Is My Mac Using a VPN?

[Buadhai]

I have a dynamic IP address that changes at least once a day so I use a DDNS so that I can reliably log in remotely via SSH.

I have a shell script that runs hourly to let me know if the DDNS domain has updated. (Does the DDNS IP match the real external IP?)

I sometimes have the need to use a VPN or proxy (SOCKS). If I inadvertently leave either active, then the DDNS update client will fail and the IPs will not match.

I'm looking for a way to reliably determine if I have inadvertently left the VPN active.

It seems to be easy to find out if a proxy is running:

MrMuscle:bin mnewman$ scutil --proxy |grep netshade
  SOCKSProxy : cz6.netshade.net

(I use Netshade.)

But I can't find a reliable way to determine if a VPN is running.

I had hopes for:

MrMuscle:bin mnewman$ ifconfig | grep utun2
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500

but I'm not confident that the VPN will always use that interface (utun2).

Any ideas?

 

[barbu]

Can you not grep for “utun” or something like utun[0-9] ?

 

[mj_]

You could run netstat -r to display your routing table and go from there.

 

[Buadhai]

Can you not grep for “utun” or something like utun[0-9] ?

There's always a utun interface whether or not the vpn is running:

The VPN seems to be utun2 on my machine just now, but I've read elsewhere that this is not always the case.

VPN off:

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380 inet6 fe80::9c6a:64b8:2fdb:ee55%utun0 prefixlen 64 scopeid 0xc utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000 inet6 fe80::860b:a89d:3dab:e973%utun1 prefixlen 64 scopeid 0xd

VPN on:

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380 inet6 fe80::9c6a:64b8:2fdb:ee55%utun0 prefixlen 64 scopeid 0xc utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000 inet6 fe80::860b:a89d:3dab:e973%utun1 prefixlen 64 scopeid 0xd utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet6 fe80::9a10:e8ff:fef1:c765%utun2 prefixlen 64 scopeid 0xf

You could run netstat -r to display your routing table and go from there.

I don't know what to look for. I ran it with the VPN on and off, redirected to files and looked at the differences between the files. I'm not knowledgeable enough to know what the differences mean.

 

[mj_]

Most VPN services modify your routing table and change your default route in order to redirect all traffic through their own servers:

martin@iMac ~ % netstat -f inet -nr|grep default
default            192.168.1.1        UGSc           en0       
martin@iMac ~ %

In theory that IP address should differ based on whether or not you have an active VPN connection.

 

[Ruggy]

Do you know what your IP is supposed to be? You are running a dybnamic IP you change so presumably yes.
But your router should tell you as well.
So, there are any number of sites that will tell you what IP you are displaying to the world. They will also tell you what browser you are using and that you are on a mac probably
Most of the VPN services for example will display it for you and they do this to show you how it changes when you connect to their service.
Along with the IP you are displaying, it should say where you are - to within a couple of miles usually.
For example, a quick search pops up this one

What Is My IP Address? IP Address Tools and More

IP address lookup, location, proxy detection, email tracing, IP hiding tips, blacklist check, speed test, and forums. Find, get, and show my IP address.

whatismyipaddress.com

If you check and it's an IP you don't recognise or it's from a place nowhere near where you live, then it's likely you are on a VPN or possibly your DNS servers have been hijacked.
You can also use an IP look up service to check who the IP belongs to and it should be your ISP company.
If you've left a VPN on you should be able to see this way.
Best

 

[BrianBaughn]

When you say, "I'm looking for a way to reliably determine if I have inadvertently left the VPN active" do you mean determine that when you're away from the computer?

Does Netshade have the option to exclude applications from the VPN? I use PIA and it has that option now.

Also, if you had Teamviewer running on the computer I'd think might able to remote in and turn the VPN off…but I'm not 100% sure of that.

In my case, I have a router running DD-WRT and a VPN server set up there as well as a DDNS updater, although the updater in my version of DD-WRT can't update more than once a day.

 

[Buadhai]

Most VPN services modify your routing table and change your default route in order to redirect all traffic through their own servers:

martin@iMac ~ % netstat -f inet -nr|grep default
default            192.168.1.1        UGSc           en0      
martin@iMac ~ %

In theory that IP address should differ based on whether or not you have an active VPN connection.

Doesn't seem to work on this machine:

MrMuscle:bin mnewman$ netstat -f inet -nr|grep default
default            192.168.0.1        UGSc           en0
default            192.168.0.1        UGScI          en1
MrMuscle:bin mnewman$ netstat -f inet -nr|grep default
default            192.168.0.1        UGSc           en0
default            192.168.0.1        UGScI          en1

Top with VPN, bottom without.

 

[mj_]

Oh well, worth a shot.

 

[Buadhai]

Oh well, worth a shot.

👍

 

[Buadhai]

I had a brainstorm while cycling in the rain this morning. It's ugly and it's a kludge, but it seems to work. It certainly could fail, though:

MrMuscle:bin mnewman$ whois $(dig +short myip.opendns.com @resolver1.opendns.com) | grep -m 1 TOTNET
netname:        TOTNET

TOTNET is the netname that my ISP uses for whois registrations. So, if the IP comes back as belonging to them, then the machine is not on a VPN.

Grep returns nothing if on a VPN:

MrMuscle:bin mnewman$ whois $(dig +short myip.opendns.com @resolver1.opendns.com) | grep -m 1 TOTNET MrMuscle:bin mnewman$

How could it fail?

• If the VPN server goes offline then dig won't return an IP address and whois will fail
• If my ISP has some IP blocks registered with a different netname then grep will return nothing

There are probably others.