Use VPN only for certain domains/hostnames
You can specify a route to a host name only if you use --allow-pull-fqdn
details can be found in The OpenVPN Manual
You can add this to the .ovpn file:
allow-pull-fqdn
route www.google.com 255.255.255.255 net_gateway
Then on openvpn startup this will lookup www.google.com, get it's IP address, and then add a route for that using the net (not VPN).
The problem is, google uses multiple IP addresses, so when you try to visit google it will still use the VPN unless you happen to hit the same IP address it looked up when it started.
One hack is to get one of the IP addresses that google uses and add it to your /etc/hosts, so then your machine will always use the same IP address for google, and the openvpn route command will accomplish what you want.
Problem is, of course, if google ever stops using that IP address or, for whatever reason, wants to route you to a different IP address. Then it fails.
I know this entry is very late to the game, but I recently spent several hours researching this same topic and figured I'd help others that might be looking for the same thing. While the most common use case to is route everything through your VPN, there are two exception scenarios, when it comes to VPNs:
- You want mostly all traffic to go through the VPN, with a few exceptions
- You only have a couple of sites that you want to route through the VPN
Route most with exceptions For scenario # 1, David's response works just fine. To overcome the multiple IPs issue, do a WHOIS lookup and create the route for an IP address block, not just an IP address. Note that you might have to perform several look ups, to get the entire set of IP address blocks.
# if your build doesn't support "net_gateway," replace it with your own default gateway
# I added extra spacing for legibility, but a single space is fine
route 172.217.0.0 255.255.0.0 net_gateway ; google.com
route 216.239.32.0 255.255.224.0 net_gateway ; google.com
allow-pull-fqdn ; my config works *without* this option, so test on your build
route google-public-dns-a.google.com net_gateway ; 8.8.8.8
route google-public-dns-b.google.com net_gateway ; 8.8.4.4
route ifconfig.co net_gateway ; confirm at least one exception is routing properly
route whatismyip.com net_gateway
Route just a few
David's response also applies to scenario # 2; however, you add the route-nopull
option, to prevent the server from sending a default route for the VPN. I haven't tested it, but I suppose you could add your own default route to point to your net_gateway.
route 1.2.3.0 255.255.255.0 vpn_gateway ; "vpn_gateway" is optional & 1.2.3.0 is fictitious
route 2.3.4.0 255.255.255.0 ; another example - perhaps an IPTV provider
allow-pull-fqdn
route ifconfig.me vpn_gateway
route myexternalip.com vpn_gateway
route-nopull
Testing the configs I like to add routes for ifconfig.co, ifconfig.me, whatismyip.com, and myexternalip.com, because it allows me to quickly test what profile I'm running: either full VPN or split tunneling. When I'm running full VPN, all sites will return my VPN address; otherwise, ifconfig.co and whatismyip.com will return my local address, while ifconfig.me and myexternalip.com will return my VPN address.
C:\utils> for %f in (co me) do curl ifconfig.%f
- or -
PS C:\utils> "whatismyip", "myexternalip" | % { Start-Process ("http://{0}.com" -f $_) }
I know it's nothing special, but I provide some details that would really have helped me, when I was looking around. I hope this helps at least one person.
I'd love to hear about any other VPN tips or tricks out there. Happy secure surfing!