How to bypass VPN for certain web sites or apps

    There are situations where you want to bypass your VPN for certain web sites or apps. For example, you might want to pass all traffic from some devices through the VPN, except when those devices visit streaming web sites such as Netflix or Hulu.

    Some VPN clients give you the ability to choose which apps use the VPN connection. You can leave out apps such as Netflix if you don’t want Netflix traffic to go through the VPN. However, if you want your web browser to always use the VPN connection except for a few web sites, split tunneling by app selection alone is not enough.

    For the latter, you need a VPN client that can control split tunneling by domain names and IP address ranges. You then need to:

    1. Find out which domains or IP ranges are used by the web site for which you want to bypass the VPN.
    2. Enter the domains and IP ranges in your VPN client configuration to exclude them from the VPN connection.

    Find the needed domain names or IP ranges

    If you are using a browser, the easiest way is to open the “Developer Tools” window (hit the F12 key), switch to the “Network” tab, and check which domains were requested when you visit the web site.

    The following screenshot shows the domains requested by Netflix.

    After watching Netflix for a while and monitoring the network activity, you’ll find that Netflix fetches content from these five domains:

    • netflix.com
    • nflxext.com
    • nflximg.net
    • nflxso.net
    • nflxvideo.net

    And these will be the domains you need to exclude from your VPN connection.

    It is a little more difficult when you need to find out the domain names or IP address ranges used by an app. Here are several ways you can accomplish the task:

    1. If you have a Pi-hole on your network, you can find the domain names in its query logs.
    2. If you use the pcWRT router, you can check the Access Control logs.
    3. Use Wireshark.
    4. If you are on Windows, use the Resource Monitor. You won’t be able to get domain names this way, but you’ll be able to get IP addresses used by an app.
    5. Ask other people, or leave a comment here.

    Set up the split-tunneling configuration

    Once you’ve determined the domains and IP address ranges to exclude from your VPN, you can simply enter them in your VPN client configuration. If your VPN client supports this configuration, it is pretty straightforward.

    If your VPN client does not support split tunneling by domain names and IP address ranges, then you have to configure the routing rules manually. The process is tedious and OS dependent. For example, here is a how-to guide for Windows 10.

    Set up split-tunneling on an OpenWrt router

    If you have an OpenWrt router and you’re running the OpenVPN client on the router, you can use the VPN Bypass package to set up split tunneling by domains and IP address ranges.

    In summary, these are the steps:

    1. Install iptables, ipset and dnsmasq-full:

      opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full

    2. Install vpnbypass and luci-app-vpnbypass:

      opkg install vpnbypass luci-app-vpnbypass

    3. In the LuCI UI, enter the domains and IP address ranges to bypass.

    For example, to bypass the Netflix domains shown above, you’ll enter

    netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/vpnbypass

    in the Domains to Bypass field.
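    As an added example (not part of the original post), the following script automates two of the steps above: it extracts the domains a single device queried from Pi-hole/dnsmasq query log lines, collapses them to registrable domains, and formats them as the slash-separated string the vpnbypass "Domains to Bypass" field accepts. The log lines, client IP and ipset name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Pi-hole / dnsmasq query log lines (the format used in
# /var/log/pihole.log); these are not taken from the original post.
SAMPLE_LOG = """\
Jan 12 20:01:03 dnsmasq[812]: query[A] www.netflix.com from 192.168.1.20
Jan 12 20:01:03 dnsmasq[812]: forwarded www.netflix.com to 1.1.1.1
Jan 12 20:01:04 dnsmasq[812]: query[A] assets.nflxext.com from 192.168.1.20
Jan 12 20:01:04 dnsmasq[812]: query[AAAA] occ-0-1.nflxso.net from 192.168.1.20
Jan 12 20:01:05 dnsmasq[812]: query[A] ipv4-c001-lax001-ix.1.oca.nflxvideo.net from 192.168.1.20
Jan 12 20:01:06 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.33
Jan 12 20:01:07 dnsmasq[812]: query[A] art-s.nflximg.net from 192.168.1.20
"""

# Matches only "query[TYPE] name from client" lines; "forwarded"/"reply" lines are ignored.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")


def registrable(fqdn: str) -> str:
    """Collapse a hostname to its last two labels. Simple heuristic: it does not
    handle multi-label suffixes such as co.uk (that needs the Public Suffix List)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domains_for_client(log_text: str, client_ip: str) -> dict:
    """Return {registrable_domain: query_count} for DNS queries made by client_ip,
    so traffic from other devices on the LAN does not pollute the bypass list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(3) == client_ip:
            counts[registrable(m.group(2))] += 1
    return dict(counts)


def vpnbypass_domain_line(domains, setname: str = "vpnbypass") -> str:
    """Format domains as the dnsmasq ipset-style 'dom1/dom2/.../setname' string
    entered in the vpnbypass LuCI "Domains to Bypass" field."""
    return "/".join(sorted(domains)) + "/" + setname


if __name__ == "__main__":
    seen = domains_for_client(SAMPLE_LOG, "192.168.1.20")
    print(vpnbypass_domain_line(seen))
```

    Review the resulting list before entering it: a device also talks to CDNs and telemetry hosts that you may not want to exclude from the VPN.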

    Set up split-tunneling on the pcWRT router

    Split-tunneling is supported for all three VPN protocols available on the pcWRT router: OpenVPN, IKEv2 and WireGuard. And it is really easy to set up: just enter the domains or IP ranges in the “Domains and IP Ranges” text area.

    You can use the CIDR notation to enter an IP address range. For example, 52.88.0.0/13.

    If needed, you can enter a regular expression for domain name matching by preceding the line with a tilde.

    As shown in the screenshot below, split tunneling enables you to VPN to Japan while enjoying US Netflix at the same time :).
