I have an L2TP/IPSec VPN set up on my Synology server. When I connect to the VPN using my iPhone everything works as expected. I have internet and am able to access devices on my local network no problem… But when I connect to the VPN using my MacBook I have internet but cannot access any devices on my local network. Any idea why this would happen? Synology VPN server shows both devices in the VPN connection list.
Are you sending all traffic to the VPN (using the default gateway on the VPN connection)? If not, you’ll need to create a static route on the Mac to the main network when you connect to the VPN. On syno by default the VPN is not on the main network, it’s its own segment. If you’re not sending all traffic to the VPN, then your Mac doesn’t know where to send traffic for the main network.
So if your main network is 192.168.1.0/24, your synology is 192.168.1.10, your synology’s address on the VPN network is 10.2.0.0 (I know, they use the .0 address, I don’t like it either, that usually means the network as a whole) your connected VPN address is 10.2.0.1, you’ll need to create a static route on the Mac that sends traffic to 192.168.1.0/24 to 10.2.0.0.
Either that or send all traffic to the VPN, which means all your internet connections are going over the VPN, not just traffic for the home network. See this image for the setting in Ventura - https://i.imgur.com/PFge3W5.png
Send all traffic over VPN connection fixed the problem. Thanks!
Is there any downside to sending all internet traffic through the VPN in this manner? Would it be better, though, to create a static route to the main network as you suggested?
Downside is you are encrypting and sending all your internet traffic over the VPN and out through your home network, as opposed to going directly from your local ISP connection, whatever that is. It adds a performance penalty. If you’re using services that geolocate you to help you find things or improve your connection by connecting you to a nearer server or things like that, they won’t know where you are; they will think you’re at your home. And if your home connection is slower than where you are, you’ll be limited by that. Say for example your home connection is 600x35 Mbps cable, and you’re at an office with a 1000x1000 Mbps fiber connection. You want to download a large ISO file or something. The traffic has to go down to your house and then out to you through that slow upload – you’re limiting your download to the speed of your home upload instead of the 1000 Mbps you have at your actual location! And that’s before the penalty of doubly encrypting all your traffic: your HTTPS traffic is encapsulated inside the VPN encrypted packets, so there’s a lot of overhead undoing all of that.
So using a static route instead of send all traffic lets you send what needs to go to your home to your home, and everything else where it belongs at the cost of a little complexity in your setup.
This makes perfect sense. Thank you for such a thorough explanation! Suppose I did want to create a static route to these local network resources instead of routing everything through the VPN, how would I go about doing that?
There’s a good page with info here https://www.analysisman.com/2020/11/macos-staticroutes.html.
You’ll need to decide if you want to set up a persistent route, that crosses reboots, or just temporarily do it each time you VPN. The disadvantage of a persistent route is that it basically takes over that network address, and so if it’s a commonly used one like 192.168.1.0, that could be a problem if you need to talk to a network segment that’s not your home network that uses that addressing. In my case I set up my home network on a less frequently used network number like 192.168.2XX.0 so I can be pretty sure it’s not going to conflict with anything I need to use regularly.
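As an added example (not posted by anyone in this thread), here is a small POSIX shell helper that pulls the Synology's VPN-side address out of the Mac's ppp interface, builds the static route the earlier reply describes, and refuses when the LAN you are currently on uses the same prefix as home (the conflict the last reply warns about). The interface name, the sample ifconfig text and the local LAN prefix are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build the macOS static route for the home
# LAN via the Synology's VPN-side address, refusing if the LAN you are on now
# uses the same prefix. Interface name, ifconfig text, LOCAL_LAN: constructed.
HOME_LAN="192.168.1.0/24"      # network behind the Synology (from the thread)
LOCAL_LAN="192.168.211.0/24"   # constructed: the LAN the Mac is connected from
# Constructed `ifconfig ppp0` output with the tunnel up; the peer (10.2.0.0)
# is the right-hand side of "-->".
SAMPLE_IFCONFIG='ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
	inet 10.2.0.1 --> 10.2.0.0 netmask 0xffffffff'

# Extract the point-to-point peer address from ifconfig output.
vpn_peer() {
    printf '%s\n' "$1" |
        awk '/inet / { for (i = 1; i <= NF; i++) if ($i == "-->") print $(i + 1) }'
}
# Dotted quad -> 32-bit integer, so prefixes can be compared under a mask.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# Prefix length -> integer netmask.
mask_of() {
    [ "$1" -gt 0 ] || { echo 0; return 0; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}
# True when two CIDR blocks share addresses (compared at the shorter prefix).
cidr_overlap() {
    l=${1#*/}
    if [ "${2#*/}" -lt "$l" ]; then l=${2#*/}; fi
    m=$(mask_of "$l")
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# Print the route command from the reply above, or refuse when the LAN you are
# on overlaps the home LAN (the persistent-route conflict the last reply notes).
route_cmd() {   # args: ifconfig_output home_cidr local_cidr
    peer=$(vpn_peer "$1")
    if [ -z "$peer" ]; then
        echo "no point-to-point peer found; is the VPN up?" >&2; return 1
    fi
    if cidr_overlap "$2" "$3"; then
        echo "refusing: local LAN $3 overlaps home LAN $2" >&2; return 2
    fi
    printf 'sudo route -n add -net %s %s\n' "$2" "$peer"
}

# Demo with the constructed sample: prints the command to run after connecting.
route_cmd "$SAMPLE_IFCONFIG" "$HOME_LAN" "$LOCAL_LAN"
```

On a real Mac you would feed `route_cmd` the output of `ifconfig ppp0` and the prefix of the network you are actually sitting on; the temporary route it prints disappears at reboot, which is the non-persistent option the last reply describes.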