VPN Gateway Routing: How It Works on macOS

Understanding VPN gateways and traffic flow

SplitTunnel Team·6 min read·Updated January 2026

Key Takeaways

  • VPN gateways act as exit points for your encrypted traffic

  • When a VPN connects, it often becomes your default gateway

  • Understanding gateways helps you control where traffic flows

What Is a Gateway?

A gateway is the entry and exit point for network traffic. It's the router that sits between your Mac and the internet, forwarding packets to their destinations.

  • Default gateway — Where packets go when there's no specific route

  • Acts as the door to the internet

  • Without a gateway, you can't reach external networks

  • Typically your home router (192.168.1.1 or similar)

Your Normal Default Gateway

bash
# Find your default gateway
route get default | grep gateway

# Typical output:
#   gateway: 192.168.1.1

In a typical home or office setup, your router is the default gateway. All internet traffic flows through it to reach the outside world.

How VPN Changes Your Gateway

When you connect to a VPN, it creates a virtual network interface (usually utun0) and often sets the VPN server as your new default gateway.

  • Before VPN: Mac → Router → Internet

  • After VPN: Mac → Router → VPN Server → Internet

  • VPN server becomes the exit point for your traffic

  • All packets are encrypted before leaving your Mac

VPN Gateway Takeover

bash
# Before VPN connects
netstat -rn | grep default
# default    192.168.1.1    UGSc    en0

# After VPN connects
netstat -rn | grep default
# default    10.10.10.1     UGSc    utun0

The VPN has taken over as the default gateway. All traffic now flows through utun0 (the VPN tunnel). This is called "full tunnel" mode.

VPN Gateway with SplitTunnel

Some VPN configurations use split tunneling at the network level:

bash
# Split tunnel configuration (relevant rows of netstat -rn)
# default        192.168.1.1     UGSc    en0
# 10.0.0.0/8     10.10.10.1      UGSc    utun0
# 172.16.0.0/12  10.10.10.1      UGSc    utun0

  • Your router stays the default gateway

  • Only corporate networks (10.x.x.x, 172.16.x.x) route through VPN

  • Internet traffic goes direct

  • This requires VPN administrator configuration

Understanding Traffic Flow

Full Tunnel Flow

  1. Application sends a packet

  2. Kernel checks the route table

  3. Default route points to VPN gateway

  4. Packet is encrypted and sent through tunnel

  5. VPN server decrypts and forwards to destination

Split Tunnel Flow

  1. Application sends a packet

  2. Kernel checks the route table

  3. If destination matches corporate network → VPN gateway

  4. If destination is anything else → Regular gateway

  5. Traffic flows through appropriate path

Checking Your Current Gateway

bash
# See active default gateway
netstat -rn | grep default

# Detailed gateway information
route get default

# Check VPN interface (substitute the utun interface shown in your route table)
ifconfig utun0

# Watch gateway changes
route monitor

Multiple Gateways

macOS can maintain multiple gateways simultaneously:

  • One default (primary) gateway for general traffic

  • Additional gateways for specific routes

  • VPN may add a secondary gateway for corporate networks

  • Most specific route always wins
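
The rule that the most specific route wins, applied to the split-tunnel table shown earlier, as an added Python example (not SplitTunnel's code): it parses the IPv4 rows of netstat -rn and reports which interface a destination leaves through. The sample tables are constructed; the second goes beyond the page's cases by keeping the router as "default" while two /1 routes send everything except the LAN through utun0, which `grep default` alone would not show. It assumes IPv4-only input (for example from `netstat -rn -f inet`) and resolves equal-length prefixes as first listed.

```python
import ipaddress

# Constructed sample: the page's split-tunnel table (Destination Gateway Flags Netif).
SPLIT = """\
default        192.168.1.1     UGSc    en0
10.0.0.0/8     10.10.10.1      UGSc    utun0
172.16.0.0/12  10.10.10.1      UGSc    utun0
"""
# Constructed sample: router stays "default", but two /1 routes cover all of IPv4.
HALVES = """\
default        192.168.1.1     UGSc    en0
0/1            10.10.10.1      UGSc    utun0
128.0/1        10.10.10.1      UGSc    utun0
192.168.1      link#6          UCS     en0
"""

def to_network(dest):
    """Expand a Destination cell, including short forms like 172.16/12 or 192.168.1."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    plen = plen or str(8 * len(octets))   # no prefix shown: 8 bits per octet printed
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)

def parse_routes(text):
    """Return [(network, gateway, interface)] for IPv4 rows; skip headers and blanks."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        try:
            routes.append((to_network(cols[0]), cols[1], cols[3]))
        except (ValueError, IndexError):  # header lines, short lines, non-IPv4 cells
            continue
    return routes

def egress(routes, dest_ip):
    """Longest-prefix match: interface of the most specific route containing dest_ip."""
    ip = ipaddress.IPv4Address(dest_ip)
    matches = [r for r in routes if ip in r[0]]
    best = max(matches, key=lambda r: r[0].prefixlen, default=None)
    return best[2] if best else None

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("halves", HALVES)):
        routes = parse_routes(table)
        for dest in ("10.20.30.40", "172.20.1.5", "8.8.8.8", "192.168.1.50"):
            print(f"{name:7} {dest:15} -> {egress(routes, dest)}")
```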

Common Gateway Issues

All traffic through VPN (unwanted)

Cause: VPN set itself as default gateway. Result: Slow personal apps, streaming issues, no local network access. Fix: Use app-level split tunneling.

No internet when VPN connected

Cause: Gateway misconfigured or VPN server unreachable. Check if you can ping the VPN gateway. Try reconnecting or contact IT.

Local network devices unreachable

Cause: Gateway change removed local network routes. VPN captured all traffic including local. Fix: Add local routes manually or use SplitTunnel.

Gateway Routing vs App-Level Routing

  • Gateway routing — Network layer, works by IP address

  • App-level routing — Application layer, works by app

  • Gateway: "Route 10.0.0.0/8 through utun0"

  • App-level: "Route Slack through VPN"

App-level routing is more intuitive. You think in terms of applications, not IP addresses and CIDR notation.

When Gateway Knowledge Helps

  • Diagnosing why traffic isn't flowing correctly

  • Understanding VPN configuration decisions

  • Troubleshooting connectivity issues

  • Communicating with IT about network problems

For day-to-day VPN control, app-level routing with SplitTunnel is more practical than gateway manipulation.
