How do I send traffic from my Mac's wifi to my VPN client?
- by Heath Borders
I need to connect my Android to a Juniper VPN. Unfortunately, Juniper doesn't support Android on our VPN version. We've already put in a feature request for it, but we have no idea how long it will take to be complete.
Right now, I connect to the Juniper VPN with a Juniper Mac OSX VPN client that uses Java to install kernel extensions to start and stop the VPN. Thus, I can't use the Network panel in System Preferences to create a VPN device, which means it won't show up in the 'Sharing' panel's Internet Sharing Share your connection from: menu, as suggested here.
I used newproc.d to see what /usr/libexec/InternetSharing did when it ran, and it runs the following processes:
2013 Nov 1 00:26:54 5565 <1> 64b /usr/libexec/launchdadd
2013 Nov 1 00:26:55 5566 <1> 64b /usr/libexec/InternetSharing
2013 Nov 1 00:26:56 5568 <5566> 64b natpmpd -d -y bridge100 en0
2013 Nov 1 00:26:56 5569 <1> 64b /usr/libexec/pfd -d
2013 Nov 1 00:26:56 5567 <5566> 64b bootpd -d -P
My Juniper VPN client creates the following devices (output of ifconfig):
jnc0: flags=841<UP,RUNNING,SIMPLEX> mtu 1400
inet 10.61.9.61 netmask 0xffffffff
open (pid 920)
jnc1: flags=841<UP,RUNNING,SIMPLEX> mtu 1450
closed
So, it seems like I should just be able to do this and have everything work:
sudo killall -9 natpmpd
sudo /usr/libexec/natpmpd -y bridge100 jnc0
My android connected fine and could hit public internet sites, but it couldn't hit private VPN sites. I assume this is because I need to change the routes that /usr/libexec/InternetSharing sets up.
This is the output from sudo pfctl -s all before starting Internet Sharing:
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all
FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
DUMMYNET RULES:
dummynet-anchor "com.apple/*" all
INFO:
Status: Disabled for 0 days 00:11:02 Debug: Urgent
State Table Total Rate
current entries 0
searches 22875 34.6/s
inserts 1558 2.4/s
removals 1558 2.4/s
Counters
match 2005 3.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 12 0.0/s
proto-cksum 0 0.0/s
state-mismatch 1 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
dummynet 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 60s
udp.first 60s
udp.single 30s
udp.multiple 120s
icmp.first 20s
icmp.error 10s
grev1.first 120s
grev1.initiating 30s
grev1.estblished 1800s
esp.first 120s
esp.estblished 900s
other.first 60s
other.single 30s
other.multiple 120s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
app-states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000
OS FINGERPRINTS:
696 fingerprints loaded
This is the output from sudo pfctl -s all after starting Internet Sharing:
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
nat-anchor "com.apple.internet-sharing" all
rdr-anchor "com.apple/*" all
rdr-anchor "com.apple.internet-sharing" all
FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
scrub-anchor "com.apple.internet-sharing" all fragment reassemble
anchor "com.apple/*" all
anchor "com.apple.internet-sharing" all
DUMMYNET RULES:
dummynet-anchor "com.apple/*" all
STATES:
ALL tcp 10.0.1.32:50593 -> 74.125.225.113:443 SYN_SENT:CLOSED
ALL udp 10.0.1.32:61534 -> 10.0.1.1:53 SINGLE:NO_TRAFFIC
ALL udp 10.0.1.32:55433 -> 10.0.1.1:53 SINGLE:NO_TRAFFIC
ALL udp 10.0.1.32:64041 -> 10.0.1.1:53 SINGLE:NO_TRAFFIC
ALL tcp 10.0.1.32:50619 -> 74.125.225.131:443 SYN_SENT:CLOSED
INFO:
Status: Enabled for 0 days 00:00:01 Debug: Urgent
State Table Total Rate
current entries 5
searches 22886 22886.0/s
inserts 1563 1563.0/s
removals 1558 1558.0/s
Counters
match 2010 2010.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 12 12.0/s
proto-cksum 0 0.0/s
state-mismatch 1 1.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
dummynet 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 60s
udp.first 60s
udp.single 30s
udp.multiple 120s
icmp.first 20s
icmp.error 10s
grev1.first 120s
grev1.initiating 30s
grev1.estblished 1800s
esp.first 120s
esp.estblished 900s
other.first 60s
other.single 30s
other.multiple 120s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
app-states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000
TABLES:
OS FINGERPRINTS:
696 fingerprints loaded
It looks like I need to change the pf settings that /usr/libexec/InternetSharing set up, but I have no idea how to do that.
