I need to connect to a VPN via FortiClient to do my work and access some resources securely. When I started working for my company in March 2021, they gave me an M1 MacBook Pro. The M1 MacBook Pro is different from the others because it comes with a new CPU architecture. Previously, Apple used Intel-based CPUs, but now they have decided to run macOS on an ARM-based CPU, which Apple calls M1 for now.
A lot of software is not compatible with ARM. Sometimes I run into issues like “This component is not compatible with your CPU”.
When I connected to the VPN via FortiClient v6.4.3.1325, it looked connected but my internet speed got too slow. Normally, I have 100MB/sec internet speed. I asked my colleagues, “Are you having any issues with VPN and/or VPN speed?” and they said “NO!” They are using slightly older MacBook Pros than mine, with Intel-based CPUs, and I thought it was a normal situation because Intel-based versions are okay and stable.
I started debugging to find the root cause, and I checked the routing table before connecting to the VPN.
➜ ~ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.31.1 UGScg en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#14 UCS en0 !
192.168.31 link#14 UCS en0 !
192.168.31.1/32 link#14 UCS en0 !
192.168.31.1 ec:41:18:ec:c6:bc UHLWIir en0 1189
192.168.31.147/32 link#14 UCS en0 !
192.168.31.147 a0:78:17:87:b4:88 UHLWI lo0
192.168.31.171 b8:bc:5b:6:28:18 UHLWI en0 1165
192.168.31.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#14 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
255.255.255.255/32 link#14 UCS en0 !
My route table looks okay. 192.168.31.1 is my wireless router, and the default route points to it. That’s fine.
After this, I connected to the VPN via FortiClient and re-checked my route table. 10.212.134.152 is my local IP address, which is assigned by FortiClient.
➜ ~ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default link#19 UCSg ppp0
default 192.168.31.1 UGScIg en0
8.8.8.8 link#19 UHWIig ppp0
13.224.58.179 link#19 UHWIig ppp0
31.XXX.XX.XX/32 192.168.31.1 UGSc en0
34.XXX.XX.XXX link#19 UHWIig ppp0
34.XXX.XXX.xxx link#19 UHWIig ppp0
35.XXX.XXX.XX link#19 UHWIig ppp0
35.XXX.XXX.XXX link#19 UHWIig ppp0
80.80.80.80 link#19 UHW3Ig ppp0 3597
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#14 UCS en0 !
169.254.38.179 10.212.134.152 UH ppp0
192.168.31 link#14 UCS en0 !
192.168.31.1/32 link#14 UCS en0 !
192.168.31.1 ec:41:18:ec:c6:bc UHLWIir en0 1181
192.168.31.147/32 link#14 UCS en0 !
192.168.31.147 a0:78:17:87:b4:88 UHLWI lo0
192.168.31.171 b8:bc:5b:6:28:18 UHLWIi en0 1139
192.168.31.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#19 UmCS ppp0
224.0.0/4 link#14 UmCSI en0 !
224.0.0.251 link#19 UHmW3I ppp0 3599
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
239.255.255.250 link#19 UHmW3I ppp0 3599
255.255.255.255/32 link#19 UCS ppp0
255.255.255.255/32 link#14 UCSI en0 !
Our VPN service does not use split tunneling, and link#19 or 10.212.134.152 should be the next hop for the default route, alongside my wireless router at the same time.
I delete my default route!
Yes, I decided to manipulate my routing table manually.
➜ ~ sudo route delete default
Password:
delete net default
Now, the next hop should be my FortiClient local IP address. It’s 10.212.134.152 in my case. This local IP address is dynamic and changes on every connection because DHCP assigns it.
Now, what does my route table look like? The default route shouldn’t be there…
➜ ~ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.31.1 UGScIg en0
31.XXX.XX.XX/32 192.168.31.1 UGSc en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#14 UCS en0 !
169.254.38.179 10.212.134.152 UH ppp0
192.168.31 link#14 UCS en0 !
192.168.31.1/32 link#14 UCS en0 !
192.168.31.1 ec:41:18:ec:c6:bc UHLWIir en0 1178
192.168.31.147/32 link#14 UCS en0 !
192.168.31.147 a0:78:17:87:b4:88 UHLWI lo0
192.168.31.171 b8:bc:5b:6:28:18 UHLWIi en0 586
192.168.31.222 c:2c:54:e4:67:81 UHLWI en0 1156
192.168.31.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#19 UmCS ppp0
224.0.0/4 link#14 UmCSI en0 !
224.0.0.251 link#19 UHmW3I ppp0 3589
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
239.255.255.250 link#19 UHmW3I ppp0 3588
255.255.255.255/32 link#19 UCS ppp0
255.255.255.255/32 link#14 UCSI en0 !
link#19 has disappeared from the default route. Nice! And now, I can’t access the internet. As a default route, my wireless router is still in the route table, but FortiClient is using it to stay connected to the VPN. Yeah, I’m still connected to the internet but I don’t have a next hop.
➜ ~ ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Let’s add a new default route…
➜ ~ sudo route add default 10.212.134.152
add net default: gateway 10.212.134.152
Now I am able to ping 8.8.8.8 after adding a new default route.
➜ ~ ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=99.007 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=98.277 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=103.634 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=104.365 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 98.277/101.321/104.365/2.704 ms
Cross check
I checked the route table one last time to see what is different after deleting and adding the default route.
➜ ~ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 10.212.134.152 UGScg ppp0
default 192.168.31.1 UGScIg en0
31.145.77.18/32 192.168.31.1 UGSc en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#14 UCS en0 !
169.254.38.179 10.212.134.152 UH ppp0
192.168.31 link#14 UCS en0 !
192.168.31.1/32 link#14 UCS en0 !
192.168.31.1 ec:41:18:ec:c6:bc UHLWIir en0 1179
192.168.31.147/32 link#14 UCS en0 !
192.168.31.147 a0:78:17:87:b4:88 UHLWI lo0
192.168.31.171 b8:bc:5b:6:28:18 UHLWI en0 1146
192.168.31.222 c:2c:54:e4:67:81 UHLWI en0 1163
192.168.31.255 ff:ff:ff:ff:ff:ff UHLWbI en0 !
224.0.0/4 link#19 UmCS ppp0
224.0.0/4 link#14 UmCSI en0 !
224.0.0.251 link#19 UHmW3I ppp0 3582
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0
239.255.255.250 link#19 UHmW3I ppp0 3557
255.255.255.255/32 link#19 UCS ppp0
255.255.255.255/32 link#14 UCSI en0 !
Now, everything is running perfectly. My VPN connection is stable and fast!
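As a check on the four routing tables above, this added example (not part of the original post) classifies the default routes in `netstat -rn` output. It assumes the four-column layout shown in this post, the tunnel interface ppp0, and that the `I` flag marks an interface-scoped route as listed in macOS netstat(1); the function and variable names are hypothetical.

```shell
#!/bin/bash
# Added example: which default route does normal (unbound) traffic follow?
# Assumptions: columns are Destination Gateway Flags Netif, the tunnel is
# ppp0, and flag "I" means interface-scoped (RTF_IFSCOPE in macOS netstat).

# Reads a routing table on stdin and prints one verdict line:
#   tunnel-gateway <ip> | tunnel-link <link#N> | direct <netif> | none
classify_default() {
  awk -v tun="${1:-ppp0}" '
    $1 == "default" && $3 !~ /I/ {   # skip scoped defaults (flag I)
      if ($4 != tun) verdict = "direct " $4
      else if ($2 ~ /^link#/) verdict = "tunnel-link " $2
      else verdict = "tunnel-gateway " $2
      print verdict; found = 1; exit # report the first unscoped default
    }
    END { if (!found) print "none" } # only scoped defaults, or none at all
  '
}

# Default-route rows copied from the four tables in this post.
BEFORE_VPN='default 192.168.31.1 UGScg en0'
AFTER_CONNECT='default link#19 UCSg ppp0
default 192.168.31.1 UGScIg en0'
AFTER_DELETE='default 192.168.31.1 UGScIg en0
31.XXX.XX.XX/32 192.168.31.1 UGSc en0'
AFTER_ADD='default 10.212.134.152 UGScg ppp0
default 192.168.31.1 UGScIg en0'

show() {
  printf '%-14s %s\n' "$1" "$(printf '%s\n' "$2" | classify_default)"
}

show before-vpn    "$BEFORE_VPN"
show after-connect "$AFTER_CONNECT"
show after-delete  "$AFTER_DELETE"
show after-add     "$AFTER_ADD"
```

On a full-tunnel VPN, a verdict of `direct` while connected means ordinary traffic leaves through the local network instead of the tunnel, and `none` matches the "No route to host" state shown earlier.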
Bonus
I need to delete and add a new default route whenever I connect to the VPN, and I need to connect every day. I don’t want to delete and add a route manually, so I wrote a little bash script for this routine.
You can save the script into your /usr/local/bin/ path with sudo vim. After that, don’t forget to set the script’s permissions with chmod.
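#!/bin/bash
# FortiClient-assigned address: gateway column of the first route via 10.212.134.x
FortiIP=$(netstat -rn | awk '$2 ~ /^10\.212\.134\./ {print $2; exit}')
# Stop before touching the routing table if the VPN address was not found.
[ -n "$FortiIP" ] || { echo "FortiClient address not found" >&2; exit 1; }
sudo route delete default
sudo route add default "$FortiIP"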
If you read from the beginning, I should say thank you! :)