There are situations where you want to bypass your VPN for certain web sites or apps. For example, you might want to pass all traffic from some devices through the VPN, except when those devices visit streaming web sites such as Netflix, Hulu, etc.
Some VPN clients let you choose which apps use the VPN connection. You can leave out apps such as Netflix if you don't want Netflix traffic to go through the VPN. However, if you want your web browser to always use the VPN connection except for a few web sites, split tunneling by app selection alone is not enough, because the browser is a single app.
For the latter, you need a VPN client that can control split tunneling by domain names and IP address ranges. And you need to find out which domain names and IP address ranges the web site or app actually talks to, so that you can exclude exactly those from the VPN connection.
If you are using a browser, the easiest way is to open the “Developer Tools” window (hit the F12 key), switch to the “Network” tab, and check which domains were requested when you visit the web site.
The following screenshot shows the domains requested by Netflix.
After watching Netflix for a while and monitoring the network activity, you'll find that Netflix gets content from these 5 domains: netflix.com, nflxext.com, nflximg.net, nflxso.net and nflxvideo.net. Note that the video itself is served from subdomains of nflxvideo.net that only show up once playback starts, which is why you need to watch for a while rather than just load the home page.
And these will be the domains you need to exclude from your VPN connection.
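As an added example that is not part of the original post (and not code from pcWRT or the VPN Bypass project): the DevTools Network tab can save everything it recorded as a HAR file, and the Python script below reads such a file, collapses the requested hostnames to their base domains, renders the list in the slash-separated form used for the Netflix domains later in this post, and reports which observed server IPs fall outside a candidate CIDR range. The HAR content and all IP addresses in it are constructed for the example, and the function names and the two-label "base domain" heuristic are my own simplifications, not anything the post prescribes.

```python
import json
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample in the shape of a HAR file saved from the DevTools Network tab
# (right-click the request list, "Save all as HAR"). The hostnames mimic the Netflix
# domains listed in the post; the server IP addresses are made up (documentation ranges,
# plus one address inside 52.88.0.0/13 so the CIDR check below has something to match).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://www.netflix.com/browse"}, "serverIPAddress": "52.89.1.2"},
    {"request": {"url": "https://assets.nflxext.com/ffe/siteui/vlv3/app.js"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://occ-0-2567-1490.1.nflxso.net/dnm/api/v6/img.jpg"}, "serverIPAddress": "198.51.100.8"},
    {"request": {"url": "https://ipv4-c001-dfw001-ix.1.oca.nflxvideo.net/range/0-1000?o=1"}, "serverIPAddress": "203.0.113.4"},
    {"request": {"url": "https://art-s.nflximg.net/abc/boxart.jpg"}, "serverIPAddress": "198.51.100.9"},
    {"request": {"url": "https://www.netflix.com/api/shakti/mre/pathEvaluator"}, "serverIPAddress": "52.89.1.2"},
    {"request": {"url": "data:image/png;base64,iVBORw0KGgo="}},  # no host: must be skipped
]}})


def hosts_from_har(har_text):
    """Map every hostname requested in a HAR document to the set of server IPs it was served from."""
    hosts = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host:  # data:, blob: and similar URLs have no network destination
            continue
        ips = hosts.setdefault(host.lower(), set())
        ip = entry.get("serverIPAddress")
        if ip:
            ips.add(ip)
    return hosts


def base_domain(host):
    """Collapse a hostname to its last two labels, e.g. a.b.nflxvideo.net -> nflxvideo.net.
    Simplification (assumed here): multi-label public suffixes such as co.uk are not recognised."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def bypass_domains(har_text):
    """Distinct base domains contacted, sorted, ready to be entered in a VPN client."""
    return sorted({base_domain(h) for h in hosts_from_har(har_text)})


def vpnbypass_field(domains, ipset="vpnbypass"):
    """Join the domains in the slash-separated form the post shows for the 'Domains to Bypass' field."""
    return "/".join(list(domains) + [ipset])


def ips_not_covered(har_text, cidrs):
    """Server IPs seen in the HAR that fall outside the given CIDR ranges.
    Useful when a domain list is not enough and you want to know which IP ranges to add."""
    nets = [ip_network(c) for c in cidrs]
    seen = {ip for ips in hosts_from_har(har_text).values() for ip in ips}
    return sorted((ip for ip in seen if not any(ip_address(ip) in n for n in nets)), key=ip_address)


if __name__ == "__main__":
    domains = bypass_domains(SAMPLE_HAR)
    print("\n".join(domains))
    print(vpnbypass_field(domains))
    print(ips_not_covered(SAMPLE_HAR, ["52.88.0.0/13"]))
```

Run it against a HAR you saved yourself after watching for a while, and feed the output to your VPN client; anything `ips_not_covered` still reports after you have added your candidate ranges is traffic that will keep going through the VPN.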
It is a little bit more difficult when you need to find out the domain names or IP address ranges used by an app. Here are several ways you can accomplish the task:
Once you’ve determined the domains and IP address ranges to exclude from your VPN, you can simply enter them in your VPN client configuration. If your VPN client supports this configuration, it is pretty straightforward.
If your VPN client does not support split tunneling by domain names and IP address ranges, then you have to configure the routing rules manually. The process is tedious and OS-dependent, and a plain route only works for fixed IP ranges, not for domain names whose addresses change. For example, here is a howto guide for Windows 10.
If you have an OpenWrt router and you’re running the OpenVPN client on the router, you can use the VPN Bypass package to set up split tunneling by domains and IP address ranges.
In summary, these are the steps. First replace the stock dnsmasq with dnsmasq-full, which is the build that can populate ipsets from DNS answers, and install ipset and iptables:
opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full
Then install the VPN Bypass package together with its LuCI web interface:
opkg install vpnbypass luci-app-vpnbypass
For example, to bypass the Netflix domains shown above, you’ll enter
netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/vpnbypass
in the Domains to Bypass field.
Split-tunneling is supported for all three VPN protocols available on the pcWRT router: OpenVPN, IKEv2 and WireGuard. And it is really easy to set up: just enter the domains or IP ranges in the “Domains and IP Ranges” text area.
You can use CIDR notation to enter an IP address range. For example, 52.88.0.0/13.
If needed, you can enter a regular expression for domain name matching by preceding the line with a tilde. Keep such patterns tight: every name the pattern matches is sent outside the VPN, so an overly broad expression will leak more traffic than you intended.
As shown in the screenshot below, split tunneling enables you to VPN to Japan while enjoying US Netflix at the same time :).