Fight Back! (When VPN Clients Mis-Behave)

I have to use VPNs at work. Specifically, to access my production webservers (etc), I have to use a Cisco VPN client. Sadly, the VPN concentrator overrides my choice of allowing local LAN access. So, when I am on the VPN, my DNS options get changed so I can’t use any local servers. This is a serious, serious pain. So painful, in fact, that many times instead of fighting with it I would simply run a Windows session in VMware (on my Mac) and connect the VPN there. This has drawbacks too, but it’s better than not having local network access.

So I set out to find a solution and I found a post by loudhush which described using scutil to modify the DNS network settings after connecting to a Cisco VPN. This was great, but I needed something a bit handier.

So, I cranked out the following which goes in my /Users/username/.profile:

# .profile or .bash_profile

# Connect with the Cisco command-line client, then re-apply the work DNS
# settings (myworkdns only runs once the client is suspended with CTRL+Z,
# see below).
function myvpn {
    vpnclient connect VPNPROFILENAME user MYVPNUSERNAME
    myworkdns
}

# Overwrite the DNS entries the concentrator pushed for the Cisco service.
# scutil's "*" (array) form takes its values separated by spaces, not commas.
function myworkdns {
    printf "get State:/Network/Service/com.cisco.VPN/DNS\nd.add ServerAddresses * 192.168.1.252 192.168.1.198\nd.add SearchDomains * example.com other.example.com\nset State:/Network/Service/com.cisco.VPN/DNS\n" | sudo scutil
}

These are bash functions which I run from the command line. (I also find the Cisco GUI client to be a pain, and prefer the command line.)

So, obviously, you’ll need to substitute in your Cisco VPN profile name (found in /etc/opt/cisco-vpnclient/Profiles), your VPN username, your DNS server IP addresses, and your DNS search domains with your legitimate values.

To use it, open Terminal and type myvpn. The VPN client will prompt you for your username and password. You’ll then have to hit CTRL+Z to suspend the VPN client so the function can go on to run the DNS updates; that part uses sudo to run scutil as root, so you will probably need to type your Mac password immediately after hitting CTRL+Z. If you don’t want to bother with the command-line VPN client, you can just connect with the Cisco GUI client and then run myworkdns from Terminal, which will still probably prompt you for your Mac password.
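As an added example that is not part of the original post (and not Cisco's or Apple's code), here is a bash script that generalises the myworkdns function above: the server list and search domains are parameters instead of literals, every server address is checked to be a dotted-quad IPv4 address before it is handed to scutil, and the result can be verified by parsing the output of `scutil --dns`. It assumes the same State: key name the post uses and that `scutil --dns` lists nameservers in its usual `nameserver[N] : address` form; the sample dump embedded in it is constructed so the parsing can be exercised without a VPN session.

```bash
#!/bin/bash
# Added example, not code from the original post. Generalises the post's
# myworkdns: parameterised server/domain lists, input validation, and a
# verification step against `scutil --dns`. Key name taken from the post.

VPN_DNS_KEY="State:/Network/Service/com.cisco.VPN/DNS"

# Emit the scutil command script. scutil's "*" array form takes its values
# separated by whitespace, so both arguments are plain space-separated lists.
build_dns_script() {
    local servers="$1" domains="$2"
    printf 'get %s\n' "$VPN_DNS_KEY"
    printf 'd.add ServerAddresses * %s\n' "$servers"
    printf 'd.add SearchDomains * %s\n' "$domains"
    printf 'set %s\n' "$VPN_DNS_KEY"
}

# Accept only dotted-quad IPv4 addresses, so a typo or a stray comma never
# reaches the resolver configuration.
valid_ipv4() {
    local ip="$1" octet
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS='.'
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate, then hand the script to scutil as root. This is the real change,
# macOS only, so it is never run unattended below.
apply_vpn_dns() {
    local s
    for s in $1; do
        valid_ipv4 "$s" || { echo "refusing bad DNS server address: $s" >&2; return 1; }
    done
    build_dns_script "$1" "$2" | sudo scutil
}

# Count how many of the expected servers a `scutil --dns` dump lists as a
# nameserver. Arguments: dump text, expected servers (space-separated).
count_servers_in_dump() {
    local dump="$1" servers="$2" s pat n=0
    for s in $servers; do
        pat=$(printf '%s' "$s" | sed 's/\./\\./g')   # literal dots in the regex
        if printf '%s\n' "$dump" | grep -q "nameserver\[[0-9]*\] : $pat\$"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Live check against the running resolver configuration (macOS only).
verify_vpn_dns() {
    count_servers_in_dump "$(scutil --dns)" "$1"
}

# Constructed sample of `scutil --dns` output, shaped like the real dump.
SAMPLE_DUMP='DNS configuration

resolver #1
  search domain[0] : example.com
  search domain[1] : other.example.com
  nameserver[0] : 192.168.1.252
  nameserver[1] : 192.168.1.198
  flags    : Request A records
  reach    : Reachable'

# Typical use once the VPN is up: run this script with the argument "apply".
# verify_vpn_dns prints 2 when both servers are in place.
if [ "${1:-}" = "apply" ] && command -v scutil >/dev/null 2>&1; then
    apply_vpn_dns "192.168.1.252 192.168.1.198" "example.com other.example.com" &&
        verify_vpn_dns "192.168.1.252 192.168.1.198"
fi
```

The validation step matters because scutil stores whatever token it is given: an address with a trailing comma or a fifth octet would be written into the resolver state silently and only show up later as failed lookups, so checking the count returned by verify_vpn_dns after every connect is a cheap way to confirm the override actually took.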

Hope others find this useful. If I find a cleaner way, I’ll post that too.