20 Jun 10

Using (and sharing) a VPN connection on your Mac

Update (2011-05-07): I added a Troubleshooting section at the end of this article, grouping together several common problems (and solutions) people posted in the comments.

First of all, sorry for the lack of posts, I’ve been kinda busy lately. I finally updated my development machine to Snow Leopard (I was on Leopard 10.5.7) and I took the opportunity to sort and organize all my backups, documents and stuff. I’m still not really done with my backup procedures, but at least I’m covered in case of a crash (after the capacitors incident, I decided to take my backups more seriously).

Anyway, one of the things I always wanted (and finally had time) to do was to set up my own OpenVPN server. In case you don’t know, VPN stands for “Virtual Private Network”, and it’s a way to have your own secure network no matter where you are. Whenever you’re at a cafe or a hotel and want to make sure no one can take a peek at what you’re doing (yes, it’s pretty easy to do that) you need a VPN. Having a VPN server can also help you circumvent geoblocking, if that’s what you’re up to.

I decided to write this article to share the experience I had configuring my own VPN, especially when I wanted to share the connection with other devices in my network. If that’s what you want to do, read on and I’ll try to explain what I did and how I did it.

The Server

If you want to have your own VPN, the first thing you need is an OpenVPN server. You have two options: using your own server or using an OpenVPN service provider. The whole process of setting up the server is out of the scope of this article, but if you have a Linux server you can find some great guides on Linode’s Library. By the way, Linode is a great VPS provider (I highly recommend it – this server is located there), so if you want to have your own server there you can use my referral code.

Another option is to use a VPN service provider. There are both free and paid VPN services, and if all you want is to have a VPN without bothering with server setup, this is the easiest way. Here’s a list of some VPN service providers (prices range from $0 to $15 per month, depending on the speed/bandwidth you need).

The Client

Okay, so you have your server, now you need a client to connect to your VPN. I’ll help you set up Tunnelblick on Mac OS X. Since I never used any VPN client on Windows I can’t help you there, but if you’re stuck on Windows I recommend using OpenVPN GUI.

The first time you open Tunnelblick after installing it, it will ask for your password. That’s ok: it needs your password to secure your keys and configuration files (and that’s very important, since anyone with access to your keys can connect to your VPN server). After that, it will ask if you want to create a sample configuration file. I suppose you already have your config file and keys (that’s part of the server setup), so just ask it to open the configuration folder, so we can put our files there. If you don’t have a config file from your server, you can let Tunnelblick create one for you. Close the program after that.

Copy your configuration and certificates to the configuration folder. Usually you’ll need to copy 4 files: client.conf, ca.crt, <yourclient>.crt and <yourclient>.key. Rename client.conf to the name you want to use to identify your server (e.g. MyServer.conf), open it in your favorite text editor and check that it already has at least the following lines (leave the rest untouched):

remote <your server address> <your server port>
ca ca.crt
cert <yourclient>.crt
key <yourclient>.key
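
A quick way to run that check from Terminal before copying the files, as an added example that is not part of the original article: it verifies the four directives above, that the referenced files exist, and that the private key is readable only by its owner. The file names, vpn.example.net and the assumption that relative paths resolve against the config’s folder are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN client config
# before copying it into Tunnelblick's configuration folder.

# directive_value CONF NAME: print the first argument of directive NAME.
directive_value() {
    awk -v name="$2" '
        $1 ~ /^[#;]/ { next }              # "#" and ";" start comment lines
        $1 == name   { print $2; exit }
    ' "$1"
}

# owner_only FILE: succeed when group and others have no permission bits set.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_client_conf CONF: print one line per problem; return 1 if any was found.
check_client_conf() {
    conf=$1
    dir=$(dirname "$conf")
    status=0
    for name in remote ca cert key; do
        value=$(directive_value "$conf" "$name")
        if [ -z "$value" ]; then
            echo "missing directive: $name"
            status=1
        elif [ "$name" != remote ]; then
            case $value in
                /*) path=$value ;;           # absolute path
                *)  path=$dir/$value ;;      # assumed relative to the config's folder
            esac
            if [ ! -f "$path" ]; then
                echo "$name file not found: $value"
                status=1
            elif [ "$name" = key ] && ! owner_only "$path"; then
                echo "private key readable by group or others: $value"
                status=1
            fi
        fi
    done
    return "$status"
}

# Constructed sample: a config folder whose private key is world-readable.
make_sample() {
    sample=$(mktemp -d)
    printf '%s\n' 'client' '; a comment line' 'remote vpn.example.net 1194' \
        'ca ca.crt' 'cert laptop.crt' 'key laptop.key' > "$sample/MyServer.conf"
    : > "$sample/ca.crt"; : > "$sample/laptop.crt"; : > "$sample/laptop.key"
    chmod 644 "$sample/laptop.key"
    echo "$sample"
}

sample_dir=$(make_sample)
check_client_conf "$sample_dir/MyServer.conf" || true
rm -rf "$sample_dir"
```
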

Save your files and launch Tunnelblick again. It will add a black tunnel icon to your menu bar. That’s where it’ll sit when it’s running, so you can quickly connect to your OpenVPN server whenever you want to. If you click on its icon, you’ll see an option to connect to your server, with the same name you used in your config file. But before you connect, let’s check your current external IP address first: visit this site, look for your IP address and write it down.

Ready to connect? Click on the tunnel icon and select Connect ‘YourServer’. It’ll try to connect to your VPN server (if it asks for your password again there’s nothing wrong, it’s securing the files you changed. It won’t ask every time). The menu icon will animate while it’s connecting, and if it connected successfully the icon will change to an open tunnel. Click on the menu icon again and the first line should read Tunnelblick: 1 connection active. Go back to this site and check your IP again. If it changed then congratulations, you’re already using your VPN connection and all your traffic is going through a secure connection.

If something went wrong and your VPN connection is not working, open the Tunnelblick menu again and select Details. It will show you a very detailed log file, so you can check for errors and warnings there. And if you are connected to the VPN server but your IP address didn’t change, the problem is probably in the server: it needs to be configured to forward all VPN traffic and to be the default gateway on the client. All these options are covered in the Linode guide I mentioned earlier. Of course, if you’re using a VPN service provider you can also contact their support.

Sharing Your VPN Connection

So now you are connected to your server and your connection is securely being routed through the VPN (go ahead and try Hulu, I’ll wait. I know you want to). But what if you want to use the same VPN on other devices in your network? Sure, you can configure Tunnelblick on more than one Mac, but some devices like an iPhone or an XBOX 360 don’t have OpenVPN clients. What can you do about that?

The solution I found is simple: you can share the VPN connection on your Mac and then use your Mac as a gateway for your other devices. The problem is that OSX’s native Internet Sharing doesn’t seem to play nice with OpenVPN. I really tried to use it in every way possible, but it didn’t work. So I spent some time researching how Internet Sharing works under the hood and I found a solution that is not so simple, but once configured works perfectly.

Open your favorite text editor and create a new file. Paste the following lines into it:

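#!/bin/sh

# Start the NAT daemon on the VPN interface
natd -interface tun0
# Remove all existing ipfw rules (including any firewall rules already loaded)
ipfw -f flush
# Send every packet crossing tun0 through natd for address translation
ipfw add divert natd ip from any to any via tun0
# Accept all traffic, including the packets natd hands back
ipfw add pass all from any to any
# Let the kernel forward packets between interfaces
sysctl -w net.inet.ip.forwarding=1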

Save it with a name like natvpn.sh. Right click the file in Finder, select Get Info and under Permissions mark Execute. Close the Get Info window.

Now what the hell was that all about? Let me break it down for you. We’re using some native commands to allow your Mac to act like a gateway and forward all the packets to the VPN connection. This is very similar to what OSX’s Internet Sharing does for you. The name tun0 is the default interface name Tunnelblick will use for your VPN connection, and you can confirm that by opening Terminal and typing ifconfig while connected to your VPN.

Open Terminal. If you’re not connected to your VPN, connect now. Go to the directory where you saved your file (if you saved it in your home folder, you’re already there) and type:

sudo ./natvpn.sh

You’ll need to replace natvpn.sh with the name you gave your file. It’ll ask for your password; type it and you’ll see something similar to this:

Flushed all rules.
00100 divert 8668 ip from any to any via tun0
00200 allow ip from any to any
net.inet.ip.forwarding: 0 -> 1

It worked: your Mac is already a gateway! Now all you have to do is go to the device you want to use with the VPN connection and, under its network settings, change the default gateway to your Mac’s IP address. On most devices, to change the default gateway you’ll also need to configure it to use a static IP (my iPhone needed this, for example). Just copy the same IP address, subnet mask and DNS server it’s currently using and change only the gateway to your Mac’s IP address. Oh, and if you don’t know your Mac’s IP address go to Preferences, open Network and select your network connection. In the right panel it’ll show your IP address under Status.

Test your device by going to the same site again and it should show you the server’s IP address. Congratulations, enjoy your new secure VPN connection!

Conclusion

As you can see, setting up a VPN connection is pretty simple. Sharing it might be a little more complicated, but now that it’s configured all you have to do is open Terminal and type sudo ./natvpn.sh while connected to the VPN every time you want to share it. It’s not automatic, but it works pretty well. And of course, if all you want is to use the VPN on your Mac, then you only have to connect using Tunnelblick and you’re done.

This guide assumes you have at least a little experience using the terminal. If you don’t, you may find yourself a little lost in some parts, especially if you want to share your VPN connection. If that’s the case, feel free to leave a comment below and I promise I’ll try to help you!

Troubleshooting

The method I described above doesn’t work together with OSX Internet Sharing. So check if you have it enabled (under Preferences, go to Sharing) and disable it.

If you can’t find the option in Finder to make the script executable, you can also do it in Terminal. Just type chmod +x natvpn.sh.

Be sure to save the script in TextEdit (or your preferred editor) as a plain text file, not as rich text. You can check this by typing cat natvpn.sh in Terminal. If you see garbage instead of the script, the file was saved as rich text.

If you get the error “Address already in use” from natd when running the script, it’s because you already have natd running, and only one instance can be active. Check that you didn’t leave OSX Internet Sharing enabled (you have to disable it) or run the following command in the Terminal to see what app is running it:

ps aux | grep natd
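
The same diagnosis as a preflight check, added here as an example (it is not part of the original script): natvpn.sh keeps going after natd fails to start, so it is worth confirming that the VPN interface is up and that no other natd is running before any rules are flushed. The function names and the sample ifconfig text are constructed; the ps lines are modelled on output readers posted in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for natvpn.sh.

# Constructed samples, modelled on the ps output quoted in the comments.
SAMPLE_PS_STALE='jkmac 15026 0.3 0.0 2435040 536 s000 S+ 1:23PM 0:00.00 grep natd
root 10211 0.0 0.0 2434940 280 ?? Ss Fri01AM 0:00.49 natd -interface tun0'
SAMPLE_PS_SHARING='root 86 0.0 0.0 2434940 332 ?? Ss 1:19PM 0:04.13 /usr/sbin/natd -alias_address 192.168.2.6 -interface en1 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0'
SAMPLE_IFCONFIG='en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff'

# natd_processes: read `ps aux` text on stdin and print "PID USER INTERFACE"
# for each natd process. The `grep natd` line is skipped because its command
# (field 11 of ps aux output) is grep, not natd.
natd_processes() {
    awk '
        $11 == "natd" || $11 ~ /\/natd$/ {
            iface = "?"
            for (i = 12; i < NF; i++)
                if ($i == "-interface") iface = $(i + 1)
            print $2, $1, iface
        }'
}

# interface_up IFACE: read `ifconfig` text on stdin; succeed when IFACE is
# listed with the UP flag.
interface_up() {
    awk -v want="$1:" '
        $1 == want && $2 ~ /<UP[,>]/ { found = 1 }
        END { exit !found }'
}

# preflight IFACE PS_TEXT IFCONFIG_TEXT: print a verdict and return 0 only
# when it is safe to run natvpn.sh.
preflight() {
    iface=$1
    ps_text=$2
    ifconfig_text=$3
    if ! printf '%s\n' "$ifconfig_text" | interface_up "$iface"; then
        echo "vpn-down: $iface is missing or not UP; connect the VPN first"
        return 1
    fi
    report=$(printf '%s\n' "$ps_text" | natd_processes |
        while read -r pid user nif; do
            if [ "$nif" = "$iface" ]; then
                echo "stale-natd: pid $pid ($user) is already bound to $iface; run natvpnoff.sh first"
            else
                echo "foreign-natd: pid $pid ($user) is serving $nif; disable what started it (e.g. Internet Sharing)"
            fi
        done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "ok: $iface is up and no natd is running"
}

# Demonstration on the constructed samples.
preflight tun0 "$SAMPLE_PS_STALE" "$SAMPLE_IFCONFIG" || true
preflight tun0 "$SAMPLE_PS_SHARING" "$SAMPLE_IFCONFIG" || true
```

On the Mac itself, call `preflight tun0 "$(ps aux)" "$(ifconfig)"` and run natvpn.sh only when it returns 0.
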

When configuring your client device (the one which will be using your Mac’s connection) set the DNS servers to external addresses. You can use, for example, Google DNS (IPs 8.8.8.8 and 8.8.4.4) (thanks Damian).

If you’re using a PPTP VPN interface (OSX VPN Client) instead of OpenVPN you need to do a few additional steps. First, add a line IPFORWARDING=-YES- in the file /etc/hostconfig, then replace the natd -interface tun0 line in the script with (thanks Zantiss):

natd -same_ports -use_sockets -unregistered_only -dynamic -interface ppp0 -clamp_mss

There are some reports of speed issues when using a PPTP VPN, but I don’t have access to a PPTP VPN so I can’t confirm it.

If your VPN server doesn’t register itself as your default gateway, you can override this in your client configuration file. Just add the line redirect-gateway def1 to the file (thanks Jon).

If you want to turn VPN sharing off, create another script called natvpnoff.sh (or something similar) and put the following lines inside it (thanks Yohann):

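#!/bin/sh
# Stop the NAT daemon
killall natd
# Remove the divert and pass rules
ipfw -f flush
# Stop forwarding packets between interfaces
sysctl -w net.inet.ip.forwarding=0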

After saving, make the script executable (as you did with natvpn.sh) and run it with sudo ./natvpnoff.sh. You could also reboot your machine to disable VPN sharing, since none of the changes in the script is permanent.


281 comments

  1. Rodrigo,

    Excellent tutorial… you made my day.

    thanks,

    Israe

  2. I’m having some trouble getting it to work. What IP address do i assign to my iPhone? the one from the airport or the one that’s from the wired connection? (sharing wired to airport)

    Snow Lep
    iPhone 4

    • Rodrigo Sieiro

      Hello Jonathan!

      Both your computer and your iPhone should be on the same network. So, suppose your Mac has the IP 192.168.1.5, you should give your iPhone an IP like 192.168.1.40 and the gateway (in the iPhone) should be 192.168.1.5 (the IP from your Mac).

      If your Airport is creating a new network (for example, your wired network is 192.168.*.* and your Airport network is 10.0.*.*) you can use an IP from your wired network as the external IP for your Airport and set its gateway to your Mac’s IP. This way, your iPhone can keep using DHCP.

      Both ways should work.

      • first way wont work bec i am sharing a wired connection over internal airport card and it assigns my phone a 10.0.*.* address

        for the second way. my airport is creating the network like you say but how do i change the external IP and Gateway for that connection? there are no options for that in sys prefs. do i have to do it all through the terminal??

        Thanks for the help

        • Rodrigo Sieiro

          I guess what you want to do is possible, but since I never shared a connection via an airport card I don’t know for sure. It depends on how your connection is being shared.

          Can you run “ifconfig” in your terminal, paste the result somewhere like pastie.org and send me the link? Maybe I can help by knowing how your interfaces are configured.

      • Hi rodrigo!

        everything working fine! i’m using pptp vpn connection.

        But i got strict nat on xbox.. how can i forward 3074 udp and tcp and 88 udp?

        i’ve tried natd but it said already in use.

        network configuration:

        macosxlion
        pptp: ppp0 (external address)
        Wifi: en1 192.168.1.5
        Xbox (same network macosx but cabled): 192.168.1.4

        tks for your support! your script rules!

        • Rodrigo Sieiro

          Walisson,

          You can do it by using the option “-redirect_port” in natd. Instead of just running “natd -interface tun0” (first line of the script), you can do something like “natd -interface tun0 -redirect_port :88 88” for port 88.

          I never tried it, but it should work. Good luck!

  3. Wim Vlieghe

    it executed the commands well, same output, but isn’t working

    since you are using ipfw commands I suppose the firewall needs to be turned on in osx and will not work if the fw is turned off ?

    regards

    • Rodrigo Sieiro

      You don’t need to turn the firewall on. Mine, by the way, is off.

      Do you see any error messages?
      Is the VPN connection working on your Mac or is it not working at all?

  4. I get the following error:

    Ammar-Awaads-MacBook-Pro:~ awaadster3$ cd desktop
    Ammar-Awaads-MacBook-Pro:desktop awaadster3$ sudo ./natvpn.sh
    ./natvpn.sh: line 1: {rtf1ansiansicpg1252cocoartf1038cocoasubrtf320: command not found
    ./natvpn.sh: line 2: syntax error near unexpected token `}’
    ./natvpn.sh: line 2: `{\fonttbl\f0\fmodern\fcharset0 Courier-Oblique;\f1\fmodern\fcharset0 Courier;}’

    can you help? thank you

    • Rodrigo Sieiro

      Hello Ammar!

      Sorry it took me so long to reply. I’ve been kinda busy, you know the drill…

      I’m guessing you’re seeing these errors because you saved the script in TextEdit as Rich Text. Go back to TextEdit, open “natvpn.sh” and make sure you save it as a plain text file.

  5. I don’t know why, but since I used your script, my VPN connection isn’t available anymore. Tunnelblick’s icon is lightened, but I cannot access any website… Of course, it was ok before.

    my output:

    natd: Unable to bind divert socket.: Address already in use
    Flushed all rules.
    00100 divert 8668 ip from any to any via tun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 1 -> 1

    • Rodrigo Sieiro

      Hello AquarHEAD.

      I googled the error you’re getting with natd and what I found is that you see this error when natd is already running (it can’t change its configuration while running).

      Is your OSX’s connection sharing (the builtin one) enabled? Maybe that’s the reason. Or you may be using natd with another app/process. You can run “ps aux | grep natd” in the Terminal to check if any app is using it internally.

      The reason your connection is not working is related to the error. If natd is not working, your data is not being redirected to the correct interface.

  6. RODRIGO YOU ARE AWESOME! Your tutorial together with a VPN service I paid, I was able to configure the xbox 360 to connect through the mac (without cables) and bypass the region restrictions!

    so 2 things that didn’t work for me and I had to change. first, I wasn’t able to run the .sh file, it said command not found :S so I just sudo each line of the script and it worked too.

    the second one, I couldn’t use the DNS my internet connection uses, so I changed to the google ones (8.8.8.8) in the xbox and it worked

    I’m as happy as dog with two bones to chew

    Thanks man!

    • Rodrigo Sieiro

      Hi Damian!

      When I run the script, I always sudo it (sudo ./natvpn.sh) so I guess that’s why I didn’t need to sudo each command inside the script. But both ways should work.

      About the DNS, all my devices are already using google’s (8.8.8.8), so I believe that’s why I didn’t have this problem. But anyway, thank you for the tips, they may help someone having the same problems you had!

    • Hi Damien, i am trying to do the exact same thing, how do u sudo each line in the script?

      • Rodrigo Sieiro

        Nadia,

        To sudo each line, just add “sudo” in front of the command.

        For example, if the command you’re typing is:

        $ natd -interface tun0

        Just type, instead:

        $ sudo natd -interface tun0

        It will then ask you for your password, type it and the command will run.

  7. Hey, I’m trying to share my YourFreedom + Tunnelblick connection, but with no success. I’m connected on ethernet, and I’d like to share via wifi. I don’t get it, I guess. Must I create a wifi network and get the other person to connect on it (on a macbook too) ? If so, what IP is the other supposed to have ?

    Thanks in advance.

    • Rodrigo Sieiro

      Hi Nico!

      Do you have a wifi router or are you using an ad-hoc connection?

      If you’re creating an ad-hoc connection (no router) I suggest you try to create it without sharing first, just to see if it works. I don’t have much experience with ad-hoc networks, but in theory you will need to use fixed IPs in both computers (unless one of them acts as a DHCP server) and then you can use this connection’s IP address as your LAN address (and the gateway in the client machine).

      • Thanks for having replied.
        To be clear, and be sure to understand, here’s all what I can tell about my network config :

        Ethernet_
        - IP : 192.168.25.208
        - router : 192.168.25.254
        - DNS : 85.214.18, 85.214.47.70

        Now, for my Wireless config, should I let the “using DHCP with custom address” (or something like that) option in the TCP/IP Tab of my network preferences ? If so, what IP address must I use ? And if not, what IP + router addresses should I try ?

        Sorry for having you wasting your time to help me, but thanks anyway.

        • Rodrigo Sieiro

          Hello again, Nico!

          You don’t have a router for your wi-fi connection, right? In that case, you need to use fixed IP addresses. Anything should work, as long as you use the same subnet, but let me give you an example you could use:

          Your Mac
          IP: 10.0.0.10
          Mask: 255.255.255.0
          Gateway: 10.0.0.10
          DNS: 8.8.8.8 (Google)

          Your other device
          IP: 10.0.0.15
          Mask: 255.255.255.0
          Gateway: 10.0.0.10 (Your Mac)
          DNS: 8.8.8.8 (Google)

          Try that and see if it works!

          • I just tried, and it worked perfectly. Thanks a lot ! :)

          • Hi Rodrigo,

            I wanted to let you know that after a week of endless frustration and unsuccessful troubleshooting trying to get my Google TV to work after the 3.1 update suddenly rendered it unable to connect to my wifi or ethernet connections, THIS post gave me the info that I needed to set a static IP and get it working again! Many many thanks!

            Krystal

  8. Hi Rodrigo,

    thanks for the info!!! Unfortunately I cannot make it work. I have a router connected wirelessly (192.168.1.1) to my mac (192.168.1.35). I did everything you indicated on the mac and got the other device with a fixed IP on the same subnetwork and pointing to my mac as routing device. Well, before connecting the VPN it works! but after it does not :(

    I am using google’s DNS …

    Been a few days already, please any help or suggestion would be helpful!!
    Thxs

    • Rodrigo Sieiro

      Hi zantiss!

      Are you using Tunnelblick to connect to the VPN? You could check with “ifconfig” in the Terminal if your VPN interface is indeed named “tun0”, otherwise you’ll have to modify the script.

      After connecting to the VPN, does it work on your Mac?

      • Hi Rodrigo,

        Thanks for the prompt response. I am using the VPN Client from Mac GUI not tunnelblick. I changed the script to ppp0 that is the name of the interface once it is up. The Mac still accesses the Internet once VPN is connected

        Some information that might help is that I am not sharing the connection over Ethernet. I have everything on the same subnetwork 192.168.1.xxx.

        Once I execute the script I get the other device point to the router which is indeed my Mac at 192.168.1.35

        Many thanks!!!

        • Rodrigo Sieiro

          Hi again!

          When you connect to the VPN, your Mac is accessing the internet through the VPN connection?

          Your Mac IP address is 192.168.1.35, right? Then its gateway should be 192.168.1.1 (your router). In your other device, the IP address should be something like 192.168.1.36, its gateway should be 192.168.1.35 (your Mac) and its DNS should be external, something like 8.8.8.8 (Google’s). Is that correct?

          I don’t know exactly why it’s not working, to be frank. Are you running the script before or after you connect to the VPN? If you’re running before, you should try running after you’re connected to the VPN, when the “ppp0” interface is valid and active.

  9. Thxs rodrigo

    Everything is done as indicated, I don’t understand why it is not working either but will still try and if I figure out why I will leave a detailed explanation here should it help others as well

    Cheers

  10. Well, finally made it work! I modified a bit your indications however speed is my next issue here

    IPFORWARDING=-YES-
    in /etc/hostconfig

    natd -same_ports -use_sockets -unregistered_only -dynamic -interface ppp0 -clamp_mss

    and had to modify MTU to 1400 on ppp0

    hope it helps!
    zantiss

  11. terminal asked me for a password, but i couldn’t type anything
    and then after a while i constantly get “command not found”
    each time i try to do the first steps >> sudo ./natvpn.sh

    Does it make any sense Rodrigo?

    • Rodrigo Sieiro

      Hi gizzle!

      When it asks for a password, type your OSX user’s password (assuming you are an administrator in your machine). By default, Terminal does not show the characters of your password as you type, so it appears as you’re not typing anything, but once you finish and press Return it will accept your password.

  12. yo whatup Rod,

    My bad for my noobishness, but still face the same “command not found” problem after entering my password.
    I checked console(app in utilities) and it said chrome is denying read-data file.
    after closing chrome apple’s console ‘app’ said “debugger () it was!”

    Sounds like i’m messing with you, but i really got no time to be playing games.
    Maybe you can figure this one out for me.
    Already thanks for your time.

    • Gizzie,

      Might be a silly suggestion but did you make the .sh executable? try chmod +x ./natvpn.sh

      Hope it helps

      • zantiss,
        did you solve the speed problem. I am stuck in the same situation that you described above…
        Best, Jens

        • Unfortunately not. Did you have same problems as I did with the original script? If so maybe there some configuration issues with our mac. Otherwise I tend to believe the software natd is not that quick. I am considering buying a dedicated piece of hw, ie. Router. There are a few options around 50usd that work also with open firmware

          Cheers

          • yeah, I had all of your problems and I am stuck in the same situation. However, if you find a solution let me know! :-)

            Thanks!

  13. Now i get “cannot execute binary file”
    Can you tell me how to make it executable?

    • Rodrigo Sieiro

      There are two things you can check.

      1. Make sure you saved the script as a text file. If you used TextEdit, chances are that it was saved as RTF. Type “cat natvpn.sh” in the Terminal, if you only see the text you typed then it’s correctly saved as text.

      2. Confirm that the first line of your script is “#!/bin/sh”. Be sure you didn’t leave any spaces or blank lines before that.

  14. after following the procedure I still can’t get it to run.
    I copy/pasted everything you said(without spaces or blanks) and still get the same errors.
    after typing in “cat natvpn.sh” i get a txt with a lot of “???????” in it..
    so it’s probably saved incorrectly..using word doesnt improve much..

    • Rodrigo Sieiro

      Okay gizzle, let’s do it step by step!

      1. Hold the apple key and press space to open spotlight in the top right corner.
      2. Type “textedit” and press enter. It will launch TextEdit.
      3. Open the “Format” menu, and look for a “Make Plain Text” option.
      4. If you found the option, click on it. The formatting and ruler toolbars should be gone now.
      5. Type or paste the text from the post (the one starting with “#!/bin/sh”).
      6. Open the “File” menu, select “Save As” and save it as “natvpn.sh”.

      Now try to use this new file in the Terminal. It should work (and typing “cat natvpn.sh” should now show you only the text).

      Feel free to come back if you’re stuck!

  15. yo Rodrigo, thnx for breaking it down.
    This time (after typing “cat natvpn.sh”) terminal shows me just the txt ……
    but unfortunately it still didn’t do the trick..
    So then i sudo the first line of the script directly in terminal (sudo natd -interface tun0)…
    it gave the following error:
    natd: Unable to bind divert socket.: Address already in use

    (that’s the same problem what Aquarhead had) so then i typed “ps aux | grep natd”
    which gave this message:

    oot 86 0.0 0.0 2434940 332 ?? Ss 1:19PM 0:04.13 /usr/sbin/natd -alias_address 192.168.2.6 -interface en1 -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0
    ghm 735 0.0 0.0 2435468 0 s000 R+ 7:23PM 0:00.00 grep natd

    This doesnt make any sense to me being a noob..but maybe you can figure it out

    Thnx again..if this works I’ll donate something man

    kudo’s to you, dude

    • Rodrigo Sieiro

      Hello again!

      Apparently, there’s something else using natd in your computer. It might be OSX’s internet sharing, or maybe a firewall. Open “Preferences”, then “Network” and look which interface is “en0” and which is “en1”. It might help to figure out what’s already using natd. If some other app is using natd, I think you won’t be able to use it.

      Don’t worry about donating anything. I’m here to help :)

  16. Thnx again!…i got it worked out with terminal and even got my xbox live running….
    for a short while though…the connection goes from slow to really bad and then it just…dies.
    So now xbox live is down and also my internet connection is gone(if i keep tunnelblick connected):S
    dunno what went wrong..

    • Rodrigo Sieiro

      Some people had this problem when using OSX’s VPN Client, but I don’t really know why (apparently no one figured it out yet). Anyway, with Tunnelblick I never had this problem (I downloaded a 4GB game from XBOX Live with no problems).

      Do you also have this problem in your Mac (the one running Tunnelblick) or does it only happen in your XBOX?

  17. is there any reason to use tunnelblick and not VPN Client from Mac GUI?

    • I tried with mac gui vpn and it did not seem to work but with tunnelblick was fine.

      • Rodrigo Sieiro

        There’s a way to make it work with OSX’s VPN Client (check the previous comments). But the main reason is because OSX’s VPN Client isn’t compatible with OpenVPN.

  18. Great tips. I have tried that on my Macbook and AppleTV over both PPTP and OpenVPN, both work great. However, on L2TP connects, i can get the appletv to share the vpn at all. do i need to modify the natvpn.sh?

    • Rodrigo Sieiro

      What happens when you’re using L2TP? Does AppleTV use your normal internet connection (instead of the VPN) or do you get no connection at all?

      • No, it doesn’t connect at all. I have set to pass all traffic thru the vpn, but there seems like no connection whenever L2TP is on, and i have tried sudo ./natvpn.sh and even flush all rules, but still no luck.

        I am using the Mac VPN client, and when ifconfig, i got the same ppp0.

        Any idea?

  19. Mike Stovetop

    Hey there, thanks for getting me started on this. However, I’m having a bunch of problems. I’m running the OSX 10.6.5 native VPN Client connecting to a Cisco VPN concentrator. It, by default, diverts all traffic through the VPN. I’ve added IPFORWARDING=-YES- to /etc/hostconfig and changed the natd line in natvpn.sh to be:

    natd -same_ports -use_sockets -unregistered_only -dynamic -interface utun0

    because the Cisco connection using the Mac VPN client comes up at utun0 (not ppp0 as the other guy using the Mac client). When I change my Xbox360′s gateway to my Mac’s IP address on the local network (192.168.1.95), it can’t connect. I tried connecting thru the gateway with my other Mac as well. Any suggestions? Do I need to reboot after making the change to /etc/hostconfig? I’m dying to get this working with my Xbox360! Thanks in advance!

    • Rodrigo Sieiro

      Did you run the other commands in natvpn.sh or just natd? Did you get any error?

      Keep in mind that if you manually configure the network in your 360, you also need to manually set DNS servers, otherwise you may even have internet connection but no address will resolve, and your 360 will report as having no connection.

  20. Patrick Barrington

    Hey Rodrigo,
    thanks so much for writing this tutorial, I just have a quick question. I’ve gotten as far as setting up Tunnelblick, I am able to connect to my VPN successfully, and I have run the natvpn.sh script, but no matter what I have tried I get the error in terminal natd: Unable to bind divert socket.: Address already in use
    I tried the aux command you posted earlier, and determined that natd was being used by my en0 or en1 adapter.. only way I could get it to appear as if it wasn’t being used is by turning off my ethernet and airport.. and even once I’ve done that the error I get when I run the script is something along the lines of natd – unknown adapter tun0.
    Any insight would be greatly appreciated. thanks.

    • Rodrigo Sieiro

      Do you have OSX’s native connection sharing enabled? What about OSX’s firewall, is it active? If not, then maybe it could be some app like Little Snitch, do you use something like that?

  21. Hi Rodrigo,

    I got this working too but with OSX’s vpn. I just changed tun0 to ppp0. My only question is once I have it working how can I make OSX to stop fw the data?

    • Rodrigo Sieiro

      Run “ipfw -f flush” to stop forwarding. And if you want you can also manually kill natd’s process.

  22. It didnt work for me :( Could you help me please?

    The mac is connected to the wifi and is working normally, then I start Tunnelblick and when is working, I execute the natvpn.sh and got the following error:

    natd: Unable to bind divert socket.: Address already in use

    Then my VPN connection isn’t working anymore, I can’t browse or do anything so I must execute sudo ipfw -f flush to get back my VPN connection.

    ps aux | grep natd gave this message
    vpnuser 10211 0.0 0.0 2434940 328 ?? Ss 1:47AM 0:00.42 natd -interface tun0
    username 11756 0.0 0.0 2435040 536 s000 S+ 2:41AM 0:00.00 grep natd

    I’m not using Internet sharing because the Mac is connected through airport, and the LAN cable is unplugged.

    Thank you

    • Rodrigo Sieiro

      Hi JK.

      Did you get that result you posted for when you ran “ps aux | grep natd” before connecting to the VPN or while connected? It appears you’re already running one instance of natd pointing to Tunnelblick’s interface, which is strange. That “vpnuser” in the first line is something you just edited for privacy or do you actually have a natd process running under “vpnuser”?

      • Sorry I edited the vpn part, that result was while the mac is connected thru the vpn so the steps are:

        1. In my MacBook: connect to my VPN using Tunnelblick
        2. Browse and check everything is fine
        3. run sudo ./natvpn.sh and i got

        natd: Unable to bind divert socket.: Address already in use
        Flushed all rules.
        00100 divert 8668 ip from any to any via tun0
        00200 allow ip from any to any
        net.inet.ip.forwarding: 1 -> 1

        4. At this time the VPN is not working anymore in the macbook, I cant browse
        5. Run ps aux | grep natd

        jkmac 15026 0.3 0.0 2435040 536 s000 S+ 1:23PM 0:00.00 grep natd
        root 10211 0.0 0.0 2434940 280 ?? Ss Fri01AM 0:00.49 natd -interface tun0

        Thank you for your time

        • Rodrigo Sieiro

          Here’s something you can try: after step 2, and before running natvpn.sh, try to run “sudo killall natd”. This will kill any natd processes that are running before you try to share your connection. Then continue from step 3 normally. You shouldn’t see the natd error anymore.

          If that works, then you indeed have something else using natd before you start sharing your connection, but I don’t know what it could be.

          • something strange happened hahah, ‘sudo killall natd’ gave me:

            No matching processes were found

            so I continued and now everything is working!! I just restarted my mac a day ago, may be some natd process was still running or stuck since the last time I tried the script, and now nothing was running :D

            Thank you for all your time =)

          • Last login: Thu Jan 20 15:14:47 on ttys000
            /Users/sulie4real/natvpn.command ; exit;
            Olamidokun-P-Fashanus-MacBook-Pro:~ sulie4real$ /Users/sulie4real/natvpn.command ; exit;
            No matching processes were found
            Flushed all rules.
            00100 divert 8668 ip from any to any via ppp0
            00200 allow ip from any to any
            net.inet.ip.forwarding: 1 -> 1
            logout

            [Process completed]

            how do i get the 1 to change to 0………….

            i have already edited the etc/hostconfig

            Last login: Thu Jan 20 15:14:38 on ttys000
            Olamidokun-P-Fashanus-MacBook-Pro:~ sulie4real$ chmod +x natvpn.command
            Olamidokun-P-Fashanus-MacBook-Pro:~ sulie4real$ cat /etc/hostconfig
            # This file is going away

            AFPSERVER=-NO-
            AUTHSERVER=-NO-
            TIMESYNC=-NO-
            QTSSERVER=-NO-
            IPFORWARDING=-YES-
            IPFORWARDING=-YES-
            Olamidokun-P-Fashanus-MacBook-Pro:~ sulie4real$

  23. Have any of you tried to access Wii’s Netflix using this method? My Wii is connected thru the VPN but for some reason Netflix does not work. I checked my speed test and it is above 2.5. When I use my regular connection I can see my instant queue.

  24. Patrick Barrington

    Hey Jorge, I finally got mine working with some help from a colleague at work. I just got my netflix working last night on both my ps3’s…. I didn’t have the gateway changed properly is why it didn’t work. I don’t know how it works on wii, but for me I had to restore my ps3’s then reinstall the netflix app because I believe the canadian one we have here and the one you get from the american playstation store are different. Also, you need to enable streaming devices in the account settings on the netflix website.. do those 2 things and i’m confident it will work. Cheers.

    • Patrick;

      I re-downloaded the app using the shared vpn and no luck. I did retest my speed and it was slow, very slow. :( Quick question are you using a router or a direct connection to the internet?

      • Rodrigo Sieiro

        Hi Jorge.

        Apparently there’s an issue when using this method to share OSX’s native VPN connection. If you look at the previous comments, you’ll see other guys complaining about speed when using it. I really don’t know how to help you, but if you find a solution please share it here with us :D

      • Patrick Barrington

        Hey Jorge, I am using a new Mac Mini, wired to an airport extreme with ethernet, then connecting my other devices wirelessly. I think if you aren’t wiring in your main computer that might affect the speed? Just a guess though.

        • Hi Patrick,

          My MacBook is wired to the airport extreme and then all the magic happens. I tried looking for a third party VPN like tunnelblick for PPTP but I guess I did not look hard enough because I did not find a good one. Are you using PPTP or OpenVPN? If OpenVPN what company are you using for the service? I have a seven day PPTP trial from Strong VPN and their annual package for OpenVPN is $30 more than PPTP.

          • Patrick Barrington

            Hey,
            you def need to get OpenVPN.. don’t believe PPTP will work sufficiently, I use Strong VPN basic OpenVPN unlimited package.. its only like 29.99 for 3 months.. very affordable.

  25. Hi I left you a comment a day ago, maybe went to spam?

    thank you

    • Rodrigo Sieiro

      Sorry JK, it was marked as Spam indeed, and wordpress didn’t warn me. It’s approved now :)

  26. Patrick Barrington

    Rodrigo, thanks for writing back, the issue I had was I was trying to create a new network to share the VPN I didn’t realize all you had to do was change the gateway around, did that and now it’s working beautifully. Thanks again!

  27. Martin Cousnieau

    I just can’t seem to get my PS3 connected. I have everything setup through the time capsule. I’ve modified the hostconfig file to include IPFORWARDING=-YES.

    I’m using the Mac OSX VPN to connect to Cisco IPSec so I’ve modified the natvpn.sh file like so:

    #!/bin/sh

    natd -same_ports -use_sockets -unregistered_only -dynamic -interface utun0
    ipfw -f flush
    ipfw add divert natd ip from any to any via utun0
    ipfw add pass all from any to any
    sysctl -w net.inet.ip.forwarding=1

    When running the script I get this message:

    vpn-internal-10-247-8:~ martin_cousineau$ sudo ./natvpn.sh
    Password:
    Flushed all rules.
    00100 divert 8668 ip from any to any via utun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 0 -> 1

    Which is good… I think

    My computer is set:

    IP: 10.0.1.11
    Subnet: 255.255.255.0
    Router: 10.0.1.1
    DNS: 10.0.1.1

    My PS3 is set :

    IP: 10.0.1.25
    Subnet: 255.255.255.0
    Gateway: 10.0.1.11
    DNS: 8.8.8.8

    The PS3 still doesn’t get a connection. I have another IP address listed within the VPN Client do I need to put that anywhere. If someone could let me know what I’m doing wrong it would be great.

    Thanks

    Martin

    • Rodrigo Sieiro

      When you’re connected to the VPN, do you still have an internet connection in your Mac? Can you somehow confirm that it’s going through the VPN?

      • Martin Cousnieau

        Yes it’s connected through the VPN. I’ve simply decided to go with openVPN, and it worked instantly. I don’t know what the difference is but it just works with openVPN and couldn’t get it working on IPsec Cisco. Also everything is working perfectly with Viscosity Client instead of Tunnelblick. Speed is a bit disappointing, is there something I can do about that?

      • Martin Cousnieau

        Also how do I stop forwarding. I know you already posted run ipfw -f flush, but it doesn’t seem to work.

        Thanks

        Martin

        • try sudo ipfw -f flush

        • Rodrigo Sieiro

          Try to kill the natd running process and see if it works.

          About the speed, I use OpenVPN myself and never had that issue, but from the comments here I see that people had the same problem when using other clients. Don’t know exactly why.

  28. hi- I really want to get this working! I’m getting
    Expected end of line, etc. but found identifier.
    highlighting the
    tun0
    phrase. not getting any further – any ideas here?

    Help much appreciated.

    thanks man

    • Rodrigo Sieiro

      There’s probably something wrong with your script. Maybe you left a typo there or something.

      If you can’t figure where is the error, open Terminal and type “cat natvpn.sh”. Then paste the full result here.

      • it gives me this when I try and save the file – I pasted your script text into script editor, then tried to save as a script – gives the error then, either running it or trying to saveas. I’m running 10.6 if that makes any difference, and viscosity/witopia.

        • Rodrigo Sieiro

          Are you using Applescript Editor? It’s probably interpreting it as Applescript.

          Paste the text inside TextEdit and save it as plain text. That will probably work.

          • thanks – i used simpletext to make the file then made it executable thus:

            chmod +x natvpn.sh

            it ran fine – I’ll see if it does the business tomorrow – it’s getting late!

  29. btw should have said – vpn is up and running using tun0
    thanks

  30. Is there any solution to set this up for Google TV? I have no option to change the network settings.
    I want to share my internet connection from my mac to the Google TV (Logitech Revue).

    I live in Belgium and cannot use USA services here ;)

    Thanks

  31. Wes Anthony

    Man am I getting frustrated. I can’t figure out for the life of me how to make the .sh file executable. I did exactly as you said; created a plain text .sh file, right clicked it, selected get info, but there is no tab that says permissions, just one that says sharing & permissions. Underneath that tab it just shows the name of users and whether or not they can RW or R the file, there is nothing that says execute.

    Am I missing something here?

    • Rodrigo Sieiro

      Hey Wes!

      Do you know how to use the Terminal? You can run it, go to the folder that file is in and type “chmod +x natvpn.sh”. That will make the script executable.

  32. Hey there. Thanks, this is perfect and works well for my snow-leopard/tunnelblick configuration. I do have a quick question though. The sharing, I’d like to be able to turn on and off at will. The natvpn.sh script works great. Do you know any commands that I could possibly put in a natvpnoff.sh file that would return my configuration to what it was prior to me running natvpn.sh?

    Thanks again.

    • Rodrigo Sieiro

      Hi Steve!

      You could try something like this:

      ipfw -f flush
      killall natd

      (or you can try Yohann’s suggestion right under your comment, it’s more complete than mine)

  33. Perhaps there is something to do with this tool : WaterRoof (http://www.hanynet.com/waterroof/).
    It allows you to create injectors : it’s some kind of stand alone applications to apply firewall and natd configurations. You can create an injector with all the rules needed to share your internet connection, and another one with default rules.
    I’ll give it a try perhaps tonight (if I have time to).

    But I’m sure a ssh script could be a good solution too. Something like :
    #!/bin/sh
    killall natd
    ipfw -f flush
    sysctl -w net.inet.ip.forwarding=0

  34. Hi Rodrigo thanks a lot for the post, When i press Get Info on the natvpn.sh file there is no execute option. I would appreciate your help. Thanks, James.

    • Rodrigo Sieiro

      Hi James! You could try to set this permission manually via Terminal, using the command “chmod +x natvpn.sh”.

  35. Hi,
    i run the script and it works just fine, i setup my ps3 but when it tries to connect it gives a dns error, any ideas why?

    • btw i’m using os x 10.4, and the setup is:

      Mac:
      IP: 192.168.0.3
      Subnet: 255.255.255.0
      Router: 192.168.0.1
      DNS: 208.67.222.222

      My PS3 is set :
      IP: 192.168.0.10
      Subnet: 255.255.255.0
      Gateway: 192.168.0.3
      DNS: 208.67.222.222

    • Rodrigo Sieiro

      Well, you could try to test using another device (another computer, an iPhone, or something like that) to see if it works. You can also try to switch to Google’s DNS server: 8.8.8.8.

  36. Is there any problem that it says: net.inet.ip.forwarding: 1 -> 1 instead of: net.inet.ip.forwarding: 0 -> 1.

    I can’t get it to work…

  37. The internet on my ipod works when the VPN client is off. Even having the Gateway as the mac. But when I turn the VPN on the internet stops on my ipod. HELP! I’m using Cisco VPN Client

    • Rodrigo Sieiro

      There are a few extra steps you need to do when using Cisco VPN Client. Do a search on this page for “cisco” and you’ll find previous comments explaining what you need.

  38. ok, found it but… how do I change IPFORWARDING=-YES- to /etc/hostconfig? Sorry I’m a newbie for UNIX…

    • Rodrigo Sieiro

      Easiest way:

      1. Open Terminal.
      2. Type “sudo su”.
      3. Type your password.
      4. Type (including quotes): echo "IPFORWARDING=-YES-" >> /etc/hostconfig
      5. Type “exit” to return to your user.

      That’s it. You can type “cat /etc/hostconfig” to confirm the line is there.

  39. Amaury Santiago

    Hi!! Rodrigo;

    First of all reading all comments and situation have clear my poor knowledge of programming, but I have tried to make executable the natvpn.sh file and for don’t know reason on the get info in the bottom part Sharing & Permissions don’t see were to make it executable. If there is a video showing this or better one showing the whole process. Thanks for your help. Here is what I have been getting in Terminal.

    Amaurys-iMac:~ macmini$ sudo ./natvpn.sh
    Password:
    sudo: ./natvpn.sh: command not found

    • Rodrigo Sieiro

      Hi Amaury!

      If you saved the file in your home directory, open Terminal and type “chmod +x natvpn.sh”. This will make your script executable. Then you can run the command you mentioned in your comment.

      If the file is not in your home directory, you can either move it there or change the directory in the Terminal before running the commands.

  40. Amaury Santiago

    Hi!!

    Rodrigo, first, thanks for your prompt response, now, sorry for this question but, What you mean by home directory? I have it under documents. How do I save it there?
    Thanks again for your time and knowledge.
    Amaury

    • Rodrigo Sieiro

      Your home directory is the directory with your name. For example, if you saved under “Documents”, then it’s probably under “Amaury/Documents”. Just copy the file from “Documents” to “Amaury” and you should be good to go.

  41. Amaury Santiago

    Rodrigo,

    I did it and this is what it shows.
    It is Ok?

    Amaurys-iMac:~ macmini$ chmod +x natvpn.sh
    Amaurys-iMac:~ macmini$ sudo ./natvpn.sh
    Password:
    ./natvpn.sh: line 2:  : command not found
    natd: unknown interface name tun0
    Flushed all rules.
    00100 divert 8668 ip from any to any via tun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 0 -> 1
    Amaurys-iMac:~ macmini$

    • Rodrigo Sieiro

      The script didn’t find the “tun0” interface. This interface is created by Tunnelblick. If you’re using it but it’s not running, connect to your VPN first. If you are using another VPN client, you need to find its interface name and replace “tun0” in your natvpn script.

  42. Amaury Santiago

    Rodrigo,
    I’m using UKiVPN. What I’m trying to do is to connect my apple tv to my vpn via wireless with my iMac.
    Where do I find my VPN interface name? It is UKiVPN?

    • Rodrigo Sieiro

      As far as I know, this service uses OSX’s native VPN client, so the interface name is “ppp0”. You can try to replace “tun0” with “ppp0” inside your script and see if it works.

  43. To make things simpler, you can also modify your script by adding sudo in front of each line :
    [code]
    #!/bin/sh

    sudo natd -interface tun0
    sudo ipfw -f flush
    sudo ipfw add divert natd ip from any to any via tun0
    sudo ipfw add pass all from any to any
    sudo sysctl -w net.inet.ip.forwarding=1
    [/code]

    Then, just name your script natvpn.command instead of natvpn.sh, and you’ll be able to double click on it from the Finder to launch it.
    (but you’ll still have to chmod +x it).

  44. Amaury Santiago

    Rodrigo,

    I don’t know what I’m doing wrong but it didn’t work. This is what it says: 1st with the code and then without it. Then I used the 1st one replacing the tun0 by ppp0 and it says (see the last part) ./natvpn.sh: line 2:  : command not found

    Amaurys-iMac:~ macmini$ sudo ./natvpn.command
    Password:
    ./natvpn.command: line 1: [code]?#!/bin/sh: No such file or directory
    natd: cannot open config file flush?sudo ipfw add divert natd ip from any to any via ppp0?sudo ipfw add pass all from any to any?sudo sysctl: No such file or directory

    Amaurys-iMac:~ macmini$ chmod +x natvpn.command
    Amaurys-iMac:~ macmini$ sudo ./natvpn.command
    ./natvpn.command: line 1: ?#!/bin/sh: No such file or directory
    natd: cannot open config file flush?sudo ipfw add divert natd ip from any to any via ppp0?sudo ipfw add pass all from any to any?sudo sysctl: No such file or directory
    Amaurys-iMac:~ macmini$
    Amaurys-iMac:~ macmini$ chmod +x natvpn.sh
    Amaurys-iMac:~ macmini$ sudo ./natvpn.sh
    ./natvpn.sh: line 2:  : command not found
    Flushed all rules.
    00100 divert 8668 ip from any to any via ppp0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 0 -> 1
    Amaurys-iMac:~ macmini$

    • Rodrigo Sieiro

      You can ignore the “command not found” error. It’s because of the empty line inside natvpn.sh, if you delete that line the error will be gone.

      Apparently the script ran ok the last time. Did you try to use the VPN after that?

  45. Amaury Santiago

    Sorry for being so late on your answer.
    Yes, I have tried 2 or 3 times but for no reason I can’t get my apple tv connected to netflix through my iMac VPN gateway, it sees the wireless network but not the vpn, I can tell because it says I can not connect to netflix from my location (this because I’m outside us), not happening with other sources connected via vpn. Every single iphone in home, my wife’s macbook even the iPad works perfect with the vpn through my wireless network except my apple tv.
    Anyway Thanks a lot for your expertise, knowledge and time trying to give light to an unknown matter for me. I really appreciate what you did for me. Best of luck.
    Amaury

    • Rodrigo Sieiro

      I guess you’re configuring the VPN directly on your other devices (macbook, iPhone, iPad) instead of pointing them to your Mac, right?

      For this method to work on your AppleTV, you need to manually change the gateway in your AppleTV network settings to point to your Mac IP address after you run the script. Did you change it?

  46. Amaury Santiago

    Rodrigo,

    First question, Yes
    Second question, No. Right after I got your message I tried to do it, but I was a little confused on which address to use, my ethernet address or my UKiVPN address.

    My ethernet address is:
    Configure IPv4 “Using DHCP”
    IP Address 192.168.0.187
    Subnet Mask 255.255.255.0
    Router 192.168.0.1
    DNS server 192.168.0.1
    My UKiVPN is:
    Configure IPv4 “Using PPP”
    IPv4 address 192.168.0.169
    Subnet Mask “Blank”
    Router 192.168.0.1
    DNS Server 208.67.222.222
    208.67.222.220
    When I tried my ethernet address it didn’t work, the UKiVPN did not go through after entering the dns server, I hit the “done” button a few times and it stayed there, nothing happened, don’t know if it was because it does not have subnet mask numbers to enter or what.

    Thanks again for your effort and time. I really appreciate it.

    Amaury

    • Rodrigo Sieiro

      If these settings you mentioned are from your Mac, set your AppleTV to manual network settings, using the following:

      IP: 192.168.0.193 (any free IP in your network)
      Subnet: 255.255.255.0
      Router (Gateway): 192.168.0.187 (your Mac’s IP)
      DNS: 8.8.8.8 (needs to be external. Try this one, it’s Google’s)

      You don’t need to change anything in your Mac. Just connect to the VPN, test if it’s working, then run the natvpn script. Then you go to your AppleTV and try these settings there.

  47. Amaury Santiago

    Rodrigo,

    I did that and I know something is happening because happens me the first time trying to connect with my computer, that is that I can not connect to any internet page and on Netflix says Netflix is currently unavailable. Try again later.

    I’ll try on a not so busy day to see if it’s because of too much traffic on the VPN server.

    thanks a lot

  48. Just AWESOME !!!! Rodrigo Sieiro you Rock !!!
    I’m French living in Spain and with this I can download from the French Marketplace Xbox Live content with region restriction !
    I also had problems with the file natvpn.sh, but I had to disable the share internet connection in the share panel of Preferences and also had to sudo each line of the script directly in the Terminal… but finally it works !
    Before I found this tutorial I spent two days with 0 knowledge at all of what I was doing but with your tutorial I made it in less than 1 hour !

    So thank you !

    • hi Rodrigo,
      great work really, I am happy to find a solution to a question I have been asking the past year, the problem is I have no idea about scripts and even creating the natvpn file is hard for me because i manually change the extension in get info and I am afraid I am doing the wrong thing, can you please make a video for us beginners on you tube. the tunnelblick part was the easiest, just when we start working with Terminal it becomes realllyyyyy hard

      Hope to see your post soon :)

      • Rodrigo Sieiro

        Nadia,

        Unfortunately, I just don’t have enough time to do a video tutorial. However, I’ll be glad to help you deal with any issues you might have by following my guide. Just post a comment here, I’m always monitoring for new comments.

  49. I have been working for weeks trying to get this working. Any help would be appreciated.
    I am running VPNC on Mac 10.5.8. Using static IP addresses with computer IP as the gateway/router.
    I can connect to my work Nortel VPN server using a VPNC hack that I found. It seems to work fine.
    In ifconfig I do have tun0 for the VPNC connection. When I try routing using
    natd -interface tun0
    ipfw -f flush
    ipfw add divert natd ip from any to any via tun0
    ipfw add pass all from any to any
    sysctl -w net.inet.ip.forwarding=1
    I get the proper responses as described but still doesn’t work.
    I have also added “IPFORWARDING=-YES-” in /etc/hostconfig. still nothing
    I went back and tried forwarding via en0 and that works well, but obviously not with VPN. I’ve looked through the comments and nothing seems to be the answer.
    I am attaching my ifconfig here. Maybe someone can spot the problem

    lo0: flags=8049 mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fd36:66de:74fd:a46c:203:93ff:fe7a:26aa prefixlen 128
    gif0: flags=8010 mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863 mtu 1500
    inet6 fe80::203:93ff:fe7a:26aa%en0 prefixlen 64 scopeid 0x4
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:03:93:7a:26:aa
    media: autoselect (100baseTX ) status: active
    supported media: none autoselect 10baseT/UTP 10baseT/UTP 10baseT/UTP 10baseT/UTP 100baseTX 100baseTX 100baseTX 100baseTX
    fw0: flags=8863 mtu 2030
    lladdr 00:03:93:ff:fe:7a:26:aa
    media: autoselect status: inactive
    supported media: autoselect
    tun0: flags=8851 mtu 1412
    inet 10.101.61.132 --> 10.101.61.132 netmask 0xffffff00
    open (pid 234)

    Feel free to ask for any other pertinent information. Thanks

    • Rodrigo Sieiro

      Hello Ismall!

      When you connect to your VPN, does it become the default gateway for your Mac? When you open one of these websites that show your IP address, does it show the one from your VPN server?

      Also, check if the DNS server in your client device isn’t set to your internal router. When you route the traffic through your VPN, your DNS server needs to be external.

      • Thanks. I checked the routing table and the default gateway was my router. So this may be the problem. Should the default gateway IP be the Mac running VNC and IPforwarding or should it be the VNC gateway IP that was assigned by the external VNC server?

        • Rodrigo Sieiro

          In your client machine (not the one running the VPN client), the default gateway must be your Mac’s (the one running the VPN client) internal IP address.

          • Thanks. Yes I had it that way, but it doesn’t work. But on the mac running VPN the default gateway is still my router. Shouldn’t it be the VPN gateway. Does this look correct?
            Internet:
            Destination Gateway Flags Refs Use Netif Expire
            default 192.168.1.1 UGSc 35 66 en0
            10.96/11 10.101.61.119 UGSc 3 202 tun0
            10.101.20.40/32 10.101.61.119 UGSc 1 0 tun0
            10.101.20.43/32 10.101.61.119 UGSc 1 0 tun0
            10.101.61.119 10.101.61.119 UH 6 0 tun0
            67.215.65.132 192.168.1.10 UGHS 0 1 en0
            127 127.0.0.1 UCS 0 0 lo0
            127.0.0.1 127.0.0.1 UH 0 0 lo0
            169.254 link#4 UCS 0 0 en0
            192.168.1 link#4 UCS 9 0 en0
            192.168.1.1 X:18:X:X:X:e2 UHLW 38 15865 en0 349
            192.168.1.10 127.0.0.1 UHS 1 53568 lo0
            192.168.1.12 X:X:X:91:X:3d UHLW 0 1741 en0 270
            192.168.1.255 link#4 UHLWb 2 1473 en0
            XXX.XXX.XXX.XX 192.168.1.1 UGHS 2 6 en0

            XXX.XXX.XXX.XX= my work VPN server
            10.101.61.119 = IP assigned by work VPN server
            192.168.1.1 = my router
            192.168.1.10= Mac running VPN and IP forwarding
            192.168.1.12= device that should share the VPN connection (iphone)
            67.215.65.132= ?something having to do with openDNS I think
            10.101.20.40 and 43=DNS server at my work

  50. Hello Rodrigo! First of all, thank you for the tutorial. I got most of it done up to the “sudo ./natvpn.sh” part. The thing is, when I tried to connect my Xbox 360 via my Mac, it keeps saying that my console can’t obtain the IP address from my laptop. Would you kindly help me out with this? It’s driving me nuts!

    • Rodrigo Sieiro

      You need to configure your XBOX to use a manual IP address. Use one similar to your Mac’s address, just changing the last digit. Use the same network mask, put your Mac’s IP as the gateway and use an external DNS (like Google’s for example: 8.8.8.8 and 8.8.4.4). That should solve your problem.

      • My IP address is 192.168.1.102, I inputted 192.168.1.103 as my Xbox’s IP Address, 255.255.255.0 as the subnet mask, and 192.168.1.102 as the gateway, and used the Google DNS, and it still doesn’t solve the problem..

        I use RaptorVPN by the way

        • Oh, and do I need to restart my modem and router after making these settings on the terminal?

        • Rodrigo Sieiro

          When you test the connection in your XBOX, what does it say?

          Did you test if your VPN is acting as your default gateway? Try going to a site that shows your IP address (using your Mac) and see if it shows your VPN IP, not your default external IP.

          Btw, you don’t need to restart your modem after changing these settings.

  51. Hey,

    Got this configured nicely on the Mac so it is sharing the VPN – terminal came back with the correct data to prove this…

    Now I am trying to connect a second mac computer to that computer which is sharing its VPN… Where do I change this gateway setting ? I am in Network Preferences but cant see this “gateway” setting anywhere ?

    Thanks.

    • Rodrigo Sieiro

      In Network Preferences I guess the gateway is called “router”. But you probably need to set up a manual IP address first. Use one similar to your first Mac, but changing the last digit.

  52. Rodrigo Sieiro

    @Ismall (reply thread is limited to 5 nodes :P)

    Here, when I connect to my VPN (using Tunnelblick), it creates a line in my routing table *before* the “default” one, called “0/1” and pointing to my VPN IP address. That effectively routes all my traffic to the VPN.

    What VPN client do you use? In my case the setting to force all my traffic to go through the VPN is set in my VPN server (OpenVPN), but I guess you can change that in your client.
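
Added example (not part of the original comments and not the author's script): the routing-table check discussed in comments 49 and 52, applied to `netstat -rn` text. If only some prefixes point at the VPN interface, traffic forwarded for client devices still leaves through the LAN router outside the tunnel. The split table is shortened from comment 49; the full-tunnel table, its addresses and the `128.0/1` companion route are constructed, assuming OpenVPN's `redirect-gateway def1` behaviour.

```shell
#!/bin/sh
# Classify how much IPv4 traffic a VPN interface carries, from `netstat -rn`
# text on stdin. Prints one of: full-tunnel, split-tunnel, no-vpn-routes.
#   $1 = VPN interface (tun0 for Tunnelblick, ppp0 for the native client)
# On a Mac: netstat -rn | vpn_route_status tun0
vpn_route_status() {
    awk -v vpn="$1" '
        BEGIN { col = 6 }                      # Netif column in the 10.5/10.6 layout
        $1 == "Internet:"  { v6 = 0; next }
        $1 == "Internet6:" { v6 = 1; next }    # ignore the IPv6 table
        $1 == "Destination" {                  # locate Netif from the header row
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        v6 || NF < col || $col != vpn { next } # keep only IPv4 routes via the VPN
        { via_vpn++ }
        $1 == "default" { def = 1 }            # VPN replaced the default route
        $1 == "0/1"     { low = 1 }            # lower half of the address space
        $1 == "128.0/1" { high = 1 }           # upper half (assumed def1 pair)
        END {
            if (def || (low && high)) print "full-tunnel"
            else if (via_vpn)         print "split-tunnel"
            else                      print "no-vpn-routes"
        }'
}

# Shortened from the table posted in comment 49: default stays on en0.
sample_split() {
cat <<'EOF'
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       35       66    en0
10.96/11           10.101.61.119      UGSc        3      202   tun0
10.101.61.119      10.101.61.119      UH          6        0   tun0
192.168.1          link#4             UCS         9        0    en0
EOF
}

# Constructed table: 0/1 and 128.0/1 via tun0 override the en0 default.
sample_full() {
cat <<'EOF'
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0/1                10.8.0.5           UGSc        4        0   tun0
default            192.168.1.1        UGSc       35       66    en0
10.8.0.5           10.8.0.6           UH          5        0   tun0
128.0/1            10.8.0.5           UGSc        2        0   tun0
192.168.1          link#4             UCS         9        0    en0
EOF
}

for t in sample_split sample_full; do
    printf '%s: %s\n' "$t" "$($t | vpn_route_status tun0)"
done
```

A `split-tunnel` result matches the symptom in comment 49: the script runs cleanly, but client traffic is not carried by the VPN.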

  53. Okay, I managed to connect my Xbox 360 via the ethernet and go online on Xbox Live, I put the ethernet IP address instead of my Airport’s, and it connected without any problem. The thing is, I’m still unable to download foreign DLC @__@

    I came to the conclusion that my Xbox 360 isn’t connected via the VPN server, and it still uses my local IP address. Which explains why I’m unable to access foreign contents.

    The VPN works well on my Mac, but it doesn’t do the same for my Xbox. Could you help me with this one, Rod?

    • Rodrigo Sieiro

      The VPN is probably not the default gateway on your Mac. You need to route all your Mac’s traffic through your VPN when connected, but I don’t know how to do that with RaptorVPN. If you manage to do that, then probably your XBOX will use your VPN as expected.

      • I tested the IP after I connect to VPN and it shows a U.S IP address instead of a local one, so I think my Mac is using VPN as the default gateway

        By the way, the error message on my 360 says that it my DNS can’t reach Xbox Live (or something like that) but it only happens when I put my Mac IP address as DNS on my Xbox :/

        Say, you own an Xbox right, Rod? Do you need to sign in to a U.S gamertag to access foreign content after you share the VPN? If yes, then maybe the problem is on my Xbox, ’cause I used a local gamertag when I tried to access the foreign DLC

        • Rodrigo Sieiro

          Hi Bambang!

          Yes, you need to be logged on a US gamertag to download content from the US Live.

          You said you put your Mac IP as DNS in your XBOX? That may be the problem. Your Mac IP must be the gateway, but the DNS must be an external one, like Google’s for example (8.8.8.8).

          • Tried it, no luck -__-

            Here’s my settings so far:
            Airport
            IP Address 192.168.1.102
            Subnet Mask 255.255.255.0
            Router 192.168.1.1
            DNS
            202.73.99.4
            61.247.0.4
            208.67.222.222
            208.67.220.220

            Ethernet
            IP Address 192.168.3.2
            Subnet Mask 255.255.255.0
            DNS Server 192.168.1.1

            Xbox 360
            IP Address 192.168.3.3
            Subnet Mask 255.255.255.0
            Gateway 192.168.3.2
            Primary DNS 8.8.8.8
            Secondary DNS 8.8.8.8

            Please help :(

          • same problem. using raptorvpn which i think is Tunnelblick also. same interface..same everything. defaults to tun0.

            i can get vpn working on the mac fine. but after running the script internet is killed even on my mac when connected through vpn.

            i really want that region locked call of duty map pack haha! and yes i have a US gamertag.

            another question though… does this tutorial have the devices connected to the mac via snow leopards internet sharing?

            router->mac with vpn->internet sharing->xbox?

            also does it have to be a wired connection? been trying it via airport. since i just have a short ethernet cable so i just connect my mac to my router via ethernet then try to share the connection via airport.

  54. Hi,

    I got this working nicely now, and even got my PS3 connected to it. Using Tunnelblick etc.

    Problem is Netflix, it keeps buffering every 5 minutes or so… that’s no good for watching a Movie, is it?

    When I use TunnelBlick direct on my Laptop, there is no buffering, Movie plays fine.

    Any advice ?

  56. Anyone any ideas how to speed this up ? Got my PS3 connected, but Netflix runs soooo slow. When connected to the same OpenVPN connection via my Laptop, Netflix runs fine… Heeeeellllp :-)

  57. Yoshimar Garcia

    I’m using OverplayVPN and I figured following these steps would help me, but once I get this:
    Flushed all rules.
    00100 divert 8668 ip from any to any via tun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 0 -> 1

    I go over to my PS3, and set up:
    IP Address 192.168.1.1.
    Subnet Mask 255.255.255.0
    Router 192.168.1.1.
    Primary DNS 8.8.8.8
    Secondary DNS 8.8.8.8

    I Test Connection and nothing. :( I’m really frustrated that I don’t know what I’ve done wrong. Also, my VPN seems to have stopped working on my Mac since I can’t use it to browse the web anymore. Any help? Thank you so much in advance.

    • Rodrigo Sieiro

      Hi Yoshimar!

      I guess the IP 192.168.1.1 is being used by your router, so by using it in your PS3 you’re creating an IP conflict. Try changing your PS3’s IP address to something like 192.168.1.98 (just use something random under 255 in the last part, but not something already being used) and then change your PS3’s router to point to your Mac’s IP (if your Mac’s IP is 192.168.1.1 then you’re fine and don’t need to change it).

      • Yoshimar Garcia

        Ok, I tried this again, this time this was the set up:
        Mac:
        ip: 198.168.1.106
        subnet: 255.255.255.0
        router: 198.168.1.1
        dns: 8.8.8.8

        PS3:
        ip: 198.168.1.10
        subnet: 255.255.255.0
        router: 192.168.1.106
        1st DNS: 8.8.8.8
        2nd DNS: 8.8.8.8

        Still no good, gives me: Internet Connection Failed DNS error 80710102

        I’m trying this through ethernet connection from my mac to the PS3, I’m using an OpenVPN and have the mac connected through airport which is where I got my mac ip subnet router and DNS info from. I’m trying to test this with my iphone but I don’t really know how to get the iphone connected to my mac while it’s sharing internet. Do you think you could help me out? Once again, thank you very much for this, as soon as I get this working I will be very grateful. :)

        • Rodrigo Sieiro

          If you want to test it using your iPhone, click on the right blue arrow next to your Wi-Fi network name in Preferences, choose “Static” and manually configure your network like you did in your PS3.

  58. Hi Rodrigo! Thanks for your help I seem to be having problems with the following:

    Pablo-G-S-MacBook-Pro:~ PabloGS$ sudo ./natvpn.sh
    ./natvpn.sh: line 2:  : command not found
    Flushed all rules.
    00100 divert 8668 ip from any to any via tun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 1 -> 1

    This is what my terminal displays after running the sudo ./natvpn.sh script
    I can connect to the VPN on my mac, but my xbox isn’t getting a connection. I used:

    Mac:
    IP: 192.168.1.15
    Subnet: 255.255.255.0
    Router: 192.168.1.1
    DNS: 8.8.8.8

    My Xbox 360 is set :
    IP: 192.168.1.42
    Subnet: 255.255.255.0
    Gateway: 192.168.1.15
    DNS: 8.8.8.8

    appreciate the help

    • Okay, forget about it, got it working! I’ve been at this for three days now (different methods) and this was to be my last try before accepting defeat… The other options I tried used mac’s internet sharing utility (via ethernet cable) to use the VPN on other devices, including the xbox, got so excited to see that this option was the real deal, that I kept trying to make it work, WIRED! THAT was my problem! Last night in a moment of clarity and desperation, decided to give it a try with the xbox wireless connection and BOOM I was in business!

      Thanks Rodrigo, man you made my day!

      And to all, here’s what I have going on, so maybe it’ll help:

      - RaptorVPN
      - Tunnelblick (make sure it connects to the internet with a different IP than your own)
      - Create Rodrigo’s script (natvpn.sh). If you’re using TextEdit, go to FORMAT -> Make Plain Text File, and save it in your HOME folder (the one that has your name on it in the Finder)
      - You need to make the file executable: go to APPLICATIONS -> UTILITIES -> TERMINAL and type “chmod +x natvpn.sh”
      - Then make sure your VPN is online and connected, then run “sudo ./natvpn.sh” in the terminal, and you should be set!

      Then on your other device (xbox 360):
      - Make sure you’re connected to your wireless network, and just use Rodrigo’s steps:

      You need to configure your XBOX to use a manual IP address. Use one similar to your Mac’s address, just changing the last digit. Use the same network mask, put your Mac’s IP as the gateway and use an external DNS (like Google’s for example: 8.8.8.8 and 8.8.4.4). That should solve your problem.

      So yeah, I feel like an idiot with the whole wired thing, but maybe this helps some of you avoid the frustration I went through…

      Hope this helps!

      Regards,

      Pablo

      • Rodrigo Sieiro

        Thanks for sharing your solution! I hope it will help other guys having similar problems you had.

    • thank you pablo! now downloading the map pack i couldn’t get on my xbox. had to disconnect to the VPN though to make it faster. will just reconnect to the VPN if it gets stuck on 98-99% like what other people say. :D hope i can get to 100% without any problems.

  59. Whew!

    Here we go. Long time struggler, first time poster!

    First, Rodrigo – thanks for writing this. I know I’m not alone in saying that it’s a HUGE help even though I haven’t solved the issue yet. Everyone certainly appreciates it!

    I’ve read through everyone’s suggestions several times, yet I’m still stuck with trying to share an OpenVPN connection from a wired Powerbook to my Wii via a shared airport connection (Powerbook is wired, sharing VPN via wireless airport). There are many people here who have successfully connected to a ps3 and a few who have implied that it’s possible to connect to a wii with similar setups, so my hopes are high!

    Here’s how I have everything set up:

    Ethernet (once connected via TunnelBlick):

    IP: 10.10.11.204
    SUBNET: 255.255.255.0
    Router: 10.10.11.45
    DNS: 216.131.94.5, 216.131.95.20

    Airport:

    IP: 169.254.253.228
    AP: ‘this’ – no wireless protection
    SUBNET: 255.255.0.0
    Router: 10.10.11.45
    DNS: 216.131.94.5, 216.131.95.20

    Wii:

    IP: 10.10.11.205
    AP: ‘this’
    SUBNET: 255.255.255.0
    Router: 10.10.11.204
    DNS: 216.131.94.5, 216.131.95.20

    Process:

    - Connect PowerPC via TunnelBlick
    - Share Airport/Wireless
    - Run natvpn.sh
    - Setup w/ based on previously mentioned credentials

    Problem:
    It’s simply not connecting. I’ve tried a few other devices and they aren’t connecting either. I feel like it’s either a DNS issue or maybe just something simple I’m overlooking. Do I need to do anything to the airport’s IP, subnet, and ‘router’ credentials? I tried to set them all up using the same ip structure and subdomain, but to no avail…

    I’m hoping that someone can help me out here – really hoping to get this set up soon.

    Cheers!
    Brian

    • Oops.

      Airport section should read like this – should not include the Router and DNS credentials since they are not set. My mistake :)

      Airport:
      IP: 169.254.253.228
      AP: ‘this’ – no wireless protection
      SUBNET: 255.255.0.0

      • Rodrigo Sieiro

        Hi Brian!

        How are you sharing your Airport connection? Is it through the OS X Internet Sharing?

        I believe you can’t use Internet Sharing and my script together. Both use natd internally, and using them at the same time will probably result in some kind of conflict.

        You can try disabling Internet Sharing, in theory my script will deal with that part. I can’t confirm it will work, though, because I never tried to do that.

  60. Hello

    I have my Mac running OpenVpn and I need to route the VPN connection to my Vonage IP phone adapter and media player. Would like to try your approach to make this work, but am quite non-technical, so if things go wrong, is it possible to undo?

    • Rodrigo Sieiro

      Nothing you’re doing here is permanent, so in case something goes wrong, a simple reboot should fix things in your Mac. Just be sure to write down the network settings in your Vonage device before changing anything, so you can revert them when you don’t want to route everything through the VPN anymore.

  61. Hi Rodrigo,
    I’m having the same problem that others have mentioned in which my devices can access the Internet via Internet Sharing when the VPN is off but cannot once the VPN is on. The computer that is running the Tunnelblick connection can access the Internet while the VPN is on, however.

    - Connected via Tunnelblick
    - Executed natvpn.sh
    - en0 is the wired connection to my router to the ISP/Internet (192.168.1.129)
    - en1 is the wireless (Airport) that is being used to share the Internet access on en0 (10.0.2.1)
    - tun0 is the connection created via Tunnelblick (98.143.144.123)

    Do you know why this isn’t working? Appreciate your advice in advance. Thanks

    -Raymond

    • Rodrigo Sieiro

      Check the reply I gave to Brian, a couple posts before yours. You’re probably having some kind of conflict between Internet Sharing and my script.

      • It works! Internet sharing was the problem. I turned this off, set up my Mac and Apple TV to be on the same wireless network both with the Mac’s IP address set as the default gateway, and bingo!

        Thanks again Rodrigo for writing this article.

        • Rodrigo Sieiro

          Great! I had a feeling Internet Sharing was the problem but had no way to confirm that here. This will surely help several others here!

  62. Yoshimar Garcia

    Ok, I was getting confused at the part where we could internet share and use this script to get a wireless connection to my ps3. If I can’t use internet share then how do I share the vpn connection wirelessly?

    Sorry, i seem to be very confused.

    • Rodrigo Sieiro

      Hi Yoshimar!

      This script will share your VPN (and internet) connection inside your local network. Internet Sharing will also try to share your internet connection. If you run both at the same time, they will conflict.

      You don’t need OS X Internet Sharing to share the connection with your PS3. This script should replace it.

      • Yoshimar Garcia

        I managed to get this working now, I just want to thank you for this awesome guide. 8)

  63. Hello!
    I’m having a hard time configuring this to work for my setup:
    3g internet
    Tunnelblick with vpn (I get a tap0 interface, which I replace tun0 with in your script).
    I want my internal Airport as gateway (en1).

    I don’t really get any errors when I follow your steps but I think I need to set up an SSID so
    the other machine can connect wirelessly? (Windows Vista)

    Any ideas on how to do this in terminal? :)
    Thanks for the cool guide btw!

    • Nevermind!
      It works now, I just replaced tun0 with tap0 in the script and it works with my old internet sharing connection, real sweet! I’m so happy, thank you!

  64. Hi Rodrigo, I was searching online to find a way to do this. I tried with some free vpn programs but it didn’t work, and I quit.

    But every day is a new day, so I tried again, but with Proxpn, and it works with Tunnelblick. Let me tell you that this was my first time using terminal, so I’m a noob, but with your help and the comments of everyone here, I made it.

    So I wanted to thank you. And I’m wondering if you speak Spanish..

    Thanks, and I’ll be around here.

    • Rodrigo Sieiro

      Sorry, I don’t speak Spanish, although I do understand a little. I also speak Portuguese (I live in Brazil) :)

  65. Rodrigo,

    I currently have my android phone tethered to my MBP running snow leopard. I had to do some scripting to get DNS set up properly on the MBP via a customer script and creating the tun0 interface via a script. All that works fine and I now want to share this connection via airport ICS (I am assuming your script takes the place of that) and have other iphones and the like take the place of that. Will this work even though the VPN is not running off a traditional wired connection?

    Thanks,

    Nathan

    • Rodrigo Sieiro

      Nathan, I’m not really sure. One thing I’m not sure I understood: your internet connection is in your Android, which you tether to your MBP via USB (so your Android’s connection is used by your Mac). Is that right?

      If you already have a tun0 interface in your Mac (even if it’s not a VPN) and your internet connection is coming through it, there shouldn’t be any reason for this method not to work. You can try it anyway, and if something goes wrong a simple reboot should fix everything.

  66. Just a little edit to my last post, it might be helpful for someone (especially if, like me, you want to share OpenVPN from the internal Airport card).
    The Mac OS X ICS works fine if you create a PPTP connection in Network with the same VPN server address as in your VPN configuration file (but you don’t connect this! It’s just so that Internet Sharing will find it).
    Share this new connection in Internet Sharing like normal with the interface you want + run this fabulous script by Rodrigo (I had to replace tun0 with tap0).
    And it should work. I can’t explain why.
    When the internet connection is established I connect Tunnelblick, then I run the script.
    With this I can share my internet connection with the luxury of an SSID and WEP security from my MacBook.

    Thanks again Rodrigo! :)

    • Hi Martin,

      It seems you are the only one who has working VPN sharing through the Mac’s internal Airport – can I ask you for a little more info to get this working? I have the original script running successfully, via Tunnelblick in Lion (courtesy of Strong VPN). However, if I am to create the additional PPTP connection to share – what details will I need to enter when creating the PPTP connection? I am not sure how to extract the server address, account name/password, etc. from my VPN configuration file.

      Thanks

  67. Hey Rodrigo… Thanks for your great tutorial…
    I’d like to know, how can I remove this script completely from my Mac…
    I tried this..

    #!/bin/sh
    killall natd
    ipfw -f flush
    sysctl -w net.inet.ip.forwarding=0

    But it’s showing not permitted…

    • Rodrigo Sieiro

      Hi Harris!

      If you put those lines inside a script, try to run the script with sudo, i.e. “sudo myscript.sh”. If you’re running each line manually, then you’ll have to put “sudo” in front of each one.

  68. Hey, I tried this out in snow leopard using Viscosity and just couldn’t get it to work on my Android. I ran everything in terminal just as you said and no luck so I’m just going to wait on witopia to set up Ispec for Android. The problem I have now is that while my VPN connects on my computer I can’t open any websites at all. Any way I might have screwed it up? I uninstalled and reinstalled and still not working.

    • Rodrigo Sieiro

      If you’re connected to the VPN but can’t open any website, chances are that you’re trying to use an internal IP for DNS. Try using Google or OpenDNS.

  69. Hey, I tried to connect but failed. Can you help me? here’s the detail Log. Thanks

    2011-03-20 23:00:01 *RaptorVPN: OS X 10.6.4; RaptorVPN 1.0; OpenVPN 2.1.4
    2011-03-20 23:00:04 *RaptorVPN: Attempting connection with 2) RaptorVPN (USA Backup)/RaptorVPN (USA TCP) from Deploy; Set nameserver = 1; monitoring connection
    2011-03-20 23:00:04 *RaptorVPN: /Applications/RaptorVPN.app/Contents/Resources/openvpnstart start 2)\ RaptorVPN\ (USA\ Backup)/RaptorVPN\ (USA\ TCP).ovpn 1337 1 0 2 0 49
    2011-03-20 23:00:04 OpenVPN 2.1.4 i386-apple-darwin10.6.0 [SSL] [LZO2] [PKCS11] built on Jan 17 2011
    2011-03-20 23:00:04 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
    2011-03-20 23:00:04 Need hold release from management interface, waiting…
    2011-03-20 23:00:04 MANAGEMENT: Client connected from 127.0.0.1:1337
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘pid’
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘state on’
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘state’
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘hold release’
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘username “Auth” “adriel”‘
    2011-03-20 23:00:04 MANAGEMENT: CMD ‘password [...]‘
    2011-03-20 23:00:04 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    2011-03-20 23:00:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    2011-03-20 23:00:04 LZO compression initialized
    2011-03-20 23:00:04 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
    2011-03-20 23:00:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
    2011-03-20 23:00:04 MANAGEMENT: >STATE:1300633204,RESOLVE,,,
    2011-03-20 23:00:04 *RaptorVPN: openvpnstart: /Applications/RaptorVPN.app/Contents/Resources/openvpn --cd /Applications/RaptorVPN.app/Contents/Resources/Deploy --daemon --management 127.0.0.1 1337 --config /Applications/RaptorVPN.app/Contents/Resources/Deploy/2) RaptorVPN (USA Backup)/RaptorVPN (USA TCP).ovpn --log /tmp/tunnelblick/logs/-SApplications-SRaptorVPN.app-SContents-SResources-SDeploy-S2) RaptorVPN (USA Backup)-SRaptorVPN (USA TCP).ovpn.1_0_2_0_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/RaptorVPN.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/RaptorVPN.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
    2011-03-20 23:00:04 *RaptorVPN: Obtained VPN username and password from the Keychain
    2011-03-20 23:00:05 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
    2011-03-20 23:00:05 Local Options hash (VER=V4): ‘bc07730e’
    2011-03-20 23:00:05 Expected Remote Options hash (VER=V4): ‘b695cb4a’
    2011-03-20 23:00:05 Attempting to establish TCP connection with 174.37.190.77:443 [nonblock]
    2011-03-20 23:00:05 MANAGEMENT: >STATE:1300633205,TCP_CONNECT,,,
    2011-03-20 23:00:06 TCP connection established with 174.37.190.77:443
    2011-03-20 23:00:06 TCPv4_CLIENT link local: [undef]
    2011-03-20 23:00:06 TCPv4_CLIENT link remote: 174.37.190.77:443
    2011-03-20 23:00:06 MANAGEMENT: >STATE:1300633206,WAIT,,,
    2011-03-20 23:00:06 MANAGEMENT: >STATE:1300633206,AUTH,,,
    2011-03-20 23:00:06 TLS: Initial packet from 174.37.190.77:443, sid=5f6d1480 da854fc4
    2011-03-20 23:00:06 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2011-03-20 23:00:11 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
    2011-03-20 23:00:11 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
    2011-03-20 23:00:22 Data Channel Encrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
    2011-03-20 23:00:22 Data Channel Encrypt: Using 160 bit message hash ‘SHA1′ for HMAC authentication
    2011-03-20 23:00:22 Data Channel Decrypt: Cipher ‘AES-128-CBC’ initialized with 128 bit key
    2011-03-20 23:00:22 Data Channel Decrypt: Using 160 bit message hash ‘SHA1′ for HMAC authentication
    2011-03-20 23:00:22 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    2011-03-20 23:00:22 [server] Peer Connection Initiated with 174.37.190.77:443
    2011-03-20 23:00:24 MANAGEMENT: >STATE:1300633224,GET_CONFIG,,,
    2011-03-20 23:00:25 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
    2011-03-20 23:00:26 AUTH: Received AUTH_FAILED control message
    2011-03-20 23:00:26 TCP/UDP: Closing socket
    2011-03-20 23:00:26 SIGTERM[soft,auth-failure] received, process exiting
    2011-03-20 23:00:26 MANAGEMENT: >STATE:1300633226,EXITING,auth-failure,,
    2011-03-20 23:00:26 *RaptorVPN: Flushed the DNS cache

    • Rodrigo Sieiro

      See the line “AUTH: Received AUTH_FAILED control message”? You had a problem with authentication. Try to check your user/password, they may be incorrect.
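
The reply above locates the failure by reading one line of the log. The same triage as an added example (not code from the post, Tunnelblick or OpenVPN): it follows the `>STATE:` messages to see how far the connection got and also collects the WARNING/NOTE lines that the same log contains. The sample is a constructed excerpt of the log posted above, with plain ASCII quotes and dashes; the rule table and function names are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the log posted above.
SAMPLE_LOG = """\
2011-03-20 23:00:04 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-03-20 23:00:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-03-20 23:00:04 MANAGEMENT: >STATE:1300633204,RESOLVE,,,
2011-03-20 23:00:05 MANAGEMENT: >STATE:1300633205,TCP_CONNECT,,,
2011-03-20 23:00:06 MANAGEMENT: >STATE:1300633206,WAIT,,,
2011-03-20 23:00:06 MANAGEMENT: >STATE:1300633206,AUTH,,,
2011-03-20 23:00:06 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2011-03-20 23:00:24 MANAGEMENT: >STATE:1300633224,GET_CONFIG,,,
2011-03-20 23:00:26 AUTH: Received AUTH_FAILED control message
2011-03-20 23:00:26 SIGTERM[soft,auth-failure] received, process exiting
2011-03-20 23:00:26 MANAGEMENT: >STATE:1300633226,EXITING,auth-failure,,
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),([^,]*),")

# (substring, severity, meaning). The substrings are messages from the log above.
RULES = [
    ("AUTH_FAILED", "error",
     "server rejected the username/password"),
    ("No server certificate verification method", "warning",
     "client does not check that the peer presents a server certificate "
     "(man-in-the-middle risk; see the URL in the message)"),
    ("may cache passwords in memory", "warning",
     "password stays in process memory; the message names auth-nocache"),
    ("script-security setting may allow", "note",
     "this configuration is allowed to run user-defined scripts"),
]


def triage(log_text):
    """Return the state sequence, whether CONNECTED was reached, and findings."""
    states, findings = [], []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not a timestamped log line
        when, message = match.groups()
        state = STATE_RE.search(message)
        if state:
            states.append((state.group(1), state.group(2)))
            continue
        for needle, severity, meaning in RULES:
            if needle in message:
                findings.append({"time": when, "severity": severity,
                                 "meaning": meaning, "line": message})
                break
    return {
        "states": states,
        "connected": any(name == "CONNECTED" for name, _ in states),
        "last_state": states[-1] if states else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("state path:", " -> ".join(name for name, _ in report["states"]))
    print("connected:", report["connected"], "| last:", report["last_state"])
    for item in report["findings"]:
        print(f'{item["time"]} [{item["severity"]}] {item["meaning"]}')
```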

  70. Hi Rodrigo! Great job on this tutorial and the support you’re giving everyone. I’m the developer of Tunnelblick, and have posted a link to this on a thread in the Tunnelblick Discussion Group that asks how to do this.

    I do have one very minor correction: You say

    “And if you are connected to the VPN server but your IP address didn’t change, the problem is probably in the server: it needs to be configured to forward all VPN traffic and to be the default gateway on the client”.

    which is correct, *but* the client can override this. If you include “redirect-gateway def1” in the client configuration file, all traffic will be directed over the VPN, even if the server doesn’t specify it.

    • Rodrigo Sieiro

      Hi Jon, thanks for the great work in Tunnelblick! I’m glad you liked the tutorial.

      I’ve been willing to update this post with tips to solve the most common problems people have. I’ll make sure to include this info on setting up the default gateway in the client. Thanks!

  71. Hi, Mr. Rodrigo:
    I have a problem when I share my macbook vpn (L2TP) to desktop (windows xp or ubuntu 10.10),
    desktop cannot access through macbook vpn connection.
    My configuration:
    macbook/windows xp firewall off
    macbook internet sharing off
    and use your sh script.
    In macbook:
    –airport connect wireless route
    en1 : inet 192.168.16.102
    netmask 255.255.255.0
    gateway 192.168.16.1
    airport connect vpn(l2tp)
    ppp0 : inet 192.168.1.218 –> 192.168.1.6 netmask 0xffffff00

    ethernet connect desktop
    en0 : manually inet 192.168.122.2
    netmask 255.255.255.0
    gateway 192.168.122.1
    DNS xxx.xxx.xxx.xxx (my external DNS),8.8.8.8,192.168.1.6
    Desktop:
    eth0 : manually inet 192.168.122.6
    netmask 255.255.255.0
    gateway 192.168.122.2
    DNS xxx.xxx.xxx.xxx (my external DNS),8.8.8.8,192.168.1.6
    Results: desktop ping 192.168.1.218 ok ping 192.168.122.2 ok but ping 192.168.1.6 failed
    so i cannot access 192.168.1.9 (vpn websites).

    Besides i tried macbook internet sharing tool
    share my connection from airport to computer ethernet (sharing common conection, it’s ok, my desktop can access ie, but cannot share vpn.
    share my connection from L2TP to computer ethernet (i try……but cannot share vpn connection)

    So…. very much hope for your help~!!

    • Rodrigo Sieiro

      Hi bopogx!

      Sorry, but AFAIK this method does not work with L2TP VPNs. I don’t have access to a L2TP VPN so I don’t really know how they work, but I guess the protocol does something different than OpenVPN, making it incompatible with the method I described.

  72. Hi Rod! Thanks so much for this page! My xbox now can view hulu, espn and play last.fm, sites which are blocked in our country. I followed your instructions except I “sudo”ed every line in the text editor to activate. I also edited the DNS in my xbox config and entered the values I found on my Mac, apart from entering the IP address on the gateway. Wow this really works! Thanks man!

  73. Hi Rodrigo! I read your article and I guess I’m a little confused because I’m using my internet a little differently. I’m currently stationed overseas and the only way to access internet here is through USB 3G cards. I’m able to connect to xbox live through regular sharing in OS X, but when I try to download DLC content, it says that its not supported for my region. I currently have a VPN and tried setting everything up, but I think I’m doing it differently because of the USB 3G modem. I’m not sure what I should use as the gateway, because currently my MAC’s IP address is obtained through the USB modem, and I’m not going to get a 192.168…. address. Is it even possible to use this setup? Thanks for the help!

    • Rodrigo Sieiro

      Hi Justin!

      In theory, this guide should work with your setup. You just need a few adjustments.

      First, disable OSX Internet Sharing. Then, since you don’t have a router, you need to setup both your Mac and your XBOX to use fixed IP addresses in the same range, i.e. 192.168.1.X and configure an ad-hoc connection between them if you’re using Airport. Keep in mind that your external IP (the one your 3G service gives you) is in no way related with the internal IP you’re setting for your Airport or Ethernet.

      After that, connect to the 3G service, then connect to the VPN and test if it’s working on your Mac first. Then follow the guide normally and use the fixed IP you gave to your Mac as the gateway in your XBOX.

  74. Hello Rodrigo,
    Nice guide you have here but I am having a few problems with it and I will outline them below and give details of my setup.

    I use my macbook to connect to the internet via wifi, my VPN is setup fine, and I am aiming to connect to my 360 via ethernet.

    So I followed all the steps and everything seemed to work fine but when I get to trying to connect to xbox live I fail the MTU test, now I have tried going into the ethernet config and adjusting the value from the standard 1500 MTU but it didn’t help, still got the same failure.

    Also I’m unsure as to whether I have the right settings on my xbox. I basically took the IP address from the ethernet port, which is what was given, and used that as my default gateway; for the subnet mask I used 255.255.0.0 (also tried 255.255.255.0) and for the IP I just added an extra digit to the last number of the ethernet port’s IP.

    For the DNS, one was not set under the ethernet port, so I manually added 8.8.8.8 and 8.8.4.4 and put the same DNS setting on my 360.

    I am at a loss as to what to do now, any help would be appreciated

    • Rodrigo Sieiro

      Hi Tom!

      First of all, if you have another device (another computer, for example) you can test the configuration on it before using in your XBOX, to make sure everything is working since your XBOX is showing you a non-standard error. I’ve never seen this MTU error, but what I recommend you to try is to use a fixed IP for your ethernet and your XBOX (since you said it was given to you). Try 192.168.1.100 (Mac) and 192.168.1.101 (XBOX), with mask 255.255.255.0. Then use 192.168.1.100 as the gateway in your XBOX and keep the DNS you used before.
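
The rules repeated through this thread (device and Mac on the same subnet, no address reused, the Mac's IP as gateway, an external DNS server) can be checked before touching the console. The following is an added example, not code from the post or its author: `check_client`, its problem codes and the sample data are assumptions of this example, and the samples are constructed, modelled on settings posted in the comments above.

```python
import ipaddress


def check_client(mac_ip, mac_mask, lan_router, client):
    """Check a device's manual settings against the Mac that shares the VPN.

    mac_ip / mac_mask: the Mac's address on the interface the device reaches.
    lan_router: address of the LAN router, or None when there is none.
    client: dict with "ip", "mask", "gateway" and "dns" (list of addresses).
    Returns a list of (code, message); an empty list means nothing was found.
    """
    mac = ipaddress.ip_interface(f"{mac_ip}/{mac_mask}")
    dev = ipaddress.ip_interface(f"{client['ip']}/{client['mask']}")
    gateway = ipaddress.ip_address(client["gateway"])
    problems = []

    # 169.254.x.x means the interface configured itself; nothing was assigned.
    for label, addr in (("Mac", mac.ip), ("device", dev.ip)):
        if addr.is_link_local:
            problems.append(("link-local", f"{label} address {addr} is self-assigned"))

    # The device must not reuse an address that is already taken.
    if dev.ip == mac.ip:
        problems.append(("ip-conflict-mac", f"device reuses the Mac's address {dev.ip}"))
    if lan_router is not None and dev.ip == ipaddress.ip_address(lan_router):
        problems.append(("ip-conflict-router", f"device reuses the router's address {dev.ip}"))

    # Same network mask and same range on both sides.
    if dev.network != mac.network:
        problems.append(("subnet-mismatch", f"device is on {dev.network}, Mac is on {mac.network}"))

    # The gateway must be reachable directly and must be the Mac itself.
    if gateway not in dev.network:
        problems.append(("gateway-off-subnet", f"gateway {gateway} is outside {dev.network}"))
    if gateway != mac.ip:
        problems.append(("gateway-not-mac", f"gateway {gateway} is not the Mac ({mac.ip})"))

    # The thread's advice is an external resolver such as 8.8.8.8.
    for server in client["dns"]:
        if ipaddress.ip_address(server).is_private:
            problems.append(("internal-dns", f"DNS server {server} is a private address"))
    return problems


def codes(problems):
    return [code for code, _ in problems]


def _dev(ip, gateway, dns, mask="255.255.255.0"):
    return {"ip": ip, "mask": mask, "gateway": gateway, "dns": dns}


# Constructed samples: (mac_ip, mac_mask, lan_router, device settings).
SAMPLES = {
    "fixed_pair": ("192.168.1.100", "255.255.255.0", None,
                   _dev("192.168.1.101", "192.168.1.100", ["8.8.8.8", "8.8.4.4"])),
    "router_ip_reused": ("192.168.1.106", "255.255.255.0", "192.168.1.1",
                         _dev("192.168.1.1", "192.168.1.1", ["8.8.8.8"])),
    "gateway_other_network": ("198.168.1.106", "255.255.255.0", "198.168.1.1",
                              _dev("198.168.1.10", "192.168.1.106", ["8.8.8.8"])),
    "self_assigned": ("169.254.253.228", "255.255.0.0", None,
                      _dev("10.10.11.205", "10.10.11.204", ["216.131.94.5"])),
    "internal_dns": ("192.168.3.2", "255.255.255.0", None,
                     _dev("192.168.3.3", "192.168.3.2", ["192.168.1.1"])),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        found = check_client(*args)
        print(f"{name}: {'ok' if not found else ''}")
        for code, message in found:
            print(f"  {code}: {message}")
```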

  75. Blops - Call of the Dead XD

    My DNS for Xbox is not working, tried the Google DNS’s, any help with this? I can connect to network but not to internet, obviously DNS issues, I’ve tried many different DNS settings, none of them were successful… I really need help, please help me. Would you mind making a video tutorial or sending a more detailed one to my email if you can? This website was the most reliable source out of all that I have seen, I really need your help to get the latest Call of Duty: Black Ops map pack. Thanks again

    • Rodrigo Sieiro

      Hello!

      If you can connect to your internal network but not to the internet in your XBOX, it may not be DNS. If the VPN sharing is not working, you will see this error since your XBOX won’t be able to reach any external DNS server.

      Did everything work as expected in your Mac while setting up the VPN sharing? Did you get any error? Can you paste the output for when you run “natvpn.sh” in your Mac here so I can take a look?

      I’m sorry, I won’t be able to do a video tutorial. It would take too much time and I don’t think it would actually help troubleshooting, since most of the errors people get are because they have different network settings.

  76. Blops - Call of the Dead XD

    Hi, thank you so much for your reply. Since terminal cannot find the natvpn.sh file I just sudoed each line on terminal and before I did that I put sudo killall natd. Then once everything was successful and looking like it was supposed to, I connected my xbox to the wireless network and added my mac ip but one digit higher on ip section on xbox and subport 255.255.255.0 as usual and gateway to my mac’s ip and both DNS were 8.8.8.8. I’m pretty sure I did it right but somehow it does not pass the internet stage. Thanks Rodrigo, your help is amazing. Hope you can help me out. Note that I am connected to Raptor VPN mac version tunnelblick before I did any of this.

  77. Blops - Call of the Dead XD

    BTW This is what terminal said after sudo each line while connected to raptor VPN

    Last login: Wed May 11 17:07:36 on ttys000
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo killall natd
    Alec-Williams-Mac-Book-Pro:~ alec_williams$
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo #!/bin/sh 
    usage: sudo [-n] -h | -K | -k | -L | -V | -v
    usage: sudo -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid]
    [-g groupname|#gid] [command]
    usage: sudo [-AbEHnPS] [-C fd] [-g groupname|#gid] [-p prompt] [-u
    username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []
    usage: sudo -e [-AnS] [-C fd] [-g groupname|#gid] [-p prompt] [-u
    username|#uid] file …
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo natd -interface tun0
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo ipfw -f flush
    Flushed all rules.
    Alec-Williams-Mac-Book-Pro:~ alec_williams$
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo ipfw add divert natd ip from any to any via tun0
    00100 divert 8668 ip from any to any via tun0
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo ipfw add pass all from any to any
    00200 allow ip from any to any
    Alec-Williams-Mac-Book-Pro:~ alec_williams$ sudo sysctl -w net.inet.ip.forwarding=1
    net.inet.ip.forwarding: 0 -> 1
    Alec-Williams-Mac-Book-Pro:~ alec_williams$

    • Rodrigo Sieiro

      Hi Alec (now I can call you by your name hehe)!

      If you’re going to run every line manually, you don’t need to run the lines beginning with “#”. Makes no difference, but it’s one less line to manually run :)

      Let’s try a few things. First, before running the script (but after connecting to the vpn) run “ifconfig” in the terminal so I can see your network interfaces. Then, after running the lines above, type “ps aux | grep natd” so we can check if natd is indeed running.

      Did you test your VPN in the Mac to see if it’s really working and if you’re able to navigate using it? Go to http://www.ip-adress.com/ while connected to check your IP and confirm it’s working.

      • Blops - Call of the Dead XD

        Thanks Rod, but I actually figured it out. When I kept testing the connection to Xbox Live it finally connected and I was able to download the First Strike map pack for Black Ops. Now I am downloading the Escalation map pack, let’s just hope that I get the same luck. Thanks again, Rod.

  78. Blops - Call of the Dead XD

    Sorry again Rod, I had luck the first time but it never worked again. I do have a paid VPN called StrongVPN and it’s a PPTP service, and your instructions about setting up a PPTP VPN in the Troubleshooting section are hard to understand. Can you explain to me how to do it? I think more people are wondering the same thing. Thanks

    • Rodrigo Sieiro

      Hey Alec!

      First of all, I don’t really recommend using a PPTP VPN. Several people said it’s very slow after you share it using my method, and I don’t know exactly how to fix it. That said, you just have to add a line to the file “/etc/hostconfig” with the text “IPFORWARDING=-YES-”, and then modify the first line of my script (the one starting with “natd”) with the line I mentioned in the Troubleshooting section.

      Keep in mind that I just got that info from the comments, and I never tried sharing a PPTP VPN myself.

  79. Hey Rod,

    Can you help me with my Mac? I was using a normal LAN connection last month and I shared the VPN connection from my Mac to my Android using your help.
    Now I changed to an ADSL PPPoE connection, and I can’t share the connection to my Android. On the Android it shows as connected to my Mac, but I can’t browse or do anything.

    • Rodrigo Sieiro

      Hi Harris!

      Do you want to share your VPN or your PPPoE with your Android?

      If you just want to share your PPPoE, I believe you have to run “ifconfig” while connected, get the name of the PPPoE connection and replace “tun0” with it in the script. That should work.

      Now if you want to share your VPN connection, the answer is “I don’t know”. Since the PPP connection is on demand (like the VPN), I don’t really know what kind of routing you need to do in order to direct your ethernet connection to the VPN, while passing through the PPP. Sorry.

      • Hey rod,

        I just entered ifconfig and got this, but I can’t find PPPoE in it. Could you tell me how to replace PPPoE with tun0…

        Harris-MacBook-Pro:~ Harris$ ifconfig
        lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        gif0: flags=8010 mtu 1280
        stf0: flags=0 mtu 1280
        en0: flags=8863 mtu 1500
        ether d4:9a:20:f2:97:b0
        inet6 fe80::d69a:20ff:fef2:97b0%en0 prefixlen 64 scopeid 0x4
        inet 169.254.201.105 netmask 0xffff0000 broadcast 169.254.255.255
        media: autoselect (100baseTX )
        status: active
        fw0: flags=8863 mtu 4078
        lladdr d4:9a:20:ff:fe:f2:97:b0
        media: autoselect
        status: inactive
        en1: flags=8863 mtu 1500
        ether f8:1e:df:da:a5:ab
        inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
        inet6 fe80::fa1e:dfff:feda:a5ab%en1 prefixlen 64 scopeid 0x6
        inet 169.254.201.105 netmask 0xffff0000 broadcast 169.254.255.255
        media: autoselect
        status: active
        en2: flags=8863 mtu 1500
        ether 60:fb:42:81:86:3a
        media: autoselect
        status: inactive
        vnic0: flags=8843 mtu 1500
        ether 00:1c:42:00:00:08
        inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
        media: autoselect
        status: active
        vnic1: flags=8843 mtu 1500
        ether 00:1c:42:00:00:09
        inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
        media: autoselect
        status: active
        ppp0: flags=8051 mtu 1492
        inet 110.185.7.212 --> 110.185.4.1 netmask 0xff000000

        • Rodrigo Sieiro

          Hi again, Harris!

          Just replace “tun0” (there are two occurrences) with “ppp0” in my script. Here’s the whole script already modified:

          #!/bin/sh
          
          natd -interface ppp0
          ipfw -f flush
          ipfw add divert natd ip from any to any via ppp0
          ipfw add pass all from any to any
          sysctl -w net.inet.ip.forwarding=1
          

          That should work.

          • Hey Rod,

            Thanks for helping me…
            after entering natd -interface ppp0
            i got this natd: Unable to create divert socket.: Operation not permitted

  80. Hey rod,

    Thanks, it’s working now… but when I’m using the Tunnelblick VPN, I can’t use the internet on the Android. I mean, if I start Tunnelblick and connect to a VPN network, the data connection is lost on the Android. The wifi on the Android is still connected to the MacBook Pro’s internet sharing, but I can’t browse or do anything…

    • Rodrigo Sieiro

      Hi Harris!

      I don’t really know if what you want to do is actually possible, and I don’t have a way to test that scenario here, sorry.

      What you can try is to change the natd line back to “tun0”, and see if the script works. But then it would only work while connected to the VPN.

  81. Brett Audas

    Rodrigo what about sharing with witopia viscosity.
    Any Ideas, is it the same process?

    Regards Brett

    • Rodrigo Sieiro

      Brett,

      I never used Viscosity myself, but as you can see in some previous comments (search for “viscosity” on this page) it seems to work fine without changing anything.

  82. This was a huge help, thanks!

  83. Great post, helped me out a lot. One small comment: in the troubleshooting section where you deal with tunneling through a simple Mac OS X native VPN setup, you should add that the divert rule which was before “… via tun0” should now be “via ppp0”

    Thanks again :-)

  84. Hi,
    Cool! this is what I was looking for. But What a headfull! My head is hurting just from reading it! Anyway will give it a go! Wish me luck!

    P.S. I might be asking you for some help in the next few days!

    hey Rodrigo, you should do a YouTube tutorial on this!

    Thanks in advance!

  85. i didnt get any files from my vpn client. all i got was this info in an email:

    server address:
    login:
    password:
    L2TP key (shared secret):

    Where do i put this info here:

    Copy your configuration and certificates to the configuration folder. Usually you’ll need to copy 4 files: client.conf, ca.crt, .crt and .key. Rename client.conf to the name you want to use to identify your server (i.e. MyServer.conf), open it in your favorite text editor and check if it already has at least the following lines (leave the rest untouched):

    remote
    ca ca.crt
    cert .crt
    key .key

    please help!!!

    Thanks!

    • Rodrigo Sieiro

      Hi Andrew!

      If the VPN service you’re using is L2TP, you can’t use Tunnelblick. You need to use OSX’s native VPN client.

      Check with your provider for help setting up the VPN client. Then follow the instructions related to the native VPN client in the “Troubleshooting” section of my article.

  86. Hi, it seems this method does not work in Mac OS X 10.7 aka Lion. It worked initially, but on the latest GM release it seems to be broken. My Apple TV does not get any internet connection from Mac. But as I quit or disconnect Open VPN client (Tunnelblick), it works flawlessly. So the problem is natvpn.sh script, which stopped working.

    I can use Tunnelblick on my Mac with no problem. Apple TV and other devices is where the problem appears.

    • Rodrigo Sieiro

      Hi Dainius!

      Unfortunately, I didn’t have the opportunity to try OS X Lion yet. If you manage to fix it, please post a comment here so I can update the guide.

      • Ryan Maloney

        Any update guys?

        I want to upgrade to Lion but currently use the VPN for accessing Netflix from Canada and can’t live without it.

        • Everything is back to working with latest beta release of Tunnelblick, namely this version – Tunnelblick 3.2beta26 (build 2687).

        • Any update for Lion OS X? Also, there’s a new app called AppleScript Editor, could this be useful… I already have Lion so I haven’t attempted to try it, since this code was written for Snow Leopard.

          • HAHAHAAHA… GOT THE BEST NEWS FOR ALL MY MAC FANS OUT THERE, ESPECIALLY RODRIGO!

            In Lion OS X, no need to create a script. Looks like Apple changed their sharing settings, and now the Mac’s VPN client automatically forwards your VPN connection… So right now my Mac is connecting via my ethernet and my VPN is on, so I go to sharing settings and share my VPN connection via my wifi, and I can access blocked sites on my iPad… in China… Thank you so much Apple, and Rodrigo for all the hard work you put in for helping Mac users so far…

        • Dude, upgrade to Lion, it’s awesome, it automatically shares your VPN connection! No need for writing a script…

          • Rodrigo Sieiro

            Great news Peter and Dainius, thanks for sharing!

            So, to sum it up, in Lion:

            For OpenVPN: just update Tunnelblick and it should work.

            For PPTP: no need to use this guide anymore, just use OSX’s VPN client and share it using native sharing.

  87. so if you have the tunnelblick version 3.2 beta 28 what do you do if you are running mac lion 10.7? Do u use the natvpn.sh file and run every line on terminal such as this example?

    killall natd
    #!/bin/sh 
    natd -interface tun0
    ipfw -f flush
    ipfw add divert natd ip from any to any via tun0
    ipfw add pass all from any to any
    sysctl -w net.inet.ip.forwarding=1

    I attempted this and did not succeed.
    I am trying to share my vpn through wifi so that the wifi connected xbox 360 can download foreign content.

    The result was.
    1. Xbox 360 unable to download foreign content
    2. Terminal commands not working as seen below:

    Last login: Mon Aug 8 17:21:44 on ttys001
    localhost:~ name_name$
    Last login: Mon Aug 8 17:43:24 on ttys000
    localhost:~ name_name$ killall natd
    No matching processes belonging to you were found
    localhost:~ name_name$ #!/bin/sh
    localhost:~ name_name$ natd -interface tun0
    natd: Unable to create divert socket.: Operation not permitted
    localhost:~ name_name$ ipfw -f flush
    ipfw: socket: Operation not permitted
    localhost:~ name_name$ ipfw add divert natd ip from any to any via tun0
    ipfw: socket: Operation not permitted
    localhost:~ name_name$ ipfw add pass all from any to any
    ipfw: socket: Operation not permitted
    localhost:~ name_name$ sysctl -w net.inet.ip.forwarding=1
    net.inet.ip.forwarding: 0
    sysctl: net.inet.ip.forwarding: Operation not permitted
    localhost:~ name_name$

    I am not sure what to do. This process worked perfectly on xbox 360
    I do not remember if I put / on every line of the command or not.
    I did not configure network setting on xbox 360 at all
    I am not sure what the problem is. Please help me. Thank you

    • Rodrigo Sieiro

      You need to add “sudo” in front of every line. For example, the first one will become:

      “sudo killall natd”

      Then it should work.

  88. Ok… I’m using Tunnelblick and my VPN connection works fine on my iMac. But when I share it on Lion to my Apple TV2, Netflix does not run.

    Do I need to do anything else? All I’m doing is Internet Sharing from my Ethernet to my Wi-Fi.

    Please Help
    Daniel

    • Rodrigo Sieiro

      Sorry Daniel, I’m still on Snow Leopard, so I don’t know much about internet sharing on Lion.

  89. CompCrashr

    So if I followed the steps (referring to the steps in the section “Sharing Your VPN”) and attempted to connect my VPN-connected MacBook Pro to my Xbox 360, would it even need to be connected via ethernet or would it be wireless because of the gateway use? If it’s wireless, does my MacBook Pro only need to be on near the Xbox 360?

    • CompCrashr

      I have OS X Lion btw

      • Rodrigo Sieiro

        As I said to Daniel, I’m not on Lion yet so I don’t know much about it. Maybe if you get a specific error message and post it here I might be able to help…

  90. I am very new to this but I have a simple question for you. How do I copy my configuration and certificates to the configuration folder? Where do I get that information? I am trying to configure the config.ovpn file and I’m not exactly sure what to edit.
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote my-server-1 1194
    ;remote my-server-2 1194

    What do i type in where it says my server? Also:

    # SSL/TLS parms.
    # See the server config file for more
    # description. It’s best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client.crt
    key client.key

    What do i type in where it says ca ca.crt/cert client.crt/key client.key? and where/how do i get this info?

    Please help! Thanks so much.

  91. I have my connection to open vpn working just fine but when i try to config it to share the connection from my IMAC to my XBOX i have no luck. I don’t know where i’m going wrong.

  92. I have my connection to open vpn working just fine but when i try to config it to share the connection from my IMAC to my XBOX i have no luck. I don’t know where i’m going wrong. I upgraded to OS X Lion. It seems simple but it’s not to me.

    • Rodrigo Sieiro

      I’m sorry Dashon, but I’m not yet on Lion, so I don’t know much about internet sharing on it. Do you see any specific error message?

    • CompCrashr

      It worked fine for me.
      All you have to do is make that natvpn file as a plain text file with no extension, so don’t make it natvpn.sh.

      After you’ve saved the file as natvpn or whatever else you’d like, make sure it’s in your home directory. This is usually called MacOwner by default (this makes things much easier).

      You will have to go to Terminal next to make it a UNIX executable (because if you’re on OS X Lion there will not be an option to make the text file you just made an executable in “Get Info”).

      to make sure that the file works type this in terminal:

      ls -i natvpn

      it will run a confirmation list. Now to make the text file an executable type this in the terminal:

      chmod 700 natvpn

      If you still have the Finder window open you will see the icon change from a text file to a UNIX executable file.

      Next and finally you can run the sudo command like so:

      sudo ./natvpn

      It will ask for your password. Enter your system password. Even though you press the keys the cursor will not move for security, so don’t panic and make sure you get it right.

      You should get the output like the one Rodrigo posted above. Your MacBook should from that point on be a gateway. Simple as that!

  93. Andres Calvo

    You’re a genius! thx a lot from Costa Rica mate!!!

    Best Regards!

  94. Allan Cunha

    Man!

    Genius!!!

    Works very well here. Better than my 2 (bricked by now) routers!!!

    Best regards from Brazil

    Cheers!

  95. Hey Rod,

    Now I’m using Lion OS X… How can I execute natvpn.sh in this? In Lion only read & write is available…
    Please help

    • Rodrigo Sieiro

      You can do it in the Terminal. Run the command “chmod +x natvpn.sh” and it will become executable.

  96. Hi, I’ve been reading through the tutorial, and I got to the point where I installed Tunnelblick but then when I had to edit the config file, I got stuck.

    I need to share my L2TP VPN from my mac to my AirPort so I can connect to it with my Xbox 360, PS3 etc.

    And I tried doing that with the mac network settings, but failed. Apparently you can’t do it just like that, even though there is an option to share from VPN to AirPort.

    So do I really need this Tunnelblick? If so how can I configure it in a way to I can share the VPN connection to my AirPort?

    Thanks

    Andreas

    • Rodrigo Sieiro

      Andreas, if you’re using a L2TP VPN you shouldn’t use Tunnelblick. Use OS X native VPN client. There are a few tips for that case in the “Troubleshooting” section of the article, but I never tried it myself so I can’t confirm if it will work for you.

      • Ok, I have now got myself an OpenVPN. I am connected to my VPN and I’m trying to get the .sh file working, which it’s not. I’m going crazy here!

        So I tried entering the commands manually. But even that doesn’t work, I get an “ipfw: socket: Operation not permitted”

        FULL TERMINAL OUTPUT:

        Andreas-Weizeneggers-iMac:~ Andreas$ natd -interface tun0
        natd: Unable to create divert socket.: Operation not permitted
        Andreas-Weizeneggers-iMac:~ Andreas$ ipfw flush
        Are you sure? [yn] y

        ipfw: socket: Operation not permitted

        Please help!

        Thanks!

        • Rodrigo Sieiro

          Andreas,

          That’s easy: add “sudo” before each command. Like “sudo natd -interface tun0”. You’ll need to type your password.

          Maybe that’s the reason you couldn’t run the script.

  97. Hi Rodrigo! I successfully hooked up my Macbook’s VPN connection to my Xbox under Lion and while there is a connection, it’s rather slow at 150-300k/s or so. (I get 5mbit on my Macbook when VPN is connected). I’m not using PPTP. I’m also using OpenVPN but instead of the free Tunnelblick solution I’m using Viscosity. Not sure if you’re familiar with that one. What could be the cause of this problem? Could it be setting TUN0 to broadcast to all the adapters on my Mac? Maybe I should just broadcast it to ETH0 (I’m using an ethernet cable as wifi on xbox asks for an SSID which I can’t provide)? How would one go about doing that in the script?

    • Rodrigo Sieiro

      Hello John!

      I’ve already seen people complaining about slow connections while sharing their VPN, but since it never happened to me (I always get pretty much the same speed in all devices) I don’t know exactly how to help you. I remember reading something about changing the MTU/packet size of the connection, but that goes beyond my knowledge, sorry.

      • No problem! Another annoyance is that the ethernet IP changes every time I reboot the xbox or my macbook, forcing me to reconfigure the xbox. Any way to get around that?

        • Rodrigo Sieiro

          You could write down the IP addresses they both are using at a given time (together with netmask, DNS and gateway) and then manually set both (macbook and xbox) to use the addresses you got. Did you try that?

          • Ah no. I never tried that but I will try that amongst other things later. I see why it keeps changing now. It’s set to using DHCP. As for your earlier suggestion, I don’t think MTU is the problem as I have the standard 1500 MTU set for all active adapters when I check MTU with ifconfig command.

  98. Hello, I’m in uni accommodation and I believe they have certain ports blocked. Is it possible to get around this? I can connect to the wireless, have connected my xbox to my mac and have a VPN from proXPN. When I run the connection tests on the xbox the network bit is fine but it fails at the internet stage. It says the DNS server can’t resolve the Xbox Live servers. I tried using Google’s as above but to no avail. Are there any other suggestions that may help?

    • Rodrigo Sieiro

      Hi Max!

      First, when you connect to the VPN on your Mac, is it working on it? If so, while you’re connected to the VPN, check which DNS servers your Mac is using by running “cat /etc/resolv.conf” in the Terminal. Then try to use them in your XBOX.

  99. Hey Rodrigo, I’m out in China… I am reading through the posts here and just getting a bit confused. Maybe you can give me some direction.

    MY CONFIGURATION
    - Wireless Router connected to the Internet.
    - Macbook Pro – with VPN set to L2TP (or PPTP if I want).
    - Macbook Pro can be connected via CAT 5 to the router.

    I can wirelessly connect as well to the router, but thought that I could turn on internet sharing by turning the Macbook into an additional WiFi connection point, where I would just connect my iPhone, or some other device to the Macbook via WiFi. Then I thought I could just “piggyback” on the connection already established by the Macbook, but apparently that is not correct.

    I believe you note that this will not work.

    WHAT I ULTIMATELY WANTED.

    1) I want to connect my iPhone/iPad through the same VPN as the Macbook.
    2) I purchased an Amazon Fire tablet, that is not in my hands yet, but I believe will only let me configure what WiFi router to wirelessly connect to. No VPN connectivity as of yet (without some hacks I suppose).

    PROBLEM
    I was hoping that through “internet sharing”, that anything connecting to the Macbook Wifi would just use the VPN. This is apparently not correct. So I am hoping you have some suggestion on what might be my best configuration for getting this done (if it is even possible).

    Many Thanks.

    • Oh.. I got it working. Very cool.

      Maybe this is just obvious to everyone, but… If you have a VPN set up for your Macbook already, you can do the following to turn your Macbook into a wireless VPN gateway.

      It requires you to connect your Macbook Pro to the internet using CAT 5, freeing up the air card to use as a WiFi Hotspot. Since I always use my MacBook at the same table when at home, this is not a big problem.

      Now all my WiFi devices can connect to the Internet using the VPN from my Macbook Pro.

      Running Lion.
      1) hardwire your Macbook Pro to the Router via CAT 5
      2) Go online and connect to the internet using your VPN
      3) Go to Preferences > Internet & Wireless > Sharing
      4) Select WiFi Options
      5) Configure your WiFi – You will basically be creating a new wireless network that others will see. (you can do this because your macbook is hardwired to the router, freeing up your Mac’s Airport to be used as a WiFi hotspot).
      6) Under “Share your connection from:”, *** SELECT YOUR VPN that you want to share ***
      7) Under “To computers using:” select “WiFi”
      8) On the left side, check the box for “Internet Sharing”.

      At this point you should be able to open up wireless device, and look for your new HotSpot, connect to it via WiFi (probably have to enter your WEP code). All traffic will route to your new HotSpot… All traffic will also go through your MacBook VPN.

      AND – if you disconnect your VPN, and then reconnect it, the Sharing AUTOMATICALLY resumes.

      Very Cool.

      • Rodrigo Sieiro

        Ed, thanks for sharing your findings.

        What you described is a nice alternative if you’re able to use two interfaces separately: one to connect to the VPN and one to connect to the “client”.

        When that’s not possible (you are far from the router and only able to use wi-fi, or if your router doesn’t have wi-fi and you need to connect everything with cables) you can use my guide. It’s a little harder to setup but it allows you to use the same network interface to connect to the VPN and share it with the client.

  100. Rodrigo,

    I have my MAC setup with wireless Internet connection sharing (ethernet connection is shared wirelessly), is there a way to edit the script to allow natd to bind to both natvpn script and ICS?

    Thanks

    • Rodrigo Sieiro

      Hello Joe!

      Unfortunately, I don’t think it’s possible. But why exactly do you want to do that?

  101. I have my Mac acting as a router for my wireless LAN. I want my wireless clients browsing securely via VPN; however, when I have internet connection sharing on the Mac enabled, clients can browse but insecurely. I can’t run your script as the error is “address is already in use”. I added a line killing natd via killall -9 natd after my Mac connects to my VPN service and voilà! It works! Thanks

  102. Rodrigo…..you are a star, that worked a treat! Thanks.

  103. Hi,
    It’s so good to know that we can share our vpn on mac. I am currently facing some problems. My mac internet is connected to ethernet. I am trying to configure a vpn & share it over wifi. i can’t seem to make it work. vpn works from the mac but not on other connected devices.

    • Rodrigo Sieiro

      Hi Abir!

      Since you’re using both interfaces, maybe it’s easier for you to use Mac OS’s native Internet sharing. It will allow you to share your VPN (wired interface) through your wireless interface.

      You can find it in the network preferences.

  104. Rodrigo -

    I’ve tried various amalgamations of this for days and nothing seems to work right. Some numbers I use I can connect to network but not internet, some gets me nowhere at all.

    I’m using StrongVPN (the lite open version so that I can make use of Tunnelblick and static IPs). I’ve sudo’d the first set of commands you suggest. My modem directly connects to my Airport Extreme (that connection is PPPoE). The VPN is successfully running on top of that now through Tunnelblick. My iMac connects to the Airport Extreme wirelessly (but I can connect it wired as well), and my Xbox also connects wirelessly to the Airport Extreme (without Tunnelblick on), but once Tunnelblick is on and I reconfigure the Xbox connection settings with the IP numbers, things no longer work.

    Not sure which numbers I should be using – I’ve checked on the IPs with Airport connected (instead of being connected from my mac to the airport by ethernet) and I get the standard internal network numbers. With that in mind – here’s my current setup (no internet sharing).

    Xbox:
    IP address 10.0.1.7 (just gave it a random last number to fit into the network).
    Subnet 255.255.255.0
    Gateway 10.0.1.5 (which is the IPv4 address the Airport network control panel displays – which also shows me a router number of 10.0.1.1).
    DNS 8.8.8.8 and 8.8.4.4. I’ve also tried DNS numbers that appear in the network control panel (presumably I got them at some point from StrongVPN).

    Anyway – nothing works – and I’m an utter idiot at network stuff, any and all thoughts would be greatly appreciated.

    Many thanks,
    -Jess

    • Rodrigo Sieiro

      Hi Jess!

      After you connect your Mac to the VPN through wifi, is the internet working on your Mac? Do you get a different external IP than the one you get while not connected to the VPN? What about the output when you run the script, any error or message worth noting?

      Anyway, after you’re connected to the VPN, run “ifconfig” on Terminal and check two things: the local IP of your wireless interface (that should be used as the gateway in your XBOX) and the name of the VPN interface. If the name is not “tun0”, then you need to replace “tun0” with your interface name in the script.

      You can also check if you’re indeed changing the wireless interface info in your XBOX, instead of the ethernet info. My XBOX only has ethernet, so I don’t know how wifi works in it.
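
Added example (not part of the comment above or of the article's script): a shell helper that reads `ifconfig` output, picks the point-to-point VPN interface (tun0, utun0 or ppp0, the names seen in the outputs posted in this thread) and prints the article's NAT commands for that interface. The function names and both sample outputs are constructed for illustration; the commands are only printed, never executed.

```shell
#!/bin/sh
# Added example: find the VPN interface in `ifconfig` output and print the
# NAT commands from the article for it. Nothing here touches the firewall.

# Constructed sample outputs (documentation addresses, not taken from the thread).
SAMPLE_PPP='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
    inet 192.0.2.10 --> 192.0.2.1 netmask 0xff000000'

# utun0 exists here but carries no IPv4 point-to-point address, so it is skipped.
SAMPLE_TUN='en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0x8
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 198.51.100.90 --> 198.51.100.89 netmask 0xffffffff'

# vpn_iface: read ifconfig output on stdin, print the first tun/utun/ppp
# interface that has an IPv4 "local --> peer" line. Exit status 1 if none.
vpn_iface() {
    awk '
        /^[A-Za-z0-9]+: flags=/ { iface = $1; sub(/:$/, "", iface); next }
        /^[ \t]+inet [0-9.]+ --> / && iface ~ /^(tun|utun|ppp)[0-9]+$/ {
            print iface; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# is_vpn_name: accept only names shaped like tun0, utun0 or ppp0, so nothing
# else can end up inside the generated command lines.
is_vpn_name() {
    printf '%s\n' "$1" | grep -Eq '^(tun|utun|ppp)[0-9]+$'
}

# need_root: natd, ipfw and sysctl -w fail with "Operation not permitted"
# unless they run as root (the error several commenters hit).
need_root() {
    [ "$(id -u)" -eq 0 ]
}

# nat_commands IFACE: print the five commands of the article's script with the
# interface substituted. Returns 2 for a name that is_vpn_name rejects.
nat_commands() {
    is_vpn_name "$1" || return 2
    printf 'natd -interface %s\n' "$1"
    printf 'ipfw -f flush\n'
    printf 'ipfw add divert natd ip from any to any via %s\n' "$1"
    printf 'ipfw add pass all from any to any\n'
    printf 'sysctl -w net.inet.ip.forwarding=1\n'
}

# With --live, inspect the real ifconfig output of this machine.
if [ "${1:-}" = "--live" ]; then
    iface=$(ifconfig | vpn_iface) || { echo "no VPN interface is up" >&2; exit 1; }
    need_root || echo "# not root: prefix each line below with sudo" >&2
    nat_commands "$iface"
fi
```

Note that `ipfw -f flush` followed by `pass all from any to any` removes any existing firewall rules on the Mac, so review the printed lines before running them.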

  105. Rodrigo

    Gotta say you are definitely the most patient dude on the net, hopefully you can help me. I followed every step and everything seemed to go well except when I change the gateway address of my MBP to point to the mini, it doesn’t work.

    Here’s my setup:

    Wireless Router IP: 192.168.1.1

    Mac Mini running Lion Server & Witopia Viscosity VPN or Witopia PPTP (Tried both)

    IP Address Mini: 192.168.1.3
    Subnet: 255.255.255.0
    gateway: 192.168.1.1

    Macbook Pro running Lion
    IP Address: 192.168.1.100
    subnet: 255.255.255.0
    gateway: 192.168.1.1 (which changed to 192.168.1.3 to test VPN Sharing)

    I have created your script and everything seems to work fine with it as I get the expected results.

    Flushed all rules.
    00100 divert 8668 ip from any to any via tun0
    00200 allow ip from any to any
    net.inet.ip.forwarding: 0 -> 1

    IFCONFIG:

    lo0: flags=8049 mtu 16384
    options=3
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fdd8:7d64:238d:f4a8:ca2a:14ff:fe55:d02e prefixlen 128
    gif0: flags=8010 mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863 mtu 1500
    options=2b
    ether c8:2a:14:55:d0:2e
    inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
    media: autoselect (1000baseT )
    status: active
    en1: flags=8823 mtu 1500
    ether b8:c7:5d:13:89:9b
    media: autoselect ()
    status: inactive
    fw0: flags=8863 mtu 4078
    lladdr c8:2a:14:ff:fe:f5:b2:94
    media: autoselect
    status: inactive
    p2p0: flags=8802 mtu 2304
    ether 0a:c7:5d:13:89:9b
    media: autoselect
    status: inactive
    tun0: flags=8851 mtu 1500
    inet 10.119.4.90 --> 10.119.4.89 netmask 0xffffffff
    open (pid 8397)

    • Rodrigo Sieiro

      Hi T33b0n35!

      Have you tried to change the DNS servers in your client machine? If they’re not set (to external DNS servers) your machine will try to use the gateway, which will probably not work.

      Also, do you get any error/message or the connection simply doesn’t work? In the server machine is everything working correctly after you connect to the VPN?

  106. Hello Rodrigo,

    I’ve been trying several combinations in order to get that connection working, but so far no success.
    1. I’m connected through a VPN by ethernet cable using Mac’s standard VPN UI.
    2. Then I run the script, everything’s fine.
    3. Right after, I share the connection from the VPN by wifi.
    4. Configure my iPhone.
    The wifi symbol appears as if it were connected; unfortunately it does not work. When I try to surf in Safari it displays “you don’t have internet connection”.

    My ifconfig after I start to share my VPN connection through wifi is:

    lo0: flags=8049 mtu 16384
    options=3
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    gif0: flags=8010 mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863 mtu 1500
    options=2b
    ether c8:2a:14:15:9a:1e
    inet6 fe80::ca2a:14ff:fe15:9a1e%en0 prefixlen 64 scopeid 0x4
    inet 10.17.12.102 netmask 0xffff0000 broadcast 10.17.255.255
    media: autoselect (100baseTX )
    status: active
    en1: flags=8863 mtu 1500
    ether e0:f8:47:21:b0:be
    inet6 fe80::e2f8:47ff:fe21:b0be%en1 prefixlen 64 scopeid 0x5
    inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
    inet 169.254.223.185 netmask 0xffff0000 broadcast 169.254.255.255
    media: autoselect
    status: active
    fw0: flags=8863 mtu 4078
    lladdr 70:cd:60:ff:fe:de:79:72
    media: autoselect
    status: inactive
    p2p0: flags=8802 mtu 2304
    ether 02:f8:47:21:b0:be
    media: autoselect
    status: inactive
    vboxnet0: flags=8842 mtu 1500
    ether 0a:00:27:00:00:00
    utun0: flags=8051 mtu 1280
    inet 193.171.244.30 --> 193.171.244.30 netmask 0xffffffff

    thanks for your patience in advance.

    • Rodrigo Sieiro

      Edu,

      As you’re using OS X VPN client, your VPN connection should have a different name (Tunnelblick is TUN0). Based on your ifconfig result, I guess it’s “utun0”. Did you change that name in the script?

      Also, did you manually set DNS information in your iPhone?

      • Yes, I changed both attributes: tun0 in the script and Google DNS in the iPhone.

        • Rodrigo Sieiro

          Well Edu, I really don’t know how to help you, I’m sorry.

          But I noticed you connect to the VPN via ethernet and then share the connection through wifi… You have the perfect scenario to use OS X native internet sharing. Did you try to use it?

  107. suck_behind_the_great_firewall

    Perfect. Solved all my problems! Thanks very much.

  108. Sylvain DLDK

    Hi Rodrigo,

    Thank you for all your work here :D

    But I still can’t use VPN share. I followed your instructions: I open a VPN connection with Frozenway. Successfully. I then try to share it. I sudo natvpn.sh. Ok, I still have the Internet.
    And eventually, I try to share Internet… and I don’t have any access to Internet anymore.

    I have to use your natvpnoff script to have the Internet back.

    Do you have any idea?

    Thanks !

    Sylvain

    • Rodrigo Sieiro

      Sylvain,

      When you run “natvpn.sh”, you are already sharing your connection… So I don’t understand when you say that you try to share your connection after running the script.

      Are you trying to use OS X native internet sharing after running the script? If that’s the case, it won’t work. You are already sharing the connection by running the script.

  109. Hello Rodrigo,

    Thanks to your explanations, I have succeeded in sharing my VPN connection with my iPhone. But I don’t understand how to do it with my PS3. I have created an ad-hoc network to share the VPN, but PS3s can’t use them…

    I’ve read some comments from people who succeeded in sharing their connection with their PS3, how do you do it?

    Thanks!

    Gaël

    • Rodrigo Sieiro

      Gaël,

      I don’t know how wi-fi works in the PS3, but you shouldn’t need to create an ad-hoc network… Just connect your PS3 to the network using your router, but change the IP/Gateway/DNS manually to point to your Mac.

    • Same way Gael, you just put the router address as the address of ur Mac…

  110. Hi Rodrigo!

    Thank you for your script, it is awesome.

    I have an open vpn (Strong VPN) and I’ve successfully connected my xbox, but I am getting nat strict.

    What should I do? Can you help me?

    TIA!

    • Rodrigo Sieiro

      Gláucio,

      I believe you can redirect specific ports by using the option “-redirect_port” in natd. Instead of just running “natd -interface tun0” (first line of the script), you can do something like “natd -interface tun0 -redirect_port :88 88” for port 88.

      I never tried that but I’m assuming it would work since I researched it in the past and this is the solution that I found.

      You can find more info about natd here: http://freebsd.rogness.net/redirect.cgi?basic/nat.html

      • Thank you Rodrigo!

        This line does the trick:

        sudo natd -interface tun0 -redirect_port udp 192.168.1.102:88 88 -redirect_port udp 192.168.1.102:3074 3074 -redirect_port tcp 192.168.1.102:3074 3074

        My XBOX IP: 192.168.1.102

        It solved my issue! Good job!
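Every `-redirect_port` rule in the thread above makes a LAN device's port reachable from the VPN side, so the list is worth keeping short and checked. As an added example, not from the original post or comments, this hypothetical helper `build_natd_cmd` assembles the natd command line from `proto:port` pairs and rejects anything that is not tcp/udp, a valid port, or a private LAN target.

```shell
# Usage: build_natd_cmd IFACE TARGET_IP PROTO:PORT [PROTO:PORT ...]
# Prints the natd command line; returns non-zero on any invalid argument.
build_natd_cmd() {
    iface=$1
    target=$2
    shift 2

    # Interface names are plain alphanumerics (tun0, utun0, ppp0).
    case $iface in
        ''|*[!A-Za-z0-9]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac

    # Coarse check: digits and dots only, inside an RFC 1918 range,
    # so a typo cannot forward ports to a public address.
    case $target in
        *[!0-9.]*) echo "bad target: $target" >&2; return 1 ;;
    esac
    case $target in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "target $target is not a private LAN address" >&2; return 1 ;;
    esac

    cmd="natd -interface $iface"
    for rule in "$@"; do
        proto=${rule%%:*}
        port=${rule#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in rule: $rule" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port in rule: $rule" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "port out of range in rule: $rule" >&2; return 1; }
        # Same port number on both sides, as in the comment above.
        cmd="$cmd -redirect_port $proto $target:$port $port"
    done
    printf '%s\n' "$cmd"
}

# Reproduces the command from the comment above (without sudo):
# build_natd_cmd tun0 192.168.1.102 udp:88 udp:3074 tcp:3074
```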

  111. Great tutorial Rodrigo!
    Thanks a lot…my problem is that on the ps3 I can connect to the Internet perfectly and can even browse on the web browser. Yet I can never seem to connect to the psn network.. It simply times out every time… Any ideas? I am using tunnelbear as a VPN service..
    Thanks again Rodrigo.

    • Rodrigo Sieiro

      Hi Maxi,

      Unfortunately, I don’t know what could be happening. I don’t have a PS3 so I don’t know how the PSN works (if it has any kind of special port or something).

      The only idea that comes to mind is that you can try to set natd to log all traffic on your Mac (there should be a way) and then you can look at the log to see what’s happening in more detail.

      • It is weird because the internet browser is working just fine on the ps3. It might be a case of NAT ports… I remember when I tested the connection, internet was running but for the NAT, it said something about NAT3 and voice or communication in play might not work.

        Here is the NATd error I am getting:

        2/9/12 6:41:38 PM natd[16608] failed to write packet back (Can't assign requested address)

        Does it give you any clues?
        Thanks Rodrigo.

        • Rodrigo Sieiro

          Sorry Maxi, no idea. I don’t know much about natd besides how to make it share my connection.

  112. Just got back to China. As I write this, I am watching George Carlin on Netflix on the Kindle Fire sitting in China – Full out Streaming, while browsing Facebook on my iPhone.

    To Start, I have a wireless router connected to the local broadband service. I can connect my MacBook Pro direct to the router or connect via Wifi (either way, the procedure is the same and seems to work).

    So I want to use my MacBook Pro VPN connection for all my devices, including a Kindle Fire, iPhones, iPad. And the procedure below gets me there.

    The only thing remaining is that I believe I do not have a fixed IP address to my internet provider, so my computer might be assigned another IP in the future, which would mean I would need to change my router (gateway) settings on my iOS or Kindle Fire. Maybe there is a post here that will solve this, but I am not aware of it yet. (Any guidance appreciated!).

    I would also like to see if I can use the Internet Sharing Functions on the MacBook. This would allow me to just have the MacBook at a hotel or other location, and not have to go through their routing system. Still playing around with this.

    Read on.
    *****************************************

    *** THE GOAL IS TO CONNECT YOUR DEVICES THROUGH THE WIRELESS ROUTER and USE THE MacBook PRO VPN connection ***
    Section 1 – Connect your Internet to the wireless network.
    Section 2 – Share your VPN connection with other devices on Wireless Network.
    Section 3 – Connect Your IOS DEVICES to VPN via Wireless Router.
    Section 4 – Connect your Kindle Fire to VPN via Wireless Router.

    *** SECTION 1 ***
    SET YOUR COMPUTER UP TO USE A WIRELESS ROUTER IN YOUR APARTMENT ***
    These steps are just typical stuff to get your wireless router working. If it is working already you can go to the next section.
    1) Get your internet connection in China at your apartment.
    2) Get a wireless router in your apartment hooked up to the China internet service provider.
    3) Get your VPN set up on the Macbook. I have had MANY problems with L2TP, PPTP, etc. connections, so just get tunnelblick on the MacBook Pro and get OpenVPN services (like strongvpn.com- 10 bucks a month). Their Open VPN service is rock solid, no guessing if I will connect.

    *** SECTION 2 ***
    SHARE YOUR VPN CONNECTION
    1) Use Rodrigo’s process to share your VPN as listed in this post (here is the link again http://goo.gl/rHi0n ) (I use Tunnelblick).
    2) Find out your computer’s IP address- Go to your MacBook Pro’s System Preferences >> Network and highlight the “Connected” connection. Note the IP Address and write it down. This will serve as the Router Address you will want to point your wireless devices at to use the VPN connection. (I’ll call this “New Router IP Address”)

    *** SECTION 3 ***
    CONNECT YOUR IOS DEVICES TO VPN VIA THE WIRELESS ROUTER.
    1) Do your typical connection to your wireless router (no VPN).
    2) Go to Settings >> WiFi >> .. there you see the checkmark next to your wireless connection, go all the way to the right of that line and click the blue arrow.
    3) DHCP will likely be selected. WRITE DOWN your IP address, Subnet Mask, Router, and DNS.
    4) You now need to change the Router entry and the only way to do that is by making the entry STATIC. To do this, Press “Static” and enter the IP address, Subnet Mask…
    – CHANGE the Router to “New Router IP Address”.
    – CHANGE the DNS to 8.8.8.8 (this is Google’s DNS server and it seems to work just fine).
    5) Back out of the menus.

    Now when you connect the iPhone, you should be able to get to the internet but you will be routed through the VPN that was set up on the MacBook Pro.

    *** SECTION 4 ***
    CONNECT YOUR KINDLE FIRE TO THE VPN VIA THE WIRELESS ROUTER.
    On the Kindle Fire… click the cog icon at the top to get to your settings.
    You will see the Menu Selections like “Locked / Volume / Brightness / Wi-Fi / Sync / More…”
    - Select Wifi
    - Scroll to the bottom of the listing of WiFi connections until you see Advanced Settings.
    - Select Advanced Settings.
    - Select IP Settings
    - Type in the SAME information as your iOS device (list) but with some exceptions noted as follows:
    … IP Address (Make it the same except just increment the number (e.g., if the iOS device IP Address was 192.168.1.101, then make the Kindle Fire 192.168.1.102) – basically you are “FIXING” the IP address for each of the devices. So every device you connect needs its own address.)
    … Router = the New Router IP Address (basically your computer’s IP address *** If your MacBook’s IP address changes, you will need to change this to the new MacBook IP address).
    … Subnet Mask will be 255.255.255.0
    … DNS 1 – this can be 8.8.8.8
    … DNS 2 – I left this blank for now.
    Once these settings are set, you should be able to connect to your wireless router and use the VPN connection.

    ###
