How to Properly Remove Default Route on VPN Interface (utun0) in macOS



When establishing VPN connections on macOS, you might encounter unwanted default routes being added to the utun interface. The routing table shows:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            21        0   utun0
default            192.168.43.1       UGScI          14        0     en1

The conventional approach, route delete with the -ifscope modifier, fails:

$ sudo route delete -ifscope utun0 -net 0.0.0.0
route: writing to routing socket: not in table
delete net 0.0.0.0: not in table

This occurs because macOS handles VPN routes differently than regular network routes.

Method 1: Using route -n delete

sudo route -n delete -net 0.0.0.0 -interface utun0

Method 2: Specifying the Gateway

sudo route delete default -ifscope utun0

Method 3: Network Services Approach

For persistent VPN configurations:

sudo networksetup -setvpnoffroutes "VPN Service Name" delete

After removal, verify with:

netstat -rn | grep default

To stop VPN clients from adding default routes:

sudo scutil
> get State:/Network/Service/[VPN-SERVICE-GUID]/PPP
> d.add RouteNetworkUsage false
> set State:/Network/Service/[VPN-SERVICE-GUID]/PPP

  • Check VPN client configuration for "Send all traffic" options
  • Restart network services after changes: sudo ifconfig utun0 down && sudo ifconfig utun0 up
  • For OpenVPN, use route-nopull or redirect-gateway def1 bypass-dhcp in config

When establishing a VPN connection on macOS, the system often adds a default route through the VPN interface (typically utun0) that takes precedence over your local network's default route. This creates a common situation where your routing table shows:

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            21        0   utun0
default            192.168.43.1       UGScI          14        0     en1

The standard route delete command fails with the "not in table" error because macOS's routing subsystem handles interface-scoped routes differently than traditional routes.

For macOS (a BSD-derived system), use this syntax:

sudo route -n delete -net default -interface utun0

Alternatively, you can specify the gateway if needed:

sudo route delete default -ifscope utun0

After executing the command, verify with:

netstat -rn | grep default

You should see only your original default route remains.

For frequent VPN users, create a script to handle route cleanup:

#!/bin/bash
# Remove utun0 default route if exists
if route -n get default | grep -q utun0; then
    sudo route -n delete -net default -interface utun0
    echo "VPN default route removed"
else
    echo "No VPN default route present"
fi
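The script above handles a single utun0 route and deletes it immediately. The following is an added example, not part of the original page, that takes the same idea a step further: it parses the text of a routing table (the constructed sample below is built from the table shown earlier in this page, with a few extra rows), finds every default entry on a utun interface, and prints the matching delete command instead of running it, so the result can be reviewed first. The function names vpn_default_ifaces, lan_default_iface and cleanup_commands are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): parse `netstat -rn` output and
# emit the cleanup commands without running them, so the routing changes can
# be reviewed before anything touches the live table.

# Constructed sample, modelled on the routing table shown above. The IPv6
# section is included on purpose: its column layout differs, so the parser
# stops before it.
SAMPLE_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            utun0              UCS            21        0   utun0
default            192.168.43.1       UGScI          14        0     en1
127                127.0.0.1          UCS             0        0     lo0
10.8.0.0/24        utun0              UCS             0        0   utun0

Internet6:
Destination        Gateway            Flags         Netif Expire
default            fe80::1%utun0      UGc           utun0'

# Print the Netif of every IPv4 "default" entry that sits on a utun interface.
# IPv4 columns: Destination=1, Gateway=2, Flags=3, Refs=4, Use=5, Netif=6.
# Parsing stops at the Internet6: header because that table has no Refs/Use
# columns and would need a different (route -inet6) delete syntax anyway.
vpn_default_ifaces() {
    printf '%s\n' "$1" | awk '
        /^Internet6:/ { exit }
        $1 == "default" && $6 ~ /^utun[0-9]+$/ { print $6 }'
}

# Print the Netif of the IPv4 default route that is NOT on a utun interface,
# i.e. the physical uplink that should remain the only default afterwards.
lan_default_iface() {
    printf '%s\n' "$1" | awk '
        /^Internet6:/ { exit }
        $1 == "default" && $6 !~ /^utun[0-9]+$/ { print $6; exit }'
}

# Build one delete command per VPN default route, using the Method 1 syntax
# from this page. Nothing is executed here.
cleanup_commands() {
    for ifc in $(vpn_default_ifaces "$1"); do
        printf 'sudo route -n delete -net default -interface %s\n' "$ifc"
    done
}

# On a live system: cleanup_commands "$(netstat -rn)"   (then run the output
# by hand once it looks right). Against the constructed sample it prints:
#   sudo route -n delete -net default -interface utun0
cleanup_commands "$SAMPLE_TABLE"
echo "LAN default route stays on: $(lan_default_iface "$SAMPLE_TABLE")"
```

Matching on the Netif column rather than on the Gateway column matters: the page's failing command targeted the destination 0.0.0.0 while the entry is really scoped to the interface, and on a machine with several tunnels (utun1, utun2, ...) the loop produces one command per interface, which a grep for a hard-coded utun0 would miss.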

Many VPN clients support configuration to prevent adding default routes. For example, with OpenVPN:

# Ignore any routes pushed by the server, including a pushed redirect-gateway
route-nopull
# Note: the two /1 routes below send all IPv4 traffic through the tunnel
# (the same effect as redirect-gateway def1); leave them out if the goal is
# to keep the LAN default route in place
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0

  • Use the -n flag to avoid DNS lookups that can cause delays
  • The order of arguments matters in BSD's route command
  • Some VPN clients may automatically recreate the route - check your VPN settings