Open nalllen opened 3 years ago
You should be able to exclude Steam and have all games launched by Steam to be excluded. Same goes for specific shells. But we'll consider this feature too.
I would also like to see this feature added. The Mullvad app doesn't pick up a lot of my app installs, and hunting down every game and professional program I need to exclude is a gargantuan task.
It would be a big boost to usability if I could choose to only tunnel a few crucial programs, like web browsers, while leaving everything else untouched.
I would also like to voice my support for this if it will help.
I want the best performance and least latency for the majority of programs I use. There are only a handful that I'm concerned with securing with a VPN.
I'd suggest an option for each program in the split tunneling list as to whether or not it will travel through the VPN, and then an option for whether all programs that are not in the list will go through the VPN or not.
This would offer a good level of control for all kinds of users.
We will likely not implement this on Windows at least. Because we have looked at what would be needed and it's more work than a simple negation of some firewall rules. All these rules are pretty critical to the security of the apps and any extra logic introduces new risks of having bugs causing leaks that could be critical. We don't feel like the current need for this is large enough to justify such a risk. After all, the app is privacy oriented and the intended use case is that it tunnels all your traffic.
Since we currently can't make DNS on Windows go outside the tunnel for an excluded process it would be strange to exclude most processes and only tunnel a few. Because the DNS requests for all excluded processes would still go in the tunnel. And that's likely not what you would expect/want as a user only tunneling a few applications. All the applications outside the tunnel will get DNS responses as if they were in the tunnel, which could affect their behavior and functionality.
That's a shame. Having a whitelist would be most useful as I only really want to use Mullvad for IP masking for my torrent clients. I tried setting up OpenVPN with Mullvad using route-nopull and trying to get only my torrent client to tunnel through, but I just couldn't get it to operate properly, through any combination of port forwarding with MV, running the SOCKS5 proxy or not, and changing my settings; some trackers just wouldn't connect, UDP seemed to be all jacked, I got overwhelmed and gave up. Tunneling through the Mullvad App seemed to work fine though (and was much simpler; I admit to my lack of experience), so I opted to just use it and whitelist every other program I could think of, although I know there's lots still that aren't in the list that I'd have to add and manually browse for their executables.
Even though you can't implement a way for excluded applications to route DNS information outside of the tunnel, I don't really mind if all of my DNS traffic goes through the VPN tunnel anyway, as I only am really using Mullvad servers in my own geographical location, since I only want my IP to be masked, I don't really want to show up as a different country.
It would be a nice-to-have, but if it's far too much trouble to implement, I suppose the wants of a select handful of us users aren't that high on the development docket haha
Will inverse split tunneling be implemented for LINUX?
I've tried to implement this with the namespace technique but have not managed to get it to work with Mullvad. If there is a way to do it manually, with the namespace trick, then that would be good enough for me, but would love to have formal validated instructions from Mullvad on how to do it properly ensuring that DNS goes to the right tunnel/gateway and everything stays nicely segregated.
I was able to do this (with openvpn) before systemd-resolved took over DNS in Ubuntu. Now it's quite difficult to figure out what that resolver is doing and I rely on dnsleaktest.com to tell me!
This is a real shame since certain competitors offer much more flexible settings - whitelist/blacklist and separate DNS for direct/VPN connections. The (apparent) superiority and configuration flexibility is one of the reasons why I haven't switched to Mullvad yet.
Their VPN client is open source. Why cannot Mullvad offer such a flexible configuration - is it due to security (if their implementation is inherently insecure, I think this fact should be made known) or not enough resources allocated/not seeing this as an important feature?
@cooky-cook That PIA tunneling feature seems quite overwhelming and I know Mullvad is good for simplicity and less cluttered. So, I hope they can make it more simple.
This is something I'd love to see implemented for Windows too eventually. In addition to PIA, I believe ProtonVPN also has both normal and inverse split tunnel, their apps are open source too.
Chiming in for support of this feature. I really only use Mullvad for one or two programs so having to manually split tunnel everything as I install new programs is becoming a headache.
Adding another comment to the pool of people who want this feature.
Adding another for someone who would like to see this implemented. This is the biggest feature I miss from ProtonVPN that Mullvad doesn't have. The way it is set up now is quite an annoyance to go through and find every program, and is almost impossible for some games and anti-cheat etc.
For a linux implementation, vopono would be a good reference implementation as doing split tunneling this way can be very useful.
I for one would really like to see this on Android, though. OpenVPN already supports this (you can switch between a white- and a blacklist for apps that should be connected to the VPN) and I don't think this would be hard to implement.
I like the Mullvad app, but this feature missing just made me go back to the horrible OpenVPN solution.
This feature is absolutely necessary because many Origin games don't work while split tunneling even if you exclude the Origin launcher + exe files manually. Maybe I am missing an important exe file which I need to exclude too, but if we had an "inversed split tunnel" the problem would be solved easily.
Because the official app for Windows and Android lacks this feature, I used the official WireGuard app and SOCKS proxies. This is possible, but hard to configure, and needs regular maintenance (because Mullvad servers change). Also, Mullvad SOCKS proxies are slow compared to the pure WireGuard protocol. So in the end I switched to the app, but need to exclude tons of programs, because I really need Mullvad only for 1-2 apps.
I would really like this feature. Split tunnelling in its current implementation is backwards in my opinion. I'd find it more useful and feel more secure with a small list of apps that go through my WireGuard tunnel, knowing everything else is normal ISP traffic. The current implementation is so close to fitting my use case, it just needs to be inverted.
Maybe this can help you guys meanwhile : https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982
I would like this feature as well, primarily because it seems impossible to actually add Windows Store apps/Xbox games to split tunneling because of the hyper-locked-down file security. I can't seem to modify permissions to allow Mullvad to see those programs without breaking them. Inverse split tunneling would work around that problem by letting me opt-in instead of opt-out.
Many other products allow you to choose between opt-in and opt-out, so I know it can be done.
Another voice for support of this feature. Would help UWP apps as well: https://github.com/mullvad/mullvadvpn-app/issues/2822
My usage of a VPN most definitely is the opposite of the default; I only want it routing torrent clients... but instead have to blacklist every single other damn program I use and game I play, which is incredibly annoying. On top of that, certain things (some game connections) just don't seem to work properly when added to the tunnel and I can't figure out why.
Also, outside of the scope of this issue, but the default list of programs is... very strange. It seems like it's only pulling a list from the start menu programs, and there's no way to change it. There's a lot of irrelevant things in there, especially if you have a lot of GOG games installed.
And lastly, when manually choosing an exe, it always defaults to the user folder instead of the last selected location. Minor gripe in comparison.
I also agree. An inverse split tunnelling feature would be an absolute game changer. Being able to choose what applications you want to be in the VPN would be a life saver. It's just too hard and takes way too much time and effort to add every single program I don't want to be connected to the VPN.
I would also like this to be implemented.
Currently I am using wiresocks as a workaround, with WireGuard config files downloaded from https://mullvad.net/account . It's a decent solution for applications that support SOCKS5 proxies.
Just adding my voice to the pool. I can't seem to get Minecraft excluded no matter what exes I select.
> Just adding my voice to the pool. I can't seem to get Minecraft excluded no matter what exes I select.

You can try using something like NetLimiter to monitor which processes Minecraft uses to send and receive data.
Hi, I would also love to see this added to the Windows build. When I'm trying to only run my browser through a VPN it's a pain to add every application and then manually remove them all when I want to run everything through a VPN again.
Commenting to add my voice to this request as well. My primary use-case for the VPN is getting alternative routing for specific applications when there's a problematic node between me and the server I'm connected to. I rarely want more than a single application to use the VPN.
Yes please, that would be super useful!
FOR ANYONE THAT IS TRYING TO GET INCLUSIVE, IT IS EASY: DOWNLOAD THE OPENVPN AND WIREGUARD CONFIG FROM THE SITE, AND THEN DOWNLOAD Windscribe_2.6.14.exe. AFTER THAT JUST CREATE A FREE ACCOUNT AND UPLOAD YOUR CONFIG FILE TO THEIR PLATFORM, THEN CONNECT. AFTER THAT GO IN SETTINGS AND THEN TURN ON THE SPLIT. AFTER THAT YOU CAN CHOOSE IF YOU WANT IT INCLUSIVE OR EXCLUSIVE.
GOOD LUCK
Hello, thanks, sorry if I lack the technical skills to follow this topic.
For years, this worked great -> Mullvad over OpenVPN and this helpful guide, https://mullvad.net/en/help/split-tunneling-mullvad-vpn. Just need access to the SOCKS5 proxy servers, to use with Firefox and Mullvad Browser with the Mullvad Browser extension.
Basically, all that is needed is `route-nopull` in the .ovpn config file.
Do not want the VPN to change the default route, do not want the VPN to change the routing table, do not want all traffic to flow over the VPN.
I spent days, tried `Table = off` and various attempts at `AllowedIPs`.
Just want to use the SOCKS5 proxy servers without forcing all traffic through the VPN. As I upload a lot of large files to the internet, there is no reason or want to force that through slow VPN connections.
Please, help, thanks so much, David
> Maybe this can help you guys meanwhile : https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982

I had already found that, tried that, and while it did add/remove rules from the routing table, it still never worked for me.
The only problem with using Mullvad over OpenVPN is that it cannot access multiple proxy servers as compared to Mullvad over WireGuard.
Sorry, a bit frustrating; after all this time, WireGuard over Mullvad still cannot do what the competition can, or even what Mullvad over OpenVPN can?
> Do not want the VPN to change the default route, do not want the VPN to change the routing table, do not want all traffic to flow over the VPN. I spent days, tried `Table = off` and various attempts at `AllowedIPs`.
@asdffdsazqqq this worked for me on Windows 10: https://superuser.com/a/1658611/89979
In summary: set the `HKEY_LOCAL_MACHINE\Software\WireGuard\DangerousScriptExecution` registry value to 1, for example by running this command in an admin shell:

```
reg add HKLM\Software\WireGuard /v DangerousScriptExecution /t REG_DWORD /d 1 /f
```

```ini
[Interface]
PrivateKey = <...>
Address = <...>
DNS = <...>
PostUp = powershell -command "$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route add 0.0.0.0 mask 0.0.0.0 0.0.0.0 IF $wgInterface.ifIndex metric 95"
PreDown = powershell -command "$wgInterface = Get-NetAdapter -Name %WIREGUARD_TUNNEL_NAME%; route delete 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 95"
Table = off

[Peer]
PublicKey = <...>
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = <...>
```
@Qtax, thanks, but that approach never fully worked for me, much as I tried. https://superuser.com/questions/1658610/how-do-i-disable-routing-table-changes-in-wireguard-for-windows/1658611#1658611 is basically the same as this, as mentioned earlier in this topic: https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982
Just now, after days of experimenting, I have a working setup. It seems to do everything I need.
```ini
[Interface]
PrivateKey = redacted
Address = 10.68.138.201/32
PostUp = cmd /c route add 10.124.0.0 mask 255.255.254.0 10.68.138.201 metric 9999
PreDown = cmd /c route delete 10.124.0.0 mask 255.255.254.0
Table = off

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = 198.44.128.194:51820
```
```console
> curl https://ipv4.am.i.mullvad.net --max-time 2 --silent
74.102.225.xxx
> curl https://ipv4.am.i.mullvad.net --socks5-hostname 10.8.0.1 --max-time 2 --silent
146.70.166.3
> curl https://ipv4.am.i.mullvad.net --socks5-hostname 10.124.1.38 --max-time 2 --silent
69.4.234.120
> curl https://ipv4.am.i.mullvad.net --socks5-hostname us-slc-wg-socks5-103.relays.mullvad.net --max-time 2 --silent
69.4.234.120
```
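The two `Table = off` recipes above share the same failure modes: an `AllowedIPs` that covers all of IPv4 without `Table = off` makes WireGuard install a default route (exactly what both posters want to avoid), a `PostUp` route with no matching `PreDown` leaves a stale route behind, and a `PostUp` route outside `AllowedIPs` is never carried by the peer. The following is an added Python linter for those three checks, not code from this thread or from Mullvad; the embedded config is a constructed copy of the working one above with the keys redacted and the relay endpoint replaced by a placeholder.

```python
"""Lint a WireGuard config for the Table = off pitfalls in this thread: default-route hijack
when AllowedIPs covers IPv4, PostUp route with no PreDown, PostUp route outside AllowedIPs."""
import ipaddress
import re

# Constructed sample modelled on the working config posted above (keys and relay redacted).
SAMPLE_CONFIG = """[Interface]
PrivateKey = REDACTED
Address = 10.68.138.201/32
PostUp = cmd /c route add 10.124.0.0 mask 255.255.254.0 10.68.138.201 metric 9999
PreDown = cmd /c route delete 10.124.0.0 mask 255.255.254.0
Table = off
[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = <relay-ip>:51820
"""
ROUTE_RE = re.compile(r"route (add|delete) (\S+) mask (\S+)")

def parse(text):
    """Return {section: {key: [values]}}; keys such as PostUp may repeat."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def hook_routes(values, action):
    """Networks that 'route add/delete X mask Y' commands in PostUp/PreDown hooks touch."""
    return {ipaddress.ip_network(f"{dest}/{mask}") for v in values
            for act, dest, mask in ROUTE_RE.findall(v) if act == action}

def check(text):
    """Return a list of findings; an empty list means the config looks sound."""
    cfg = parse(text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    allowed_v4 = [n for n in (ipaddress.ip_network(p.strip()) for v in peer.get("AllowedIPs", [])
                  for p in v.split(",") if p.strip()) if n.version == 4]
    table_off = iface.get("Table", [""])[0].lower() == "off"
    findings = []
    # 0.0.0.0/1 + 128.0.0.0/1 collapse to 0.0.0.0/0: without Table = off that is a default route.
    all_v4 = list(ipaddress.collapse_addresses(allowed_v4)) == [ipaddress.ip_network("0.0.0.0/0")]
    if all_v4 and not table_off:
        findings.append("AllowedIPs covers all IPv4 but Table is not off: "
                        "WireGuard will install a default route into the tunnel")
    added = hook_routes(iface.get("PostUp", []), "add")
    removed = hook_routes(iface.get("PreDown", []), "delete")
    if table_off and not added:
        findings.append("Table = off but no PostUp route: nothing reaches the tunnel")
    for net in sorted(added):
        if net not in removed:
            findings.append(f"PostUp adds {net} but no PreDown deletes it (stale route)")
        if not any(net.subnet_of(a) for a in allowed_v4):
            findings.append(f"route {net} lies outside AllowedIPs; the peer won't carry it")
    return findings
```

Run `check()` over a config file's text before loading it into the WireGuard client; the sample above yields no findings, while dropping `Table = off` or the `PreDown` line produces one finding each.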
Would be nice to see this sometime.
Would also love this.
Here to say that this would save me a lot of headaches. In fact, I'm cancelling my subscription right now and seeking a refund because this is a real dealbreaker. I can set it up manually with OpenVPN, sure, but like others have said that jacks things up. Like, the SOCKS proxy y'all provide doesn't seem to support IPv6 at all and UDP is jacked up so I can't use it for what I want to use it for
> We will likely not implement this on Windows at least. Because we have looked at what would be needed and it's more work than a simple negation of some firewall rules. All these rules are pretty critical to the security of the apps and any extra logic introduces new risks of having bugs causing leaks that could be critical. We don't feel like the current need for this is large enough to justify such a risk. After all, the app is privacy oriented and the intended use case is that it tunnels all your traffic.
>
> Since we currently can't make DNS on Windows go outside the tunnel for an excluded process it would be strange to exclude most processes and only tunnel a few. Because the DNS requests for all excluded processes would still go in the tunnel. And that's likely not what you would expect/want as a user only tunneling a few applications. All the applications outside the tunnel will get DNS responses as if they were in the tunnel, which could affect their behavior and functionality.
LISTEN TO YOUR CUSTOMER PLEASE !!!!! WE WANT IT SO MUCH !!! @faern
Sad to see this feature is still not available. I would argue that a large portion of the customer base is looking to route only one particular application's traffic (We all know what this is).
I understand that there are difficulties implementing this on Windows, but I do not see any explanation for Linux. If this was available in Linux, I could at least come up with a viable workaround.
Unfortunately, I was not able to figure out an easy way to set this up, so I have to cancel my subscription until this feature gets implemented.
Throwing my hat in as another that would love this feature.
Another call for this feature.
Basically, I'm just trying to use my PC without mullvad VPN, and then only have a secure browser use mullvad (for example, mullvad browser).
At least on the Android app it would suffice to have a button that moves all apps at once to Excluded Apps, and another button that removes all apps at once from Excluded Apps. Then I would be able to select the few apps that should connect via VPN without having to tap on about one hundred (+) buttons.
> This is a real shame since certain competitors offer much more flexible settings - whitelist/blacklist and separate DNS for direct/VPN connections. The (apparent) superiority and configuration flexibility is one of the reasons why I haven't switched to Mullvad yet.

But not for Android apparently. I just installed the PIA app: it defaults to all apps "protected" and you have to tap on each single one to leave only the few apps you want "protected".
IVPN has this feature, and I'm waiting for Mullvad to have this feature as well before I switch.
Add. This.
PLEASE add this 😠 how is it not in yet
+1
Please. Add. This. Feature. Mullvad!
Please add this, I can't play Minecraft :( already tried everything but only shutting Mullvad down seems to help.
> Please add this, I can't play Minecraft :( already tried everything but only shutting Mullvad down seems to help.
Yeah, like I mentioned in Dec 2022, it just seems impossible. I've not found a way to do it either.
Sad this has been left stale for so long.
+1
> For a linux implementation, vopono would be a good reference implementation as doing split tunneling this way can be very useful.

It would be very useful, but vopono is not a good reference implementation. It does not work with IPv6 endpoints (https://github.com/jamesmcm/vopono/issues/181) and even with IPv4 endpoints there are various issues when you have a running firewall (https://github.com/jamesmcm/vopono/issues/273). It never worked for me.
If namespaces are the only way of doing inverse split tunnelling on Linux, they are too complex and will lead to so many other troubles that it's not worth implementing them.
The recent beta release that added split tunneling to Windows is great, but it's sadly not perfect for my use case, since trying to add almost everything to the split tunneling list basically becomes unsustainable.
So I would really like an inverse split tunneling feature that only routes selected programs or IPs and leaves the rest unaffected.
A use case for this could be when performance and latency are very important for the majority of programs and games you run.
This might go against Mullvad's philosophy regarding privacy, but I feel it would be a great option to have!