
I have a very specific requirement for my setup.

I have bought a third-party VPN (e.g. ExpressVPN) for personal use. I use Mac's inbuilt client to connect to this. The corresponding network interface is called ppp0.
My workplace requires me to use the Cisco Anyconnect VPN (referred to as "workVPN") with split tunneling. The corresponding network interface is called utun1.

Therefore my current setup is as follows. Irrespective of the checkbox in PersonalVPN to "send all data through this VPN", when I connect to WorkVPN through Cisco AnyConnect, this is the routing:

  1. Data to Work -> utun1 -> ppp0 -> en0 -> PersonalVPN Server -> WorkVPN server -> Data sent to work server
  2. Other data -> ppp0 -> en0 -> PersonalVPN Server -> Internet.

Instead, I want two separate connections: I would like to send all my internet traffic through ppp0 except the traffic that passes through utun1, i.e.

  1. Data to Work -> utun1 -> en0 -> WorkVPN server -> Data sent to work server
  2. Other data -> ppp0 -> en0 -> PersonalVPN Server -> Internet.

What I understand after going through everything on the Internet is to update the routing tables. But that doesn't solve the issue, because according to the routing tables the data is already being routed to the correct network interfaces. Using traceroute for debugging also doesn't help, because the first entry in the traceroute shows the gateway, and the gateway entry is correct because the packet is actually going to those VPN-specific gateways. The question is whether the WorkVPN packet is going through the personal VPN server or not.

Here are specific queries:

  1. The difference in speed when downloading large files from the work servers (with work VPN on) with and without the personal VPN is high. My hypothesis is that the underlying interface of utun1 is ppp0 and not en0. Is there a better way to confirm this? Traceroute's first entry is the gateway, which is correct (because of the correct routing tables).
  2. Is there a way to somehow tell macOS to send data from utun1 through en0?
  3. What is the point of "Send all data through this proxy" in the settings of Mac's inbuilt VPN client? If I don't select it, then what happens?

I can provide more information if anything is unclear.

Thank you.

Edit: My problem is different from other problems like this because I am not asking about proxy requirements through different sources. It is also different from all questions related to splitting the traffic manually, because the traffic is already being split correctly in my setup.

2 Answers

After going through a lot more answers and much more testing, I finally resolved all these queries.

  1. There is a tool called nettop for macOS. Using nettop -m route, one can observe live traffic through each route. It can help to debug the underlying route of Cisco AnyConnect. Download a large file and watch the relevant routes in nettop to see which routes and interfaces are being used for that download.

  2. It turns out I had to add a route that connects through the en0 interface, and not let macOS's native VPN client update it. I used the following command to add the route (which is also mentioned in other relevant forums):

     sudo route change <IP-address> -iface en0

     The IP address is the IP address of the VPN server that Cisco AnyConnect tries to connect to. You can see the IP address in the "Server Address" field in the AnyConnect Statistics window.

  3. The checkbox "Send all data through this proxy" acts as a default routing mechanism. Either:

    • do not select the checkbox and add some routes manually to pass through this VPN, or
    • select the checkbox and add some routes manually to not pass through this VPN.

I hope this helps someone who is looking to establish a similar setup.
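Added example (not part of the question or either answer): query 1 asks how to confirm that utun1 is riding on top of ppp0 when the routing table looks correct, and the answer above fixes it with a host route for the AnyConnect server via en0. The check below shows why the plain routing table lookup is misleading and what the fix changes. It parses a constructed `netstat -rn` excerpt (the interface names are the ones from the question; the addresses 203.0.113.10 and 198.51.100.20 are documentation-range placeholders standing in for the AnyConnect and personal VPN servers, and the TUNNEL_ENDPOINTS mapping is an assumption you would fill in from the AnyConnect "Server Address" field and the personal VPN's server address). It then follows a packet through the nested tunnels: the table only says which interface the inner packet enters; when that interface is a tunnel, the outer packet is addressed to the tunnel's server, so that address has to be looked up too. This generalises the two-tunnel case in the question to any depth of nesting.

```python
import ipaddress

# Constructed `netstat -rn` excerpt (IPv4 only) modelling the setup in the question:
# the work subnet 10.50/16 is routed into the AnyConnect tunnel utun1, the default
# route goes into the personal VPN tunnel ppp0, and only the personal VPN server has
# a host route pinned to the physical interface en0. Addresses are from the
# documentation ranges (TEST-NET-2/3), not real servers.
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGScg         ppp0
10.8.0.1           10.8.0.5           UH            ppp0
10.50/16           10.200.0.1         UGSc         utun1
10.200.0.1         10.200.0.2         UH           utun1
192.168.1          link#4             UCS            en0
192.168.1.1/32     link#4             UCS            en0
198.51.100.20      192.168.1.1        UGHS           en0
"""

# Same table after `sudo route change 203.0.113.10 -iface en0` (the fix from the
# answer above): the AnyConnect server now has its own host route via en0.
NETSTAT_AFTER = NETSTAT_BEFORE + "203.0.113.10       link#4             UHS            en0\n"

# Which tunnel interface terminates at which remote server (hypothetical values;
# take them from the AnyConnect Statistics window and the personal VPN settings).
TUNNEL_ENDPOINTS = {
    "utun1": "203.0.113.10",   # AnyConnect "Server Address"
    "ppp0":  "198.51.100.20",  # personal VPN server
}


def _to_network(dest):
    """Expand BSD netstat's abbreviated destinations into an ip_network:
    'default' -> 0.0.0.0/0; '10.50/16' -> 10.50.0.0/16; '192.168.1' -> 192.168.1.0/24
    (trailing zero octets are dropped in the listing); a full address -> /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(netstat_output):
    """Return a list of (network, gateway, flags, netif) from `netstat -rn` text,
    skipping headers and anything that is not an IPv4 destination."""
    routes = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = _to_network(parts[0])
        except ValueError:
            continue  # column header, IPv6 entry, etc.
        routes.append((net, parts[1], parts[2], parts[3]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, as the kernel does. Returns (gateway, netif) or None.
    This is what `route -n get <ip>` reports for a single address."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[3]


def encapsulation_chain(routes, dest_ip, tunnel_endpoints):
    """Follow a packet through nested tunnels: look up the destination, and while
    the chosen interface is a tunnel, look up that tunnel's server address next.
    Stops at a non-tunnel interface, a missing route, or a routing loop."""
    chain, target, seen = [], dest_ip, set()
    while True:
        hit = lookup(routes, target)
        if hit is None:
            chain.append("no route")
            return chain
        netif = hit[1]
        chain.append(netif)
        if netif not in tunnel_endpoints or netif in seen:
            return chain
        seen.add(netif)
        target = tunnel_endpoints[netif]


if __name__ == "__main__":
    for label, text in (("before fix", NETSTAT_BEFORE), ("after fix", NETSTAT_AFTER)):
        routes = parse_routes(text)
        for dst in ("10.50.1.1", "8.8.8.8"):
            path = " -> ".join(encapsulation_chain(routes, dst, TUNNEL_ENDPOINTS))
            print(f"{label}: {dst} -> {path}")
```

Before the fix, a work address resolves to utun1 -> ppp0 -> en0, which is exactly the nested path described in the question even though the first hop (utun1) is "correct"; after the host route is added it becomes utun1 -> en0, while other traffic still goes ppp0 -> en0. On a live Mac the same two lookups are `route -n get <work-address>` and `route -n get <AnyConnect-server-address>`; if the second one answers with the personal VPN's interface, the work tunnel is being carried inside the personal VPN, and `nettop -m route` during a large download will show the bytes on both interfaces.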


It took me a few reads to understand your question/goal. In summary, you want to use ExpressVPN for general Internet traffic, but not when connecting to the AnyConnect server. Yes, the proper workaround is to add a route to the AnyConnect server's IP address via the en0 interface.

FYI, the general command for verifying active routes on Unix systems is:

netstat -rn

nettop is a cool command though.
