
VPN connections and local network traffic on Mac

January 21, 2022

These days I’ve been trying to be more conscious about my online footprint and privacy in general. I’ve been using one-off email addresses for years now (btw, check out my recent post on masked emails if you haven’t yet), and have a bunch of little scripts that spit out things like random usernames when I hit ! 3 times.

But honestly speaking, IP addresses were one of those things I just kind of didn’t really care about.

What changed my view drastically was when I was hacking on a Cloudflare Workers project and, for debugging purposes, decided to console.log() the Request object. Here’s what got printed:

{
  "message": [
    {
      "cf": {
        "longitude": "REDACTED",
        "latitude": "REDACTED",
        "continent": "AS",
        "country": "JP",
        "tlsVersion": "TLSv1.3",
        "colo": "NRT",
        "timezone": "Asia/Tokyo",
        "city": "REDACTED",
        "edgeRequestKeepAliveStatus": 1,
        "requestPriority": "",
        "httpProtocol": "HTTP/3",
        "region": "Tokyo",
        "regionCode": "13",
        "asOrganization": "REDACTED",
        "postalCode": "REDACTED"
      },
    }
  ],
}

I cut out some of the details here, but the request had longitude, latitude, my internet provider’s name and a postal code that is very close to mine. Meaning every site I interact with basically knows where I live, to a certain degree. That ain’t good.

I now have a VPN running almost all of the time, which brings me to the main topic of this post:

When you use a VPN like NordVPN and want to keep it running 24/7 so that all traffic goes through it without leaks, you’ll sooner or later run into issues like local network addresses no longer being reachable, because they’re not part of the virtual network.

How do you fix that?

Temporary rules with route

macOS has a bunch of neat network tools that you can use to get around this; the easiest is route:

# route add -net <target> <gateway>
sudo route -nv add -net 10.0 192.168.1.1

With the -net flag (there is also -host), 10.0 expands to 10.0.0.0, so the entire 10.0.* subnet will get routed to the gateway 192.168.1.1 instead of through the VPN, sweet! (10.0.5.* is my network for services and smaller devices.)

Routes added with route are temporary, so once you restart they’re gone, which makes them good for experimenting and quickly setting things up in a non-destructive way.
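To see what the -net shorthand actually does, and to check which interface an address will leave through once the route is in place, here is an added shell script that is not from the original post. It mirrors route(8)’s expansion of short destinations for the private ranges used here, wraps the same sudo route command, and parses the output of route -n get. The route -n get sample inside the script is constructed (it assumes the LAN interface is en0); the gateway 192.168.1.1 and the 10.0 range are the post’s.

```shell
#!/bin/sh
# Added example, not from the original post.

# Expand a short -net destination the way `route add -net` does for the
# private ranges used here: missing octets become 0 and the netmask covers
# the octets given ("10.0" -> 10.0.0.0/16, "10.0.5" -> 10.0.5.0/24).
# Simplification: route(8) derives this from the numeric value with classful
# rules, which gives the same result for 10.*, 172.16.* and 192.168.*.
expand_net_shorthand() {
    dest=$1
    groups=$(printf '%s' "$dest" | awk -F. '{ print NF }')
    case $groups in
        1) printf '%s.0.0.0 255.0.0.0\n' "$dest" ;;
        2) printf '%s.0.0 255.255.0.0\n' "$dest" ;;
        3) printf '%s.0 255.255.255.0\n' "$dest" ;;
        4) printf '%s 255.255.255.255\n' "$dest" ;;
        *) echo "bad destination: $dest" >&2; return 1 ;;
    esac
}

# Same command as in the post (-n: numeric output, -v: verbose);
# temporary, gone after a reboot.
add_temp_route() {   # add_temp_route <net-shorthand> <gateway>
    sudo route -nv add -net "$1" "$2"
}

# Reduce `route -n get <addr>` output to "<interface> <gateway>" so a script
# can assert that LAN traffic leaves via the physical interface (en0 here)
# while `route -n get default` still points at the VPN's utun interface.
route_summary() {
    awk -F': *' '
        $1 ~ /interface/ { iface = $2 }
        $1 ~ /gateway/   { gw = $2 }
        END { printf "%s %s\n", iface, gw }'
}

# macOS only: where will packets for $1 leave the machine?
where_does_it_go() {
    [ "$(uname -s)" = Darwin ] || { echo "route -n get is macOS only" >&2; return 1; }
    route -n get "$1" | route_summary
}

# Constructed sample of what `route -n get 10.0.5.1` prints after the
# post's `route add -net 10.0 192.168.1.1` (assumes the LAN interface is en0).
SAMPLE_ROUTE_GET='   route to: 10.0.5.1
destination: 10.0.0.0
       mask: 255.255.0.0
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>'

expand_net_shorthand 10.0                           # 10.0.0.0 255.255.0.0
printf '%s\n' "$SAMPLE_ROUTE_GET" | route_summary   # en0 192.168.1.1
```

After adding the route, run where_does_it_go 10.0.5.1 and where_does_it_go 1.1.1.1 (or route -n get default) side by side: the first should name the physical interface and your router, the second the VPN’s utun interface. If both point at the VPN, the exception was not applied; if both point at en0, the tunnel is not carrying your traffic at all.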

Making things persist

For persistent rules, macOS comes with the networksetup tool:

❯ networksetup -listallnetworkservices

An asterisk (*) denotes that a network service is disabled.
Ethernet
USB 10/100/1000 LAN
Wi-Fi
Thunderbolt Bridge
NordVPN NordLynx

The command we want is -setadditionalroutes. It takes a network service name (one of the entries listed above), followed by triplets of <target> <netmask> <gateway>:

networksetup -setadditionalroutes "Ethernet" 10.0.5.0 255.255.255.0 192.168.1.1

This command adds a route for 10.0.5.* (designated by the netmask 255.255.255.0) and sends traffic for that range to the gateway 192.168.1.1 instead of through the VPN.

Repeat that for every network service you use to connect, and you’re done.

To add multiple routes you have to specify them all in the same command, as consecutive triplets:

networksetup -setadditionalroutes "Ethernet" 192.168.0.0 255.255.0.0 192.168.1.1 10.0.5.0 255.255.255.0 192.168.1.1

Now everything for 192.168.* and 10.0.5.* will get routed to my router.
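Because each -setadditionalroutes call replaces the whole list for that service, and the same list has to be repeated for every service you connect with, it is worth generating the triplets from one place. The following is an added shell script, not the post’s own; it assumes the service names from the listing above, including "NordVPN NordLynx" as the VPN service to skip, and uses the post’s two ranges and gateway.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the
# `networksetup -setadditionalroutes` triplets from CIDR notation and applies
# them to every network service except the VPN's own.

# Ranges that should bypass the tunnel, one "CIDR gateway" per line
# (constructed from the post's examples).
LOCAL_ROUTES='192.168.0.0/16 192.168.1.1
10.0.5.0/24 192.168.1.1'

# The VPN's service name as shown by `networksetup -listallnetworkservices`
# in the post; assumed to be the only service that must not get the routes.
VPN_SERVICE='NordVPN NordLynx'

# Prefix length to dotted netmask: 24 -> 255.255.255.0, 20 -> 255.255.240.0
prefix_to_netmask() {
    bits=$1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    out=''
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits))))
            bits=0
        fi
        out="$out${out:+.}$octet"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Flatten LOCAL_ROUTES into "dest mask gw dest mask gw ..." on one line.
build_route_args() {
    printf '%s\n' "$LOCAL_ROUTES" | while read -r cidr gw; do
        [ -n "$cidr" ] || continue
        printf '%s %s %s\n' "${cidr%/*}" "$(prefix_to_netmask "${cidr#*/}")" "$gw"
    done | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# macOS only: push the same route list to every enabled, non-VPN service.
# The first line of -listallnetworkservices is the asterisk note, and a
# leading "*" marks a disabled service; both are skipped.
apply_routes() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup is macOS only" >&2; return 1; }
    args=$(build_route_args)
    networksetup -listallnetworkservices | sed '1d' | while read -r svc; do
        case $svc in ''|\**) continue ;; esac
        [ "$svc" != "$VPN_SERVICE" ] || continue
        echo "$svc: $args"
        # $args is intentionally unquoted so each token becomes its own argument
        sudo networksetup -setadditionalroutes "$svc" $args
        networksetup -getadditionalroutes "$svc"   # read back what was stored
    done
}

build_route_args   # 192.168.0.0 255.255.0.0 192.168.1.1 10.0.5.0 255.255.255.0 192.168.1.1
```

Run apply_routes once per change to LOCAL_ROUTES rather than appending by hand, since any later -setadditionalroutes call silently drops whatever was set before. Keep in mind what these entries are: every range listed is traffic that leaves the machine outside the tunnel, so limit them to the RFC 1918 ranges you actually need, make sure they don’t overlap the VPN’s own address range, and remember that routing is longest-prefix match, so a more specific route pushed by the VPN client will still win over a broader exception.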

About NordVPN

I’ve never talked to NordVPN, but after trialing 4-5 different VPN services that were recommended for privacy, I ended up at Nord and am very happy with them (dark patterns like making it hard to unsubscribe aside). The speed is very consistent and it’s one of the only options I was really able to keep turned on 24 hours a day.

If you’re thinking of signing up for NordVPN, consider using my referral


If you have any comments or feedback for me, please feel free to reach out over on Twitter @dvcrn