Understanding VPN Route Tables on macOS

Deep dive into how VPNs control network traffic routing

SplitTunnel Team·7 min read·Updated January 2026

Key Takeaways

  • Route tables determine where network packets go—VPN or direct connection

  • VPNs modify route tables to capture traffic destined for the internet

  • Understanding routes helps you diagnose issues and customize VPN behavior

What Is a Route Table?

A route table is a kernel data structure that tells your Mac where to send network packets. Every time an application sends data, the kernel consults the route table to pick the outgoing interface and the next hop (gateway) for the destination address.

  • Maps destination IP addresses to network interfaces

  • Every packet triggers a route table lookup

  • Determines if traffic goes through VPN, Wi-Fi, or other interfaces

  • Critical for all network communication

Viewing Your Route Table

Use Terminal to inspect your current routing configuration:

bash
# View full routing table
netstat -rn

# Check route for specific destination
route -n get default

# IPv4 routes only
netstat -rn -f inet

# IPv6 routes
netstat -rn -f inet6

Understanding Route Table Output

text
Destination    Gateway         Flags   Netif
default        192.168.1.1     UGSc    en0
127.0.0.1      127.0.0.1       UH      lo0
192.168.1/24   link#4          UCS     en0
  • Destination — Target host or network. netstat abbreviates: 'default' is 0.0.0.0/0, trailing zero octets are dropped, and the prefix length is omitted when the mask falls on a classful boundary (so '192.168.1/24' is 192.168.1.0/24 and '127' is 127.0.0.0/8); a bare four-octet address is a single-host route

  • Gateway — Next hop. An IP address means packets are forwarded to that router; 'link#N' means the destination is directly reachable on interface number N with no router involved

  • Flags — Route properties: U=up, G=gateway (next hop is a router), H=host (single-address route), S=static (added manually or by a VPN client), C/c=cloning (per-host routes are generated from this entry on demand), W=was cloned, I=interface-scoped

  • Netif — Output interface: en0 (usually Wi-Fi on a MacBook; confirm with 'networksetup -listallhardwareports'), utunN (a VPN tunnel; the number varies from one connection to the next), lo0 (loopback)

How VPN Changes the Route Table

Before the VPN connects, your default route points at your local router:

text
default        192.168.1.1     UGSc    en0

After the VPN connects, a full-tunnel client typically makes the tunnel the new default route:

text
default        10.10.10.1      UGSc    utun0
192.168.1/24   link#4          UCS     en0

Now everything without a more specific route goes into utun0 (the tunnel interface), while the 192.168.1/24 entry keeps your local network on en0. Two details are worth checking in the real table. Many clients (OpenVPN with 'redirect-gateway def1', wg-quick for WireGuard, and others) leave your original default in place and instead add 0/1 and 128.0/1 routes, which together cover the whole address space and win by specificity. And every client must keep a /32 route to the VPN server's public address via the physical gateway; without it the encrypted tunnel packets would themselves be routed into the tunnel.

Route Priority and Specificity

When several routes match a destination, the kernel picks the one with the longest prefix, that is, the most specific:

  • A /32 route (one address) beats a /24 route (256 addresses)

  • A /24 route beats the default route (0.0.0.0/0)

  • A pair of /1 routes (0/1 and 128.0/1) beats the default route while leaving it in the table, which is how several VPN clients take over without touching your original default

  • macOS does not use numeric metrics; when two routes have the same prefix on different interfaces, interface-scoped routes and the network service order ('networksetup -listnetworkserviceorder') decide

  • VPN clients rely on this: a /32 to the VPN server through the physical interface, and broad routes through the tunnel for everything else

Common VPN Route Configurations

Full Tunnel (All Traffic)

text
default        vpn.gateway     UGSc    utun0

A single default route through the VPN (or the 0/1 plus 128.0/1 pair, which has the same effect). All internet traffic goes through the tunnel. This is a common default for both consumer and corporate VPN clients. 'vpn.gateway' stands in for the tunnel's next-hop address, which netstat shows as an IP.

Split Tunnel (Specific Networks)

text
default        192.168.1.1     UGSc    en0
10.0.0.0/8     vpn.gateway     UGSc    utun0
172.16.0.0/12  vpn.gateway     UGSc    utun0

The default route stays on the regular internet. Only the corporate ranges (10.0.0.0/8 and 172.16.0.0/12, the latter covering 172.16.x.x through 172.31.x.x) go through the VPN; everything else, including DNS lookups to your normal resolver, bypasses it.
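The lookup the kernel performs over tables like the ones above, worked through in code. This is an added example, not code from the original page or from SplitTunnel: it parses 'netstat -rn' output into networks, picks the longest matching prefix for each destination, and runs against two constructed tables, one for a full-tunnel client that overrides the default with the 0/1 + 128.0/1 pair, and one split-tunnel table for 10/8 and 172.16/12. The interface name utun3, the gateways 10.10.10.1 and 10.10.10.2, and the VPN server address 203.0.113.5 are assumptions chosen for the example, and tie-breaking by interface scope is not modelled.

```python
"""Resolve destinations against a macOS route table by longest-prefix match.

Added example: the two tables below are constructed to look like `netstat -rn`
output; utun3, 10.10.10.x and 203.0.113.5 are assumed values, not captured data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop router, or "link#N" when the destination is on-link
    flags: str
    netif: str


def expand_destination(dest: str) -> ipaddress.IPv4Network:
    """Turn netstat's abbreviated Destination column into an explicit network.

    netstat prints `default` for 0.0.0.0/0, drops trailing zero octets, and
    omits the prefix length when the mask sits on a classful boundary:
    `10` is 10.0.0.0/8, `192.168.1` is 192.168.1.0/24, `128.0/1` is
    128.0.0.0/1, and a bare four-octet address is a /32 host route.
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not prefix:
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + prefix, strict=False)


def parse_netstat(text: str) -> List[Route]:
    """Keep the IPv4 rows of `netstat -rn -f inet`; headers and IPv6 rows are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination" or ":" in fields[0]:
            continue
        routes.append(Route(expand_destination(fields[0]), *fields[1:4]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does. An exact tie keeps the first
    entry listed; the real kernel breaks ties by interface scope and network
    service order, which this example does not model."""
    ip = ipaddress.IPv4Address(destination)
    best = None
    for route in routes:
        if ip in route.network and (best is None or route.network.prefixlen > best.network.prefixlen):
            best = route
    return best


def resolve(table_text: str, destinations: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """Map each destination to (netif, gateway, matched network)."""
    routes = parse_netstat(table_text)
    out = {}
    for dest in destinations:
        r = lookup(routes, dest)
        out[dest] = (r.netif, r.gateway, str(r.network)) if r else ("none", "none", "none")
    return out


# Constructed: a client that keeps the original default but overrides it with
# the 0/1 + 128.0/1 pair, plus a /32 to the VPN server via the physical router.
FULL_TUNNEL = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
0/1                10.10.10.1         UGSc            utun3
128.0/1            10.10.10.1         UGSc            utun3
10.10.10/24        10.10.10.2         UGSc            utun3
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
192.168.1          link#6             UCS               en0
192.168.1.1/32     link#6             UCS               en0
203.0.113.5/32     192.168.1.1        UGSc              en0
"""

# Constructed: only the corporate ranges go through the tunnel.
SPLIT_TUNNEL = """\
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
10                 10.10.10.1         UGSc            utun3
10.10.10/24        10.10.10.2         UGSc            utun3
172.16/12          10.10.10.1         UGSc            utun3
127.0.0.1          127.0.0.1          UH                lo0
192.168.1          link#6             UCS               en0
203.0.113.5/32     192.168.1.1        UGSc              en0
"""

if __name__ == "__main__":
    probes = ["8.8.8.8", "172.217.0.1", "192.168.1.50", "203.0.113.5", "10.10.10.7", "172.32.1.1"]
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name)
        for dest, (netif, gw, net) in resolve(table, probes).items():
            print(f"  {dest:<14} -> {netif:<6} via {gw:<12} (matched {net})")
```

Feed it the real thing with 'netstat -rn -f inet' piped into a file and you can compare its answer with 'route get' for any address; the two should agree, and the VPN server's /32 is the entry to look for first when a tunnel refuses to come up.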

Diagnosing Route Issues

bash
# Check which route handles a specific IP
route get 8.8.8.8

# Abbreviated output (the real command also prints mask, flags and a statistics row):
#   route to: 8.8.8.8
#   destination: default
#   gateway: 10.10.10.1
#   interface: utun0

# Check route for a hostname
route get google.com

The output tells you exactly which interface and gateway will handle traffic to that destination. With a hostname, 'route get' first resolves it through the system resolver (which may itself be going through the VPN) and reports the route for only the first address returned, so use an IP when you want an unambiguous answer.

Common Route Table Problems

All traffic through VPN (unwanted)

The client installed a default route (or the 0/1 plus 128.0/1 pair) through the tunnel. Everything goes through the tunnel. Solution: split tunneling at the VPN or app level.

Local network unreachable

The VPN removed or overrode the local network route, or routed the LAN prefix into the tunnel. Printers and NAS devices become unreachable. Some clients preserve local routes (often behind an "allow local network" option), others don't; compare the 192.168.x/24 entry in 'netstat -rn' before and after connecting.

Specific site unreachable

Could be the site blocking the VPN's egress address, a firewall rule, or a misconfigured route. Use 'route get' with the site's IP to confirm which interface the packets leave on before blaming the VPN.
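A scripted version of the checks in the two sections above, as an added example that is not from the original page or from SplitTunnel. It parses the 'key: value' output of 'route get' for a list of destinations and reports the three failure modes just described: a destination leaking outside the tunnel (or, for a split-tunnel policy, unexpectedly inside it), a LAN host routed into the tunnel, and the VPN server's own address routed into the tunnel. The outputs below are constructed to match the format 'route get' prints; the tunnel interface utun3, the VPN server 203.0.113.5 and the 192.168.1.0/24 LAN are assumptions for the demonstration.

```python
"""Audit where traffic really leaves the machine from `route get` output.

Added example. The outputs below are constructed to match the format macOS
`route get` prints; utun3, 203.0.113.5 and the 192.168.1.0/24 LAN are
assumptions for the demonstration.
"""
import subprocess
from typing import Dict, List, Set

WANTED_KEYS = ("route to", "destination", "mask", "gateway", "interface", "flags")


def parse_route_get(text: str) -> Dict[str, str]:
    """Parse the `key: value` lines of `route get`; the trailing statistics rows
    (recvpipe, sendpipe, ...) have no colon and are ignored."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() in WANTED_KEYS:
            info[key.strip()] = value.strip()
    return info


def live_route_get(destination: str) -> Dict[str, str]:
    """Run the real command (macOS only); not used by the offline sample below."""
    proc = subprocess.run(["route", "-n", "get", destination],
                          capture_output=True, text=True, check=True)
    return parse_route_get(proc.stdout)


def audit(results: Dict[str, Dict[str, str]], tunnel_if: str, vpn_server: str,
          lan_hosts: Set[str], full_tunnel: bool) -> List[str]:
    """One finding per destination that lands on the wrong interface."""
    findings = []
    for dest, info in results.items():
        iface = info.get("interface", "?")
        if dest == vpn_server:
            # The server's own /32 must stay on the physical interface, or the
            # encrypted packets would be routed back into the tunnel.
            if iface == tunnel_if:
                findings.append(f"{dest}: VPN server routed into its own tunnel (routing loop)")
        elif dest in lan_hosts:
            if iface == tunnel_if:
                findings.append(f"{dest}: LAN host routed via {tunnel_if}; local devices unreachable")
        elif full_tunnel and iface != tunnel_if:
            findings.append(f"{dest}: leaks outside the tunnel via {iface} ({info.get('gateway', 'on-link')})")
        elif not full_tunnel and iface == tunnel_if:
            findings.append(f"{dest}: unexpectedly routed through {tunnel_if}")
    return findings


# Constructed `route get` outputs: 8.8.8.8 and the VPN server are routed
# correctly, 9.9.9.9 escapes via en0, and the LAN host has lost its local route.
SAMPLE_OUTPUTS = {
    "8.8.8.8": """\
   route to: 8.8.8.8
destination: default
       mask: default
    gateway: 10.10.10.1
  interface: utun3
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1400         0
""",
    "9.9.9.9": """\
   route to: 9.9.9.9
destination: 9.9.9.9
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>
""",
    "192.168.1.20": """\
   route to: 192.168.1.20
destination: default
       mask: default
    gateway: 10.10.10.1
  interface: utun3
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
""",
    "192.168.1.1": """\
   route to: 192.168.1.1
destination: 192.168.1.1
  interface: en0
      flags: <UP,HOST,DONE,LLINFO,WASCLONED,IFSCOPE,IFREF>
""",
    "203.0.113.5": """\
   route to: 203.0.113.5
destination: 203.0.113.5
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>
""",
}


def parsed_samples() -> Dict[str, Dict[str, str]]:
    return {dest: parse_route_get(text) for dest, text in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for finding in audit(parsed_samples(), "utun3", "203.0.113.5",
                         {"192.168.1.1", "192.168.1.20"}, full_tunnel=True):
        print(finding)
```

On a real Mac, replace parsed_samples() with a dictionary built from live_route_get() for the addresses you care about: your DNS resolvers, a public IP, a LAN device and the VPN server. Run it once before connecting and once after, and the difference is exactly what the client changed.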

Manipulating Routes Manually

bash
# Bypass the VPN for a single off-link IP: send it to the physical router.
# (-interface en0 only works for destinations on the local link; an internet
# host needs the router's address as gateway, otherwise the kernel tries to
# ARP for 8.8.8.8 on en0 and the packets go nowhere)
sudo route add -host 8.8.8.8 192.168.1.1

# Add an on-link route for your local subnet (here -interface is correct)
sudo route add -net 192.168.1.0/24 -interface en0

# Delete a route
sudo route delete -host 8.8.8.8

Manual routes don't survive a reboot, and most VPN clients reinstall their own routes on every reconnect, which can override yours. Each change needs sudo. Keep in mind that a bypass route sends that destination in the clear outside the tunnel, and a client with a kill switch or its own firewall rules may block that traffic rather than let it leak.

Route Table vs App-Level Routing

Route tables work at the IP layer. They decide per destination address and cannot tell which application sent a packet.

  • Route tables: IP-based, temporary, require sudo, cannot route by app

  • SplitTunnel: app-based, persistent, no sudo, routes by application rather than by IP address

  • Think in terms of apps, not IP addresses

For day-to-day VPN control, app-level routing is more practical. Reserve route table manipulation for diagnosing issues.

Monitoring Route Changes

bash
# Watch route table changes in real-time
route monitor

# List network services
networksetup -listallnetworkservices

# Show interface configuration
ifconfig

Start 'route monitor' in a second Terminal window before you connect to see exactly which routes the VPN client adds and removes, including whether it installs a /32 to the VPN server and whether it touches your local network route.
