If you are connecting to a Unifi L2TP Server type Remote User VPN and you haven’t selected the “Send all traffic over VPN connection” option under advanced settings on the Mac, you will need to set routes so you can access a LAN or LANs behind your UDM.
![](https://toggen.com.au/wp-content/uploads/2022/01/Screen-Shot-2022-01-18-at-7.24.24-pm.png)
If you are wondering what is being passed to /etc/ppp/ip-up, echo the arguments to /tmp/ip-up by uncommenting the “# echo \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" \"$6\" >> /tmp/ip-up” line.
I want to set routes based on the IP of the remote VPN-Server so argument $5 is the one that I have put into the case block to add routes.
I found I didn’t need an /etc/ppp/ip-down script because the routes added by /etc/ppp/ip-up go away when the ppp0 connection created by the L2TP / IPSec tunnel goes away.
Create an ip-up script to set routes when L2TP/IPSec connection comes up on MacOS
This script was on the Unifi forums but posting here so I can find it easier than I did last time.
```bash
#!/bin/bash
# /etc/ppp/ip-up
# uncomment this and start the connection to your UDM/USG to check what is being passed to this script
# escaping the quotes is needed because one of the arguments is there but empty
# echo \"$0\" \"$1\" \"$2\" \"$3\" \"$4\" \"$5\" \"$6\" >> /tmp/ip-up
# $0 $1 $2 $3 $4 $5 $6
# this-script interface-name tty-device speed local-IP-address remote-IP-address local-gateway
# "/etc/ppp/ip-up" "ppp0" "" "0" "192.168.73.1" "10.255.255.0" "192.168.1.1"
case "$5" in
    # Based on vpn-server-ip, do different things
    10.255.255.0)
        # route the LAN subnets behind the UDM via the VPN server address
        /sbin/route add 10.197.4.0/24 10.255.255.0
        /sbin/route add 10.11.12.0/24 10.255.255.0
        # anything else could also go here
        ;;
    some.other.ip.address)
        # some.other.ip.address could be another VPN server and you can
        # do different stuff here.
        ;;
    yet.another.ip.address)
        ;;
    *)
        ;;
esac
exit 0
```
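A more defensive variant of the script above, as an added example (not the forum script or the author's own): pppd runs /etc/ppp/ip-up as root, so this version validates the remote address in $5 before using it and logs through logger instead of appending to a file in /tmp. The function names and the `ip-up` log tag are assumptions made for the example; the addresses are the ones used on this page.

```bash
#!/bin/bash
# /etc/ppp/ip-up -- added example, not the forum script.
# pppd runs this file as root with an almost empty environment,
# so commands are called by full path.

# Succeeds only for a dotted-quad IPv4 address (four octets, 0-255).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into this function's $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the LAN subnets reachable through a given VPN server address.
# Addresses are the ones used on this page; unknown peers get nothing.
subnets_for_peer() {
    case "$1" in
        10.255.255.0) echo "10.197.4.0/24 10.11.12.0/24" ;;
        *) ;;
    esac
}

# Act only when called with pppd's arguments ($5 = remote IP address).
if [ "$#" -ge 5 ]; then
    peer=$5
    if ! is_ipv4 "$peer"; then
        /usr/bin/logger -t ip-up "refusing non-IPv4 remote address"
    else
        for net in $(subnets_for_peer "$peer"); do
            if /sbin/route add "$net" "$peer"; then
                /usr/bin/logger -t ip-up "added $net via $peer"
            else
                /usr/bin/logger -t ip-up "FAILED to add $net via $peer"
            fi
        done
    fi
fi
```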
If you are more comfortable with GNU/Linux utilities for listing IP addresses then install iproute2mac:

```bash
brew install iproute2mac
# you can then list routes easier with
ip route
```

Output:

```
default via 192.168.1.1 dev en0
default via link#17 dev ppp0
10.197.4.0/24 via 10.255.255.0 dev ppp0
10.255.255.0/32 via 192.168.73.1 dev ppp0
110.174.183.220/32 via 192.168.1.1 dev en0
127.0.0.0/8 via 127.0.0.1 dev lo0
127.0.0.1/32 via 127.0.0.1 dev lo0
169.254.0.0/16 dev en0 scope link
192.168.1.0/24 dev en0 scope link
192.168.1.1/32 dev en0 scope link
192.168.1.104/32 dev en0 scope link
192.168.73.0/24 via ppp0 dev ppp0
224.0.0.0/4 dev en0 scope link
224.0.0.0/4 dev ppp0 scope link
255.255.255.255/32 dev en0 scope link
255.255.255.255/32 dev ppp0 scope link
```