Passer au contenu principal

Split tunneling using OpenVPN

Connectivity Windows Linux OpenVPN Installation macOS Desktop Split tunneling 

Dernière mise à jour:

If you are using the Mullvad VPN app, then please instead see the guide Split tunneling with the Mullvad app (for Android, Linux and Windows).

The term "split tunneling" is used to describe when you want some of your programs to use the VPN while allowing the rest of your traffic to travel via your regular Internet connection. This guide explains how to set up split tunneling so that everything goes outside of the VPN tunnel by default, or so that everything goes inside the VPN tunnel by default.

Prerequisites

First you need to have set up OpenVPN in your operating system. See the corresponding guide here:

OpenVPN installation on Linux

OpenVPN installation on Windows

Tunnelblick on macOS

Option 1: How to route everything outside of the VPN by default

You will use SOCKS5 proxies for the programs that you want to go out  via the VPN connection.

 

DNS configuration

Warning: Firefox may leak DNS requests outside the SOCKS5 proxy even if you have "Proxy DNS when using SOCKS v5" enabled. Make sure that you have set your system to use a DNS that that you are comfortable to leak queries to.

Linux using OpenVPN

Edit /etc/openvpn/mullvad_xx.conf and add

route-nopull
route 10.0.0.0 255.0.0.0

Reconnect.

Follow the SOCKS5 guide guide for how to configure your clients that should go out via the VPN.

Windows using OpenVPN

Copy mullvad_xx.ovpn from C:\Program Files\OpenVPN\config\ or C:\Program Files(x86)\OpenVPN\config\ to the desktop, then edit it to add the following:

route-nopull
route 10.0.0.0 255.0.0.0

Also remove the line block-outside-dns.

Save the file, and then copy it back to C:\Program Files\OpenVPN\config\ or C:\Program Files(x86)\OpenVPN\config\

Click Yes on the permission requester.

Reconnect.

Follow the SOCKS5 guide for how to configure your clients that should go out via the VPN.

Set your system DNS to use a public DNS that you wish to use.

  1. Go to Windows Settings > Network & Internet > Change adapter options.
  2. Right-click on the Ethernet network adapter (or Wi-Fi adapter) that you use to connect to the Internet and select Properties.
  3. Double-click on Internet Protocol Version 4 (TCP/IPv4).
  4. Click on Use the following DNS server addresses and enter the IP as the Preferred DNS server and click on OK and then OK again.

MacOS using Tunnelblick (OpenVPN)

Right click on the Mullvad.tblk file (found inside the downloaded Zip file) and choose "Show Package Contents". Find the file mullvad_xx.conf and open it in TextEdit.

Add the following options to it:

route-nopull
route 10.0.0.0 255.0.0.0

Save the file, and then import this profile into Tunnelblick

Follow the SOCKS5 guide for how to configure your clients that should go out via the VPN.

Option 2: How to route everything via the VPN by default except certain IP addresses

Note: Remove the three lines from the examples above if you have added them.

In this example we will not route www.chalmers.se through the VPN.

First figure out the IP address that you want to go outside the VPN tunnel, in this case it is www.chalmers.se

Open up a terminal / command prompt and run nslookup www.chalmers.se.

It should respond with

Server:        10.137.8.1
Address:    10.137.8.1#53

Non-authoritative answer

Name:    www.chalmers.se
Address: 129.16.71.10

As you can see, it only has one IP address, 129.16.71.10, so we will add this using OpenVPN.

  1. Edit the OpenVPN configuration / Profile
  2. Add route 129.16.71.10 255.255.255.255 net_gateway
  3. Save changes.
  4. Restart OpenVPN connection.

Troubleshooting

  1. Are you able to ping 10.8.0.1?  If you get responses then the connection to the VPN server is working.
  2. Are you not able to get DNS lookups through? In a terminal window, run nslookup sunet.se and check which server it tries to use as well.
  3. If your browser works with SOCKS5 enabled works but fails without, then it is most likely a DNS issue.