[eduVPN-deploy] eduVPN client routing table behaviour on MacOS

Rogier Spoor Rogier.Spoor at SURF.nl
Wed Jul 8 17:51:47 CEST 2020


Hi Louis,

The v1.2.1 macOS app (DMG installer) is an old app version. We strongly
advise users with macOS 10.14 and higher to uninstall this app and
install the App Store version:
https://www.eduvpn.org/blog/new-macos-app.html

The App Store app integrates more nicely with macOS because it uses the
NetworkExtensions API. This should be the most solid way to integrate into
the OS.

To be honest I don't really understand the logic of the
"networkextensions" routing table. I notice /32-like routing entries for
the nameservers and other destinations, but I really have no clue why.

I tried some time ago to find documentation about this new routing table
approach, but so far I haven't found any explanation.

I did notice that WireGuard, which also uses the NetworkExtensions API, has
the same kind of strange routing table entries.

Regarding the O365 issue: for Windows this is a known issue. It can be
'fixed' by adding a 0.0.0.0 route on the eduVPN server. All details and
background about this issue:
https://github.com/Amebis/eduVPN/issues/136

Hope this helps.

cheers,
Rogier



On 07/07/2020 18:35, Louis Twomey via eduVPN-deploy wrote:
> Hi,
> I am troubleshooting a problem where some of our staff occasionally experience problems when accessing O365 services via our eduVPN servers. They can access Sharepoint, and they can open Sharepoint documents in the browser, but they can’t open the same documents in their local apps - the nature of the error suggests a possible networking issue.
> 
> The problem affected two staff members today, at least one of them is using a MacOS 10.15.5 laptop and a recent version of the eduVPN client, v2.1.7 (837). I have not experienced this problem, I have a MacOS 10.15.5 laptop too, but my eduVPN client is v1.2.1.
> 
> When looking at the routing table on my laptop, and the affected laptop, they are very different and I wonder whether this is because the newer eduVPN client behaves differently?
> 
> My laptop routing table is very short and very “clean”, my older eduVPN client adds only 6 routes via the virtual/tunnel interface (for: 0/1, 128.0/1, 192.168.0.0/25, 192.168.0.128/25, host route for gateway IP of eduVPN server, eduVPN pool range). By complete contrast, the laptop with the newer eduVPN client has over 30 additional routes and most of them are host routes, here is a snippet of the IPv4 table:
> 
> Internet:
> Destination        Gateway            Flags        Netif Expire
> default            link#18            UCS          utun2       
> default            192.168.0.1        UGScI          en0       
> 1.1.1.1            link#18            UHW3I        utun2      2
> 1.2.3.4            link#18            UHW3I        utun2      1
> 8.8.8.8            link#18            UHW3I        utun2      3
> 13.88.28.53        link#18            UHWIi        utun2       
> 40.126.1.143       link#18            UHWIi        utun2       
> 
> Is it standard behaviour of the newer MacOS eduVPN client to add a “default” route as above, and to add multiple host routes?
> 
> Thanks,
> Louis
> -------
> Louis Twomey
> Technical Architect
> PGP key: C77D9256
> HEAnet CLG, Ireland’s National Education and Research Network
> 1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
> +353 (0)1 6609040   louis.twomey at heanet.ie  www.heanet.ie
> Registered in Ireland, No. 275301.  CRA No. 20036270
> 
> 
> 
> 
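
Added example, not part of the original thread: a small Python parser for `netstat -rn` output, run over the snippet quoted above (embedded as constructed sample input). It decodes the flag letters as described in the macOS netstat(1) man page and separates configured routes from entries carrying `W` (created on use from a `C` cloning route); the function names are illustrative.

```python
# Flag letters as described in the macOS netstat(1) man page.
FLAGS = {"U": "up", "G": "gateway", "H": "host", "S": "static",
         "C": "cloning", "c": "protocol cloning", "W": "was cloned",
         "I": "interface-scoped", "i": "holds interface reference",
         "3": "protocol flag 3"}

# Constructed sample input: the IPv4 snippet quoted in the thread.
SAMPLE = """\
Destination        Gateway            Flags        Netif Expire
default            link#18            UCS          utun2
default            192.168.0.1        UGScI          en0
1.1.1.1            link#18            UHW3I        utun2      2
1.2.3.4            link#18            UHW3I        utun2      1
8.8.8.8            link#18            UHW3I        utun2      3
13.88.28.53        link#18            UHWIi        utun2
40.126.1.143       link#18            UHWIi        utun2
"""

def decode(flags):
    """Expand a flag string such as 'UHW3I' into readable names."""
    return [FLAGS.get(ch, "unknown:" + ch) for ch in flags]

def parse_routes(text):
    """Parse netstat -rn rows into dicts, skipping headers and blank lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        routes.append({"dest": dest, "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes

def classify(routes):
    """Separate configured routes from entries cloned on use (flag W)."""
    cloned = [r for r in routes if "W" in r["flags"]]
    configured = [r for r in routes if "W" not in r["flags"]]
    unscoped = [r for r in configured
                if r["dest"] == "default" and "I" not in r["flags"]]
    # Cloned entries on an interface with no C (cloning) route are unexpected.
    cloning_ifs = {r["netif"] for r in configured if "C" in r["flags"]}
    orphans = [r for r in cloned if r["netif"] not in cloning_ifs]
    return {"configured": configured, "cloned": cloned,
            "unscoped_default": unscoped, "orphans": orphans}

if __name__ == "__main__":
    for key, rows in classify(parse_routes(SAMPLE)).items():
        print(key, [(r["dest"], r["netif"], r["flags"]) for r in rows])
```

On the quoted snippet, all five host routes carry `W` and sit on `utun2`, the same interface as the `UCS` default route, while the `en0` default is interface-scoped (`I`).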


