The tools
Ping — sends an ICMP Echo Request and waits for an Echo Reply. Tests reachability and RTT (round-trip time). Only tests ICMP — a host can be serving HTTP fine while blocking ping.
Traceroute — sends probes with incrementing TTL. Each router that drops TTL to 0 sends back an ICMP “Time Exceeded”, revealing its identity. * * * means that router didn’t respond to the probe — not that the connection is broken. Your actual HTTP/gRPC traffic may be flowing through fine.
What the data showed (voltnet-omni investigation)
Context: api-dev.voltnet.io is an AWS ELB in Singapore, only accessible via Tailscale (beepevpn).
Without VPN → api-dev.voltnet.io: Traffic dies after 2 hops. Dev endpoint is not exposed to the public internet by design.
With VPN → api-dev.voltnet.io:
Hop  Address                  RTT     Notes
1    beepevpn (192.168.8.1)   ~5ms    Tailscale virtual gateway
2    10.9.0.1                 ~8ms    VPN internal router
3    244.5.0.x                ~15ms   VPN internal routers
4+   * * *                            AWS infra (silent, but reachable ✅)
With VPN → 8.8.8.8: Also routes through Tailscale — this is a full-tunnel VPN, not split-tunnel.
Mental model
Without VPN:
  MacBook → Home router → ISP → (blocked at AWS boundary)
With VPN (full-tunnel):
  MacBook → Tailscale (192.168.8.1) → VPN routers → AWS internal network → ELB
  └── all traffic goes this way, including 8.8.8.8
VPN adds ~10–15ms overhead. The 244.5.x.x / 240.x.x.x / 242.x.x.x IPs are internal VPN addresses — not publicly routable.
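An added example, not part of the original notes: a small Python parser for traceroute output that labels each hop as RFC 1918, reserved 240.0.0.0/4, public or silent, and reports whether the first answering hop is the VPN gateway. The sample trace is constructed to match the with-VPN table above, and the function names are hypothetical.

```python
import ipaddress
import re

# Ranges spelled out: ipaddress.is_private differs between Python versions.
RANGES = {"rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
          "reserved-240/4": ("240.0.0.0/4",)}
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RTT_RE = re.compile(r"([\d.]+)\s*ms")

# Constructed sample (with-VPN trace); hop 3's last octet and timings are made up.
SAMPLE = """\
traceroute to api-dev.voltnet.io, 8 hops max
 1  beepevpn (192.168.8.1)  5.1 ms  4.9 ms  5.3 ms
 2  10.9.0.1  8.2 ms  7.9 ms  8.4 ms
 3  244.5.0.1  15.0 ms  14.8 ms  15.6 ms
 4  * * *
 5  * * *
"""

def classify(ip):
    addr = ipaddress.ip_address(ip)
    for label, nets in RANGES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def parse(text):
    """Return one (hop, ip_or_None, best_rtt_ms_or_None, label) per hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        addr = next(iter(IP_RE.findall(m.group(2))), None)
        rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
        hops.append((int(m.group(1)), addr, min(rtts) if rtts else None,
                     classify(addr) if addr else "silent"))
    return hops

def summarize(hops, vpn_gateway):
    answered = [h for h in hops if h[1]]
    last = answered[-1][0] if answered else 0
    return {
        "via_vpn": bool(answered) and answered[0][1] == vpn_gateway,
        "last_answering_hop": last,
        "trailing_silent": sum(1 for h in hops if h[0] > last),  # not proof of an outage
        "public_hops": [h[1] for h in answered if h[3] == "public"],
    }
```

Calling `summarize(parse(SAMPLE), "192.168.8.1")` shows a trace that enters the VPN at hop 1, never touches a public address, and ends in silent hops, which calls for a direct check of the service port rather than a conclusion that the path is down.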