netstat -nr returning "0/1" -- what does that mean?

Question

In exploring how my local openVPN virtual interface utun0 works, I came across the following data, and I don't know how to make sense of it. (I'm on a Mac)

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.5           UGSc           61        0   utun0
default            192.168.7.254      UGSc            7        0     en0
10.8.0.1/32        10.8.0.5           UGSc            1        0   utun0
10.8.0.5           10.8.0.6           UHr           110       12   utun0
54.242.164.191/32  192.168.7.254      UGSc            2        0     en0
...

It looks like "0/1" is CIDR notation. Is that correct? If so, I have follow up questions. From my understanding, an interface is chosen according to which subnet(s) match the destination ip. With 0/1, only ip addresses whose first bit is 0 would match -- which means only ip address >= 128.0.0.0 would match. Is that true? I could believe that except then I get this

$ ip route get 8.8.8.8
8.8.8.8 via 10.8.0.5 dev utun0  src 10.8.0.6

So now I'm really confused what "0/1" means and why that route trumps the default route.

EDIT

0/1 would actually mean anything < 128.0.0.0, however, I still get this:

$ ip route get 198.41.208.137
198.41.208.137 via 10.8.0.5 dev utun0  src 10.8.0.6

So ip addresses both greater and lesser than 128.0.0.0 go through the router. How? Why?

I do see a 128/1 as well:

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.8.0.5           UGSc           63        0   utun0
default            192.168.7.254      UGSc            5        0     en0
...
128.0/1            10.8.0.5           UGSc           42        0   utun0
...

So @Teun Vink seems to be correct.

How did you do "ip route get 198.41.208.137" on a Mac? Or had you switched to a Linux box for that? I happen to be looking for a similar command for the Mac. — Marnix A. van Ammers, Mar 03 '19 at 20:07
It's very possible that I brew installed something to get that cli command. But I don't remember what if I did — Alexander Bird, Mar 04 '19 at 14:44
Or maybe you actually typed "route get 198.41.208.137" which would work on a Mac. — Marnix A. van Ammers, Jul 19 '22 at 00:49

score 15 · Accepted Answer · answered Aug 29 '16 at 19:00

15

Some VPNs push the default gateway (a /0 netmask) as two /1 networks: 0/1 and 128/1. Since a more specific route always wins, this forces traffic to be routed via the VPN instead of over the default gateway.

answered Aug 29 '16 at 19:00

Teun Vink

17,233
6
44
70

What would happen if I have two VPN clients installed? I assume what would happen is that when I turn VPN 1 on, it would be fine, but when I turn VPN 2 on (assuming it also does the 0/1 128/1 trick), it would fail because those subnets are already in use. Does that sound right? – Alexander Bird Aug 29 '16 at 19:19
Assuming both VPNs push the same routes: yes, then you'd have two equal routes, so that wouldn't work as expected. – Teun Vink Aug 30 '16 at 05:07

dominix · Answer 2 · 2020-06-08T03:06:53.030

The first bit is for the netmask not for the address, this route mean all IP starting from 0.0.0.0 with netmask 128.0.0.0 so

Network:   0.0.0.0/1            0 0000000.00000000.00000000.00000000
HostMin:   0.0.0.1              0 0000000.00000000.00000000.00000001
HostMax:   127.255.255.254      0 1111111.11111111.11111111.11111110

Network:   128.0.0.0/1          1 0000000.00000000.00000000.00000000
HostMin:   128.0.0.1            1 0000000.00000000.00000000.00000001
HostMax:   255.255.255.254      1 1111111.11111111.11111111.11111110

the routing daemon take the biggest netmask it knows to select the best route. So whenever you have a default route, you always have another route with biggest netmask using 2 net with /1 netmask

netstat -nr returning "0/1" -- what does that mean?

2 Answers2