Exclude sites from VPN connection?

  • I'm using PIA VPN service and have the majority of my clients routed through the tunnel. A handful of clients are not, for ease of use/speed; these include dedicated media players, video game consoles, and location-dependent clients.

    However, lately I'm noticing several sites that kick back error messages when attempting to use them via VPN. I know this due to testing with a WAN only client at the time of the error.

    How can I go about adding specific site exceptions that will properly work based on a URL or IP?

    Examples are:
    papajohns.com (sometimes works, sometimes nothing)
    spg.com (403 error)
    craigslist.org (claims banned IP)

  • I assume that your default gateway is the VPN uplink, or you have a "catch-all" rule at (or near) the end of the LAN rules that passes most "default" traffic and specifies the PIA VPN gateway.

    1. Make an alias "special" for the things you want to direct away from the VPN - it can include URLs and IPs.

    2. Add a rule near the top of the LAN rules to pass traffic with destination "special" and specify gateway as the ordinary gateway on WAN.

    I think it is that easy - the rule will push the traffic out the ordinary WAN, the default NAT on the way out will give the traffic a source IP of the ordinary WAN address, so return traffic will come to the ordinary WAN address…
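    The alias plus "route-to WAN" rule described above, written out as an added pf.conf-style example (not the poster's config, and only an approximation of what pfSense generates from the GUI). Interface names em0/em1/ovpnc1, the LAN subnet 192.168.1.0/24 and the gateway addresses 203.0.113.1 and 10.8.0.1 are assumed values for illustration.

```pf
# Interfaces and addresses: assumed for this example, not from the thread
ext_if  = "em0"            # ordinary WAN
lan_if  = "em1"            # LAN with the clients behind the VPN
vpn_if  = "ovpnc1"         # PIA OpenVPN client interface
wan_gw  = "203.0.113.1"    # ordinary WAN next hop (constructed value)
vpn_gw  = "10.8.0.1"       # PIA tunnel gateway (constructed value)
lan_net = "192.168.1.0/24"

# The "special" alias: the sites that must not go through the tunnel.
# In plain pf the hostnames are resolved once when the ruleset loads;
# pfSense re-resolves hostname aliases on a schedule instead.
table <special> { papajohns.com, spg.com, craigslist.org }

# Outbound NAT on the ordinary WAN, so replies come back to the WAN
# address rather than the tunnel (the "default NAT" the answer relies on).
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Exception rule. "quick" means first match wins, so it must sit above
# the catch-all that would otherwise push this traffic into the VPN.
pass in quick on $lan_if route-to ($ext_if $wan_gw) inet \
    from $lan_net to <special> keep state label "bypass VPN"

# The existing catch-all: everything else from LAN leaves via PIA.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from $lan_net to any keep state label "default via PIA"
```

    A hostname alias only covers the addresses the firewall resolved at refresh time, so a site served from many CDN addresses can still partly leak into the tunnel, which is where list- or ASN-based aliases help.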

  • Yup, it's that easy. It's worth also thinking about using pfBlockerNG to maintain the lists, which allows the use of AS numbers, which can be helpful for larger sites, etc.

