I have a 2019 MacBook Pro (Sonoma 14.1 | Intel). Split tunneling for most popular VPN services is not an option on macOS or iOS.
The only site/s I need this for are banking websites/services (because… banks). If I could split-tunnel, I’d dedicate one browser simply for the purpose of banking and split that browser.
Since split tunneling isn’t an option, I was searching for a way to add specific URLs to an allowlist. I cannot find details on doing such a thing.
I’m a novice at networking, but fairly comfortable with the command line for macOS and Ubuntu (to give you an idea of my technical inclination).
Although our macOS app does not currently offer a Split Tunnelling feature or support excluding specific hosts or IP addresses from the VPN tunnel, below are workarounds that might help achieve your goals.
IVPN app using additional OpenVPN parameters
This method allows adding exceptions using OpenVPN additional parameters that will be applied to all of your OpenVPN connections in the IVPN app.
Launch your Terminal app and open the OpenVPN extra parameters file using, e.g., the nano text editor:
Replace dnsleaktest.com with an IP address or hostname you wish to exclude from the VPN tunnel and 10.0.0.1 with the IP address of your default gateway. To quickly determine the IP address of your default gateway:
netstat -nr | grep default | grep en0
Control+X -> Yes to save changes and exit the editor.
Now, every time you are connected to any OpenVPN server, all requests to the specified host will bypass the VPN tunnel and use your default gateway instead.
Note: this will not work with the IVPN Firewall enabled, as it is designed to block all traffic that attempts to bypass the VPN tunnel.
WireGuard ‘Inverse Split Tunnelling’ method
This method involves using a native WireGuard client with our SOCKS5 proxy server configured on the selected ‘VPN-only’ browser (Firefox is used as an example). The traffic of all other browsers and applications will use your ISP connection.
Start the Firefox browser and navigate to Settings - Network Settings. Select Manual proxy configuration - SOCKSv5 and specify the IP address of the selected IVPN SOCKS5 proxy server, e.g. Kyiv 10.1.201.214 and port 1080 (the full list of our SOCKS5 proxy servers is available here - https://www.ivpn.net/status - https://a.cl.ly/bLuyljrq). Have the Proxy DNS when using SOCKSv5 option checked to ensure the hostnames are resolved using the IVPN DNS server.
*Optional. You can specify the hostnames of websites that you want to bypass the VPN connection in this VPN-only browser in the "No proxy for" field.
Before importing the generated config file, open it with any text editor, remove the DNS = field, and replace the entries in the AllowedIPs field with the IP address of the SOCKS5 proxy server you have specified in your VPN-only browser (https://a.cl.ly/12uQ7NO4). Save the changes and import the file to the WireGuard client.
Connect with the newly created WireGuard config file and start the SOCKS5 proxy-configured browser. All web pages you visit in this browser will be using the specified IVPN SOCKS5 proxy endpoint. Check the assigned public IP address at https://dnsleaktest.com
All other browsers will use your ISP connection. You can use them to access websites that restrict the use of VPNs. Check the assigned public IP address at https://dnsleaktest.com
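The two manual steps above (reading the physical default gateway for the OpenVPN exception, and narrowing the WireGuard config to the SOCKS5 proxy) as an added shell example; this is not IVPN's code or the original post's. The netstat output and WireGuard config are constructed samples with placeholder keys, the proxy IP is the Kyiv one quoted above, and the OpenVPN `route` directive is my assumption of the form the extra parameter takes.

```shell
# Constructed sample of `netstat -nr` output from a Mac with a VPN up (not real output)
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.8.0.1           UGScg           utun3
default            10.0.0.1           UGScIg          en0
10.0.0/24          link#5             UCS             en0      !'
# Constructed sample WireGuard config as generated, with placeholder keys
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 172.16.0.2/32
DNS = 172.16.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wg.example.invalid:51820'

# default_gateway NETSTAT_OUTPUT: gateway of the default route on en0, skipping the
# VPN's own default route on utun* (the same filter as the netstat | grep above)
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $4 == "en0" { print $2; exit }'
}

# openvpn_route_line HOST GATEWAY: OpenVPN "route" directive (assumed form of the extra
# parameter) that sends HOST via the physical gateway instead of the tunnel
openvpn_route_line() {
    printf 'route %s 255.255.255.255 %s\n' "$1" "$2"
}

# inverse_split_config CONF PROXY_IP: drop the DNS line and narrow AllowedIPs to
# PROXY_IP/32 so that only traffic to the SOCKS5 proxy enters the WireGuard tunnel
inverse_split_config() {
    printf '%s\n' "$1" | awk -v proxy="$2" '
        /^[[:space:]]*DNS[[:space:]]*=/        { next }
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ { print "AllowedIPs = " proxy "/32"; next }
        { print }'
}

# check_inverse_split CONF PROXY_IP: succeeds only if no DNS line remains and the
# AllowedIPs line is exactly PROXY_IP/32; run it before importing the edited file
check_inverse_split() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*DNS[[:space:]]*=' && return 1
    allowed=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p')
    [ -n "$allowed" ] && [ "$allowed" = "$2/32" ]
}
edited=$(inverse_split_config "$SAMPLE_CONF" 10.1.201.214)
check_inverse_split "$edited" 10.1.201.214 && printf '%s\n' "$edited"
```

Replace the sample strings with the real `netstat -nr` output and the config downloaded from the IVPN site; the check deliberately fails if more than one AllowedIPs line is present, so multi-peer files need a manual look.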
In addition to the other options, my preferred (more complicated) method would be OPNsense router/firewall with an IVPN tunnel and selective routing. You would just maintain a list of sites that you want to bypass the VPN.