VPNs and multiple users under Mac OS X
June 20, 2013 7:24 AM

Is it possible for a VPN to affect only the traffic of one logged in user under Mac OS X?

Mac OS X Mountain Lion, privateinternetaccess VPN through Viscosity.

When one user activates a VPN, that appears to send all internet traffic from the entire computer (i.e. ALL other logged-in users) through the VPN, even if the other users have not actually activated the VPN themselves. The only way to prevent this appears to be to abandon fast user switching and have the VPN user shut off the VPN manually or completely log out before the next user begins.

Ideally I would like the VPN to remain on for one user, even if that user is not currently the "active" user, but have the other users' data not go through the VPN. Thoughts?
posted by modernnomad to Computers & Internet (11 answers total)
That's not the behavior the OP is looking for:

Ideally I would like the VPN to remain on for one user, even if that user is not currently the "active" user, but have the other users' data not go through the VPN. Thoughts?

For example, suppose one user on the machine is using the VPN to download files over bittorrent. When another user logs in, the downloading user shouldn't be disconnected.
posted by sbutler at 7:46 AM on June 20, 2013

Ideally I would like the VPN to remain on for one user, even if that user is not currently the "active" user, but have the other users' data not go through the VPN. Thoughts?

It's not trivial, but you can set up routing tables so that certain traffic is routed through the VPN interface and other traffic is routed through another. You won't be able to do this on a per user basis - it will only work on a per network basis, however.

How easy or difficult this is depends on the VPN setup. Some VPN clients do not allow for split traffic - they basically own the network interface. Other VPN clients are virtual interfaces, and those are much easier to work with.
posted by Pogo_Fuzzybutt at 8:09 AM on June 20, 2013

Ok, any suggestions on how I could exclude Plex from running under the VPN? That's basically what I'm trying to do - when the VPN is active, I am unable to access Plex remotely. I had hoped that by running Plex under a separate user account it would not be fed through the VPN, but that was obviously wrong.

As I said, I'm using Viscosity as my client, but I'm happy to switch if I can achieve what I'm trying to do.
posted by modernnomad at 10:00 AM on June 20, 2013

I'm not familiar with Plex. If this is what you are talking about, and you have a setup whereby you have a local network device that Plex connects to, then yes that is somewhat doable.

This is a common problem with corporate VPNs and home office setups - the client connects to the VPN and can't use the networked printer sitting on the desk.

Here is a click by click guide to setting up routing of local traffic with a VPN connection. I don't know how much of that will apply to your setup - but it should get you started anyway.
posted by Pogo_Fuzzybutt at 10:49 AM on June 20, 2013

That would be perfect if it were the reverse - I want to be able to exclude a single application from the VPN but include everything else.
posted by modernnomad at 12:08 PM on June 20, 2013

You won't be able to do that on per application or per user basis. You can only route/segment traffic on a per network or host basis.

If your application only needs access to a particular address or group of addresses, then set up the routing so that it uses the VPN to get there, and that all other traffic goes through wherever else it should go.

Otherwise, it is not possible to do what you seem to be asking.
posted by Pogo_Fuzzybutt at 12:39 PM on June 20, 2013

Oh well, it was worth a shot.
posted by modernnomad at 1:40 PM on June 20, 2013

For what it's worth, I would screw around with this for hours and then just grab a USB network interface (wired or wireless, under $10 if you don't already own one) and force plex to use it.

I'd also manually assign all the network info of that interface and make sure not to set the DNS so that I couldn't accidentally pass my VPNed web browsing and other WAN traffic through it as easily.

Note that I have played around with this type of setup before (as in, interface A = WAN only, interface B = WAN only). I think this is the easiest way out, as low level network stuff on windows/Mac/Linux/basically anything seems to kinda be set up in advance to make distinctions easily this way. There might be a software tomfoolery way to do it that someone stubborn could figure out, but how worthless is your time?
posted by emptythought at 1:44 PM on June 20, 2013

Emptythought, is your idea that I could plug in another wifi adapter, and then assign a second user account to connect through that interface only, and run plex through that user account rather than the main account, which I would leave connected through my built in wifi interface?

That sounds promising and relatively simple.
posted by modernnomad at 2:46 PM on June 20, 2013

Yep, that's exactly it. And the adapter could be something unobtrusive like this if need be, like if this is a portable system. And don't worry about having both cards connect to the same network/SSID. It works fine*

*on OSX; Windows XP and possibly even newer can choke on this... ugh

One last thing I noticed though, as I can't really provide a step by step guide of exactly how to set this up on mountain lion...

As I said, I'm using Viscosity as my client, but I'm happy to switch if I can achieve what I'm trying to do.

I'm pretty sure you're going to want to use the in-built VPN support of OSX here, since that seems to do it by network interface, whereas the viscosity-type software seems to try and do it regardless of which interface/network you're on.

I'd definitely do this like

1. Set up the accounts to use their separate interfaces (which, as I said, I am not 100% familiar with in 10.8; the last time I played with this was in 10.5 or so and the menu doesn't even look remotely the same)
2. Set up the VPN on one of the interfaces, from the network menu

Anything else, including attempting to continue to use that software while you figure this out will likely result in hours of hell.
posted by emptythought at 3:08 PM on June 20, 2013

You could also set up a virtual bridge on your physical ethernet adapter, like what you'd do with virtual machines, and then let each user have their own virtual network adapter.

But yeah, a better option would be to set up routing correctly. The trouble with routing and VPNs is that each time you activate the VPN, it rewrites the routing table. So you'd probably have to reconfigure the VPN client to not improperly route local traffic.

The way routing tables work is that the computer will use the most specific, least costly route to a network. The VPN just creates a route through itself that is "cheaper" than the local LAN. So what you need to do is add a specific route to your local LAN that tells it to use the local network and not the VPN network.
posted by gjc at 7:03 AM on June 21, 2013
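To make the routing-table behaviour that Pogo_Fuzzybutt and gjc describe concrete, here is an added example (not from the thread or from any of the posters): a small longest-prefix lookup over a constructed table, showing why the tunnel's routes win over the default route and how a more specific LAN route takes local traffic back off the VPN. The addresses and the table are constructed placeholders, and the pair of /1 routes assumes an OpenVPN-style "redirect all traffic" client such as Viscosity.

```shell
#!/bin/sh
# Added example, not from the thread. Longest-prefix lookup over a small
# routing table: the most specific matching route wins, which is why a VPN
# client's routes capture traffic and why gjc's fix (a more specific route
# for the LAN) pulls local traffic back to the physical interface.
# All addresses below are constructed; the two /1 routes assume an
# OpenVPN-style "redirect all traffic" client such as Viscosity.

# ip_to_int 192.168.1.50 -> 3232235826
ip_to_int() {
    printf '%s\n' "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# route_lookup DEST TABLE -> "netif gateway" of the most specific match.
# TABLE lines are "cidr gateway netif"; the longest prefix wins, which is
# exactly why 0.0.0.0/1 and 128.0.0.0/1 beat the 0.0.0.0/0 default route.
route_lookup() {
    dest=$(ip_to_int "$1")
    printf '%s\n' "$2" | {
        best_len=-1; best=none
        while read -r cidr gw netif; do
            [ -n "$cidr" ] || continue
            net=$(ip_to_int "${cidr%/*}"); len=${cidr#*/}
            if [ "$len" -eq 0 ]; then mask=0
            else mask=$(( 4294967295 - ((1 << (32 - len)) - 1) )); fi
            if [ $(( dest & mask )) -eq $(( net & mask )) ] &&
               [ "$len" -gt "$best_len" ]; then
                best_len=$len; best="$netif $gw"
            fi
        done
        echo "$best"
    }
}

# The macOS command gjc's advice amounts to (printed here, not executed):
# route the LAN over the physical interface, more specific than the tunnel's /1s.
pin_lan_cmd() { echo "sudo route -n add -net $1 -interface $2"; }

# Constructed table with the VPN up and no route of its own for the LAN.
ROUTES_VPN_UP='0.0.0.0/0 192.168.1.1 en0
0.0.0.0/1 10.8.0.1 utun0
128.0.0.0/1 10.8.0.1 utun0
10.8.0.1/32 10.8.0.2 utun0'
ROUTES_PINNED="$ROUTES_VPN_UP
192.168.1.0/24 direct en0"

echo "8.8.8.8      -> $(route_lookup 8.8.8.8 "$ROUTES_VPN_UP")"       # utun0 10.8.0.1
echo "192.168.1.50 -> $(route_lookup 192.168.1.50 "$ROUTES_VPN_UP")"  # utun0 10.8.0.1
echo "fix: $(pin_lan_cmd 192.168.1.0/24 en0)"
echo "192.168.1.50 -> $(route_lookup 192.168.1.50 "$ROUTES_PINNED")"  # en0 direct
```

Run `netstat -rn` on the Mac with the VPN up to see the real table the lookup models; the same longest-prefix rule explains which Netif each destination lands on.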
