VPN service that offers NOT "all traffic through VPN"?

Discussion in 'Apple' started by DaveC, Mar 25, 2012.

  1. DaveC

    DaveC Guest

    Looking for a VPN service that offers an option of routing some -- but not
    all -- network traffic through the VPN.

    I'd like to use VPN for some web sites, but not for general Googling and

    Anyone have *experience* with a service they can *recommend*?

    If there's a better forum in which to ask this question, just say so...

    DaveC, Mar 25, 2012
    1. Advertisements

  2. DaveC

    Wes Groleau Guest

    Do you mean a proxy? A VPN is not normally called a "service."

    Virtual Private Network is a way of encrypting all the traffic between
    to points so that you can use somebody else's network (internet) as
    securely as if you were in the same building behind the same firewall.

    A proxy, on the other hand, is a relay point you are required to send
    some subset of your traffic through instead of sending it direct.

    Wes Groleau

    Always listen to experts. They'll tell you
    what can't be done and why. Then do it.
    — Robert A. Heinlein
    Wes Groleau, Mar 25, 2012
    1. Advertisements

  3. DaveC

    DaveC Guest

    Do you mean a proxy? A VPN is not normally called a "service."

    I tried a service called Witopia which advertises as a VPN service but by
    your definition sounds like it includes a proxy at the destination.


    Regardless what it's called (not that a name isn't important (c: ) I want to
    use it for some of the network traffic, not all.

    Thanks for the clarification...
    DaveC, Mar 25, 2012
  4. DaveC

    JF Mezei Guest

    On my mac, I can setup a VPN to the internet with my ISP's VPN server.
    But the Mac honours the local route to my 10.* LAN subnet wich does not
    go through the VPN.

    I guess you could build static routes to Google's IP addresses via your
    standard interface (en0 or en1) and then let the VPN connection on the
    mac take care of everything else.
    JF Mezei, Mar 25, 2012
  5. DaveC

    Warren Oates Guest

    I dunno, I reckon, if you pay for it, it's a service.

    Anyway, what "service" did you try out at Witopia? I have the "pro"
    thing because I consider myslef in a censored country, and it works real
    good too.

    They use Viscosity for SSL, and it puts a little icon in my menubar with
    drop-down menu of all the servers I can use. It connects quickly when I
    want to look at the BBC (say). Disconnects just as fast.

    I've also got L2TP which offers a "VPN on Demand" option. Did you look
    into that?
    Warren Oates, Mar 25, 2012
  6. DaveC

    Wes Groleau Guest

    I see, said the blind man. I'm not a subscriber, but just from their
    main web page, it looks like it is both. The VPN part prevents your
    local ISP (or anyone using them) from spying on you. The proxy part
    allows any traffic you send through there to have additional processing
    or filtering by them instead of by you (which can include hiding your

    Once the traffic leaves WiTopia, it is still subject to spying, but if
    you are the target, it is much more difficult for the spy to pick you
    out of all the other traffic.

    (And of course, you have no way of knowing whether WiTopia or someone
    who hacked into them is spying on you.)

    I think ipfirewall(4) or ipfw(8) or route(8) could be used to
    selectively route traffic, but configuration would not be as GUI-simple
    as Apple-provided things.

    I haven't used a VPN in seven years, and it wasn't Apple's, but maybe
    WiTopia, if their tech support is as good as they claim, can answer your

    Curious, why do you want to bypass them for some addresses? Do they do
    things you DON'T want?
    Wes Groleau, Mar 25, 2012
  7. I haven't used their service, but I can explain why. I'm here, they're there.
    Bandwidth to/from severs here is cheap and plentiful. I can max out my
    internet connection 24/7 to servers within the country.

    Bandwidth outside the country is expensive and hard to get. Lots of it at
    8am, when no one is doing anything. Come back at 3pm when kids get home from
    school and it starts to slow down. By 8 at night, it's at a crawl.

    So if I need to use a VPN or proxy server to make a foreign site think I am
    a local user, then it's worth the bandwith and the slow performance to get
    something I could not get before.

    If I need to get something locally, it makes no sense to send the data up
    the pipe to the VPN/proxy server in another country and then have it go
    back to the local server and vice versa.

    Geoffrey S. Mendelson, Mar 25, 2012
  8. DaveC

    DaveC Guest

    Curious, why do you want to bypass them for some addresses? Do they do
    Things are slowed down somewhat when using the service. And my bandwidth with
    their service will be less if I'm sending mail and other (non-BBC)
    non-VPN-necessary requests through the tunnel, which leaves less for the
    video stream (the reason for the subscription).

    When I inquire at a web site about some product, I'm always shown prices in
    GBP not USD. I have to turn off the VPN and try again. If I'm streaming a
    video, I will lose some of that show (it's not archived).

    Not crucial stuff, but annoying. If I'm paying for a service, I want to be
    able to customize it to my liking.

    DaveC, Mar 25, 2012
  9. DaveC

    DaveC Guest

    If I need to get something locally, it makes no sense to send the data up
    Said much better than I did...

    DaveC, Mar 25, 2012
  10. DaveC

    Warren Oates Guest

    It's funny, sometimes, if you visit a site using the VPN, it sets
    cookies. I was getting adverts in sterl(ahem) in GBP on my Facebook page
    after I'd switched the VPN off. Then I found I could switch the adverts
    I agree. You should contact Witopia's service people.
    Warren Oates, Mar 25, 2012
  11. DaveC

    Wes Groleau Guest

    But they claim to be fast for any route, plus I would expect your ISP to
    hand you to their server in your country and for that one to be smart
    enough not to send it out of the country unless you asked them to.
    Wes Groleau, Mar 25, 2012
  12. DaveC

    Wes Groleau Guest

    They claim the difference is negligible.
    I suspect your ISP affects that more than they do.
    That's a good reason.
    If you do in a shell,

    ifconfig -a

    how many IP addresses do you see with and without VPN? If an extra
    appears when you enable VPN, then I think you can configure your routing
    tables to make that one the gateway for your BBC IP block,
    and the default be the one that you use when VPN is off.

    On the other hand, A is you, B is the WiTopia server near you, C is the
    WiTopia server that does the decryption, and D is the target of your

    A -> B -> C -> D

    You get to choose where C is. And if you do't choose, it would be
    stupid of them not to automatically put it as close to D as possible.

    On the third hand, if you are _ONLY_ using it for http requests to BBC,
    then a simple proxy in UK would be a better solution.
    Wes Groleau, Mar 25, 2012
  13. DaveC

    Wes Groleau Guest

    oops. I thought they had a server in your country, but they don't.

    Wes Groleau

    “Grant me the serenity to accept those I cannot change;
    the courage to change the one I can;
    and the wisdom to know it's me.â€
    — unknown
    Wes Groleau, Mar 25, 2012
  14. DaveC

    DaveC Guest

    Not crucial stuff, but annoying. If I'm paying for a service, I want to be
    Witopia support says that in future updates "we may allow you to choose
    certain services or websites to not be protected by the VPN if you prefer.
    But for the now you cannot."

    It sounds great, but a long time ago I learned to not make plans on

    I think I'll go back to Safari & configure automatic proxy configuration via
    a .pac file. That works for all beeb archived iPlayer content but not, for
    some reason, the live streams.

    (I wonder why the live stream works with Witopia's product but not when
    viewed via another proxy...)
    DaveC, Mar 26, 2012
  15. DaveC

    Wes Groleau Guest

    The live stream link probably includes a different port that
    your proxy.pac didn't allow for.

    Wes Groleau

    A pessimist says the glass is half empty.
    An optimist says the glass is half full.
    An engineer says somebody made the glass
    twice as big as it needed to be.
    Wes Groleau, Mar 26, 2012
  16. DaveC

    JF Mezei Guest

    I'll repeat my original anwer with few more details.

    netstat -r to list current routes

    the "route" command can be used to manually add a static route. This
    does not survive a reboot so it need sto be done whenever you reboot.

    route add -host <ip address of google>/32 <ip address of your router>

    If you knwo that google has a whole block fo IPs in your country, then
    you can use -net instead of -host and specify a smaller mask such as /24
    or /20 of whatever.

    Remember that when you try to access google, you are directed to one of
    many of their IP addresses. You want to catch as many as possible for
    your route.

    man netstat and man route gets you help, so does Mr Google with "static
    route OS-X"

    There are also examples on how to set i up so the route is added when
    you boot.

    When you setup a VPN, it basically changes you default route to point to
    the VPN interface. If you have routes defived for netwblocks, those
    routes kicks in before the VPN.
    JF Mezei, Mar 26, 2012
  17. DaveC

    DaveC Guest

    Remember that when you try to access google, you are directed to one of
    [JF Mezei]

    I'm confused. Why the references to Google? If you are trying to help me
    access Google, that's just one example I used.

    I want to have *every* web site I want to go to (ie, I want the default
    action to be) to not use the VPN. In other words, of the millions of web
    sites I'll visit in the future, only those with "www.bbc.co.uk" do I want to
    go through the VPN. *All* others I want to access directly.

    Hope that helps clarify my needs.

    DaveC, Mar 26, 2012
  18. Actually you don't. You want all connections to servers used by the BBC
    to go through the VPN, no matter what their DNS names resolve to.

    That's a very different thing.

    Geoffrey S. Mendelson, Mar 26, 2012
  19. DaveC

    Paul Sture Guest

    Yes. For example when I listen to BBC radio over the internet I need to
    enable Javascript for these three:

    Paul Sture, Mar 26, 2012
  20. DaveC

    David Sankey Guest

    Assuming you're using PPTP, if the sites that you want to reach over the
    VPN are all on the same network as the VPN server, then it's trivial -
    you just deselect "Send all traffic over VPN connection" in Options tab
    of the "Advanced..." button from the VPN configuration pane.

    Otherwise you have to think a bit more.

    First question is whether your default route is over the VPN or not
    (this defines your setting of the above flag).

    Then you need to decide which networks you want to route the other way,
    and for these networks specify static routes.

    Where you want to do this is in a script called /etc/ppp/ip-up, which is
    run automatically when you start the VPN.

    Google for /etc/ppp/ip-up to answer all your questions.

    David Sankey, Mar 26, 2012
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.