
Split Tunneling Configuration

R-VPN supports advanced split tunneling to route traffic either through the VPN tunnel or directly (bypass).

Overview

Split tunneling allows you to:

  • Bypass VPN for specific domains/IPs (direct connection)
  • Force VPN for specific domains/IPs (always through tunnel)
  • Block ads/trackers using built-in blocklists
  • Auto-route China traffic directly (built-in CN IP ranges)

Configuration

Edit your client.toml:

[split_tunnel]
enabled = true
builtin_bypass_countries = ["CN"]  # Auto-bypass China IPs
auto_reload_interval = 300         # Reload rules every 5 minutes
block_ads = true                   # Enable ad blocking

# Optional: Custom domain lists
# bypass_domains_file = "/etc/rvpn/bypass-domains.txt"
# tunnel_domains_file = "/etc/rvpn/tunnel-domains.txt"

# Optional: Custom network lists (CIDR format)
# bypass_networks_file = "/etc/rvpn/bypass-networks.txt"
# tunnel_networks_file = "/etc/rvpn/tunnel-networks.txt"

# Optional: Custom ad block list
# ad_block_file = "/etc/rvpn/custom-ads.txt"

Configuration Options

| Option | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable split tunneling |
| builtin_bypass_countries | array | ["CN"] | Country codes for built-in IP bypass (e.g., CN, HK, SG) |
| auto_reload_interval | u64 | 300 | Auto-reload interval in seconds (0 to disable) |
| block_ads | bool | false | Enable built-in ad blocking |
| bypass_domains_file | path | - | File with domains to bypass VPN |
| tunnel_domains_file | path | - | File with domains to force through VPN |
| bypass_networks_file | path | - | File with CIDR networks to bypass VPN |
| tunnel_networks_file | path | - | File with CIDR networks to force through VPN |
| ad_block_file | path | - | Custom ad block domain list |

Routing Priority

Rules are applied in this order (highest to lowest priority):

  1. Ad/Tracker domains - Blocked entirely (if block_ads enabled)
  2. Force tunnel domains - Always through VPN (built-in list: Google, Meta, etc.)
  3. Custom tunnel domains - User-specified VPN domains
  4. Custom bypass domains - User-specified direct domains
  5. Built-in China domains - Direct if CN in bypass countries
  6. IP-based rules - CIDR range matching (custom networks, then built-in country IPs)

Default: If no match, traffic goes through VPN tunnel.

Built-in Lists

Force Tunnel Domains (Always VPN)

These domains always route through VPN, even if resolved to China IPs:

  • Google services: google.com, googleapis.com, gstatic.com, youtube.com, googlevideo.com, ytimg.com, ggpht.com, appspot.com, cloud.google.com, firebaseio.com
  • Meta services: facebook.com, fbcdn.net, instagram.com, cdninstagram.com, whatsapp.com, messenger.com, fb.com
  • Twitter/X: twitter.com, x.com, twimg.com, t.co
  • Messaging: telegram.org, t.me, signal.org, discord.com, discordapp.com, slack.com
  • AI/Search: openai.com, chatgpt.com, anthropic.com, claude.ai, perplexity.ai, bing.com, duckduckgo.com
  • Social/Media: github.com, reddit.com, linkedin.com, medium.com, quora.com, pinterest.com, tumblr.com, flickr.com
  • Streaming: netflix.com, hulu.com, hbo.com, max.com, disneyplus.com, spotify.com, soundcloud.com, vimeo.com
  • News: bbc.com, nytimes.com, washingtonpost.com, wsj.com, bloomberg.com, reuters.com, cnn.com

China Bypass Domains

200+ China-specific domains that bypass VPN when builtin_bypass_countries = ["CN"]:

  • E-commerce: taobao.com, tmall.com, jd.com, 360buy.com, suning.com, dangdang.com, amazon.cn, vip.com, xiaomiyoupin.com
  • Search/Social: baidu.com, weibo.com, sina.com.cn, zhihu.com, douban.com, jianshu.com, csdn.net, oschina.net
  • Video: bilibili.com, youku.com, iqiyi.com, douyin.com, kuaishou.com, toutiao.com
  • Cloud/CDN: alicdn.com, aliyun.com, aliyuncs.com, qiniu.com, upyun.com, qcloud.com, huaweicloud.com
  • Messaging: qq.com, wechat.com, weixin.com, dingtalk.com, feishu.cn
  • Finance: alipay.com, cmbchina.com, icbc.com.cn, ccb.com, pingan.com
  • Devices: mi.com, xiaomi.com, huawei.com, oppo.com, vivo.com, oneplus.com, meizu.com
  • Logistics: sf-express.com, zto.com, yto.net.cn, jd-express.com
  • Apple China: apple.com.cn, icloud.com.cn, cdn-apple.com (for iMessage/iCloud in China)

Ad Blocking

1000+ ad/tracking domains blocked when block_ads = true:

  • Google Ads: doubleclick.net, googlesyndication.com, googleadservices.com, googletagmanager.com, google-analytics.com
  • Facebook: facebook.com/tr, facebook.net, connect.facebook.net
  • Twitter: analytics.twitter.com, ads-twitter.com
  • Amazon: amazon-adsystem.com, amazon.advertising.com
  • Ad Networks: outbrain.com, taboola.com, scorecardresearch.com, quantserve.com, comscore.com, moatads.com, pubmatic.com, openx.net, rubiconproject.com

Custom Domain Lists

Create text files with one domain per line:

# /etc/rvpn/bypass-domains.txt - Direct connection
custom-cdn.com
internal-company.com
*.local

# /etc/rvpn/tunnel-domains.txt - Through VPN
blocked-service.com
geo-restricted.com

Then reference them in config:

[split_tunnel]
bypass_domains_file = "/etc/rvpn/bypass-domains.txt"
tunnel_domains_file = "/etc/rvpn/tunnel-domains.txt"

Custom Network Lists

Create text files with CIDR notation (one per line):

# /etc/rvpn/bypass-networks.txt - Direct connection
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12

# /etc/rvpn/tunnel-networks.txt - Through VPN
8.8.8.0/24
1.1.1.0/24

How It Works

Domain Matching

Domains are matched using suffix matching:

  • baidu.com matches www.baidu.com, api.baidu.com, mail.baidu.com, etc.
  • google.com matches mail.google.com, drive.google.com, maps.google.com, etc.
  • Matching is case-insensitive
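The routing priority and suffix matching described above, worked through as an added Rust example (not R-VPN's own code). The `Rules` struct, `decide`, `suffix_match` and the sample lists are hypothetical names and constructed data; the IP-based stage is reduced to a `NeedsIpLookup` result.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Route { Block, Tunnel, Direct, NeedsIpLookup }
type Set = HashSet<&'static str>;

/// Rule sets in the documented priority order (hypothetical struct, sample data).
pub struct Rules { ads: Set, force_tunnel: Set, custom_tunnel: Set, custom_bypass: Set, builtin_cn: Set }

/// Suffix match on label boundaries: probes "a.b.c", then "b.c", then "c".
/// One HashSet lookup per label, so "notbaidu.com" never matches "baidu.com".
fn suffix_match(set: &Set, host: &str) -> bool {
    let mut rest = host;
    while !set.contains(rest) {
        match rest.find('.') {
            Some(i) => rest = &rest[i + 1..],
            None => return false,
        }
    }
    true
}

/// Domain stage of the routing decision; `NeedsIpLookup` hands over to the CIDR rules.
pub fn decide(r: &Rules, host: &str, block_ads: bool, bypass_cn: bool) -> Route {
    // Case-insensitive; stripping a trailing root dot is an assumption of this sketch.
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    if block_ads && suffix_match(&r.ads, &h) { return Route::Block; }          // 1
    if suffix_match(&r.force_tunnel, &h) { return Route::Tunnel; }             // 2
    if suffix_match(&r.custom_tunnel, &h) { return Route::Tunnel; }            // 3
    if suffix_match(&r.custom_bypass, &h) { return Route::Direct; }            // 4
    if bypass_cn && suffix_match(&r.builtin_cn, &h) { return Route::Direct; }  // 5
    Route::NeedsIpLookup                                                       // 6
}

/// Constructed sample lists; github.com is deliberately in both force-tunnel and bypass.
pub fn sample_rules() -> Rules {
    Rules {
        ads: Set::from(["doubleclick.net"]),
        force_tunnel: Set::from(["google.com", "github.com"]),
        custom_tunnel: Set::from(["blocked-service.com"]),
        custom_bypass: Set::from(["internal-company.com", "github.com"]),
        builtin_cn: Set::from(["baidu.com"]),
    }
}

fn main() {
    let r = sample_rules();
    for h in ["WWW.Baidu.com", "notbaidu.com", "api.github.com", "ad.doubleclick.net"] {
        println!("{:<20} -> {:?}", h, decide(&r, h, true, true));
    }
}
```

The `api.github.com` case shows why a bypass entry has no effect on a domain that is also in the force tunnel list.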

IP Resolution Fallback

If no domain match is found:

  1. Resolve domain to IP addresses
  2. Check against custom tunnel network lists (CIDR)
  3. Check against custom bypass network lists (CIDR)
  4. Check against built-in country IP ranges (if enabled)
  5. Default to VPN tunnel if no match
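An added example (not R-VPN's own code) of the fallback order above for a single resolved IPv4 address, assuming the lists are consulted strictly in the order given. `route_ip`, the `198.18.x.x` entries and the `203.0.113.0/24` stand-in for the built-in country ranges are constructed for illustration.

```rust
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq)]
pub enum IpRoute { Tunnel, Direct }

/// Parse "a.b.c.d/len" into (network, mask); None for malformed lines or comments.
fn parse_cidr(line: &str) -> Option<(u32, u32)> {
    let (addr, len) = line.trim().split_once('/')?;
    let len: u32 = len.parse().ok()?;
    if len > 32 { return None; }
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    let net = u32::from(addr.parse::<Ipv4Addr>().ok()?);
    Some((net & mask, mask))
}

fn in_list(list: &[&str], ip: Ipv4Addr) -> bool {
    list.iter()
        .filter_map(|l| parse_cidr(l))
        .any(|(net, mask)| (u32::from(ip) & mask) == net)
}

// The page's sample lists plus one constructed overlapping pair (198.18.x.x).
pub const TUNNEL: &[&str] = &["8.8.8.0/24", "1.1.1.0/24", "198.18.0.0/15"];
pub const BYPASS: &[&str] = &["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "198.18.5.0/24"];
// Stand-in for the built-in country ranges (RFC 5737 documentation prefix).
pub const COUNTRY: &[&str] = &["203.0.113.0/24"];

/// Lists are consulted in the documented order, so the first list that
/// contains the address wins, not the most specific prefix across lists.
pub fn route_ip(ip: Ipv4Addr, country_enabled: bool) -> IpRoute {
    if in_list(TUNNEL, ip) { return IpRoute::Tunnel; }
    if in_list(BYPASS, ip) { return IpRoute::Direct; }
    if country_enabled && in_list(COUNTRY, ip) { return IpRoute::Direct; }
    IpRoute::Tunnel // default: no match goes through the VPN
}

fn main() {
    for s in ["198.18.5.1", "192.168.1.10", "203.0.113.7", "93.184.216.34"] {
        let ip: Ipv4Addr = s.parse().unwrap();
        println!("{:<15} -> {:?}", s, route_ip(ip, true));
    }
}
```

Under that order, the broad 198.18.0.0/15 tunnel entry wins over the narrower 198.18.5.0/24 bypass entry, so 198.18.5.1 stays in the tunnel.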

Performance

  • Domain lookups use HashSet for O(1) performance
  • IP lookups use IpNetworkTable for efficient CIDR matching
  • Built-in lists are compiled into the binary (no file I/O at runtime)
  • Auto-reload supports hot-updating rules without restart

Verification

Check logs to verify routing:

# Client logs
sudo journalctl -u rvpn-client -f

# Look for:
# - "Host <domain> matches tunnel domain list" - Through VPN
# - "Host <domain> matches bypass domain list" - Direct connection
# - "Host <domain> matches force tunnel domain list" - Forced through VPN
# - "Host <domain> matches built-in China domain list" - China bypass
# - "Host <domain> matches ad/tracker domain list - blocking" - Ad blocked

Use Cases

China Users

[split_tunnel]
enabled = true
builtin_bypass_countries = ["CN"]
block_ads = true

China traffic goes direct, international traffic through VPN, ads blocked.

Privacy Focused

[split_tunnel]
enabled = true
builtin_bypass_countries = []  # Don't bypass anything
block_ads = true

Everything goes through the VPN, and ads/trackers are blocked.

Corporate

[split_tunnel]
enabled = true
builtin_bypass_countries = ["CN"]
bypass_domains_file = "/etc/rvpn/corporate-bypass.txt"
tunnel_domains_file = "/etc/rvpn/required-vpn.txt"
block_ads = true

Custom corporate domains + China bypass + ad blocking.

Minimal Configuration

[split_tunnel]
enabled = true

Uses defaults: China bypass enabled, ad blocking disabled, auto-reload every 5 minutes.

Troubleshooting

Domain not bypassing

Check if it's in the force tunnel list (these override bypass):

grep "domain.com" /path/to/builtin_domains.rs

Ads not blocking

Verify ad blocking is enabled:

sudo journalctl -u rvpn-client | grep "block_ads"

Performance issues

Disable auto-reload if not needed:

[split_tunnel]
auto_reload_interval = 0  # Disable auto-reload

Check loaded rules

View statistics at runtime:

# Check client logs for summary on startup
grep "Split tunnel rules loaded" /var/log/rvpn-client.log