OSX VPN Scripts: The built in Mac VPN client doesn't have too many options but you can easily apply custom settings via scripts. Here are some examples of how to customize your VPN connections. Just put these two files in /etc/ppp and customize. Make sure you `chmod 0755 /etc/ppp/ip-up /etc/ppp/ip-down`. For more information, see `man pppd`.

ip-down

#!/bin/bash
#
# /etc/ppp/ip-down
# 
# When the ppp link goes down, this script is called with the following
# parameters
#       $1      the interface name used by pppd (e.g. ppp3)
#       $2      the tty device name
#       $3      the tty device speed
#       $4      the local IP address for the interface
#       $5      the remote IP address
#       $6      the parameter specified by the 'ipparam' option to pppd



# Restore ipfw rules
if [ -e /tmp/vpn-ipfw-$IFNAME.rules ] ; then
  /sbin/ipfw -f flush
  while read rule
  do
    /sbin/ipfw -f add $rule
  done < /tmp/vpn-ipfw-$IFNAME.rules
  rm /tmp/vpn-ipfw-$IFNAME.rules
fi

# Restore ip6fw rules
if [ -e /tmp/vpn-ip6fw-$IFNAME.rules ] ; then
  /sbin/ip6fw -f flush
  while read rule
  do
    /sbin/ip6fw -f add $rule
  done < /tmp/vpn-ip6fw-$IFNAME.rules
  rm /tmp/vpn-ip6fw-$IFNAME.rules
fi

ip-up

#!/bin/bash
#
# /etc/ppp/ip-up
#
# When the ppp link comes up, this script is called with the following
# parameters
#       $1      the interface name used by pppd (e.g. ppp3)
#       $2      the tty device name
#       $3      the tty device speed
#       $4      the local IP address for the interface
#       $5      the remote IP address
#       $6      the parameter specified by the 'ipparam' option to pppd

# Available variables:
# $SERVER - the VPN server address
#
function ip_up_post () {

  case $SERVER in
    # Customize settings for a split-tunnel VPN, removing the VPN
    # DNS and adding static routes
    # "Send all traffic over VPN connection" should be unchecked
    "my-split-tunnel.com" )
      # Don't use the VPN provided DNS servers
      remove_ppp_dns

      # Add static routes
      add_static_route foo1.my-split-tunnel.com
      add_static_route foo2.my-split-tunnel.com
      ;;


    # Block all non-VPN traffic (including local and IPV6 traffic)
    # "Send all traffic over VPN connection" should be checked
    "my-secure-vpn.com" )
      block_non_vpn_traffic
      ;;
  esac
}


#
# ===========================================
# You should not need to edit below this line
# ===========================================
#

function remove_ppp_dns () {
  echo "set $SERVICE/DNS" | /usr/sbin/scutil
}


# Add a static route to the VPN
# @param host -- hostname or IP
function add_static_route () {
  /sbin/route add -host $1 -interface $IFNAME
}

# Block all non-VPN traffic.
# Even when you check "Send all traffic over VPN connection", OSX will still
# allow local traffic on the same subnet and IPV6 traffic
# This uses the built-in firewall to block this traffic, ensuring all
# traffic goes through the VPN.
function block_non_vpn_traffic () {
  # Save previous rules
  /sbin/ipfw list > /tmp/vpn-ipfw-$IFNAME.rules
  /sbin/ip6fw list > /tmp/vpn-ip6fw-$IFNAME.rules

  /sbin/ipfw -f flush
  /sbin/ipfw -f add allow all from any to any via $IFNAME
  /sbin/ipfw -f add allow all from any to $SERVER
  /sbin/ipfw -f add allow all from $SERVER to any
  /sbin/ipfw -f add reject all from any to any

  /sbin/ip6fw -f flush
  /sbin/ip6fw -f add allow all from any to any via $IFNAME
  /sbin/ip6fw -f add reject all from any to any
}


#
# Find the current VPN connection and call ip_up_post
#
SERVICES=$(echo "list State:/Network/Service/[^/]+/PPP" | /usr/sbin/scutil | /usr/bin/cut -c 16- | /usr/bin/cut -d / -f 1-4)
for SERVICE in $SERVICES
do
  if [ "$(echo show $SERVICE/PPP | /usr/sbin/scutil | grep InterfaceName | /usr/bin/cut -c 19-)" == "$IFNAME" ]; then
    SERVER=$(echo show $SERVICE/PPP | /usr/sbin/scutil | grep CommRemoteAddress | /usr/bin/cut -c 23-)
    ip_up_post
  fi
done