How to exclude a specific destination IP from VPN?
Marcee last edited by
I want to route a specific IP address from hotspot (
wlan0) to Mobile Data (
rmnet_data1) interface on Android 11, bypassing VPN.
I use my phone as a hotspot and also with the help of an app called "VPN Hotspot" I share the VPN with my PC. I want to exclude a specific IP address from VPN. I have tried the route option in "OpenVPN for Android" client and it doesn't seem to work properly. I think it might because of "Always On" enabled.
Can I achieve this with
Note: The commands given below require a rooted device.
Whenever you enable or disable VPN on Android device, routing table is recreated by the Android framework. There can be a score of rules added to the routing table when VPN is enabled, since it does filtering based on UIDs and Socket Marks. So you need to manipulate the routing table depending on the existing rules.
ROUTING POLICY AND TABLES
From the info you provided, I'm quoting the relevant parts:
~# ip -4 rule ... 11000: from all iif tun0 lookup local_network ... 17900: from all iif wlan0 lookup tun0 18000: from all iif wlan0 lookup rmnet_data1 ...
~# ip -4 route show table all
192.168.18.0/24 dev wlan0 table local_network...
default via 22.214.171.124 dev rmnet_data1 table rmnet_data1...
126.96.36.199/29 dev rmnet_data1 table rmnet_data1...
~# iptables -t nat -S
-A POSTROUTING -j tetherctrl_nat_POSTROUTING
-A tetherctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
-A tetherctrl_nat_POSTROUTING -o rmnet_data1 -j MASQUERADE
In simple words what the above rules state:
- Everything coming at VPN interface (
tun0) is routed to hotspot interface (
wlan0) if the destination IP is within hotspot subnet (
192.168.18.0/24) i.e. the packets don't belong to the apps running on device (open sockets).
- Everything coming at hotspot interface is routed to VPN interface.
- The packets which don't qualify to be routed through VPN (mainly the VPNed traffic itself, any excluded apps, or the local packets) are routed to Mobile Data interface (
188.8.131.52is your IP assigned by the carrier and
184.108.40.206/29is their gateway.
- All packets going out through VPN and/or Mobile Data interfaces are MASQUERADEd i.e. their source IP address is changed from local IP to a routable IP address (
220.127.116.11in your case).
So this is the simplified flow we are interested in:
Hotspot -> Routing -> FORWARD -> SNAT -> Internet Internet -> Conntrack -> Routing -> FORWARD -> Hotspot
After understanding how it works, lets route it the way we want. Say a host on hotspot network is connecting to
18.104.22.168through internet. But you don't want to send this specific traffic through VPN on Android device.
Define a rule in RPDB and a routing table to route the traffic coming at hotspot interface to Mobile Data interface, if it's destined for
~# ip rule add iif wlan0 lookup 9000 pri 9999 ~# ip route add 22.214.171.124 dev rmnet_data1 table 9000
I used RPDB priority 9999 and table 9000. You might need to change the priority (so that your rule is always on top) and table number. Check
/data/misc/net/rt_tablesfor reserved table numbers which you should not use.
Define another rule to route the packets coming from
126.96.36.199at Mobile Data interface to hotspot interface (if the destination IP is within hotspot subnet):
~# ip rule add from 188.8.131.52 iif rmnet_data1 lookup local_network pri 9999
Note that I used here an already existing routing table
local_network. You can define your own too.
All outgoing packets through Mobile Data interface are already MASQUERADEd as explained above, so we don't need to add another
iptablesrule. If needed, you can also use
SNATtarget in place of
Make sure that IP forwarding is enabled and allowed in firewall. Usually it's not needed because Wi-Fi hotspot already sets this up for you:
~# echo 1 > /proc/sys/net/ipv4/ip_forward ~# iptables -I FORWARD -o rmnet_data1 -d 184.108.40.206 -j ACCEPT ~# iptables -I FORWARD -i rmnet_data1 -s 220.127.116.11 -j ACCEPT
To delete these rules use
ip rule del,
ip route deland
If the above rules don't work, or you need to adapt the rules for a different situation,
iptables -j LOGis a good friend for troubleshooting.
For reference read any Linux documentation or guides about IP routing and Netfilter. It's not specifically about Android.
- When hotspot is enabled, every packet that appears on hotspot (Wi-Fi) interface is being routed to Mobile Data interface. Here's how to do it manually: https://android.stackexchange.com/questions/165389
- In the opposite case i.e. when you want to route everything coming on Mobile Data interface to WiFi interface: https://android.stackexchange.com/questions/195374
- Everything coming at VPN interface (