When using Defguard on macOS (15.x / Sequoia) with predefined traffic (split tunnel), the VPN connection shows as successfully established, but no internal services (including DNS servers) are reachable if the VPN server's endpoint IP address falls within the ranges defined in AllowedIPs.
On macOS, the client strictly installs routes for all networks in AllowedIPs, including the VPN endpoint IP. As a result, packets to the VPN server itself are routed into the tunnel (utunX) instead of the physical interface. The interface comes up and appears connected, but traffic fails immediately — DNS servers and other internal services are unreachable, and the connection times out.
On Windows, the client handles this case gracefully: it automatically excludes the endpoint IP from being routed through the tunnel, so the VPN connection works even with overlapping AllowedIPs.
This results in identical configurations behaving differently between macOS and Windows.
The issue has been tested with version 1.4.0 and earlier, with the same behavior observed.
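To make the routing difference concrete, here is an added example (not Defguard's code, and not from the reporter) that models the two route tables with a longest-prefix-match lookup and shows the two usual ways to keep the endpoint out of the tunnel: carving the endpoint host out of AllowedIPs, as the Windows behaviour above describes, or pinning a host route for the endpoint to the physical interface. The addresses, interface names (utun3, en0) and the gateway 172.16.1.1 are made up for the example.

```python
"""Model of the split-tunnel endpoint-routing problem.

Hypothetical example, not Defguard's own code. The constructed sample
configuration puts the VPN server endpoint 10.0.0.1 inside the AllowedIPs
prefix 10.0.0.0/8, so a naive route install sends packets destined for the
server itself into the tunnel interface.
"""
import ipaddress

# Constructed sample configuration (not from a real deployment).
ENDPOINT = "10.0.0.1"
ALLOWED_IPS = ["10.0.0.0/8", "192.168.50.0/24", "fd00::/64"]
TUNNEL_IF = "utun3"
PHYSICAL_IF = "en0"
PHYSICAL_GATEWAY = "172.16.1.1"   # assumed default gateway reachable via en0


def lookup(table, dst):
    """Longest-prefix-match lookup. `table` is a list of (network, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def naive_macos_table(allowed_ips, tunnel_if, physical_if):
    """The table the report describes on macOS: every AllowedIPs prefix is
    routed into the tunnel, and only the default routes point at the NIC."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), physical_if),
             (ipaddress.ip_network("::/0"), physical_if)]
    table += [(ipaddress.ip_network(n, strict=False), tunnel_if)
              for n in allowed_ips]
    return table


def exclude_endpoint(allowed_ips, endpoint):
    """Carve the endpoint host out of AllowedIPs (Windows-style fix): each
    prefix containing the endpoint is split into the sub-prefixes that do
    not contain it, so no tunnel route can ever match the server address."""
    ep = ipaddress.ip_address(endpoint)
    ep_net = ipaddress.ip_network(f"{ep}/{ep.max_prefixlen}")  # /32 or /128
    out = []
    for n in allowed_ips:
        net = ipaddress.ip_network(n, strict=False)
        if net.version != ep.version or ep not in net:
            out.append(net)
        elif net != ep_net:
            out.extend(net.address_exclude(ep_net))
        # net == ep_net: the prefix *is* the endpoint, so it is dropped entirely
    return sorted(out, key=lambda x: (x.version, x))


def host_route_table(allowed_ips, endpoint, tunnel_if, physical_if):
    """Alternative fix: keep AllowedIPs unchanged but add a host route for
    the endpoint on the physical interface. A /32 (or /128) always wins the
    longest-prefix match against any broader AllowedIPs prefix."""
    table = naive_macos_table(allowed_ips, tunnel_if, physical_if)
    ep = ipaddress.ip_address(endpoint)
    table.append((ipaddress.ip_network(f"{ep}/{ep.max_prefixlen}"), physical_if))
    return table


def macos_route_commands(allowed_ips, endpoint, tunnel_if, gateway):
    """Render the host-route fix as BSD `route` invocations a macOS client
    could run (command text only; nothing is executed here)."""
    cmds = [f"route -n add -host {endpoint} {gateway}"]
    for n in allowed_ips:
        net = ipaddress.ip_network(n, strict=False)
        fam = "-inet6" if net.version == 6 else "-inet"
        cmds.append(f"route -n add {fam} -net {net} -interface {tunnel_if}")
    return cmds


if __name__ == "__main__":
    naive = naive_macos_table(ALLOWED_IPS, TUNNEL_IF, PHYSICAL_IF)
    print("naive macOS table, endpoint goes via:", lookup(naive, ENDPOINT))
    fixed = host_route_table(ALLOWED_IPS, ENDPOINT, TUNNEL_IF, PHYSICAL_IF)
    print("with host route, endpoint goes via:", lookup(fixed, ENDPOINT))
    carved = exclude_endpoint(ALLOWED_IPS, ENDPOINT)
    print("carved AllowedIPs:", [str(n) for n in carved])
    for cmd in macos_route_commands(ALLOWED_IPS, ENDPOINT, TUNNEL_IF, PHYSICAL_GATEWAY):
        print(cmd)
```

Running it shows the endpoint resolving to utun3 in the naive table (the tunnel's own handshake and data packets are routed into the tunnel) and to en0 once a host route exists, while other addresses inside AllowedIPs still resolve to the tunnel. The carve-out variant produces a long list of sub-prefixes for a large prefix such as /8, which is why clients typically prefer the single host route on the physical interface.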