Ask Different (Apple)
Q&A for power users of Apple hardware and software
Latest Questions
0 votes, 1 answer, 32 views
What is the proxy for in add VPN configuration?
When you add a default VPN configuration in macOS or iOS, you can also add a proxy. Does traffic get routed through this proxy then through the VPN, or through the VPN and then through this proxy?
Nils
(117 rep)
Feb 20, 2025, 03:53 AM
• Last activity: Jul 20, 2025, 08:05 AM
5 votes, 1 answer, 3161 views
Only Transmission traffic through VPN
I would like to use my favourite torrent client, Transmission, over a VPN service but at the same time I do not want to direct any other traffic therethrough. That is, I want to use my VPN service only for torrenting with the Transmission client.
I intend to use NordVPN service and I am coming across 2 problems:
1. NordVPN offers IKEv2 and OpenVPN protocols on Mac and I'm not sure whether and how I can connect to this VPN so that NOT all traffic is directed therethrough. As for the IKEv2 settings in Mac's Network Preferences, there is no "Send all traffic over VPN connection" option to keep unchecked, like there is for the L2TP VPN protocol on Mac. As for the OpenVPN protocol, I'm not sure if this is possible with Tunnelblick for example or another client.
2. Let's say I solve the first problem and I'm connected to the VPN service without sending all the traffic therethrough. How can I now make Transmission use that specific network interface whereon I'm connected to the VPN?
I searched Google and I have found some procedures/methods but I am none the wiser thereon. E.g.:
1. Transmission Interface Binder - this one seems outdated
2. docker-transmission-openvpn - could be working but I am totally lost hereon.
3. For Ubuntu, but perhaps could be employed on Mac too, but I have no idea what they talk about there
4. Ditto
I should appreciate some advice from the more experienced or knowledgeable hereabout.
yssup
(185 rep)
Mar 5, 2021, 06:56 PM
• Last activity: Jul 16, 2025, 08:08 PM
2 votes, 1 answer, 58 views
How to setup an ssh tunnel "-w flag" between macos and linux
When trying to open a tunnel using `ssh -w` between a local (macOS) and a remote (Linux server), it fails due to the fact that macOS doesn't support the classic tun interfaces that ssh can use, which results in the error below:
root@macos ~ $ ssh -w any:any root@linux-server
Tunnel device open failed.
Could not request tunnel forwarding.
but macOS does support "utun" interfaces, which are used by numerous VPN clients like WireGuard and FortiGate. Can these be used with ssh? How can I use the utun APIs in macOS with ssh to make it work?
**UPDATE**
Output of `sudo ssh -vvvw any:any root@server`:
OpenSSH_9.9p2, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname 1.1.1.1 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/var/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/var/root/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /var/root/.ssh/id_rsa type -1
debug1: identity file /var/root/.ssh/id_rsa-cert type -1
debug1: identity file /var/root/.ssh/id_ecdsa type -1
debug1: identity file /var/root/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/root/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/root/.ssh/id_ed25519 type -1
debug1: identity file /var/root/.ssh/id_ed25519-cert type -1
debug1: identity file /var/root/.ssh/id_ed25519_sk type -1
debug1: identity file /var/root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/root/.ssh/id_xmss type -1
debug1: identity file /var/root/.ssh/id_xmss-cert type -1
debug1: identity file /var/root/.ssh/id_dsa type -1
debug1: identity file /var/root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13.12
debug1: compat_banner: match: OpenSSH_9.6p1 Ubuntu-3ubuntu13.12 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 1.1.1.1:22 as 'root'
debug3: record_hostkey: found key type ED25519 in file /var/root/.ssh/known_hosts:1
debug3: record_hostkey: found key type RSA in file /var/root/.ssh/known_hosts:2
debug3: record_hostkey: found key type ECDSA in file /var/root/.ssh/known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from 1.1.1.1
debug1: load_hostkeys: fopen /var/root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-s,kex-strict-s-v00@openssh.com
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:somekey
debug3: record_hostkey: found key type ED25519 in file /var/root/.ssh/known_hosts:1
debug3: record_hostkey: found key type RSA in file /var/root/.ssh/known_hosts:2
debug3: record_hostkey: found key type ECDSA in file /var/root/.ssh/known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from 1.1.1.1
debug1: load_hostkeys: fopen /var/root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '1.1.1.1' is known and matches the ED25519 host key.
debug1: Found key in /var/root/.ssh/known_hosts:1
debug3: send packet: type 21
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug3: send packet: type 7
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: KEX algorithms: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=
debug3: kex_input_ext_info: extension publickey-hostbound@openssh.com
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=
debug3: kex_input_ext_info: extension ping@openssh.com
debug1: kex_ext_info_check_ver: ping@openssh.com=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug3: kex_input_ext_info: extension server-sig-algs
debug1: kex_ext_info_client_parse: server-sig-algs=
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug3: ssh_get_authentication_socket_path: path '/Users/sneaky/.bitwarden-ssh-agent.sock'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 1 keys
debug1: Will attempt key: macos ssh key ED25519 SHA256:somekeyhash agent
debug1: Will attempt key: /var/root/.ssh/id_rsa
debug1: Will attempt key: /var/root/.ssh/id_ecdsa
debug1: Will attempt key: /var/root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /var/root/.ssh/id_ed25519
debug1: Will attempt key: /var/root/.ssh/id_ed25519_sk
debug1: Will attempt key: /var/root/.ssh/id_xmss
debug1: Will attempt key: /var/root/.ssh/id_dsa
debug2: pubkey_prepare: done
debug1: Offering public key: macos ssh key ED25519 SHA256:somekeyhash agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: macos ssh key ED25519 SHA256:somekeyhash agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:somekeyhash
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:somekeyhash
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 1.1.1.1 ([1.1.1.1]:22) using "publickey".
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: /dev/tun0 open failed: No such file or directory
Tunnel device open failed.
Could not request tunnel forwarding.
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: filesystem
debug3: client_repledge: enter
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: client_input_hostkeys: received RSA key SHA256:somekeyhash
debug3: client_input_hostkeys: received ECDSA key SHA256:somekeyhash
debug3: client_input_hostkeys: received ED25519 key SHA256:somekeyhash
debug1: client_input_hostkeys: searching /var/root/.ssh/known_hosts for 1.1.1.1 / (none)
debug3: hostkeys_foreach: reading file "/var/root/.ssh/known_hosts"
debug3: hostkeys_find: found ssh-ed25519 key at /var/root/.ssh/known_hosts:1
debug3: hostkeys_find: found ssh-rsa key at /var/root/.ssh/known_hosts:2
debug3: hostkeys_find: found ecdsa-sha2-nistp256 key at /var/root/.ssh/known_hosts:3
debug1: client_input_hostkeys: searching /var/root/.ssh/known_hosts2 for 1.1.1.1 / (none)
debug1: client_input_hostkeys: hostkeys file /var/root/.ssh/known_hosts2 does not exist
debug3: client_input_hostkeys: 3 server keys: 0 new, 3 retained, 0 incomplete match. 0 to remove
debug1: client_input_hostkeys: no new or deprecated keys from server
debug3: client_repledge: enter
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env SSH_AUTH_SOCK
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.5.14"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env COLORFGBG
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env PATH
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env COLORTERM
debug3: Ignored env TERM
debug3: Ignored env HOME
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env LSCOLORS
debug3: Ignored env LS_COLORS
debug3: Ignored env PS1
debug3: Ignored env MAIL
debug3: Ignored env LOGNAME
debug3: Ignored env USER
debug3: Ignored env SHELL
debug3: Ignored env SUDO_COMMAND
debug3: Ignored env SUDO_USER
debug3: Ignored env SUDO_UID
debug3: Ignored env SUDO_GID
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug3: client_repledge: enter
debug1: pledge: fork
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)
MOHAMMAD RASIM
(121 rep)
Jun 15, 2025, 08:54 AM
• Last activity: Jul 16, 2025, 12:08 AM
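A small parser for the `ssh -vvv` output in the question above, added here as an example; it is not the asker's code and not part of OpenSSH. It pulls out what the session actually negotiated (KEX, host key algorithm, ciphers, whether the host key matched `known_hosts`, whether strict KEX ordering was in effect) and the reason `-w` failed. The sample log is a constructed subset of the posted lines, with the MAC field written the way OpenSSH prints it for AEAD ciphers; the `-w` failure is taken from the client-side `sys_tun_open` line, which is where this run stops.

```python
"""Summarise what an `ssh -vvv` run negotiated and why `-w` failed.

Added example, not part of the post. Parses OpenSSH client debug output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of the log in the question (same lines, trimmed).
SAMPLE_LOG = """\
OpenSSH_9.9p2, LibreSSL 3.3.6
debug1: Connecting to 1.1.1.1 [1.1.1.1] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.6p1 Ubuntu-3ubuntu13.12
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: Server host key: ssh-ed25519 SHA256:somekey
debug1: Host '1.1.1.1' is known and matches the ED25519 host key.
Authenticated to 1.1.1.1 ([1.1.1.1]:22) using "publickey".
debug1: Requesting tun unit 2147483647 in mode 1
debug1: sys_tun_open: /dev/tun0 open failed: No such file or directory
Tunnel device open failed.
Could not request tunnel forwarding.
"""

# KEX methods with a post-quantum component, as OpenSSH names them.
PQ_KEX = {
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
    "mlkem768x25519-sha256",
}


@dataclass
class SshSession:
    client: Optional[str] = None
    server: Optional[str] = None
    kex: Optional[str] = None
    hostkey_alg: Optional[str] = None
    strict_kex: bool = False                # kex-strict: the OpenSSH 9.6 Terrapin countermeasure
    ciphers: Dict[str, str] = field(default_factory=dict)   # direction -> cipher
    macs: Dict[str, str] = field(default_factory=dict)      # direction -> MAC ("<implicit>" for AEAD)
    hostkey_known: Optional[bool] = None    # True = matched known_hosts, False = trust-on-first-use
    auth_method: Optional[str] = None
    tunnel_error: Optional[str] = None      # text after "sys_tun_open:" when -w fails locally


_CIPHER = re.compile(
    r"kex: (server->client|client->server) cipher: (\S+) MAC:\s*(\S*?)\s*compression: (\S+)"
)


def parse_ssh_debug(log: str) -> SshSession:
    """Extract the negotiated parameters from `ssh -vvv` stderr output."""
    s = SshSession()
    for line in log.splitlines():
        if m := re.match(r"^(OpenSSH_[\w.]+)", line):
            s.client = m.group(1)
        elif m := re.search(r"remote software version (.+)$", line):
            s.server = m.group(1).strip()
        elif "will use strict KEX ordering" in line:
            s.strict_kex = True
        elif m := re.search(r"kex: algorithm: (\S+)", line):
            s.kex = m.group(1)
        elif m := re.search(r"kex: host key algorithm: (\S+)", line):
            s.hostkey_alg = m.group(1)
        elif m := _CIPHER.search(line):
            s.ciphers[m.group(1)] = m.group(2)
            s.macs[m.group(1)] = m.group(3) or "<implicit>"
        elif re.search(r"Host '.+' is known and matches", line):
            s.hostkey_known = True
        elif "Permanently added" in line:   # first contact: nothing was verified
            s.hostkey_known = False
        elif m := re.search(r'^Authenticated to .* using "([\w-]+)"', line):
            s.auth_method = m.group(1)
        elif m := re.search(r"sys_tun_open: (.+)$", line):
            s.tunnel_error = m.group(1)
    return s


def findings(s: SshSession) -> List[str]:
    """What a reviewer would flag in this session."""
    out: List[str] = []
    if not s.strict_kex:
        out.append("strict KEX not negotiated (peer lacks the Terrapin fix)")
    if s.kex not in PQ_KEX:
        out.append(f"key exchange {s.kex} has no post-quantum component")
    if s.hostkey_known is not True:
        out.append("server host key was not matched against known_hosts")
    if s.tunnel_error:
        out.append(f"-w tunnel failed on the client side: {s.tunnel_error}")
    return out


if __name__ == "__main__":
    sess = parse_ssh_debug(SAMPLE_LOG)
    print(f"{sess.client} -> {sess.server}: kex={sess.kex} hostkey={sess.hostkey_alg} "
          f"cipher={sess.ciphers.get('client->server')} auth={sess.auth_method}")
    for item in findings(sess):
        print(" -", item)
```

Run against the posted log, the summary shows the connection itself was healthy (post-quantum KEX, strict KEX ordering, host key matched) and that the tunnel failed locally: the client could not open `/dev/tun0`, so no `tun@openssh.com` channel was ever requested and the server's `PermitTunnel` setting never came into play.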
3 votes, 2 answers, 1657 views
pf: Dynamically add rule to nat-anchor
I connect to a Cisco VPN Server and want to share that connection via wifi.
Using the macOS Internet Sharing feature, I can only select one interface to share - either my LAN adapter, or the VPN connection. Clients on the wifi can then only connect to either the iNet, or the VPN.
The VPN Server is only creating a split-tunnel connection - and switching to full tunnel is unfortunately not an option.
Setting my nat rules directly in `/etc/pf.conf` works fine and solves my problem to a degree.
I want to script and dynamically add them using a nat-anchor. Setting the anchor with `load` for an external config works, however when I define my anchor in `pf.conf` and try to populate my rules using `pfctl` like so:
echo "
nat on en8 from bridge100:network to any -> (en8)
nat on utun1 from bridge100:network to any -> (utun1)" | pfctl -a my.anchor -f -
or as a one-liner:
echo -e "nat on en8 from bridge100:network to any -> (en8)\nnat on utun1 from bridge100:network to any -> (utun1)\n" | pfctl -a my.anchor -f -
(w/ or w/o the trailing `\n`)
I can confirm that the rules are set on my anchor using `pfctl -sn -a my.anchor` but the actual routing remains unchanged.
What am I doing wrong here?
CygnusOlor
(31 rep)
Mar 30, 2020, 03:04 AM
• Last activity: Jul 15, 2025, 01:05 PM
1 vote, 1 answer, 1222 views
Private relay working together with Mullvad
Most of the time I have iCloud Private Relay enabled. Occasionally I use Mullvad VPN. Recently, I do not know exactly when, this combination stopped working.
After installation of Mullvad VPN, iCloud Private Relay is not working anymore. I get this pop-up stating
> **Private Relay Unavailable** Your system settings are incompatible with Private Relay.
Uninstalling Mullvad VPN and rebooting brings Private Relay back to life. But I still want to use Mullvad VPN now and then. So that's not a permanent solution.
I tried to manually disable all Mullvad components. To do this, I ran the first part of the Mullvad uninstall script, see below. After running this script and turning Private Relay off and on I still get the same error.
# Stop the GUI, then stop and unload the privileged daemon
echo "Stopping GUI process ..."
sudo pkill -x "Mullvad VPN" || echo "No GUI process found"
echo "Stopping and unloading mullvad-daemon system daemon ..."
DAEMON_PLIST_PATH="/Library/LaunchDaemons/net.mullvad.daemon.plist"
sudo launchctl unload -w "$DAEMON_PLIST_PATH"
sudo rm -f "$DAEMON_PLIST_PATH"
# Remove the mullvad-exclusion group the daemon creates
sudo dscl . -delete /groups/mullvad-exclusion || echo "Failed to remove 'mullvad-exclusion' group"
# Clear the firewall rules the daemon installed, then deregister this device from the account
echo "Resetting firewall"
sudo /Applications/Mullvad\ VPN.app/Contents/Resources/mullvad-setup reset-firewall || echo "Failed to reset firewall"
sudo /Applications/Mullvad\ VPN.app/Contents/Resources/mullvad-setup remove-device || echo "Failed to remove device from account"
On further investigation I found the following issue on the Mullvad GitHub: Mullvad-daemon (without VPN active) on macOS Ventura disrupts iCloud Private Relay #4215. So it's a common problem.
What I am now looking for is a workaround. Is it possible to temporarily disable Mullvad and enable Private Relay again, without uninstall and reboot?
This issue exists with Mullvad VPN `2022.05` on both macOS `13.1` and `13.2.1`.
DisOwnLimes
(11 rep)
Feb 4, 2023, 06:06 PM
• Last activity: Jul 12, 2025, 11:00 AM
9 votes, 1 answer, 4480 views
How to override DNS resolver ordering while connected to L2TP VPN
OS: `macOS Mojave 10.14 (18A389)`
Current network setup:
* Local domain: `home.rossipedia.com`
* Subnet: `172.16.10.0/24`
* Gateway / DHCP server / DNS server: `172.16.10.1`
Output of `scutil --dns`:
DNS configuration
resolver #1
search domain : home.rossipedia.com
nameserver : 172.16.10.1
if_index : 21 (en8)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000
... (mdns common stuff)...
DNS configuration (for scoped queries)
resolver #1
search domain : home.rossipedia.com
nameserver : 172.16.10.1
if_index : 21 (en8)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
This works fine. I can find `*.home.rossipedia.com` hosts without issue.
However, the moment I connect to a L2TP VPN, my system gets reconfigured to use the _VPN_ DNS servers to resolve hosts on my _home_ search domain.
$ scutil --dns
DNS configuration
resolver #1
search domain : home.rossipedia.com
nameserver : x.x.x.x <- VPN DNS SERVER 1
nameserver : x.x.x.x <- VPN DNS SERVER 2
if_index : 23 (ppp0)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100000
resolver #2
nameserver : 172.16.10.1
if_index : 21 (en8)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 200000
... (mdns common stuff)...
The scoped queries configuration looks right, though:
DNS configuration (for scoped queries)
resolver #1
search domain : home.rossipedia.com
nameserver : 172.16.10.1
if_index : 21 (en8)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain : first.vpn.domain
search domain : second.vpn.domain
nameserver : x.x.x.x
nameserver : x.x.x.x
if_index : 23 (ppp0)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
In my Network System Preferences, I have the VPN connection last in the Service Order dialog. If I move the VPN connection to _before_ my ethernet connection, then my local DNS server doesn't show up in the resolver list _at all_ (while connected to the VPN):
$ scutil --dns
DNS configuration
resolver #1
search domain : first.vpn.domain
search domain : second.vpn.domain
nameserver : x.x.x.x
nameserver : x.x.x.x
if_index : 23 (ppp0)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100000
resolver #2
nameserver : x.x.x.x <- these are the same as above
nameserver : x.x.x.x
if_index : 23 (ppp0)
flags : Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 200000
... (mdns common stuff)...
### What I want:
Ideally, what I'd like to see when connecting to a VPN is something like:
$ scutil --dns
DNS configuration
resolver #1
search domain : home.rossipedia.com
nameserver : 172.16.10.1
if_index : 21 (en8)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain : first.vpn.domain
search domain : second.vpn.domain
nameserver : x.x.x.x
nameserver : x.x.x.x
if_index : 23 (ppp0)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100000
... (mdns common stuff)...
This way I could resolve all `*.home.rossipedia.com` hosts via my local DNS server at `172.16.10.1`, and any hosts on my VPN domain would be resolved using the VPN DNS servers.
I've tried changing the order of services in the Network pref pane, changing the local domain on the DNS/DHCP server, deleting and re-creating the VPN connection, nothing has worked so far.
Is this possible? Or am I misunderstanding how this all works?
rossipedia
(191 rep)
Oct 8, 2018, 11:12 PM
• Last activity: Jul 9, 2025, 08:00 PM
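A parser for the `scutil --dns` listings in the question above, added here as an example; it is neither the asker's code nor Apple's. `resolver_for` is a deliberately simplified model of resolver selection (a resolver whose `domain` matches the query wins, otherwise the default resolver with the lowest `order`), not Apple's actual algorithm; it is enough to show why, in the connected configuration, queries for the home domain end up at the VPN nameservers. The sample is constructed from the post's VPN-connected output, with the redacted VPN nameservers replaced by TEST-NET-1 placeholders (192.0.2.53 and 192.0.2.54) and the `[0]` index suffixes that `scutil` prints restored.

```python
"""Parse `scutil --dns` output and show which resolver would serve a name.

Added example, not part of the post. The selection logic is a simplified
model, not Apple's implementation.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the post's VPN-connected output; 192.0.2.x stands in for
# the redacted VPN nameservers.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 192.0.2.53
  nameserver[1] : 192.0.2.54
  if_index : 23 (ppp0)
  flags    : Supplemental, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 100000

resolver #2
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home.rossipedia.com
  nameserver[0] : 172.16.10.1
  if_index : 21 (en8)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""


@dataclass
class Resolver:
    scoped: bool                                  # from the "(for scoped queries)" section
    domain: Optional[str] = None                  # set on supplemental/mdns resolvers
    search_domains: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    interface: Optional[str] = None               # e.g. "ppp0", taken from if_index
    flags: List[str] = field(default_factory=list)
    options: Optional[str] = None                 # e.g. "mdns"
    order: int = 0                                # lower wins; 0 when scutil printed none


# "key[index] : value" with the index optional; scutil aligns values with spaces.
_KV = re.compile(r"^\s*([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*?)\s*$")
_IFACE = re.compile(r"^\d+\s*\((\S+)\)$")


def parse_scutil_dns(text: str) -> List[Resolver]:
    """Turn `scutil --dns` output into Resolver records, unscoped then scoped."""
    resolvers: List[Resolver] = []
    scoped = False
    cur: Optional[Resolver] = None
    for line in text.splitlines():
        if line.startswith("DNS configuration"):
            scoped = "scoped" in line
            cur = None
        elif line.startswith("resolver #"):
            cur = Resolver(scoped=scoped)
            resolvers.append(cur)
        elif cur is not None and (m := _KV.match(line)):
            key, value = m.group(1).strip(), m.group(2)
            if key == "search domain":
                cur.search_domains.append(value)
            elif key == "nameserver":
                cur.nameservers.append(value)
            elif key == "domain":
                cur.domain = value
            elif key == "if_index":
                im = _IFACE.match(value)
                cur.interface = im.group(1) if im else value
            elif key == "flags":
                cur.flags = [f.strip() for f in value.split(",")]
            elif key == "options":
                cur.options = value
            elif key == "order":
                cur.order = int(value)
    return resolvers


def resolver_for(resolvers: List[Resolver], hostname: str) -> Optional[Resolver]:
    """Simplified model (assumption, not Apple's algorithm): a resolver whose
    `domain` is a suffix of the name wins, longest match first; otherwise the
    default resolver (no domain) with the lowest order."""
    name = hostname.rstrip(".").lower()
    unscoped = [r for r in resolvers if not r.scoped]
    matched = [r for r in unscoped if r.domain and
               (name == r.domain.lower() or name.endswith("." + r.domain.lower()))]
    if matched:
        return max(matched, key=lambda r: len(r.domain or ""))
    defaults = sorted((r for r in unscoped if not r.domain), key=lambda r: r.order)
    return defaults[0] if defaults else None


def scoped_resolver(resolvers: List[Resolver], interface: str) -> Optional[Resolver]:
    """The per-interface resolver used when a query is pinned to `interface`."""
    return next((r for r in resolvers if r.scoped and r.interface == interface), None)


if __name__ == "__main__":
    rs = parse_scutil_dns(SAMPLE)
    for host in ("nas.home.rossipedia.com", "printer.local"):
        r = resolver_for(rs, host)
        print(f"{host}: {r.interface or r.domain} -> {r.nameservers or r.options}")
    print("scoped to en8:", scoped_resolver(rs, "en8").nameservers)
```

Under this model the home-domain query goes to the `ppp0` resolver because its order (100000) beats the LAN resolver's (200000), which is exactly the behaviour the question describes; only a query explicitly scoped to `en8` reaches 172.16.10.1. Run `scutil --dns` before and after connecting and diff the parsed records to see what the VPN pushes.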
1 vote, 1 answer, 568 views
iOS VPN using the MS Defender app
Has anyone noticed the MS Defender app VPN not working on the iPhone? The iPhone actually shows the VPN is connected, but in WiFiMan the phone shows connected to the cell co., with the VPN server missing. Wondering if this started after the iOS 16 upgrade I did the other day; I did not really pay attention. The Cloudflare and Google VPNs are working fine.
archimedesjk
(29 rep)
Sep 15, 2022, 02:59 PM
• Last activity: Jul 4, 2025, 11:05 PM
0 votes, 1 answer, 242 views
Can I use pf to route incoming traffic on a specific port differently?
I have a mac that's connected to a VPN, where the VPN's gateway is the system's default gateway for all outgoing traffic. This means that I cannot connect to any services running on my mac from some arbitrary IP outside of my local network, even when port forwarding is set up correctly on my router, because the source IP address of the connection will be a non-local IP and therefore the system will try to route it through the VPN, not through my local gateway.
However, I think it might be possible to use pf to route this traffic differently based purely on its port number. What I'd want is to have the default gateway for a connection on a specific port to be my local gateway, rather than the VPN, regardless of what the source IP address is. (If I knew the IP in advance, I could just set up a static route.)
Is it possible to do this? If so, how would I configure pf to do so? (Perhaps it's possible to use pf to select a different routing table for the connection based on its port?)
Bri Bri
(2930 rep)
Feb 14, 2023, 05:28 PM
• Last activity: Jul 4, 2025, 12:06 PM
3 votes, 1 answer, 2025 views
How to disable Global Protect VPN auto start on macOS?
I have recently had to start using Global Protect VPN on my Mac.
It has a dark pattern of auto-loading on startup in a very intrusive way (popping up VPN login window). Meanwhile it isn't even listed in "Login items", making it impossible to disable from there.
To top it off, Global Protect starts up immediately after I kill the process.
I want it to _only_ start when I ask it to, and be able to kill it again after I no longer need it.
How can I tame this undesired start and continually running application on macOS?
Cornelius Roemer
(542 rep)
Jun 7, 2024, 11:50 AM
• Last activity: Jun 27, 2025, 06:32 PM
1 vote, 1 answer, 301 views
Can my MacBook be set up as a VPN travel router Client with multiple devices connected via Ethernet
I forgot my travel router at home. I would like to set up my MacBook as a VPN travel router with 2 devices connected to it via Ethernet. I have 2 adapters that I can connect to my MacBook Pro but I'm not sure if it will work. Essentially, I want to set up my Mac as a WireGuard client. I want to attach 2 Ethernet adapters to the Mac and connect to my VPN server through the MacBook. I understand hotspot does not work without my Mac connecting directly to a router but this is not an issue for me.
Full Stay
(11 rep)
Jan 2, 2023, 08:17 PM
• Last activity: May 22, 2025, 06:04 AM
1 vote, 0 answers, 391 views
Binding a browser to a specific network interface
Currently, if I go to sites with a VPN on, it'll route traffic through the VPN. If the VPN is off, then it'll just route the traffic through Wi-Fi/ethernet (whichever one is connected). I want it so that Chrome can only connect to the internet if my VPN is active, otherwise going to a website without my VPN on should show an error that I'm not connected to the internet (even if I actually am).
The closest program that I know that allows this behavior is qBittorrent, where it will only connect to peers if the network interface specified is up and running. This leads me to believe that other programs have the capability of binding to a specific network interface.
I know the following from running `ifconfig`:
- My VPN runs on the `utun4` network interface
- The ethernet port (I usually keep Wi-Fi disabled) runs on `en7`
I know that on Linux, you can accomplish this by using firejail with `firejail --net=utun4 /path/to/chrome`, and maybe on Windows using ForceBindToIP. On macOS, firejail doesn't work because it takes advantage of `ip netns`, something that macOS doesn't have.
Additionally, my VPN connects to a different IP every time I ask it to connect, so this guide I found can't be applied as it relies on you knowing the IP address your VPN connects to.
I am using macOS Sequoia 15.1. Chrome is the browser I am using, but I don't mind solutions for Firefox / other Chromium-based browsers as well. I have tried using Squidman as a proxy, but am unsure as to how to accomplish what I want.
Meh.
(456 rep)
Jan 6, 2025, 02:29 AM
• Last activity: May 15, 2025, 08:08 PM
0
votes
0
answers
316
views
Is there a way to force an application to use a specific network adapter / bind to a specific IP?
I run a VPN on my system, and using my system routing table, I can route traffic to specific outgoing IP addresses either through the VPN's `utun` network interface or through my ethernet adapter normally.
However, I'm wondering if it's possible for me to force certain applications to always bind to a specific network interface / IP address when making network connections, so that it either only uses the VPN or only uses my ethernet adapter, regardless of what's in the system routing table.
Put another way, I'm looking for a macOS alternative to [ForceBindIP](https://r1ch.net/projects/forcebindip).
Is that possible?
Bri Bri
(2930 rep)
May 14, 2024, 04:31 PM
• Last activity: May 13, 2025, 05:17 AM
0
votes
1
answers
32
views
VPN on Mac with two interfaces
I have the following setup:
MacMini connected to the internet through the wired interface; Wi-Fi is set for sharing, i.e. wireless devices connect to the MacMini and use its internet connection.
Question
How to set up a VPN connection via the wired interface only, so all wireless connections will be forwarded to a new virtual location?
PS: tried with the Cisco VPN client; it connects, but all traffic over all interfaces goes to the VPN, i.e. it can't act as a bridge.
Pavel Pervoy
(31 rep)
Aug 13, 2024, 12:58 AM
• Last activity: May 10, 2025, 04:09 AM
0
votes
1
answers
352
views
Split DNS no longer working when installing mobileconfig VPN profile
My company uses Split DNS to resolve internal domains. We configure this Split DNS by installing a mobileconfig with a VPN profile. See also https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf for more information.
The profile contains the following section:
```xml
<key>SupplementalMatchDomains</key>
<array>
    <string>cb.local</string>
    <string>privatelink.azurewebsites.net</string>
</array>
```
Usually this would configure/install the following resolvers (output from `scutil --dns`, where resolver #1 is the one provided by the local network):
```
DNS configuration
resolver #1
  search domain : cb.local
  search domain : privatelink.azurewebsites.net
  nameserver : 172.16.0.1
  if_index : 14 (en0)
  flags : Request A records
  reach : 0x00000002 (Reachable)
resolver #2
  domain : cb.local
  nameserver : 10.233.3.17
  nameserver : 10.233.3.27
  if_index : 23 (ipsec0)
  flags : Supplemental, Request A records
  reach : 0x00000002 (Reachable)
  order : 103000
...
resolver #4
  domain : privatelink.azurewebsites.net
  nameserver : 10.233.3.17
  nameserver : 10.233.3.27
  if_index : 23 (ipsec0)
  flags : Supplemental, Request A records
  reach : 0x00000002 (Reachable)
  order : 103001
...
DNS configuration (for scoped queries)
resolver #1
  nameserver : 172.16.0.1
  if_index : 14 (en0)
  flags : Scoped, Request A records
  reach : 0x00000002 (Reachable)
resolver #2
  search domain : cb.local
  nameserver : 10.233.3.17
  nameserver : 10.233.3.27
  if_index : 23 (ipsec0)
  flags : Scoped, Request A records
  reach : 0x00000002 (Reachable)
```
However, this is no longer the case:
```
DNS configuration
resolver #1
  nameserver : 172.16.0.1
  if_index : 6 (en0)
  flags : Request A records
  reach : 0x00000002 (Reachable)
...
DNS configuration (for scoped queries)
resolver #1
  nameserver : 172.16.0.1
  if_index : 6 (en0)
  flags : Scoped, Request A records
  reach : 0x00000002 (Reachable)
resolver #2
  search domain : cb.local
  nameserver : 10.233.3.17
  nameserver : 10.233.3.27
  if_index : 18 (ipsec0)
  flags : Scoped, Request A records
  reach : 0x00000002 (Reachable)
```
I have tried reinstalling the mobileconfig profile and restarting the machine to no avail:
```
> ping ad01.cb.local
ping: cannot resolve ad01.cb.local: Unknown host
```
How can I get Split DNS to work again? I really want to configure it through a profile (`.mobileconfig`) and not through various `/etc/resolver/domain` files or a local `dnsmasq` instance.
macOS Ventura 13.0.1.
bouke
(1267 rep)
Nov 14, 2022, 04:14 PM
• Last activity: May 5, 2025, 02:04 AM
0
votes
0
answers
22
views
How can I change name for Unknown in iOS VPN setting
How can I change its name from Unknown to a custom name? I found a VPN profile on the internet that shows (Perfect Privacy) instead of Unknown, but mine, which is Spain-JPrime, shows Unknown and I can't fix it. I tried with a CA certificate and many more things. Any help?
AHMNco
(1 rep)
Apr 29, 2025, 08:46 PM
0
votes
0
answers
252
views
Unknown under ikev2 VPN profiles
I've recently established a VPN server with setup-ipsec-vpn and everything works just fine. The iOS VPN client is installed with a *.mobileconfig autogenerated by the script (Documentation). The only thing that bothers me is the Unknown under my Server Description. Any methods so I can change this value?
Matt
(1 rep)
Aug 12, 2021, 05:25 PM
• Last activity: Apr 28, 2025, 06:05 PM
0
votes
0
answers
20
views
How can I share a tunnel connection over WiFi?
There appears to be a bug in macOS Ventura (but also any version) whereby an attempt to share a tunnel connection (like WireGuard, OpenVPN, etc.) over WiFi will fail without error (no AP created). I doubt Apple will ever fix this long-standing bug, but I am hopeful a workaround can be implemented.
It is possible to share an "AdHoc" network via:
```sh
sudo networksetup -createnetworkservice AdHoc lo0
sudo networksetup -setmanual AdHoc 192.168.2.1 255.255.255.255
sudo networksetup -setmanual AdHoc 127.0.0.1 255.255.255.255
```
then selecting this new service in Internet Sharing. An AdHoc AP is created. Of course, this doesn't have access to the internet, so something has to be routed, such as a NAT router. I haven't used pf since I set up a pfSense router over a decade ago, but I tried something like:
```
nat on utun3 from 192.168.2.0/24 to any -> utun3
```
but that didn't appear to work. Any suggestions on how to get around this problem?
Ball
(61 rep)
Mar 3, 2025, 03:46 AM
0
votes
0
answers
46
views
iOS reports incorrect own IP address to apps when connected to WiFi
We have an iPhone app which relies heavily on TCP/IP communication in the local network. Therefore, the application starts a server socket and accepts incoming connections. This worked flawlessly for a long time and we had no problems with this.
## Problem
In the last days however, we observed that for some iPhones with the server role, other devices cannot connect to the server of our app. The server does not accept incoming connections on the device's IP address and the client times out.
## Environment
Both iPhones (the server and the client) are in the same network with `192.168.1.0` address range and `255.255.255.0` subnet mask. The server has the IP `192.168.1.11` and the client has `192.168.1.22`. This is a normal home WiFi network with no special firewall rules. Both devices have mobile data disabled and the "[access local network](https://support.apple.com/en-us/102229)" permission is granted. The server socket is bound to all interfaces (`0.0.0.0`).
## More technical symptoms
When the server iPhone is in this faulty state, it seems like it somehow has two IP addresses: `192.168.2.123` and `192.168.1.11`. The WiFi preferences report the `.1.11` IP address. The apps, however, see the `.2.123` IP address. I cannot explain where the other IP address comes from and why the device thinks it has this IP address.
I've collected interface diagnosis information on a faulty iPhone and it listed the following interfaces and IPs:
- `en0` -> 192.168.2.123
- `lo0` -> 127.0.0.1
- `pdp_ip0` (cellular) -> 192.0.0.2
- `pdp_ip1` to `pdp_ip6` (cellular) -> -/-
- `ipsec0` to `ipsec6` (vpn) -> -/-
- `llw0` (vpn) -> -/-
- `awdl0` -> -/-
- `anpi0` -> -/-
- `ap1` -> -/-
- `XHC0` -> -/-
- `en1` and `en2` (wired) -> -/-
- `utun0` to `utun2` (vpn) -> -/-
The correct IP of the device is **not** listed anywhere in this list.
A reboot helped to temporarily fix this problem. One user reported the same issue again a few hours later after a reboot. Switching off WiFi and reconnecting does not solve the problem.
This issue occurred on several iPhones with the following specs:
- iOS Version 18.1.1, 18.3.1
- iPhone 13 Pro, iPhone 13 Pro Max, iPhone 15 Pro
The problem must be on the server side as the client can successfully connect to any other device in the same network.
## Question(s)
- Where does this second IP come from, and why does the server not accept connections to either IP even though it is bound to `0.0.0.0`?
- Are there any iOS system settings which could lead to this problem? (privacy setting, vpn, ...)
- What could be done to permanently fix this issue?
Bennik2000
(101 rep)
Feb 27, 2025, 05:45 PM
• Last activity: Feb 27, 2025, 06:14 PM
1
votes
1
answers
522
views
Company Mac OS laptop must connect to Cisco AnyConnect VPN in order to access to the Internet
My company Mac OS X laptops (Mojave) are managed devices, and in order for the user to connect to the Internet, the user must first launch and connect the Cisco AnyConnect VPN; otherwise the user is not able to connect to the Internet.
Just for my knowledge, I am looking for the specific file or configuration profile or settings that show me this specific rule. It must be something on the system that I can see that the Mac system must be connected to Cisco AnyConnect VPN first in order to get Internet access.
I just want to see where this rule is located.
Fabio
(1268 rep)
Oct 1, 2020, 02:05 PM
• Last activity: Feb 8, 2025, 04:07 PM
2
votes
2
answers
361
views
Apple Music as a server
I have a home server (MacMini M4) to which I can connect from the outside through an IP address managed by a VPN server.
I want my iPhone to be able to play my music, stored on my server, wherever I go, without having to download the music to my iPhone.
Can Apple Music + iPhone Music do this?
If not, what would be the best setup (Mac software + iPhone app) to do this?
André Alçada Padez
(237 rep)
Jan 29, 2025, 11:41 AM
• Last activity: Jan 30, 2025, 08:29 AM
Showing page 1 of 20 total questions