Beacon guide

Monitor VPN bandwidth on Mac

Track traffic flowing through your Mac's VPN interface specifically — to test throughput, debug leaks, or just see what's actually tunneled.

4 min read

When you’re on a VPN, your physical interface (Wi-Fi or Ethernet) and your VPN interface (typically utun0, utun1, etc.) are both active. macOS’s built-in monitoring is usually showing you one or aggregating both, which is exactly the wrong thing when you’re trying to figure out whether your VPN is slow or whether something is leaking outside the tunnel.

Inspect the VPN interface directly

List your interfaces

ifconfig | grep -E ’^[a-z]’

You’ll see a list including en0 (Wi-Fi), en1 (Ethernet, if present), and utun0, utun1, etc. The utun interfaces are tunnel interfaces — your VPN is one of them. Find yours by toggling the VPN off and on and watching which utun number appears.

Live throughput on the VPN interface

netstat -ibn -I utun0

The Ibytes and Obytes columns are cumulative since the interface came up. Run it twice a second apart and subtract for live bytes/sec — or use a wrapper:

while true; do netstat -ibn -I utun0 | awk ‘NR==2{print $7, $10}’; sleep 1; done

That prints bytes in / bytes out every second. Subtract consecutive lines for per-second throughput.

iftop and nettop on the VPN interface

sudo iftop -i utun0 (Homebrew) shows per-flow throughput on a specific interface. nettop -i utun0 works similarly. Both are useful for confirming “yes, this app’s traffic is going through the tunnel.”

A menu bar monitor with interface filtering

For ongoing awareness, a menubar tool that lets you pick an interface is the cleanest. Beacon lets you choose which interface its Network readout tracks, so you can have it show only the VPN interface’s traffic.

  1. Install Beacon.
  2. Enable Network in Settings > Menu Bar.
  3. In Network settings, set the interface to your VPN (utun0 or whatever yours is).
  4. The readout now reflects only VPN traffic. Toggle the VPN off and you'll see it drop to zero — useful confirmation it's actually doing something.

Spotting leaks

If you expect all traffic to go through the VPN, here’s a sanity check:

  1. Start a known transfer (a 1 GB download from a known site).
  2. Watch netstat -ibn -I utun0 and netstat -ibn -I en0 simultaneously in two terminal panes.
  3. The bytes counter on the VPN interface should be climbing roughly in line with the download size.
  4. If the physical interface is also climbing at the same rate, you have a split-tunnel configuration (or a leak), and traffic is bypassing the VPN.

Some VPNs intentionally split-tunnel certain apps or destinations — check your VPN client’s settings before assuming a leak.

← All Beacon tips