Configure VPN Route Table on Mac
Shimo is a Mac tool for creating VPN tunnels. Once the connection is up, it replaces the default gateway so that every destination is sent through the tunnel. If the VPN leads into the office intranet, that is fine from a security point of view: the local machine becomes part of the intranet. But if the VPN is slow, or metered, connections to hosts on the Internet become slow or expensive. One option is to adjust the routing table so that only destinations inside the intranet go through the tunnel, while every other host is reached directly from the local machine (split tunneling).
First check the current routing table with the route command:
~$ route get www.somehost.com
route to: 14.215.177.38
destination: default
mask: default
gateway: 192.168.1.1
interface: en1
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
~$
It shows that by default the host is reached via the default gateway 192.168.1.1 on interface en1.
Dial the VPN and try again:
~$ route get www.somehost.com
route to: 14.215.177.38
destination: default
mask: default
interface: ppp0
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1396 0
~$
Now it is routed through the new default route on interface ppp0, the tunnel.
Next, use the route command to change the routing table:
route delete default
route -n add default 192.168.1.1
route -n add -net 20.201.0.0 -netmask 255.255.0.0 20.201.0.124
The first line deletes the default route. The second adds the original default gateway 192.168.1.1 back. Finally, the third adds a new entry, where 20.201.0.0 is the intranet network, 255.255.0.0 is its netmask, and 20.201.0.124 is the gateway of the tunnel. If the gateway of the tunnel is unknown, run this command after the tunnel is created:
netstat -rn
The tunnel gateway is the gateway of the default route on ppp0 in its output.
These three commands need root privilege; run them with sudo. Note that changes made with route are not persistent: they are lost on reboot, and the VPN client reinstalls its own default route on every reconnect, so the three commands have to be repeated after each connection.
Now verify the result. The host www.somehost.com is routed to 192.168.1.1 again, and a host in the intranet is routed to 20.201.0.124:
~$ route get 20.201.10.101
route to: 20.201.10.101
destination: 20.201.0.0
mask: 255.255.0.0
gateway: 20.201.0.124
interface: ppp0
flags:
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1396 0
~$
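The procedure above (delete the default route, restore the LAN gateway, add the intranet prefix through the tunnel) and the verification step, combined into one script. This is an added example, not code from the original post or from Shimo. It assumes the post's values (LAN gateway 192.168.1.1, intranet 20.201.0.0/255.255.0.0, tunnel interface ppp0), all overridable through environment variables; the netstat and route get samples embedded in it are constructed to match the post, not captured from a real machine. The routing-table changes only run when SPLIT_TUNNEL_APPLY=1 is set, so the parsing functions can be exercised safely first.

```shell
#!/bin/sh
# split_tunnel.sh: send only the intranet prefix through the VPN tunnel and
# everything else through the original LAN gateway.
# Added example, not from the original post or from Shimo. Assumed values
# (override via environment): LAN gateway 192.168.1.1, intranet
# 20.201.0.0/255.255.0.0, tunnel interface ppp0, test host 20.201.10.101.

LAN_GW="${LAN_GW:-192.168.1.1}"
INTRANET_NET="${INTRANET_NET:-20.201.0.0}"
INTRANET_MASK="${INTRANET_MASK:-255.255.0.0}"
TUN_IF="${TUN_IF:-ppp0}"
INTRANET_TEST_HOST="${INTRANET_TEST_HOST:-20.201.10.101}"

# Constructed sample of `netstat -rn` after the tunnel comes up (not captured
# from a real machine); addresses follow the post's example.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            20.201.0.124       UGScg        ppp0
20.201.0.124       20.201.0.2         UH           ppp0
127                127.0.0.1          UCS          lo0
192.168.1          link#6             UCS          en1      !
192.168.1.1/32     link#6             UCS          en1      !'

# Constructed sample of `route get 20.201.10.101` after the fix.
SAMPLE_ROUTE_GET='   route to: 20.201.10.101
destination: 20.201.0.0
       mask: 255.255.0.0
    gateway: 20.201.0.124
  interface: ppp0'

# tunnel_gateway IFACE: read `netstat -rn` output on stdin and print the
# gateway of the default route the VPN installed on IFACE (empty if none).
tunnel_gateway() {
    awk -v ifc="$1" '$1 == "default" && $4 == ifc { print $2; exit }'
}

# split_tunnel_commands GATEWAY: print the three route commands in order.
# They are printed rather than executed so they can be reviewed before
# being run with root privilege.
split_tunnel_commands() {
    printf '%s\n' \
        "route delete default" \
        "route -n add default $LAN_GW" \
        "route -n add -net $INTRANET_NET -netmask $INTRANET_MASK $1"
}

# route_gateway: read `route get HOST` output on stdin and print the gateway
# field, to confirm which next hop a destination now resolves to.
route_gateway() {
    awk '$1 == "gateway:" { print $2; exit }'
}

# apply_split_tunnel: discover the tunnel gateway from the live routing
# table, run the commands with sudo, then show where an Internet host and
# an intranet host are routed afterwards.
apply_split_tunnel() {
    gw=$(netstat -rn | tunnel_gateway "$TUN_IF")
    if [ -z "$gw" ]; then
        echo "no default route on $TUN_IF; is the VPN up?" >&2
        return 1
    fi
    split_tunnel_commands "$gw" | while IFS= read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd || exit 1
    done || return 1
    echo "Internet host now via: $(route -n get 8.8.8.8 | route_gateway)"
    echo "Intranet host now via: $(route -n get "$INTRANET_TEST_HOST" | route_gateway)"
}

# Only touch the routing table when explicitly asked, so sourcing or testing
# this file is harmless.
if [ "${SPLIT_TUNNEL_APPLY:-0}" = "1" ]; then
    apply_split_tunnel
fi
```

Run `SPLIT_TUNNEL_APPLY=1 sh split_tunnel.sh` after the VPN is connected; because Shimo reinstalls its default route on every reconnect, it has to be run again after each connection. Passing the tunnel gateway out of netstat rather than hard-coding it matters because PPP peers are often assigned a different address on each dial.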
Keep in mind that this routing table is less safe than full tunneling: Internet traffic no longer passes through the intranet's firewall, and the local machine is reachable from the Internet and connected to the intranet at the same time, so a compromise of the machine gives an attacker a path into the intranet. Only traffic to the intranet prefix is protected by the tunnel; everything else leaves the machine as it would without the VPN.