I have a MacBook running Big Sur 11.5.2 and I've now spent quite some time on this particular issue but I cannot figure it out. I need some help from people who are more expert than me on the matter.
Background information
Where I'm currently living, in an apartment complex, there is a central internet network whose devices (Ubiquiti) I do not have access to. Lately I've been working a lot from home and sometimes I need to connect through VPN to clients' networks to provide support. Most of the clients' VPNs work fine from home except one. When I try to connect it basically times out. If I use my phone as a hotspot this VPN works perfectly without a single issue at all. I tried at several other locations (outside my home network) and it works as expected.
The current situation
What I'm using to connect to this VPN is the macOS built-in VPN client. The VPN type is Cisco IPSec. So my workaround for this problem was to tunnel this VPN over my WireGuard VPN (wg) that I have installed outside this network. This wg tunnel works as expected. In order to check that the traffic is being routed properly I use Wireshark to monitor it, and of course I checked the macOS routing table (with netstat -nr). So when I connect to my wg I can see that the traffic easily tunnels through the wg.
The problem
When I try to connect with the macOS built-in Cisco IPSec VPN client, instead of passing the traffic through the wg tunnel (utunX) it passes it through the regular Wi-Fi interface (en0). No matter what I tried, I couldn't get the traffic to pass through the tunnel. I added routes to the routing table (0.0.0.0/1 and 128.0.0.0/1) to make sure that all traffic passes there, but the VPN client would not route through it. I tried to change the network service order and that did not help either.
Something noteworthy I noticed: when I run a commercial VPN (that I own) and start the macOS built-in VPN client, it does pass through the commercial VPN tunnel. I tried to mimic what I was seeing in the routing table from the commercial VPN, but without success. But this shows that it is possible to route the client through a tunnel.
A snippet of routing table without wg:
Internet:
Destination Gateway Flags Netif Expire
default 10.20.30.1 UGScg en0
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !
10.20.30.1 fc:ec:da:43:97:e5 UHLWIir en0 1194
A snippet of the routing table WITH wg ON:
Internet:
Destination Gateway Flags Netif Expire
default link#14 UCSg utun2
default 10.20.30.1 UGScIg en0
1.1.1.1 link#14 UHW3Ig utun2 36
9.9.9.9 link#14 UHWIig utun2
10.6/24 10.6.0.2 UGSc utun2
10.6.0.2 10.6.0.2 UH utun2
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !
A snippet of the routing table with Commercial VPN:
Destination Gateway Flags Netif Expire
0/1 10.158.0.5 UGcg utun2
default 10.20.30.1 UGScg en0
default 10.20.30.1 UGScIg en0
10 10.20.30.1 UGSc en0
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !
I couldn't figure out, on the commercial VPN, why there are two default routes with the same gateway (10.20.30.1) but different flags. I could not add a second default like that (or, better said, I don't know how).
What else can I do (or what information should I provide here) for you guys to help me solve the problem?
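The route selection the post is fighting with, as an added example that is not the poster's code: a small Python parser for macOS `netstat -nr` output plus a longest-prefix-match lookup, run over the three snippets above (embedded below as constructed sample input copied from the post). It shows why a pair of 0.0.0.0/1 and 128.0.0.0/1 routes beats `default` (a /1 prefix is longer than /0), that the commercial-VPN snippet only shows the 0/1 half, so anything above 128.0.0.0 still falls back to en0 in that snippet, and how the `I` flag (RTF_IFSCOPE, an interface-scoped route on macOS) gives a socket bound to en0 a different default from an unbound one. The `bound_if` handling is a deliberate simplification of the kernel's scoped-routing rules, not a faithful model, and the classful fallback for masks `netstat` omits is an assumption about how BSD `netstat` abbreviates network routes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str

    @property
    def ifscoped(self) -> bool:
        # 'I' in the Flags column is RTF_IFSCOPE: the route only applies
        # to sockets bound to that interface (macOS netstat(1) flag legend).
        return "I" in self.flags


def _expand(dest: str, flags: str) -> ipaddress.IPv4Network:
    """Turn a BSD-abbreviated destination ('default', '10', '10.6/24',
    '0/1', '1.1.1.1') into an IPv4Network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # netstat drops trailing zero octets
    addr = ".".join(octets)
    if plen:
        bits = int(plen)
    elif "H" in flags:
        bits = 32  # host route
    else:
        # Assumption: with no explicit mask, netstat printed a route whose
        # mask equals the classful default for the first octet.
        first = int(octets[0])
        bits = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{addr}/{bits}", strict=False)


def parse_route_table(text: str) -> list:
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = fields[:4]  # trailing '!' / Expire ignored
        routes.append(Route(_expand(dest, flags), gateway, flags, netif))
    return routes


def lookup(routes: list, ip: str, bound_if: str = None):
    """Longest-prefix match. Unbound sockets ignore interface-scoped routes;
    a socket bound to an interface only sees routes on that interface
    (a simplification of the real scoped-routing rules)."""
    target = ipaddress.IPv4Address(ip)
    best = None
    for r in routes:
        if target not in r.network:
            continue
        if bound_if is None and r.ifscoped:
            continue
        if bound_if is not None and r.netif != bound_if:
            continue
        # Ties keep the first-listed route, matching netstat's ordering.
        if best is None or r.network.prefixlen > best.network.prefixlen:
            best = r
    return best


# Constructed sample input: the three snippets from the post.
NO_WG_TABLE = """default 10.20.30.1 UGScg en0
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !
10.20.30.1 fc:ec:da:43:97:e5 UHLWIir en0 1194"""

WG_ON_TABLE = """default link#14 UCSg utun2
default 10.20.30.1 UGScIg en0
1.1.1.1 link#14 UHW3Ig utun2 36
9.9.9.9 link#14 UHWIig utun2
10.6/24 10.6.0.2 UGSc utun2
10.6.0.2 10.6.0.2 UH utun2
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !"""

COMMERCIAL_TABLE = """0/1 10.158.0.5 UGcg utun2
default 10.20.30.1 UGScg en0
default 10.20.30.1 UGScIg en0
10 10.20.30.1 UGSc en0
10.20.30/24 link#5 UCS en0 !
10.20.30.1/32 link#5 UCS en0 !"""

NO_WG = parse_route_table(NO_WG_TABLE)
WG_ON = parse_route_table(WG_ON_TABLE)
COMMERCIAL = parse_route_table(COMMERCIAL_TABLE)

if __name__ == "__main__":
    for name, table in (("no wg", NO_WG), ("wg on", WG_ON), ("commercial", COMMERCIAL)):
        for dst in ("100.64.1.1", "203.0.113.5", "10.5.5.5"):
            r = lookup(table, dst)
            print(f"{name:10} {dst:12} -> {r.network} via {r.netif}")
    r = lookup(WG_ON, "203.0.113.5", bound_if="en0")
    print(f"wg on, socket bound to en0: 203.0.113.5 -> {r.network} via {r.netif}")
```

Running it prints, for the wg-on table, utun2 for both test destinations from an unbound socket but en0 for a socket bound to en0; for the commercial table, 100.64.1.1 goes to utun2 via 0/1 while 203.0.113.5 stays on en0 because the 128/1 half is not in the snippet, and 10.5.5.5 takes the explicit 10/8 route on en0. Comparing `route -n get <vpn-server-ip>` with and without `-ifscope en0` on the real machine is the equivalent check against the live kernel table.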