How to use split tunneling on OSx Ventura 13.4.1?

I saw many entries lamenting the inability to use split tunneling on Big Sur, Monterey, and Ventura.


When using the built-in Apple VPN client to connect, it is possible to enable split tunneling and force desired traffic through the tunnel while allowing other traffic to avoid it.


For example, if I am in Eastern Europe and I want to reach Jira and Confluence via the VPN tunnel because I have applied IP restrictions to accessing them, I can do the following:


  1. Navigate to System Settings → VPN
  2. Select the i symbol on the desired VPN entry
  3. Enter your User Name and Password when challenged.
  4. Select Options on the left pane
  5. Toggle the “Send all traffic over VPN connection” to OFF in the right pane and click OK at the bottom
  6. Determine what IP scope Atlassian is using for Jira and Confluence by checking https://ip-ranges.atlassian.com
  7. Do geolocation of the IP numbers in the table. In this example the 185.166.140.0 - 185.166.143.0 (185.166.140.0/22) networks are geolocated in Amsterdam, Netherlands and will be offered by Atlassian for use to a source IP number in Eastern Europe. (You may note that 104.192.136 - 104.192.143.0 (104.192.136.0/21) are on the list, are geolocated in Des Moines, IA, USA, and will be offered by Atlassian for use to a source IP number in the USA.)
  8. Open Terminal
  9. Elevate to Super User by issuing the sudo su command.
  10. Provide your PW when challenged
  11. Issue the following: route add -net "185.166.140.0" -netmask "255.255.252.0" -interface ppp0
  12. OSx will respond with: add net 185.166.140.0 gateway ppp0
  13. Repeat step 11 for any other IP network scope that you want to force over the VPN.
  14. Issue the exit command to remove Super User privileges when done.
  15. Quit Terminal


Issuing a netstat -r command will allow you to examine the effective route table applied to your MacBook, and you can confirm what traffic is appended to the VPN interface (ppp0). You should see that your home office network is not appended to interface ppp0, and you should see that the distant corporate network you are connected to is appended to ppp0 without you having to issue the routing addition for it.


The routes you add are not persistent and will be removed when the VPN is closed, so they need to be added each time the VPN is connected and you want to reach restricted IP ranges. They have to be added while on the VPN, as OSx will error out and say that ppp0 doesn't exist if you are not connected. If you have a lot of IP network scopes that you want to force over the VPN, it may be helpful to create an AppleScript using the Script Editor application under Other on the Launchpad of your Mac as follows (replace the xxx with appropriate network information):


set networkUp to false

repeat until networkUp is true
    try
        -- IP number of a known internal node, e.g. your domain controller
        do shell script "ping -c 4 xxx.xxx.xxx.xxx"
        set networkUp to true
        -- each route must be its own do shell script call, run with administrator privileges
        do shell script "route add -net 185.166.140.0 -netmask 255.255.252.0 -interface ppp0" with administrator privileges
        do shell script "route add -net xxx.xxx.xxx.x -netmask xxx.xxx.xxx.x -interface ppp0" with administrator privileges
        do shell script "route add -net xxx.xxx.xxx.x -netmask xxx.xxx.xxx.x -interface ppp0" with administrator privileges
        do shell script "route add -net xxx.xxx.xxx.x -netmask xxx.xxx.xxx.x -interface ppp0" with administrator privileges
        do shell script "route add -net xxx.xxx.xxx.x -netmask xxx.xxx.xxx.x -interface ppp0" with administrator privileges
    on error
        -- something went wrong (node not reachable yet), so try again in 5 seconds
        delay 5
    end try
end repeat


The above script will confirm that a node on the distant network you VPN into is live prior to attempting to apply the routes. If it doesn't see the node (e.g. Domain Controller), it will try to see it again every 5 seconds until it does see it, and then it will proceed to apply the addition of the route(s).

MacBook Air (M1, 2020)

Posted on Jul 8, 2023 10:01 AM

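Steps 8 to 13 of the post as a shell script, added here as an example and not part of the original post: it turns CIDR ranges such as 185.166.140.0/22 into the route add -net ... -netmask ... -interface ppp0 form used above, waits for the tunnel interface to exist before adding anything (the "ppp0 doesn't exist" failure mentioned in the post), and then shows what netstat -rn has attached to that interface. VPN_IF, ROUTES, the function names and the sample range list (built from ranges mentioned in the post) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. VPN_IF and ROUTES are
# assumptions; adjust them for your own tunnel interface and IP scopes.
VPN_IF="${VPN_IF:-ppp0}"
# Sample list constructed from the ranges the post mentions.
ROUTES="185.166.140.0/22 104.192.136.0/21"

# Prefix length (0-32) -> dotted-quad netmask, e.g. 22 -> 255.255.252.0
prefix_to_mask() {
    p=$1; out=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$((256 - (1 << (8 - p)))); p=0; fi
        out="$out${out:+.}$o"
    done
    printf '%s' "$out"
}

# One CIDR -> the exact route(8) command line for the tunnel interface.
# Fails (exit 1) on input that is not a.b.c.d/len with 0 <= len <= 32.
build_route_cmd() {
    case $1 in */*) ;; *) echo "expected a.b.c.d/len, got $1" >&2; return 1 ;; esac
    net=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) echo "bad prefix length: $plen" >&2; return 1 ;; esac
    [ "$plen" -le 32 ] || { echo "bad prefix length: $plen" >&2; return 1; }
    printf 'route add -net %s -netmask %s -interface %s' \
        "$net" "$(prefix_to_mask "$plen")" "$2"
}

# Block until the tunnel interface exists; route add errors out otherwise.
wait_for_vpn_if() {
    while ! ifconfig "$VPN_IF" >/dev/null 2>&1; do
        echo "waiting for $VPN_IF to come up ..." >&2; sleep 5
    done
}

# Add every range in $ROUTES, then list what now points at the tunnel.
apply_routes() {
    wait_for_vpn_if
    for cidr in $ROUTES; do
        cmd=$(build_route_cmd "$cidr" "$VPN_IF") || return 1
        sudo $cmd
    done
    netstat -rn | grep "$VPN_IF"
}

# Only act when explicitly asked, so the file can also be sourced.
if [ "${RUN_ROUTES:-0}" = 1 ]; then apply_routes; fi
```

Run it after the VPN is connected with RUN_ROUTES=1 sh addroutes.sh; the route entries disappear with the tunnel, exactly as the post describes, so it has to be rerun per connection.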
Question marked as Top-ranking reply

Posted on Jul 8, 2023 10:30 AM

My employer requires VPN (a different one that it provides) for remote access. For a while they allowed split tunneling but it is no longer permitted due to security vulnerabilities that it introduces that were deemed unacceptable risks, details of which I will not go into here. So be aware that use of split tunneling introduces security vulnerabilities. I can't see a situation where split tunneling is really REQUIRED, although it is somewhat more convenient. But certainly not as safe.

6 replies

Jul 8, 2023 02:46 PM in response to steve626

Good input. I advised against enabling Split Tunnel but I was in the minority and it was authorized because the performance hit suffered from routing all traffic via the VPN tunnel subjected a heavy business use toll that the combined-business-cybersecurity committee weighed and determined caused the balance to tip the resolution toward Split Tunnel.


One alternative mitigation for the business performance hit is to beef up the channel to the Internet from the office that is offering VPN, but that only addresses the upstream funnel from the corporate office to the Internet (and can impose a significant business fiscal impact). The home office channel bandwidth may nonetheless impose a significant hit on business process impact that can be mitigated via removal of some traffic from the VPN tunnel.


A cybersecurity mitigation that must be applied to the home office/client environment is beefed up AV and Intrusion Detection/Prevention. This at least partially mitigates the additional risk introduced by the added threat surface provided by Split Tunnel.

Jul 8, 2023 07:08 PM in response to adroitcyber

My company blocks local LAN access, but they do explicitly allow split tunnel for Zoom, and a few other high bandwidth services.


We the users have no control over this, and for the most part it is annoying, because if we want to print something to our network attached printers, we have to disconnect from the VPN, print, then reconnect to the VPN. Disconnecting has other negative side-effects, such as breaking ssh connections to hosted development systems (and yes tmux can mitigate the disconnect, but it is annoying to have to re-ssh, then attach to the multiple tmux sessions any given developer may have running).


Cisco AnyConnect is what my company uses for VPN connections, with the explicit split tunnel for specific high bandwidth services so they do not saturate the company VPN servers.

Jul 16, 2023 12:02 AM in response to adroitcyber

Good afternoon @adroitcyber,


Thank you very much for this detailed contribution.


I too am using Ventura 13.4.1 and a Cisco IPSec VPN to connect to a remote site, and there are no Options (step 4) for this connection type. Do you know how to split tunnel on this connection type? Does this type even allow it?

I do understand the security risks involved as others mention, however this is a connection to a small shop I own (to manage devices) so there is no risk in this case. Alternatively (to the native VPN client) what other VPN client would you recommend that might do this?


Any advice would be greatly appreciated.

Thanks,

Greg
