.168.1.128/25 -interface "$1"

After the file is created, make it executable (pppd will not run it otherwise):

sudo chmod 0755 /etc/ppp/ip-up

Now, every time your VPN connects, these routes are added and you should be able to reach local resources on your remote network. To confirm, run the following (substituting an address on the remote network) and check that the output names ppp0 as the interface:

route -n get 192.168.1.213

And don’t worry: when you disconnect, the routes disappear with the interface, because the kernel removes routes bound to an interface when that interface goes away.

Why does this work?

The reason this works is the “longest prefix match” rule: when several routes cover a destination, the kernel picks the one with the longest prefix. Your two /25 routes are more specific than the /24 route macOS installs for the directly connected local network, so they are preferred. A packet for, say, 192.168.1.213 now matches 192.168.1.128/25 via ppp0, which is your VPN, rather than 192.168.1.0/24 via the local interface. This is also why the range is split into two /25s instead of being added as a single /24: a second /24 would be no more specific than the one already in the table.
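To make the rule concrete, here is an added example (not code from the original post) that implements longest-prefix-match lookup in plain POSIX sh over a constructed routing table mirroring the situation above: a directly connected 192.168.1.0/24 on en0, the VPN’s default route on ppp0, and the two /25 routes the ip-up script adds. The interface names and table entries are assumptions for illustration; the script only models the kernel’s choice and never touches the real routing table.

```shell
#!/bin/sh
# Added example, not code from the original post: a longest-prefix-match
# lookup in plain POSIX sh over a constructed routing table. It models
# which route the kernel would select; it does not change any real routes.
# Interface names (en0, ppp0) and table entries are assumptions.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# The body runs in a subshell so the IFS change stays local.
ip2int() (
    IFS=.
    set -- $1            # split the address into its four octets
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Netmask (as an integer) for a prefix length of 0..32.
plen2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# lookup DEST TABLE: print the interface of the most specific route in
# TABLE (one "prefix/len interface" entry per line) that covers DEST.
lookup() {
    dest=$(ip2int "$1")
    best_len=-1
    best_if=none
    while read -r route iface; do
        [ -n "$route" ] || continue
        net=${route%/*}
        plen=${route#*/}
        mask=$(plen2mask "$plen")
        # The route matches when DEST and the route's network agree on
        # every bit covered by the mask.
        [ $(( dest & mask )) -eq $(( $(ip2int "$net") & mask )) ] || continue
        # Longest prefix wins; an equal-length entry seen later does not
        # replace an earlier one.
        if [ "$plen" -gt "$best_len" ]; then
            best_len=$plen
            best_if=$iface
        fi
    done <<EOF
$2
EOF
    echo "$best_if"
}

# Constructed table before the ip-up script runs: the LAN is directly
# connected on en0 and "Send all traffic over VPN" only adds a default
# route through ppp0, so the /24 wins for every 192.168.1.x address.
BEFORE="0.0.0.0/0 ppp0
192.168.1.0/24 en0"

# Constructed table after ip-up has added the two /25 routes.
AFTER="$BEFORE
192.168.1.0/25 ppp0
192.168.1.128/25 ppp0"

route_before() { lookup "$1" "$BEFORE"; }
route_after()  { lookup "$1" "$AFTER"; }

for ip in 192.168.1.213 192.168.1.5 10.8.0.3; do
    printf '%-14s before: %-5s after: %s\n' \
        "$ip" "$(route_before "$ip")" "$(route_after "$ip")"
done
```

Running it shows both 192.168.1.x addresses moving from en0 to ppp0 once the /25 routes are present, while an address outside the colliding range (10.8.0.3) takes the default route through ppp0 in both cases.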

Pretty cool, right?
