I don't want to send all my network traffic down to VPN when I'm connected to my company's network (via VPN) from home. For example, when I'm working from home, I would like to be able to back up all my files to the Time Capsule at home and still be able to access the company's internal network.

I'm using Leopard's built-in VPN client. I've tried unchecking "Send all traffic over VPN connection." If I do that I will lose access to my company's internal websites be it via curl or the web browser (though internal IPs are still reachable). It'd be ideal if I can selectively choose a set of IPs or domains to be routed through VPN and keep the rest on my own network. Is this achievable with Leopard's built-in VPN client?

    The first solution will only work on a PPP VPN. The following solution will work on a Cisco VPN (and other types nothing specific to Cisco) superuser.com/questions/91191/…
    – dr jimbob
    Commented Apr 7, 2014 at 4:20

Create the file /etc/ppp/ip-up with following content:

#!/bin/sh
/sbin/route add <SUBNET> -interface "$1"

replacing <SUBNET> with the subnet you want to route through VPN (for ex.

execute as root:

chmod 0755 /etc/ppp/ip-up

This file will be executed each time you connect to VPN.

The parameters given to the script:

  • $1: The VPN interface (e.g. ppp0)
  • $2: Unknown, was 0 in my case
  • $3: IP of the VPN server
  • $4: VPN gateway address
  • $5: Regular (non-vpn) gateway for your lan connections
    @Edgar - no. That first line is special. en.wikipedia.org/wiki/Shebang_(Unix)
    On 10.7/Lion, I had better luck with: /sbin/route add -interface $1 The arguments I saw ip-up getting are: $1 = VPN interface, e.g. 'ppp0' $2 = '0' (not sure what this value is) $3 = Your VPN IP $4 = VPN public gateway IP address $5 = Normal default gateway for ethernet/wifi
    What happens if I have two or more VPN connections configured? How do I distinguish among them in /etc/ppp/ip-up so I can add the routes accordingly? Will the friendly VPN name be passed as the 6th argument (ipparam)?
    – Kal
    Commented Sep 16, 2014 at 1:19
    /etc/ppp/ip-up doesn't get called on my system; MacOS 10.13. I did a similar script that logs execution, it has root:staff ownership and 0755 mod. Invoking it manually does execute the script. My VPN connection is an L2TP over IPSec and Configure IPv4 is set to Using PPP. I tail -f the logs and Connecting or Disconnecting the vpn doesn't do anything with /etc/ppp/ip-up.
    – GabLeRoux
    Commented Oct 28, 2017 at 17:56
    On MacOS 10.15 (Catalina), this answer got me most of the way there but the "Send all traffic over VPN connection" option in the advanced VPN settings doesn't seem to work. Running `route -n monitor` shows the default route getting reset, either way. I added the following to the ip-up script and finally fixed it: `#!/bin/sh` `/sbin/route add <SUBNET> -interface $1` `/sbin/route change default -interface <ETHERNET/WIFI IDENTIFIER>` In my case, I set this to `en0`.
    – Bishop
    Commented May 21, 2020 at 14:25
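
An added example, not code from the answer or its commenters: a fuller ip-up that routes several subnets through the VPN interface in `$1` and validates each value first, since pppd runs the file as root on every connect. The subnets are constructed documentation ranges, and `VPN_SUBNETS`, `ROUTE_CMD` and `DRY_RUN` are names assumed for this sketch.

```shell
#!/bin/sh
# Added example: /etc/ppp/ip-up that routes only the listed subnets via the VPN.
# pppd runs this file as root, so every value is validated and quoted.
set -f  # no filename globbing while splitting the subnet list

# Constructed sample subnets (documentation ranges); replace with your own.
VPN_SUBNETS="${VPN_SUBNETS:-192.0.2.0/24 198.51.100.0/24}"
ROUTE_CMD="${ROUTE_CMD:-/sbin/route}"

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Accept only a.b.c.d/prefix with octets <= 255 and prefix <= 32.
valid_cidr() {
    case "$1" in *./*) return 1 ;; */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    is_uint "$prefix" && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        is_uint "$octet" && [ "$octet" -le 255 ] || return 1
    done
}

# $1 is the VPN interface (e.g. ppp0), the first argument pppd passes.
# DRY_RUN=1 prints the commands instead of running them.
add_vpn_routes() {
    iface=$1; unit=${iface#ppp}
    if [ "$unit" = "$iface" ] || ! is_uint "$unit"; then
        echo "ip-up: unexpected interface '$iface'" >&2; return 1
    fi
    for net in $VPN_SUBNETS; do
        if ! valid_cidr "$net"; then
            echo "ip-up: skipping invalid subnet '$net'" >&2; continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$ROUTE_CMD add $net -interface $iface"
        else
            "$ROUTE_CMD" add "$net" -interface "$iface"
        fi
    done
}

# pppd always passes arguments; with none (e.g. when sourced) do nothing.
if [ "$#" -gt 0 ]; then add_vpn_routes "$1"; fi
```

Running it by hand with `DRY_RUN=1` and `ppp0` as the argument shows the route commands without touching the routing table.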

There is a hidden feature in Network Preferences on MacOS: you can sort interfaces.

Open System Preferences -> Network -> Click the gear bottom left -> Set service Order...


It's critical that you have your network interfaces sorted into the order you want them to be used. If you want ALL non-LAN data to go to the VPN, put the VPN interface at the top. Sort like this

  1. VPN
  2. Ethernet
  3. Airport

Not like this:

  1. Airport
  2. Ethernet
  3. VPN

This way, no need to check the following setting in Session Options:

Send all traffic over VPN connection

✅ Tested on L2TP VPN connection

    I don't think this answers the question, unless the OP is backing up to Time Machine via Ethernet and connecting to the company network via Airport (Wireless connection)
    I used the ppp startup trick, but it didn't work until I moved my vpn connection below the wireless connection. This is a valid answer.
    – Arosboro
    Commented Aug 11, 2012 at 14:41
    It really would be the main answer! Thanks very much, it would be impossible to figure out!
    This does work for L2TP IPSec VPNs, but does NOT work for Cisco IPSec VPNs. Cisco IPSec VPNs are not available in the "Set Service Order" dialog
    – goofology
    Commented Apr 12, 2018 at 0:32
    This doesn't seem to work on macOS 12, even for L2TP VPNs.
    – Noldorin
    Commented Jun 25, 2022 at 14:32

I wanted to do a similar thing. Connect the VPN and then route an additional network via that VPN. I ended up with the following bit of AppleScript:

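-- Connect Work VPN

tell application "System Events"
    tell network preferences
        tell current location
            tell service "Work"
                connect -- start the VPN connection before waiting on it
                tell current configuration
                    -- wait until the VPN reports that it is connected
                    repeat until get connected = true
                        delay 1
                    end repeat
                end tell
            end tell
        end tell
    end tell
end tell

-- <GATEWAY> and <NETWORK> are placeholders: fill in your own addresses
set gateway to "<GATEWAY>"

do shell script "route add <NETWORK> " & gateway with administrator privileges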

You need to change "Work" to the name of your VPN connection, to your gateway address, and to the address of the network to which you wish to route. Additional networks can be added by repeating the final line with different addresses.

    (Minor addition, for those who wonder about this IP address: just like the questioner talked about, is a private address space just like 10.x.x.x and 192.168.x.x. So, it is in fact part of the VPN, and not some external web site or whatever.)
    – Arjan
    Commented Oct 21, 2009 at 9:48
    So is your router on the VPN, or the router on the LAN? And don't you have to set the default route back to your LAN?
    – Jack M.
    Commented Jun 16, 2010 at 17:14

The only right solution for macOS is to use networksetup:

First, find the name of your VPN network

$ networksetup -listnetworkserviceorder

Next, set up additional routes

$ networksetup -setadditionalroutes networkservice [dest1 mask1 gate1] [dest2 mask2 gate2] ... [destN maskN gateN]


$ networksetup -setadditionalroutes "my vpn network name" <dest1> <mask1> <gate1>

Check these settings:

$ networksetup -getadditionalroutes "my vpn network name"

To delete these settings, just set it without addresses:

$ networksetup -setadditionalroutes "my vpn network name"
    THIS IS THE WAY. Effortless conditional static routing on macOS. I was bumping my head against a wall for hours today before I found your answer. THANKS.
    – mrzool
    Commented Nov 24, 2023 at 14:12
    NOTE: You must list all routes at once if you have many. It doesn't add them.
    – vaughan
    Commented Jan 7 at 4:49
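
An added example, not part of the answer above: a wrapper that converts CIDR prefixes to the dotted masks `networksetup` expects and passes every route in a single `-setadditionalroutes` call, since a later call replaces the list instead of appending. The function names, the `NETWORKSETUP` override and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: send ALL routes in one -setadditionalroutes call, because
# each call replaces the stored list instead of appending to it.

# Prefix length (0-32) -> dotted netmask, e.g. 22 -> 255.255.252.0
prefix_to_mask() {
    bits=$1; mask=
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$(($bits - 8))
        else
            octet=$((256 - (1 << (8 - $bits)))); bits=0
        fi
        mask="${mask:+$mask.}$octet"
    done
    echo "$mask"
}

# $1 = network service name; other args = constructed "CIDR,gateway" pairs.
# With no pairs the call clears the routes, as the answer describes.
set_all_routes() {
    [ "$#" -ge 1 ] || return 1
    service=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        pair=$1; shift; n=$(($n - 1))
        case "$pair" in */*,*) ;; *) echo "bad route '$pair'" >&2; return 1 ;; esac
        cidr=${pair%,*}; gw=${pair#*,}; prefix=${cidr#*/}
        case "$prefix" in ''|*[!0-9]*) echo "bad prefix '$pair'" >&2; return 1 ;; esac
        [ "$prefix" -le 32 ] || { echo "bad prefix '$pair'" >&2; return 1; }
        # Append the converted triple; the original pairs are shifted away.
        set -- "$@" "${cidr%/*}" "$(prefix_to_mask "$prefix")" "$gw"
    done
    "${NETWORKSETUP:-networksetup}" -setadditionalroutes "$service" "$@"
}

# Constructed usage; NETWORKSETUP=echo previews the call without changing anything.
NETWORKSETUP=echo set_all_routes "my vpn network name" \
    192.0.2.0/24,10.8.0.1 198.51.100.0/22,10.8.0.1
```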

I have had a look online to see if I can find anything, and as far as I can understand you seem to want to be able to use your computer like normal, while also being able to connect to internal company websites, so, you may need to set up a custom routing table.

This link apparently only applies to 10.4, but the command line stuff may still work.

