
Split tunneling based on domain names/IP addresses #2071

Open
jorik392 opened this issue Sep 4, 2020 · 19 comments
Labels
feature request For issues asking for new features

Comments

@jorik392

jorik392 commented Sep 4, 2020

Split tunneling is currently limited to specific applications.

It will be useful to also have the ability to do this for specific domain names/IP addresses so traffic to them will not go through the VPN.

@faern
Member

faern commented Sep 4, 2020

Before starting the split tunneling work we evaluated doing it per IP/IP range or per application. We decided that per application was the most useful of the two for the majority of users. So we went with that.

There are currently no plans for other types of split tunneling. That does not mean it will never exist, just that we are currently not planning for it or have a timeline for it.

@faern faern closed this as completed Sep 4, 2020
@faern faern added the feature request For issues asking for new features label Sep 4, 2020
@jorik392
Author

jorik392 commented Sep 4, 2020

Can this be reopened if you think this has a chance to be implemented in the future? Many other VPN software including the generic OpenVPN client offer the ability to do this and it would be beneficial to users that have no choice but to disable the VPN for certain domain names/IP addresses.

@faern faern reopened this Sep 9, 2020
@Hurstwood

Hurstwood commented Dec 23, 2020

Jorik392, if you are thinking of websites like legitimate streaming services that do not permit access via a VPN/proxy, you could always have a dedicated browser for non-VPN traffic.

Chrome, Firefox, and Edge all have stable and nightly releases. That's 6 available browsers, not including alpha and beta releases. I'm not sure about Safari; and then there are other browsers, but that depends on how you feel about them.

For me, I prefer internet traffic to be routed through the VPN by default and specific internet traffic to be routed outside of the VPN by making specific rules - a white list. Looking at OpenVPN's documents, it appears to function the opposite way. Internet traffic is routed outside of the VPN by default and you create rules for traffic to be routed through it. Remember, OpenVPN is meant to provide a user access to a private network, not obfuscate their activity.

An issue I see with split tunneling via domain name or IP address is that most websites pull resources from several servers, therefore for one website you will have to create several rules. Every server can be accessed via several IP addresses. What happens when a server changes its IP addresses or resolved name - a user will think they're protected when they are not. It sounds like a disaster waiting to happen.

@raphpa

raphpa commented Jan 12, 2022

Split tunneling for IP addresses also has other use cases and is implemented in other VPN clients like PIA's.

Two use cases I have right now:

  • My machine is on the 192.168.0.0/24 subnet and I (intentionally) have another local subnet 192.168.100.0/24 which is accessible through my router and its firewall. I cannot reach that subnet right now as the VPN client only seems to whitelist the local subnet of my current machine.

  • Tailscale uses the 100.64.0.0/10 subnet, so you need to be able to whitelist this block in order to use Tailscale at the same time as the Mullvad VPN to reach your servers.

@faern
Member

faern commented Jan 13, 2022

You should be able to reach 192.168.100.0/24 if you enable local network sharing. However, mind that you need to have a route set up for this network. It has to be a route more specific than the default route that absorbs all traffic to the tunnel, then it will work. But that's probably what you should have anyway if you intend to communicate with that network.

Depending on your operating system you can always set up your own custom split tunneling with the firewall/routing table. If you use Linux, see this guide for some tips and tricks to exclude whatever types of packets: https://mullvad.net/en/help/split-tunneling-with-linux-advanced/

@ghost

ghost commented Jan 21, 2022

Another good purpose of this would be w/ IP locked services, which don't let you connect from a different IP address. Since Mullvad won't let you have dedicated IPs, it's pretty much just constantly requesting to change your IP address or not using a VPN at all, at least that's how it went in my case

@Drakonas

Drakonas commented Mar 16, 2022

Is this possible to be implemented? It would be really handy. Some private websites don't allow you to use a VPN to browse them (and ban when you do so), but allow it to be used with connections through other apps.

Having an IP/domain whitelist would be very handy in these use cases, because otherwise you have to exclude the browser entirely instead of only the specific site you need excluded (and whatever connections it uses).

@faern
Member

faern commented Mar 17, 2022

@Drakonas The current recommendation is to run multiple browsers. One that is excluded and one that is not. Then you can do your non-VPN stuff in the excluded one.

@relativisticelectron

It would be great if this nftables based method would be integrated into the Linux version: https://github.com/relativisticelectron/python-mullvad-tailscale

@Ejz85

Ejz85 commented Aug 14, 2024

Implementing this could solve the voice chat issues people have in games like Valorant and Overwatch?

@galennare

Additionally would resolve common issues people might have with work VPN/secure virtual desktops people might use for remote work.

@metal450

Just trying out Mullvad for the first time, this missing feature is an immediate headache:

  1. I have to use Twingate for work, but it can't connect as long as I'm on Mullvad (same issue as Tailscale mentioned above)
  2. I use multiple sites that won't let me access them through a VPN. I know I can use an entirely separate browser, but that's a hassle, and means I need to do that on every system - 2 dual-boot PCs and 1 phone = 5 OSs. That's a lot of extra browsers just to circumvent this. I really like Mullvad's privacy, but this adds a lot more friction than expected - figured I could just easily exclude traffic I don't want to run through the VPN...

@faern
Member

faern commented Sep 17, 2024

> 1. I have to use Twingate for work, ...

That's unfortunate :( For compatibility with separate VPN-ish products I mainly recommend contacting our support, since this is a feature request. And/or maybe they (support) know of a workaround or similar.

> 2. I use multiple sites that won't let me access them through a VPN. I know I can use an entirely separate browser, but ...

Sounds like you run Mullvad on some router or something? Or how is IP split tunneling solving the issue on five devices with just one split? If you run Mullvad separately on all five devices you still need to set up the splitting five times over. I'd argue that this is not that much less work than installing an extra browser on five devices.

The current stance is that for splitting specific websites we recommend a separate browser.

@metal450

> For compatibility with separate VPN-ish products I mainly recommend contacting our support, since this is a feature request. And/or maybe they (support) know of a workaround or similar.

Yeah I already did. They refused to help.

> Sounds like you run Mullvad on some router or something?

No...? Just using it on my PC.

> Or how is IP split tunneling solving the issue on five devices with just one split?

...?? It's not.

> If you run Mullvad separately on all five devices you still need to set up the splitting five times over. I'd argue that this is not that much less work than installing an extra browser on five devices.

The one-time setup is similar, yes. But that's just one-time. Now on an ongoing basis, you need to have twice as many browsers installed everywhere. Twice as many browsers using up storage on each OS, twice as many browsers needing to be kept up to date, needing to quit & launch another separate process rather than simply alt+T a new tab, and so on and so on. Having to remember on an ongoing basis which sites you need to use through a separate browser. It's far, far more user friction & a far worse user experience on an ongoing basis vs just doing the up-front setup & then everything working seamlessly & the same: getting to use one browser for everything like normal.

@faern
Member

faern commented Sep 17, 2024

There are multiple problems with splitting the IP for example.com and then just hoping it works well.

  1. example.com might change IP. Requiring something to monitor the domain and check for changes. Also larger services have a huge amount of associated IPs and they might return random replies at different times, making it hopeless to enumerate all IPs for a given domain.
  2. When you load one website it's not talking strictly to one domain. It will load truckloads of resources from various places, usually. So when you load the excluded-from-tunnel example.com, should the dependency cdn.some-host.xyz be loaded in the tunnel or outside the tunnel? If another-example.com that is not excluded also loads from cdn.some-host.xyz, should it be different? If the splitting happens on an IP level, it can't really. And this might impact the end result of how example.com behaves.
  3. Many services can share a single IP. A single IP can host both example.com and another-example.com. The server knows what page you want to load from the host header in your request. This means that if you exclude the IP for example.com you will also indirectly exclude any traffic to other services sharing the same IP.

All of the above combined makes it really hard to reason about behavior, security and privacy. Thus we don't really recommend tunnel splitting based on IP, but rather per application.

Our own Firefox browser extension, and our own browser supports per-domain exit servers. Meaning you can custom route some websites to a different VPN server. This is sort of what you want! Except that you can't tell it to route anything outside the tunnel altogether. Having an option to route things outside the tunnel altogether would not be technically impossible. However, it would require some deeper integration between our app and our browser extension. This has currently not been prioritized.

@metal450

Understood, thanks for that context.

Honestly at this point my real blocker is the Twingate thing anyway, since the website thing at least does have a workaround. For Twingate, I simply have to disconnect from Mullvad entirely - otherwise I'm unable to work. The result has been that...I'm pretty much never able to use Mullvad at all.

@bak1an

bak1an commented Dec 26, 2024

Same as above, I need to allow a certain network to go through another VPN for work; Mullvad is very aggressive and blocks everything.
Local network sharing is sort of a solution, but I need just one small /24 network, not all possible local networks, to be open.

@metal450

For what it's worth, I ultimately gave up on using Mullvad. Since my work VPN is non-optional I couldn't really connect to Mullvad the vast majority of the time. After lots of reading I'm certain there's a way for them to work together, but both ends basically just said I had to ask the other, and I didn't have further time to dedicate to trying to figure it out myself. So I had to drop Mullvad :(

@bak1an

bak1an commented Dec 27, 2024

Based on #2071 (comment) and https://mullvad.net/en/help/split-tunneling-with-linux-advanced but for macOS, I wrote a pfctl wrapper to allow my specific network - https://gist.github.com/bak1an/33a920627d70d6d8c08bba362c83369a

Now it works; the route was already present from the other VPN, the only thing blocking it was Mullvad's PF rules.

Had to stuff it under the apple.com/ anchor so it gets executed before Mullvad's other rules.

It would be great if Mullvad's default PF ruleset also had an empty table, like mullvad_allow, and pass rules for addresses from it.

Then the whole custom routing on macOS would be a simple:

  1. Set the route to the custom network (or have it set by the other VPN for you)
  2. Add this network to this PF table

Much better than figuring out all the mess Apple did with PF and anchors and whatnot.
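The two conditions discussed in this thread (faern's point that a route more specific than the tunnel's default route is needed before any local-network allowance helps, and bak1an's finding that the route was already there and only the firewall rules were blocking) can be checked against a small model. The following is an added example written for this discussion, not Mullvad's code or the gist above: it does longest-prefix-match route selection with Python's standard `ipaddress` module and then applies a pf-style policy in which traffic may leave via the tunnel interface freely but anything on another interface is blocked unless the destination is in an allow table. The interface names, the route table and the allow table are constructed assumptions.

```python
"""Model of the two things that must both hold for a destination to be
reached outside the VPN tunnel: a more specific route than the default
route, and a firewall allowance for that destination.

Added illustration for this issue thread; not Mullvad's implementation.
Interface names and addresses are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table (interface names are assumptions):
#   - a catch-all default route that absorbs everything into the VPN tunnel
#   - the machine's own LAN
#   - a /24 installed by a second (work) VPN, as in bak1an's setup
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "utun-vpn"),
    Route(ipaddress.ip_network("192.168.0.0/24"), "en0"),
    Route(ipaddress.ip_network("192.168.100.0/24"), "utun-work"),
]

TUNNEL_IFACE = "utun-vpn"

# Constructed allow table in the spirit of the pf table bak1an asks for:
# only destinations listed here may bypass the tunnel.
ALLOW_TABLE = [ipaddress.ip_network("192.168.100.0/24")]


def lookup_route(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match: among all routes containing dst, the one with
    the longest prefix wins. A /24 therefore beats the /0 default route,
    which is why faern says the specific route must exist."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def firewall_verdict(dst: str, out_iface: str, allow_table=ALLOW_TABLE) -> str:
    """Pf-style policy: pass on the tunnel interface; on any other
    interface pass only if dst is in the allow table, else block."""
    addr = ipaddress.ip_address(dst)
    if out_iface == TUNNEL_IFACE:
        return "pass"
    if any(addr in net for net in allow_table):
        return "pass"
    return "block"


def handle(dst: str, routes=ROUTES, allow_table=ALLOW_TABLE) -> tuple:
    """Return (outgoing interface, firewall verdict) for a destination."""
    route = lookup_route(dst, routes)
    return route.iface, firewall_verdict(dst, route.iface, allow_table)


if __name__ == "__main__":
    # Work subnet: specific route present and allowed -> leaves via work VPN.
    print("192.168.100.7 ->", handle("192.168.100.7"))
    # Own LAN: routed locally but not in the allow table -> blocked.
    print("192.168.0.5   ->", handle("192.168.0.5"))
    # Public address: only the default route matches -> goes through tunnel.
    print("1.1.1.1       ->", handle("1.1.1.1"))
    # Without the specific route, the work subnet is swallowed by the tunnel.
    no_work_route = [r for r in ROUTES if r.iface != "utun-work"]
    print("no route      ->", handle("192.168.100.7", routes=no_work_route))
    # With the route but an empty allow table, the firewall is the blocker.
    print("empty table   ->", handle("192.168.100.7", allow_table=[]))
```

The last two cases are the ones the thread circles around: remove the specific route and the packet silently goes into the tunnel (nothing is blocked, but the work network is unreachable); keep the route but leave the allow table empty and the routing is right yet the firewall drops the packet, which is the situation bak1an hit before adding the pf rules.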

10 participants