Roelant.net

Share your VPN with Mac OS X El Capitan

If you found this page, like me, you probably used an ipfwd-and natd-based solution somewhere sometime to share a local VPN with one or more other clients, as explained in Using (and sharing) a VPN connection on your Mac - or a simular article.

TL;DR - just tell me what to do »

Background

If you want to share your VPN with another device, most articles like this one will explain how to share either the network interface that the VPN created, or share the ethernet interface's connection with wifi and vice versa. It's advantage is obviously simplicity. However, not all VPN's play nice with Internet Sharing and if the VPN doesn't create an interface of it's own, not everyone is willing or able to "sacrifice" one (either wifi or ethernet). The alternative is to work your wonders with natd and ipfwd.

However, ipfwd and natd both have been deprecated for a while in Mac OS. If you've been late to the party (like me) you only just found out, because both commands suddenly answered with "command not found".

When you search the internet there's many discussions, people asking for help, some suggestions, but no straight forward solution. You'll quickly learn that you need to use PF - but the examples and pointers given are more about when you used ipwfd as a firewall and want to do the same with PF in a persistant configuration. You can use PF in a more ad-hoc fashion using the pfctl command.

Finally NAT on Mac OSX Yosemite pointed me the right way. The offered solution doesn't work "as is" either, but with a little tweaking, it'll get the job done.

For it to be fully stand-alone, follow the steps offered in that article, and replace the rule in nat-rules with:

nat on utun1 from en0:network to any -> (utun1)

In this rule, utin1 is the VPN interface and en0 is the interface you're expecting the traffic to come from (e.g. wireless or wired). You can find both by using ifconfig.

In short, to get it working:

Enable forwarding on your mac, this is unchanged:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1

Create a file with the one rule allowing for NAT. The pftcl-command doesn't allow passing this rule directly afaik.

nat on utun1 from en0:network to any -> (utun1)

Replace en0 with the local interface you wish to share your VPN with and utun1 with the interface of your VPN.

Stop/clear pf if you have to...

sudo pfctl -d

... and start it with the file you just created:

sudo pfctl -f ./nat-rules -e

Obviously, if you have a prior setup using PF, you can add this to your existing config and setup. If not: you're good to go. The rest of the routine is the same as before: use the Mac's internal IP as gateway on your other devices that aren't able to connect to the VPN themselves.

Written by Roelant, Nov 7th 2015, 12:58PM.