Quite often, especially on corporate networks, once you connect to the company VPN all your traffic starts going through it, meaning they can watch what you do.
Most people may not even suspect that, but it is quite simple to find out.
Here is how to check on a Mac with a few commands anyone can run.
OK, let's check the routing table while connected to the VPN:
    netstat -nr | grep '0/1\|default'
    0/1                10.225.222.129     UGSc           70        0   utun3
    default            192.168.0.1        UGSc           12       11     en0
    128.0/1            10.225.222.129     UGSc            0        0   utun3
As you can see, the VPN created two destinations, 0/1 and 128.0/1, that go via utun3 (it could be any of utun0..N, a VPN tunnel interface); 10.225.222.129 is your VPN server.
By the way, if you are wondering what that short notation means, try ipcalc:
    ~ ipcalc 128.0.0.0/1 | grep 'HostMin\|HostMax'
    HostMin:   128.0.0.1            1 0000000.00000000.00000000.00000001
    HostMax:   255.255.255.254      1 1111111.11111111.11111111.11111110
    ~ ipcalc 0.0.0.0/1 | grep 'HostMin\|HostMax'
    HostMin:   0.0.0.1              0 0000000.00000000.00000000.00000001
    HostMax:   127.255.255.254      0 1111111.11111111.11111111.11111110
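Together they cover everything from 0.0.0.1 to 255.255.255.254, basically all IP addresses. Because a /1 route is more specific than the default route, these two entries take precedence over it, even though the default via en0 is still in the table.
Indeed, if I trace my traffic, it goes straight to the VPN server: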
    traceroute google.com
    traceroute: Warning: google.com has multiple addresses; using 74.125.193.113
    traceroute to google.com (74.125.193.113), 64 hops max, 52 byte packets
     1  ip-10-225-222-129 (10.225.222.129)  24.244 ms  26.419 ms  34.542 ms
    ^
Now, let's delete those routes. You will obviously need root access:
    sudo route delete -net 0/1 -ifp utun3
    sudo route delete -net 128.0/1 -ifp utun3
Now if we trace again:
    traceroute google.com
    traceroute: Warning: google.com has multiple addresses; using 74.125.193.113
    traceroute to google.com (74.125.193.113), 64 hops max, 52 byte packets
     1  ip-192-168-0-1 (192.168.0.1)  3.709 ms  3.085 ms  3.429 ms
As you can see, the first hop changed to 192.168.0.1, which is your home router.
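
The same check can be scripted, for example to confirm whether a machine is in full-tunnel mode before and after a change. This is an added example, not code from the original post: the function name `classify_routes` and its output labels are made up here, and the sample tables are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify a macOS IPv4 routing
# table read from stdin, e.g.  netstat -nr -f inet | classify_routes
# Output is one line:
#   full-tunnel <netif> <gateway>  0/1 and 128.0/1 both leave via one utun
#   partial <netif>                only one of the two halves is on a utun
#   direct <netif> <gateway>       no /1 override, the default route decides
#   no-default                     nothing matched
classify_routes() {
    awk '
        # The Netif column position can differ between macOS releases,
        # so look for an interface-shaped field instead of a fixed column.
        function netif(   i) {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(utun|ipsec|ppp|en|bridge)[0-9]+$/) return $i
            return "?"
        }
        $1 == "0/1"     { lo_if = netif(); lo_gw = $2 }
        $1 == "128.0/1" { hi_if = netif(); hi_gw = $2 }
        $1 == "default" && def_if == "" { def_if = netif(); def_gw = $2 }
        END {
            if (lo_if ~ /^utun/ && lo_if == hi_if)
                print "full-tunnel", lo_if, lo_gw
            else if (lo_if ~ /^utun/ || hi_if ~ /^utun/)
                print "partial", (lo_if ~ /^utun/ ? lo_if : hi_if)
            else if (def_if != "")
                print "direct", def_if, def_gw
            else
                print "no-default"
        }
    '
}

# Constructed sample input, modelled on the table shown in the post.
SAMPLE_VPN='0/1 10.225.222.129 UGSc 70 0 utun3
default 192.168.0.1 UGSc 12 11 en0
128.0/1 10.225.222.129 UGSc 0 0 utun3'
SAMPLE_DIRECT='default 192.168.0.1 UGSc 12 11 en0'

printf '%s\n' "$SAMPLE_VPN" | classify_routes
printf '%s\n' "$SAMPLE_DIRECT" | classify_routes
```

A `partial` result means only half of the address space is still routed through the tunnel, which is easy to miss when reading the table by eye.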