Categories
Code Mac TechSupport

Catalina VPN Same Subnet Issues

We have a client that we setup an L2TP VPN connection for, as their prior IT company had (for some unknown reason) opened up RDP stratight to their terminal server for all users and NLA disabled. We tested L2TP from our end and we were able to connect and then RDP on a mac (Catalina and Mojave) successfully. We sent instructions to the owner to set it up on their mac at home and called it a day.

Then they reported that there were problems, they could get connected, but couldn’t access the terminal server across the vpn, they were getting an Error code: 0x204 from Microsoft Remote Desktop. We remoted into their machine which they brought to work, had them hotspot to their phone and tried again and it of course worked. Anyway after playing pingpong quite a bit we found out the issue… their home network was 192.168.1.x and their work network was 192.168.1.x also. So although the VPN was handing out 10.2.0.x addresses the mac was not caring when it came to addressing a 192.168.1.x address as it was already connected to that network locally and the routing table contained an entry for it. So we tried choosing the option for the VPN to “Send all traffic over VPN connection” but since it’s considered local traffic and the mac already has a route entry for 192.168.1.x subnet it sends that locally to the router.

After quite some searching we were able to see here that we could connect the VPN and then add a route simply from terminal by inputting:

$ sudo route add -host 192.168.1.205 -interface ppp0

The issue with this was that after you disconnect the VPN the route was gone and so this was not a valid solution, so then we did more searching and came across this and we were able to peace together an actual solution.

We created an “ip-up” file at /etc/ppp by running:

$ sudo nano /etc/ppp/ip-up

This brought us into the nano editor and then we put in the following (they had 2 machines they needed rdp access to across the vpn)

#!/bin/sh
# Script to automate forcing access to 2 servers
# across VPN connection so that even if local 
# network is same subnet as remote it will still
# route successfully
/sbin/route add -host 192.168.1.205 -interface ppp0
/sbin/route add -host 192.168.1.206 -interface ppp0

If you haven’t used nano before you will need to CTRL-X and then choose press Y button to exit and save. After creating this file we continued to have issues but found we needed to give it the proper permissions:

sudo chmod 0755 /etc/ppp/ip-up

Tada! Now everytime the VPN is connected this route will get created and then destroyed after the connection is disconnected. If you are looking to add a range of machines or IPs (be careful as you may cause issues on the local side if you, say reroute traffic for the router IP locally) you can use a network addressing with subnet like this:

route add -net 192.168.1.205/32 -interface ppp0

Leave a Reply

Your email address will not be published. Required fields are marked *