WireGuard on macOS sets default route when it shouldn't

Thomas Keppler winfr34k at gmail.com
Sun May 9 22:37:17 UTC 2021

Hello everyone,

on a remote system I administer, I have setup a WireGuard VPN. All in all, this process has worked swimmingly. However, I have got one big issue on all of my macOS clients and I'm not sure if it's a bug or if it's me just using the software aka holding it wrong.

I am not quite sure if this Mailing List is the right place to bother with questions like this, but I will try my luck anyways :-)

Given a client configuration like so:
------------ 8< ------------
PrivateKey = <privkey>
Address =
MTU = 1420

PublicKey = <pubkey>
PresharedKey = <psk>
AllowedIPs =,
Endpoint = <endpoint>:51820
------------ >8 ------------

When I activate the tunnel connection, I always get several routes pushed, all of which are OK except the default route:
------------ 8< ------------
default via link#19 dev utun6 dev utun6  scope link via dev utun6 dev utun6  scope link dev utun6  scope link dev utun6  scope link
------------ >8 ------------

From what I have read so far on other forums, Reddit, StackOverflow and such, the specific "AllowedIPs" I'm supplying should prevent the default route from being pushed. I have also tried to locate the code responsible for pushing these routes, but so far I could only gather that a "routeSocket" is established and watched in the Go internals that seems to be only read. The macOS app also does not seem to modify this socket (or any part I have read so far).

So given all of this, I have got two (main) questions (and an aside):

1.) Am I using WireGuard just plainly wrong or is it a Bug/Known Issue?
2.) Where is the code responsible for pushing routes?
3.) ...and what are good resources to check to get a better understanding of how this works internally?

Thank you very much for any response to this message in advance. I cannot wait to figure this one out!

Thomas Keppler

More information about the WireGuard mailing list