Block network connections if VPN not connected
- Posts: 10
- Joined: Mon Apr 26, 2010 5:42 am
Hi,
I seem to remember this may have been asked before, but I can't find it....
I use Viscosity with Witopia and would like to have my Mac automatically connect to it and automatically reconnect if it drops. Basically I want that VPN connection running all the time with all traffic forced over it.
In addition, I would like for all network connections from the machine to be blocked IF the VPN connection is down (I guess except connections to that specific VPN server)
Is that at all possible?
Thanks,
Ben
Hi Ben,
In most cases OpenVPN itself should be automatically retrying if the connection to the VPN server drops. If this isn't occurring, make sure you have the Persist Tun and Persist Key options checked. For more serious dropouts (where your computer loses its network connection) Viscosity should inform you that the vpn connection has been disconnected and ask if you want it to automatically reconnect when the network becomes available again. Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.
See these two forum posts regarding blocking traffic when the VPN is not active:
http://www.thesparklabs.com/forum/viewt ... 1417#p1417
http://www.thesparklabs.com/forum/viewtopic.php?p=771
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
- Posts: 10
- Joined: Mon Apr 26, 2010 5:42 am
James wrote:
    Click the "Automatically Connect" button, and tick the "Do not show this message again" checkbox so this action is always performed.
Thanks James... Can you advise where to find this option exactly? Am running 1.3.4 (1030) Witopia edition and can't find it.
Also will this connect automatically on startup? Or only reconnect an already-running connection when dropped?
Thanks, Ben
Hi Ben,
While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.
To have a connection connect when Viscosity starts up, edit it in Viscosity and tick the "Connect when Viscosity opens" checkbox in the bottom left.
Cheers,
James
- Posts: 10
- Joined: Mon Apr 26, 2010 5:42 am
James wrote:
    While connected to your VPN server, pull your network cable out (or turn off your wifi) and you should see it.
When I do that, the connection icon stays green, then eventually goes to orange, but I get no pop-up window. Tried it on wifi and ethernet.
I would suggest that the "automatically re-connect" functionality would be better placed as a checkbox in that connection's setup details/preferences.
Thanks,
Ben
Hi Ben,
Try with the latest beta version instead. It does contain a number of improvements regarding detecting server reachability:
http://www.thesparklabs.com/forum/viewt ... p=134#p134
Cheers,
James
- Posts: 10
- Joined: Mon Apr 26, 2010 5:42 am
The "automatically connect" is working now with the latest beta.
I'll look into the blocking-when-not-connected later.
Thanks....
Hello,
I was able to block connections in case the VPN drops using the new firewall utility that comes with Lion: pf
This is what I did to set new basic rules for the firewall, and enable it at startup:
First I went to /etc/pf.conf and added the following lines to the end of the txt file, after the "load anchor "com.apple" from "/etc/pf.anchors/com.apple"" line:
    IF = en0
    IF_VPN = tun0
    set skip on lo0
    block log all
    pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }
    pass on $IF_VPN
The first line tells what interface you're using to connect. I'm connecting directly by an ethernet cable, that's why I used "IF = en0"; you can change that to "IF = en1" if using wifi or "IF = ppp0" if using a usb 3g modem.
The rest is vpn-provider specific: my provider has 4 different servers, available on the 1194 udp port or 443 tcp port, using the tun0 interface.
My vpn uses ip addresses in its config file, but some providers use a hostname instead (like server.vpnvprovider.com). I'm not sure if a hostname can be used inside the {} as in:
    pass on $IF proto { udp, tcp } to { server.vpnvprovider.com } port { 1194, 443 }
It's probably possible, but we would have to leave port 53 open so the DNS resolves the hostname to an ip, and I suppose that could be considered a "leak".
In case your provider provides you only with a hostname instead of an ip address, you can find out the ip addresses using the terminal with the command "nslookup". Example:
    nslookup google.com
    Non-authoritative answer:
    Name: google.com
    Address: 173.194.34.112
    Name: google.com
    Address: 173.194.34.113
    Name: google.com
    Address: 173.194.34.114
    Name: google.com
    Address: 173.194.34.115
    Name: google.com
    Address: 173.194.34.116
Now you can add the addresses it returns to the "pass on $IF proto { udp, tcp } to { server-ip1, server-ip2, server-ip3, server-ip4 } port { 1194, 443 }" line.
Finally, to start the firewall up and make it start at startup (it's off by default), go to /System/Library/LaunchDaemon/com.apple.pfctl.plist, and edit that file to add a "<string>-e</string>" line so that part looks like this:
    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
Reboot and the firewall should be up now. It will appear as if you're not connected to any network; the only app that will be able to use the internet will be Viscosity. You can run it now and connect to your VPN.
I hope this helps. I tested this a little and it worked fine for me, but I barely know how to use pf, so I hope I haven't done anything wrong (:
To disable the firewall just edit /System/Library/LaunchDaemon/com.apple.pfctl.plist back to what it was and reboot.
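As an added example (not rink's config and not anything shipped by Viscosity or SparkLabs), here is a small POSIX shell helper that generates a pf ruleset along the lines of the post, so the address list only has to be typed once and the file can be syntax-checked before it is loaded. It goes a little beyond the post: it also lets the physical interface obtain a DHCP lease (the post's rules silently block that, so the machine never gets an address after reboot), and it logs drops so a leak attempt is visible. The interface names en0 and tun0, the macro names, and the 203.0.113.x / 198.51.100.x addresses are assumptions or constructed documentation-range values; the 1194/udp and 443/tcp ports are the ones from the post.

```shell
#!/bin/sh
# Added example, not rink's original config or anything from Viscosity:
# generate a pf "kill switch" ruleset from a list of VPN server addresses so
# the only traffic allowed off the physical interface is to the VPN servers
# themselves, and everything else is forced through the tunnel interface.
# Interface names and the addresses passed in are assumptions; substitute
# your own. Ports 1194/udp and 443/tcp are the ones from the post.

# gen_killswitch PHYS_IF VPN_IF "IP1 IP2 ..."  -> ruleset on stdout
gen_killswitch() {
    phys_if=$1
    vpn_if=$2
    # turn "a b c" into "a, b, c" so it fits a pf { } list
    server_list=$(printf '%s' "$3" | sed 's/ \{1,\}/, /g')
    cat <<EOF
# macros (the shell fills in the values once, when the file is written)
phys_if = "$phys_if"
vpn_if = "$vpn_if"
vpn_servers = "{ $server_list }"
vpn_ports = "{ 1194, 443 }"

set skip on lo0
set block-policy drop

# default deny, logged so dropped packets can be seen on pflog
block log all

# the physical interface still needs a DHCP lease or it has no address at all
pass out quick on \$phys_if proto udp from any port 68 to any port 67
pass in quick on \$phys_if proto udp from any port 67 to any port 68

# only the VPN servers may be reached directly; DNS is not allowed here, so a
# hostname in the OpenVPN config cannot resolve and must be replaced by addresses
pass out quick on \$phys_if proto { udp, tcp } to \$vpn_servers port \$vpn_ports

# everything else (DNS included) goes through the tunnel only
pass on \$vpn_if
EOF
}

# write_and_check FILE PHYS_IF VPN_IF "IP1 IP2 ...": write the ruleset to FILE
# and, where pfctl is installed, parse it without loading (-n) to catch typos
write_and_check() {
    out_file=$1
    shift
    gen_killswitch "$@" > "$out_file"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out_file"
    fi
}

# stand-alone run: print a ruleset for two constructed (documentation-range) addresses
gen_killswitch en0 tun0 "203.0.113.10 203.0.113.11"
```

Once the generated file has passed `pfctl -nf`, it is loaded and enabled with `sudo pfctl -f /etc/pf.conf` followed by `sudo pfctl -e`, and `sudo pfctl -sr` shows the rules actually in effect. Check the tunnel interface name with `ifconfig` while the VPN is up before relying on it: on newer macOS releases the tunnel can appear as utunN rather than tun0, and a rule that passes on the wrong interface leaves the VPN itself blocked.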
rink,
That's very useful. Thank you!
The only thing I'd mention would be that it's actually:
    /System/Library/LaunchDaemons/com.apple.pfctl.plist
not:
    /System/Library/LaunchDaemon/com.apple.pfctl.plist
I.e., 'LaunchDaemons' is plural.