Split tunneling per program #323

Open
azumukupoe opened this issue Nov 27, 2019 · 9 comments
@azumukupoe

I'd like to bypass VPN connection for certain programs.

@cron2
Contributor

cron2 commented Nov 27, 2019 via email

cron2 closed this as completed Nov 27, 2019

@chipitsine
Contributor

It is possible to some extent in Windows.

For example, Remote Desktop IP Virtualization
http://www.virtualizationblog.com/why-we-need-remote-desktop-services-ip-virtualization/

Every RDP user can use his own IP. However, such a mode requires some investigation into how it will interoperate with TAP (or, nowadays, WinTun) adapters, and how the routing table will be constructed.

@cron2
Contributor

cron2 commented Nov 27, 2019 via email

@Kyogre

Kyogre commented Dec 3, 2022

Not possible on Windows

However, hide.me and AmanVPN have a working application split tunneling feature on Windows.

@cron2
Contributor

cron2 commented Dec 3, 2022 via email

@Kyogre

Kyogre commented Dec 10, 2022

I found out that Windscribe can do "per application split tunneling" with the user's OpenVPN configs. I fed it some random ovpn config from vpngate, and Windscribe (current is 2.5.17) connected successfully and splitting works.

Also, there is a WireGuard implementation of split tunneling in the project https://github.com/TunnlTo/desktop-app

@selvanair
Collaborator

selvanair commented Dec 10, 2022

They are probably using a custom callout driver for the Windows Filtering Platform to do bind redirection as described here:
https://learn.microsoft.com/en-us/windows-hardware/drivers/network/using-bind-or-connect-redirection
If anyone is ready to devote the time to implement and maintain the code, we'll welcome patches for such a "per app split-tunneling".

As filtering using WFP would require privileged access, this may have to go into a service running as SYSTEM (preferably a new service) that the GUI can interact with. Direct hooking to or from OpenVPN core would not be required.

@ahmadfebrianto

The Proton VPN desktop client for Windows has this feature and it works like a charm. Here is the link to their repo: https://github.com/ProtonVPN/win-app. I hope someday someone could bring this feature to the OpenVPN client.

@cron2
Contributor

cron2 commented Aug 6, 2023

In the Proton VPN repository, there's

Callout driver
The kernel-mode driver "ProtonVPN Callout Driver" is used for redirecting socket bindings when Split Tunnel is enabled and preventing DNS leak by sending SERVFAIL response packet for DNS requests which were made from other interfaces than Proton VPN uses.

The driver is installed as a system service. It is started when connecting to VPN and stopped when disconnecting by Proton VPN Service.

and the whole thing is GPL-3 - so if someone has time and energy, this would certainly be an interesting read.
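
The README text quoted in the comment above mentions preventing DNS leaks by answering DNS requests made from non-VPN interfaces with a SERVFAIL response. As an added example (not code from the Proton VPN driver or from OpenVPN), this user-space C function builds such a reply from a raw query. The function name, the choices to drop EDNS records and leave RA clear, and the sample packet are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN    12
#define RCODE_SERVFAIL 2

/* Constructed sample: query for example.com A/IN, id 0x1234, RD set,
 * followed by one EDNS OPT record in the additional section. */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Hypothetical helper: writes a SERVFAIL reply for query q into out.
 * Returns the reply length, or -1 if q is not a well-formed
 * single-question query or out is too small. */
int build_servfail(const uint8_t *q, size_t qlen, uint8_t *out, size_t cap)
{
    if (qlen < DNS_HDR_LEN || (q[2] & 0x80))  /* too short, or already a response */
        return -1;
    if (q[4] != 0 || q[5] != 1)               /* QDCOUNT must be exactly 1 */
        return -1;

    size_t pos = DNS_HDR_LEN;
    for (;;) {                                /* walk the QNAME labels */
        if (pos >= qlen) return -1;
        uint8_t len = q[pos];
        if (len & 0xC0) return -1;            /* reject compression pointers here */
        pos += 1 + (size_t)len;
        if (len == 0) break;                  /* root label ends the name */
    }
    pos += 4;                                 /* QTYPE + QCLASS */
    if (pos > qlen || pos > cap) return -1;

    memcpy(out, q, pos);                      /* same ID and question section */
    out[2] = 0x80 | (q[2] & 0x79);            /* QR=1, keep opcode and RD, clear AA/TC */
    out[3] = RCODE_SERVFAIL;                  /* RA=0, Z=0, RCODE=2 (assumption: RA clear) */
    memset(out + 6, 0, 6);                    /* ANCOUNT = NSCOUNT = ARCOUNT = 0 */
    return (int)pos;
}

int main(void)
{
    uint8_t reply[512];
    printf("reply length: %d\n", build_servfail(sample_query, sizeof sample_query, reply, sizeof reply));
    return 0;
}
```

The reply keeps the query's ID and question so the client matches it to its request and fails fast instead of retrying over the non-VPN interface.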
