I have exactly the same problem
Looks like apart from enabling ip forwarding (using the commands $ sudo sysctl net.inet.ip.forwarding=1 and $ sudo sysctl net.inet.ip.fw.enable=1) one also needs to configure NAT on the machine running the tunnel_server.
This I did by creating a temporary pf.conf file (at the location /tmp/pf.conf) and then adding the following lines to this new pf.conf file (I didn't mess around with the original pf.conf file at /etc/pf.conf):
vpn_net = "10.8.0.0/24"
nat on en0 from $vpn_net to any -> (en0)
After saving this file I ran the following command. (en0 is the external interface)
$ sudo pfctl -evf /tmp/pf.conf
But still not much luck with this so far. (Looks like the outgoing packets from the device do get "NAT'ed" out, but "NAT in" may not be happening, i.e. packets intended for the device may not be making their way to the device on the utun0 interface.) Wondering if I am missing something in my pf.conf file. (P.S.: I did come across other similar issues on this forum and tried the suggestions listed there, but no definitive resolution yet.)
OSX NAT-PMP port mapping doesn't support the utun device; packets can be sent by pf, but pf doesn't know which process received the packet.
Hi yarshure, thanks for your input. So you are saying that the NAT Port Mapping Protocol on OSX doesn't support a utun device. If that is the case, then how could we get the tunnel_server to work? Were you able to get the tunnel_server to work on something other than OSX? Is there a way to configure NAT-PMP on OS X to work (for example by upgrading to OS X Server)? Thanks in advance for any inputs.
The answer was given on another thread:
garyLiu, Mar 24, 2016 6:59 AM:
It is OK when you make the two changes below.
- <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE plist PUBLIC "-/
- <plist version="1.0">
The routes are very important. Without them, the default routes will be used according to the code below. The default route is (0.0.0.0/0.0.0.0) and it always routes to the default gateway.
- newSettings.IPv4Settings?.includedRoutes = [NEIPv4Route.defaultRoute()]
2. configure NAT
garyliumac$ sudo vi /etc/pf.conf
add
- nat-anchor "simpleTunnel"
- load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"
garyliumac$ sudo vi /etc/pf.anchors/simpleTunnel
- nat on en0 from 10.10.0.0/16 to any -> en0
Run these commands to make them work
- sudo sysctl net.inet.ip.forwarding=1
- sudo sysctl net.inet.ip.fw.enable=1
- sudo pfctl -evf /etc/pf.conf
After this, the response data can arrive at en0 correctly.
Thanks a lot. Works for me.
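As an added diagnostic (my own script, not from the thread or the SimpleTunnel sample), the three prerequisites the answer above relies on can be checked from captured command output, so the logic runs offline and can be fed real captures on the Mac running tunnel_server. The subnet 10.8.0.0/24, en0 and utun0 are assumed from the thread; the netstat Destination format is the abbreviated one macOS prints.

```shell
#!/bin/sh
# Added example, not from the thread or the SimpleTunnel sample. Checks, from
# captured output, the prerequisites for routing tunnel clients off the Mac:
#   1. IP forwarding on                      -> sysctl net.inet.ip.forwarding
#   2. pf NAT rule for the tunnel subnet     -> pfctl -s nat
#   3. a route for the tunnel subnet via utun -> netstat -rn -f inet
# net.inet.ip.fw.enable is deliberately not checked: it is an ipfw knob, not pf.

# $1 = sysctl output. Matches "net.inet.ip.forwarding: 1".
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.inet\.ip\.forwarding: *1$'
}

# $1 = pfctl -s nat output, $2 = tunnel subnet, $3 = external interface.
# A loaded rule prints as e.g. "nat on en0 inet from 10.8.0.0/24 to any -> (en0) round-robin".
nat_rule_present() {
    printf '%s\n' "$1" | grep -Eq "^nat on $3 (inet )?from $2 to any -> "
}

# $1 = netstat -rn output, $2 = tunnel subnet, $3 = utun interface.
# macOS drops trailing zero octets in the Destination column: 10.8.0.0/24 -> 10.8/24.
tunnel_route_present() {
    _dest=$(printf '%s' "$2" | sed -E 's/(\.0)+\//\//')
    printf '%s\n' "$1" | awk -v d="$_dest" -v f="$2" -v ifc="$3" '
        ($1 == d || $1 == f) { for (i = 2; i <= NF; i++) if ($i == ifc) ok = 1 }
        END { exit !ok }'
}

# Report each missing prerequisite; exit status is the number missing (0 = all present).
# $1 sysctl output, $2 pfctl output, $3 netstat output, $4 subnet, $5 external if, $6 utun if.
check_all() {
    _missing=0
    forwarding_enabled "$1" || { echo "missing: net.inet.ip.forwarding=1"; _missing=$((_missing + 1)); }
    nat_rule_present "$2" "$4" "$5" || { echo "missing: nat on $5 from $4 to any -> ($5)"; _missing=$((_missing + 1)); }
    tunnel_route_present "$3" "$4" "$6" || { echo "missing: route for $4 via $6"; _missing=$((_missing + 1)); }
    return "$_missing"
}

# Constructed sample captures (not real output from anyone in the thread).
SYSCTL_OFF='net.inet.ip.forwarding: 0'
NAT_RULES='nat on en0 inet from 10.8.0.0/24 to any -> (en0) round-robin'
ROUTES='Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg          en0
10.8/24            10.8.0.1           UGSc         utun0
192.168.1          link#4             UCS            en0      !'

check_all "$SYSCTL_OFF" "$NAT_RULES" "$ROUTES" 10.8.0.0/24 en0 utun0 \
    && echo "all prerequisites present" \
    || echo "prerequisites missing: $?"
```

On the Mac itself, replace the constructed strings with `"$(sudo sysctl net.inet.ip.forwarding)"`, `"$(sudo pfctl -s nat)"` and `"$(netstat -rn -f inet)"`.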
But I found that all traffic does not go through the tunnel. It is not the correct way.
I found that the traffic all goes through the original route. The tunnel_server didn't do anything about NAT. How do I solve the problem?
My tunnel_server IP is 192.168.1.20
My client IP is 192.168.3.x, which is connected to a router (LAN is 192.168.3.1, WAN is 192.168.1.121)
# vi /etc/pf.conf
load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"
# vi /etc/pf.anchors/simpleTunnel
nat on en0 from 192.168.2.0/24 to any -> en0
Run these commands to make them work
# sysctl net.inet.ip.forwarding=1
# sudo sysctl net.inet.ip.fw.enable=1
# sudo pfctl -evf /etc/pf.conf
When my iPhone connected to the tunnel_server (192.168.2.2 was allocated) and I visited my web server http://192.168.1.12, the web server access log showed that the source IP was 192.168.1.121, not 192.168.1.20 as I expected.
I did all the configuration you mentioned above and I got the following behavior:
1. Client connects to tunnel_server (VPN server)
2. We start browsing at the client
3. Client sends TCP data to tunnel_server
4. Tunnel_server sends DNS query to DNS server, source IP allocated by tunnel_server
5. Tunnel_server gets DNS reply
6. Tunnel_server drops the reply and Wireshark shows: "Destination unreachable (Port unreachable)" ICMP packet
Our configuration:
Client IP: 192.168.1.103
Tunnel_server (VPN server): 192.168.1.100
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-/
sudo vi /etc/pf.anchors/simpleTunnel
nat on en0 from 192.168.0.0/16 to any -> en0
Please help me!!!
I was wondering if you managed to solve the issue in the end? I am facing the same problem at point 6 where the DNS response doesn't seem to "know" how to route back from the server to the client via the tunnel and it fails with a "Destination Unreachable" ICMP packet.
I know I shouldn't be bumping this thread but was anybody able to solve this?
I have searched for all solutions on the web for this but it just fails with ICMP packet (Port/Destination Unreachable). If I add the Routes key in config.plist as described above, the traffic is not tunneled at all.
Well, seeing as you bumped the thread…
I want to be clear that the server included with the SimpleTunnel sample code is not designed to support routing off the Mac. It may be possible to make this work via deep pf skullduggery, but it’s not something we officially support.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"