Can I use screensharing with an external VPN?
August 4, 2010 8:56 PM   Subscribe

osx -> osx screen sharing works fine until I connect to work VPN at which point the screen sharing session dies and the machine is unpingable etc. Workaround?

I've got 2 macs at home plugged into the same switch, one personal and 1 for work. I'd like to just use screen sharing for the work one and run it headless. All works fine until on the work one I connect to the work VPN (Nortel client if that matters) then the screen sharing session loses connection. The vpn client says I have a new IP address, but thats not pingable from outside etc.

Is there any way to do this? I'm not sure if I can get ssh opened on the work computer as they are worried about files leaving the machine/vpn environment.

The work one is 10.5, the personal one is 10.6
posted by H. Roark to Computers & Internet (9 answers total) 2 users marked this as a favorite
 
When I was in a similar situation using the Cisco VPN client I couldn't figure it out. There were some settings that VPN admin could change to let my work computer see the local network so I'd just had to deal with disconnecting the VPN to access the other Mac. I also had to do this print anything from my work computer on my home networked printer. Far from ideal.
posted by birdherder at 9:01 PM on August 4, 2010


When you connect with the VPN, your computer is on the VPN, not on your LAN. This is by design. There may be an option in the VPN software for your machine to still respond to LAN traffic, but many companies have a policy against connecting a machine to two networks because this is a security risk.
posted by kindall at 9:20 PM on August 4, 2010


Different VPN implementations handle this differently. Some VPN clients are configured to route all network traffic through the VPN link. It sounds like this is what's happening to you, and it is what is causing your screen sharing session to drop.

Other VPN clients can be configured to only route certain network traffic over the VPN connection based on IP ranges.

It's worth investigating your Nortel VPN client and see if it can be configured to only route some network traffic, not all. Your work IP folks may be able to help in this endeavor.
posted by browse at 10:03 PM on August 4, 2010


If you can't ping it, it just sounds like routing issues. Perhaps the VPN client sets its own default router, or static route for the network you are also on at home. Run "netstat -nr" before and after connection VPN and you can see what changes it makes. You can also manually over-ride them if needed. Assuming you have sudo/root of course.
posted by lundman at 10:41 PM on August 4, 2010


If there's no option in your client to allow local network access, and the client doesn't do anything really weird like mess with the kernel then you can probably get around it with some creative route manipulation. The VPN clients I've know (Cisco, OpenVPN, OpenSSH) just set up a tunnel interface and muck about the routing tables.

Start with the VPN disconnected and open up a root terminal and check your routes, they'll probably look something like:
root@zim:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
My computer is on the 192.168.1.0/255.255.255.0 network, and the interfaces are called 'eth#', yours may be different. There will be a route to the local network pointing out eth0 with no gateway, and a default route (0.0.0.0/0.0.0.0) pointing to the gateway address (192.168.1.254) pointing out the eth0 and just don't worry about the 169.254.0.0 local link stuff.

Start your VPN and look again, if it's doing what I think it is it would look like this:
root@zim:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
VPN_IP          192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
192.168.1.254   0.0.0.0         255.255.255.255 U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun0
VPN_NET         0.0.0.0         255.255.255.252 U     0      0        0 tun0
If it looks close to this, what the client has done is this:
  • created a tun0 interface.
  • routed the vpn server address directly out the ethernet interface.
  • set the default route to point through the tunnel.
  • removed the route to your local network.
If this is the case, all you need to do is re-add your route to your local network.
root@zim~# route add -net 192.168.1.0/24 dev eth0
# or alternatively
root@zim:~# route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
Some of the details depend on your local network range, the interface names, and how the tunnel is setup, but this is the general picture.

However, it's just as possible the Nortel client is completely replacing your ethernet device and this will not work. :(
Good Luck.
posted by zengargoyle at 11:23 PM on August 4, 2010


Whenever I've used any VPN on my Macs, it's always been an all-or-nothing deal. You're either on the VPN, or you're on your local network. The streams never cross, nor do they exist simultaneously. It's one or the other.
posted by Thorzdad at 5:16 AM on August 5, 2010


Thanks guys, Im thinking this is not going to happen. zengargoyle thanks for the detailed response but Im a little confused - the osx "route" command appears to have different arguments but more importantly if Im headless and dont have ssh how would I know the new route post-vpn? Or am I being dense here?

Also using the network utility that runs netstat it looks like nothing at all changes pre-post vpn connection.

I tried one more thing, using eth0 (cable) and eth1 (wifi) with 2 diff ip's, but same deal - I thought maybe vpn would leave one of those open but no luck.

Sadly, I see a clutter of KVM in my future.
posted by H. Roark at 6:30 AM on August 5, 2010


Might I suggest LogMeIn free version as a reasonable way to do screen sharing? If you have internet access once you are VPNed in, you should still be able to use LogMeIn.

It does require installing a client, however.

I use it for supporting family members and remotely accessing my home systems when I need to.
posted by MonsieurBon at 9:59 AM on August 5, 2010


Most of the above is excellent advice.

There are two concepts for VPNs (which overlap). One is the road warrior or dial-up concept, where the VPN allows the user to grab any ol' connection and the VPN will guarantee the security of the company data and the user's machine. Instead of dialing up through a phone line, you dial up through the vpn tunnel. The VPN *replaces* the local connection. In this case, you DO want the VPN to take over all the networking.

But the other case is like you want- the VPN just *adds* a secure route into the private network, while leaving the other network traffic alone.

If you can't get your IT people to turn off the "disable local networking" option, you have to look at the routes as above.

If the headless machine is the work machine, and you are committed to that layout, I don't think you have many options. You might try using the eth0 eth1 setup and using two different subnets.

Another thought- is the IP address the VPN gives you when you are connected in the same subnet as your local lan? This is a common issue- your home router gives you addresses in the 192.168.0.x network, and so does the VPN. If you change the home router to say 192.168.100.x, it might work.

Using LogMeIn might work, but it sure isn't the most elegant of solutions. Plus, all of your screen sharing data is going through your work's internet connection. Even if it is encrypted, they may not appreciate all the traffic.
posted by gjc at 5:05 PM on August 5, 2010


« Older What coach said this?   |   Best combo for desired workflow? Newer »
This thread is closed to new comments.