Many remote developers need to access company-internal services behind a VPN. The standard VPN setup? Connect using L2TP over IPsec.
But that usually routes all your traffic through the VPN, from websites to updates and personal apps.
Not ideal when you only need access to a specific internal subnet.
Let's fix that with this split tunneling guide.
What Is Split Tunneling?
Split tunneling means routing only specific IP ranges (like your company subnet) through the VPN, while everything else uses your normal internet connection.
Example:
Internet traffic  ──────────►  stays local
Internal subnet   ──────────►  goes through VPN
This results in:
- Better internet performance (your normal traffic no longer takes a round trip through the VPN gateway)
- Better privacy for personal traffic (it never reaches the company gateway)
- More precise access to internal resources
Default VPN Behavior on macOS
If you're using System Settings > Network to connect via L2TP over IPsec:
- With "Send all traffic over VPN connection" enabled, macOS routes all traffic through the VPN once connected
- Turning that option off is the only split-tunneling control in the UI, and it adds no route to your internal subnet: you get only what the server supplies (often just the peer address), so you still have to add the route yourself
- The VPN link shows up as a ppp0 interface in ifconfig (ifconfig ppp0 prints the local --> remote addresses); it is brought up by pppd, which is why the /etc/ppp hooks used below work
How To Manually Add a Route
Let's say:
- Your internal company subnet is <YOUR_SUBNET> (e.g., 192.168.50.0/24)
- Your VPN gateway IP is <VPN_GATEWAY_IP> (e.g., 10.8.0.1): the remote end of the PPP link, shown after "-->" in the output of ifconfig ppp0
After connecting to VPN:
sudo route -n add <YOUR_SUBNET> <VPN_GATEWAY_IP>
Example:
sudo route -n add 192.168.50.0/24 10.8.0.1
Expected output:
add net 192.168.50.0: gateway 10.8.0.1
If route instead reports that the network is unreachable, the VPN is not up or the gateway you gave is not the PPP peer. The route lives only as long as the tunnel, so you would repeat this after every reconnect; the next section automates it.
Automating with /etc/ppp/ip-up
Let's automate route setup when the PPP-based VPN connects. pppd runs /etc/ppp/ip-up as root once the link is up, so whatever you put in it runs with root privileges on every connect.
Create a new script:
sudo nano /etc/ppp/ip-up
Paste this:
#!/bin/sh
# /etc/ppp/ip-up is run by pppd after a successful VPN connection, with:
#   $1 interface (ppp0)  $2 tty  $3 speed  $4 local IP  $5 remote (peer) IP  $6 ipparam
# $5 is therefore the VPN gateway IP
VPN_GATEWAY="<VPN_GATEWAY_IP>" # e.g., 10.8.0.1
TARGET_SUBNET="<YOUR_SUBNET>" # e.g., 192.168.50.0/24
# pppd runs this hook for every PPP link, so only act on our VPN
if [ "${5:-}" = "${VPN_GATEWAY}" ]; then
    /sbin/route -n add -net "${TARGET_SUBNET}" "$5" > /tmp/ppp.log 2>&1   # overwrites the log on each connect
fi
Make it executable:
sudo chmod +x /etc/ppp/ip-up
Keep it owned by root and not writable by anyone else, since pppd runs it as root (ls -l /etc/ppp/ip-up should show -rwxr-xr-x root wheel).
The script logs output to:
sudo cat /tmp/ppp.log
Note that /tmp is world-writable: for anything beyond a quick test, point the log at a root-only directory such as /var/log so another local user cannot plant a symlink at that path before the hook runs.
Optional: Cleaning Up with /etc/ppp/ip-down
To remove the route automatically when the VPN disconnects (pppd runs /etc/ppp/ip-down with the same arguments when the link goes down):
sudo nano /etc/ppp/ip-down
#!/bin/sh
# Same argument layout as ip-up: $5 is the remote (peer) IP
VPN_GATEWAY="<VPN_GATEWAY_IP>" # e.g., 10.8.0.1
TARGET_SUBNET="<YOUR_SUBNET>" # e.g., 192.168.50.0/24
if [ "${5:-}" = "${VPN_GATEWAY}" ]; then
    /sbin/route -n delete -net "${TARGET_SUBNET}" "$5"
fi
Make it executable (same ownership and permission rules as ip-up):
sudo chmod +x /etc/ppp/ip-down
If the kernel already dropped the route together with the link, the delete reports that the route is gone; that is harmless.
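The two hooks above differ only in the route verb, so here is an added example (mine, not from the original post) of a single script that can be installed as both /etc/ppp/ip-up and /etc/ppp/ip-down, with the extras a practitioner wants: a list of subnets instead of one, a CIDR sanity check, routes bound to the PPP interface pppd names in $1 rather than a hard-coded gateway (so a server that hands out a different peer address each session still works, and the routes vanish with the link), and a timestamped log in a root-only directory. The subnet values, the /var/log/ppp-split.log path and the ROUTE_CMD override used for dry runs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Install as /etc/ppp/ip-up and copy it
# to /etc/ppp/ip-down; pppd runs both as root with the same arguments:
#   $1 interface (ppp0)  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# Keep both files root:wheel, mode 755: whatever is in them runs as root on every connect.

SUBNETS="192.168.50.0/24 10.20.0.0/16"          # assumed internal ranges to send through the tunnel
LOG_FILE="${LOG_FILE:-/var/log/ppp-split.log}"  # assumed path; root-only, unlike /tmp
ROUTE_CMD="${ROUTE_CMD:-/sbin/route}"           # set ROUTE_CMD=echo for a dry run

# Accept only a dotted quad with a /0-32 prefix, so a typo in SUBNETS cannot turn
# into an odd route or extra shell words.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# One route command. "-interface <iface>" ties the route to the PPP link itself, so it
# works whatever peer address the server hands out and disappears with the link.
route_cmd() {   # route_cmd add|delete <subnet> <iface>
    printf '%s -n %s -net %s -interface %s\n' "$ROUTE_CMD" "$1" "$2" "$3"
}

# Print the command for every valid subnet, one per line (bad entries are skipped, not run).
plan_routes() {   # plan_routes add|delete <iface>
    for net in $SUBNETS; do
        if valid_cidr "$net"; then
            route_cmd "$1" "$net" "$2"
        else
            echo "skipping invalid subnet: $net" >&2
        fi
    done
}

# Hook entry point: the verb comes from the file name pppd invoked, the link from $1.
hook_main() {
    iface="$1" remote="$5"
    case "$(basename "$0")" in
        ip-up)   action=add ;;
        ip-down) action=delete ;;
        *)       echo "unexpected hook name: $0" >&2; return 1 ;;
    esac
    case "$iface" in ppp*) ;; *) return 0 ;; esac   # only act on the PPP (VPN) link
    plan_routes "$action" "$iface" | while read -r cmd; do
        printf '%s %s %s peer=%s: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
            "$action" "$iface" "$remote" "$cmd" >> "$LOG_FILE"
        $cmd >> "$LOG_FILE" 2>&1                   # word-split on purpose: run the planned command
    done
}

# pppd always passes arguments; with none (e.g. when sourced for testing) only define functions.
if [ -n "${1:-}" ]; then
    hook_main "$@"
fi
```

To see what a connect would do without touching the routing table, run it by hand as pppd would: `ROUTE_CMD=echo LOG_FILE=/dev/stdout sh /etc/ppp/ip-up ppp0 /dev/null 0 10.8.0.5 10.8.0.1`.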
How to Test If the Route Works
1. Check the Routing Table
netstat -nr | grep <YOUR_SUBNET_PREFIX>
Example:
netstat -nr | grep 192.168.50
# Expected output:
# 192.168.50.0/24    10.8.0.1    UGSc    25    0    ppp0
The Netif column must be the PPP interface. If it shows en0, the gateway you gave is not the VPN peer and the traffic is leaving over your LAN, not the tunnel. On recent macOS versions the Refs and Use columns are absent, so the line is shorter.
2. Try a Ping
ping <INTERNAL_SERVER_IP>
Example:
ping 192.168.50.10
# Expected output:
# 64 bytes from 192.168.50.10: icmp_seq=0 ttl=64 time=30.1 ms
A reply proves the path. No reply can also mean the host filters ICMP, so try the actual service port too (e.g., nc -vz 192.168.50.10 443).
3. Read the Log File
sudo cat /tmp/ppp.log
# Example log:
# add net 192.168.50.0: gateway 10.8.0.1
If the file is missing, the hook never ran or $5 did not match VPN_GATEWAY. If route failed (e.g., gateway not reachable), its error shows up here.
Visual: Full Tunnel vs. Split Tunnel
Full Tunnel (Default Behavior)
[ Your System ] ──(all traffic)──► [ VPN Gateway ] ──────► [ Company Resources ]
                                          │
                                          └──────────────► Internet (via VPN)
Split Tunnel (Your Configuration)
[ Your System ] ────────────────────────────────────────► Internet (direct)
       │
       └──────► [ VPN Gateway ] ──────► <YOUR_SUBNET> ( Company Resources )
What If VPN Pushes a Default Route?
Some VPN servers force your system to route all traffic through them. Before overriding this, make sure it is acceptable: a full tunnel is often a deliberate security control (egress filtering, logging), not an accident.
To override:
1. Find Your Default Gateway
Before connecting:
netstat -nr | grep default
# Example output:
# default 192.168.1.1 UGSc 86 0 en0
Save this value.
2. After Connecting to VPN
First confirm there is still a host route to the VPN server's public address via your saved gateway (netstat -nr | grep <VPN_SERVER_PUBLIC_IP>). The client normally adds one; without it, deleting the default route cuts off the tunnel itself. Then:
sudo route delete default
sudo route add default <YOUR_LOCAL_GATEWAY>
# Example
# sudo route delete default
# sudo route add default 192.168.1.1
Do this with caution: if you get it wrong, you may temporarily lose internet. Turning the network interface off and on again makes macOS rebuild its default route.
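The routing-table check from the testing section and the save-and-restore steps just described both come down to reading `netstat -nr` correctly, so here is one added example (mine, not from the original post) that does both by parsing the table instead of eyeballing a grep: it confirms the subnet route points at the expected gateway over a ppp interface, extracts the default gateway to save before connecting, and only emits the two override commands when a host route to the VPN server still bypasses the tunnel. The two tables are constructed samples in macOS netstat format; 203.0.113.7 (the VPN server's public address), 10.8.0.5 (local end of the PPP link) and 192.168.1.1 (LAN gateway) are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: verify the split-tunnel route and plan the
# default-route override by parsing `netstat -nr` output instead of eyeballing a grep.
# Both tables below are constructed samples in macOS netstat format; columns are found
# from the header line because recent macOS versions drop the Refs/Use columns.
# Assumed values: 203.0.113.7 as the VPN server's public address, 10.8.0.5 as the
# local end of the PPP link, 192.168.1.1 as the LAN gateway.

BEFORE_SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           86        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#6             UCS             1        0     en0'

AFTER_SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.8.0.1           UGSc           12        0    ppp0
10.8.0.1           10.8.0.5           UH              3        0    ppp0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#6             UCS             1        0     en0
192.168.50/24      10.8.0.1           UGSc           25        0    ppp0
203.0.113.7        192.168.1.1        UGHS            1        0     en0

Internet6:
Destination        Gateway            Flags         Netif Expire
::1                ::1                UHL             lo0'

# route_field <table-text> <destination> <Destination|Gateway|Flags|Netif>
# Prints one column of the IPv4 route whose destination matches, or nothing.
route_field() {
    printf '%s\n' "$1" | awk -v dest="$2" -v want="$3" '
        # netstat abbreviates networks (192.168.50.0/24 -> 192.168.50/24) and prints
        # host routes without /32, so normalise both sides before comparing
        function norm(s,    a, n) {
            n = split(s, a, "/"); sub(/(\.0)+$/, "", a[1])
            return (n > 1 && a[2] != "32") ? a[1] "/" a[2] : a[1]
        }
        /^Internet6:/ { exit }                                   # IPv4 table only
        $1 == "Destination" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF > 0 && (want in col) && norm($1) == norm(dest) { print $col[want]; exit }'
}

default_gateway() { route_field "$1" default Gateway; }   # save this before connecting

# check_split_route <table-text> <subnet> <expected-gateway>
# Returns 0 only if the subnet is routed to that gateway over a ppp interface; prints why.
check_split_route() {
    gw=$(route_field "$1" "$2" Gateway); nif=$(route_field "$1" "$2" Netif)
    [ -n "$gw" ] || { echo "no route for $2 (did ip-up run?)"; return 1; }
    [ "$gw" = "$3" ] || { echo "route for $2 goes to $gw, expected $3"; return 2; }
    case "$nif" in
        ppp*) echo "ok: $2 via $gw on $nif"; return 0 ;;
        *)    echo "route for $2 is on $nif, not the PPP link: $gw is not the VPN peer"; return 3 ;;
    esac
}

# plan_restore_default <table-text> <saved-gateway> <vpn-server-ip>
# Prints the two route commands from the post only when running them is safe:
# a gateway was saved, the current default really is the tunnel, and a host route
# to the VPN server still bypasses it (otherwise deleting the default cuts the tunnel).
plan_restore_default() {
    [ -n "$2" ] || { echo "refusing: no saved gateway; capture it before connecting" >&2; return 1; }
    case "$(route_field "$1" default Netif)" in
        ppp*) ;;
        *) echo "default route is not on the tunnel; nothing to override" >&2; return 0 ;;
    esac
    [ "$(route_field "$1" "$3" Gateway)" = "$2" ] || {
        echo "refusing: no host route to $3 via $2; the tunnel itself would be cut" >&2; return 1; }
    printf '%s\n' "/sbin/route -n delete default" "/sbin/route -n add default $2"
}
```

Against a live system, feed the functions the real table: `check_split_route "$(netstat -nr)" 192.168.50.0/24 10.8.0.1`, and `plan_restore_default "$(netstat -nr)" "$SAVED_GW" "$VPN_SERVER"` prints the commands for you to review before running them with sudo.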
Summary
- L2TP/IPsec VPN on macOS routes all traffic through the tunnel when "Send all traffic over VPN connection" is enabled
- Split tunneling lets you send only the internal subnet through the VPN
- Automate routes with /etc/ppp/ip-up
- Clean up with /etc/ppp/ip-down
- Logs are saved to /tmp/ppp.log
- Testing (routing table, ping, log) confirms everything's working as expected
- Optionally override VPN-pushed routes, after checking that this is allowed
Further Reading
- man route
- man pppd
- Apple VPN Developer Docs