Split tunneling won't work

I have a Pritunl VPN server configured with split tunneling (i.e., no default 0.0.0.0/0 route). I’ve added specific routes to access certain services through the VPN, but I can’t reach those services even when the VPN is active.

Additionally, the VPN uses SSO/MFA authentication via a Google account, which works initially, but the connection automatically drops after a while, even though no manual disconnection is performed.

Verify NAT is enabled for the additional routes. If it isn't working, it's likely a firewall issue.

Check the logs in the top right of the web console for authentication errors.

Thank you for the reply. Could you also help me with a problem I have on Mac devices? When I import a user profile from the same server (with SSO enabled) on both a Mac and a Windows machine, the Mac connects successfully but has no internet access, while the Windows machine is fully functional. What could be the reason for this?

That is most often caused by DNS issues. Ping IP addresses and test DNS lookups to verify if it is only an issue with DNS. macOS only supports one DNS server. Verify the first DNS server in the Pritunl server settings is correct. Enabling VPN client DNS mapping will fix most DNS issues. In some cases the DNS server needs to be added to the server routes.

I have configured a Pritunl server with split-tunneling enabled, and the VPN network is 172.16.10.0/24. When I connect from my Mac, the VPN successfully assigns an IP from this subnet.

I verified the DNS resolvers using: scutil --dns

The output confirms that the first resolver is 172.16.10.1 (VPN), and the second one is 192.168.1.1 (Wi-Fi gateway). So DNS settings seem to be applied in the correct order.

However, DNS queries do not work properly when routed through the VPN:
Tests performed:

  • Traceroute to a VPN-routed IP (40.89.131.210):
    • First hop: 172.16.10.1 (VPN gateway)
    • Then: no response
  • Traceroute to a public IP (8.8.8.8):
    • First hop: 192.168.1.1 (Wi-Fi)
    • Then: 192.168.10.254 (LAN router)
    • This route proceeds as expected, outside the tunnel
  • DNS tests using nslookup (while connected to VPN):
    • nslookup gitlab.devil.ninja 172.16.10.1: SERVFAIL
    • nslookup 40.89.131.210 172.16.10.1: SERVFAIL
    • nslookup 8.8.8.8 172.16.10.1: SERVFAIL

So even public DNS resolution via the VPN DNS (172.16.10.1) fails with SERVFAIL errors. This suggests that the DNS traffic is being routed correctly to the VPN DNS server, but either the server does not respond, or the Mac is blocking/invalidating the replies.

So is there any specific configuration required on macOS to support DNS resolution properly with split-tunneling? For example, do I need to manually adjust resolver order, routes, or override system DNS behavior?

Should I configure anything additional on the server-side to ensure that the DNS server at 172.16.10.1 responds correctly to VPN clients in split mode?

Do you have recommended practices for ensuring DNS resolution works on macOS in split-tunnel mode using Pritunl?

PS: I should point out that Restrict Routing is activated on the server.

Run sudo netstat -tulpn on the server and verify the pritunl-dns process is running. If it's Ubuntu or a distro using systemd-resolved, the following needs to be added to /etc/systemd/resolved.conf (sudo nano /etc/systemd/resolved.conf):

[Resolve]
DNSStubListener=no

Then run sudo systemctl restart systemd-resolved and restart the Pritunl server.

The Windows system is likely falling back to the secondary DNS; only one DNS server is used on macOS.
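As an added illustration of the server-side check in the reply above (this is example shell written for this page, not code from the thread or from the Pritunl project), the script below does two things: it parses netstat -tulpn style output to show which processes hold port 53, so you can see whether systemd-resolved's stub listener on 127.0.0.53 is occupying the port instead of pritunl-dns, and it applies the DNSStubListener=no setting to a resolved.conf copy idempotently, whether the key is absent, commented out (the Ubuntu default is #DNSStubListener=yes) or already set. The netstat listings and the resolved.conf contents are constructed samples; the assumption that pritunl-dns shows up under that name in the PID/Program column and binds port 53 is mine, not something the page states.

```shell
#!/bin/sh
# Added example for the Pritunl DNS check; not from the forum thread or Pritunl.
# Assumption (not on the page): pritunl-dns binds port 53 and appears as
# "pritunl-dns" in the PID/Program column of `netstat -tulpn`.
set -eu

# Read netstat -tulpn output on stdin; print "proto local-address program"
# for every socket bound to port 53. $NF is the PID/Program column for both
# tcp (has a State column) and udp (does not) rows.
port53_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:53$/ {
            prog = $NF                  # e.g. 1300/pritunl-dns, or "-"
            sub(/^[0-9]+\//, "", prog)  # drop the PID, keep the name
            print $1, $4, prog
        }'
}

# Exit 0 if a pritunl-dns process holds port 53 in the listing on stdin.
pritunl_dns_listening() {
    port53_listeners | grep -q ' pritunl-dns$'
}

# Set DNSStubListener=no in the resolved.conf given as $1, touching the
# file only as much as needed: rewrite an existing (possibly commented)
# key, or add it under [Resolve], or create the section if it is missing.
disable_stub_listener() {
    conf="$1"
    tmp="$conf.tmp"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*DNSStubListener=' "$conf"; then
        awk '!done && /^[[:space:]]*#?[[:space:]]*DNSStubListener=/ {
                 print "DNSStubListener=no"; done = 1; next }
             { print }' "$conf" > "$tmp"
    elif grep -q '^\[Resolve\]' "$conf"; then
        awk '{ print } /^\[Resolve\]/ { print "DNSStubListener=no" }' "$conf" > "$tmp"
    else
        { cat "$conf"; printf '\n[Resolve]\nDNSStubListener=no\n'; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Constructed sample: the broken state, where only the systemd-resolved
# stub holds port 53 and pritunl-dns is not listening.
sample_netstat_broken() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      512/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           512/systemd-resolve
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1310/openvpn
EOF
}

# Constructed sample: the healthy state after the stub listener is disabled.
sample_netstat_healthy() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1300/pritunl-dns
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1310/openvpn
EOF
}

# Constructed sample modelled on the Ubuntu default resolved.conf.
sample_resolved_conf() {
    cat <<'EOF'
[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSStubListener=yes
#ReadEtcHosts=yes
EOF
}

# Demo on the constructed data. On a real server you would instead pipe in
# `sudo netstat -tulpn` and point disable_stub_listener at
# /etc/systemd/resolved.conf, then restart systemd-resolved and Pritunl.
echo "port 53 on the broken host:"
sample_netstat_broken | port53_listeners
demo_conf=$(mktemp)
sample_resolved_conf > "$demo_conf"
disable_stub_listener "$demo_conf"
echo "resolved.conf after the fix:"
cat "$demo_conf"
rm -f "$demo_conf"
```

If port53_listeners shows only systemd-resolve on 127.0.0.53:53 and pritunl_dns_listening fails, that matches the situation the reply describes; after applying the resolved.conf change and restarting both services, the healthy listing should show pritunl-dns on port 53 and nothing from systemd-resolve.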