How to exclude a specific destination IP from VPN?



  • I want to route a specific IP address from hotspot (wlan0) to Mobile Data (rmnet_data1) interface on Android 11, bypassing VPN.

    I use my phone as a hotspot and also with the help of an app called "VPN Hotspot" I share the VPN with my PC. I want to exclude a specific IP address from VPN. I have tried the route option in "OpenVPN for Android" client and it doesn't seem to work properly. I think it might because of "Always On" enabled.

    Can I achieve this with ip route command?



  • Note: The commands given below require a rooted device.


    Whenever you enable or disable VPN on Android device, routing table is recreated by the Android framework. There can be a score of rules added to the routing table when VPN is enabled, since it does filtering based on UIDs and Socket Marks. So you need to manipulate the routing table depending on the existing rules.

    ROUTING POLICY AND TABLES

    From the info you provided, I'm quoting the relevant parts:

    ~# ip -4 rule
    ...
    11000:  from all iif tun0 lookup local_network
    ...
    17900:  from all iif wlan0 lookup tun0
    18000:  from all iif wlan0 lookup rmnet_data1
    ...
    

    ~# ip -4 route show table all
    ...
    192.168.18.0/24 dev wlan0 table local_network...
    ...
    default via 21.62.249.109 dev rmnet_data1 table rmnet_data1...
    21.62.249.104/29 dev rmnet_data1 table rmnet_data1...
    ...

    ~# iptables -t nat -S
    ...
    -A POSTROUTING -j tetherctrl_nat_POSTROUTING
    -A tetherctrl_nat_POSTROUTING -o tun0 -j MASQUERADE
    -A tetherctrl_nat_POSTROUTING -o rmnet_data1 -j MASQUERADE
    ...

    In simple words what the above rules state:

    • Everything coming at VPN interface (tun0) is routed to hotspot interface (wlan0) if the destination IP is within hotspot subnet (192.168.18.0/24) i.e. the packets don't belong to the apps running on device (open sockets).
    • Everything coming at hotspot interface is routed to VPN interface.
    • The packets which don't qualify to be routed through VPN (mainly the VPNed traffic itself, any excluded apps, or the local packets) are routed to Mobile Data interface (rmnet_data1).
      21.62.249.109 is your IP assigned by the carrier and 21.62.249.104/29 is their gateway.
    • All packets going out through VPN and/or Mobile Data interfaces are MASQUERADEd i.e. their source IP address is changed from local IP to a routable IP address (21.62.249.109 in your case).

    So this is the simplified flow we are interested in:

    Hotspot -> Routing -> FORWARD -> SNAT -> Internet
    Internet -> Conntrack -> Routing -> FORWARD -> Hotspot
    

    SOLUTION

    After understanding how it works, lets route it the way we want. Say a host on hotspot network is connecting to 1.2.3.4 through internet. But you don't want to send this specific traffic through VPN on Android device.

    • Define a rule in RPDB and a routing table to route the traffic coming at hotspot interface to Mobile Data interface, if it's destined for 1.2.3.4:

      ~# ip rule add iif wlan0 lookup 9000 pri 9999
      ~# ip route add 1.2.3.4 dev rmnet_data1 table 9000
      

      I used RPDB priority 9999 and table 9000. You might need to change the priority (so that your rule is always on top) and table number. Check /data/misc/net/rt_tables for reserved table numbers which you should not use.

    • Define another rule to route the packets coming from 1.2.3.4 at Mobile Data interface to hotspot interface (if the destination IP is within hotspot subnet):

      ~# ip rule add from 1.2.3.4 iif rmnet_data1 lookup local_network pri 9999
      

      Note that I used here an already existing routing table local_network. You can define your own too.

    • All outgoing packets through Mobile Data interface are already MASQUERADEd as explained above, so we don't need to add another iptables rule. If needed, you can also use SNAT target in place of MASQUERADE.

    • Make sure that IP forwarding is enabled and allowed in firewall. Usually it's not needed because Wi-Fi hotspot already sets this up for you:

      ~# echo 1 > /proc/sys/net/ipv4/ip_forward
      ~# iptables -I FORWARD -o rmnet_data1 -d 1.2.3.4 -j ACCEPT
      ~# iptables -I FORWARD -i rmnet_data1 -s 1.2.3.4 -j ACCEPT
      

    To delete these rules use ip rule del, ip route del and iptables -D.


    NOT WORKING?

    If the above rules don't work, or you need to adapt the rules for a different situation, iptables -j LOG is a good friend for troubleshooting.

    For reference read any Linux documentation or guides about IP routing and Netfilter. It's not specifically about Android.


    RELATED:

    • When hotspot is enabled, every packet that appears on hotspot (Wi-Fi) interface is being routed to Mobile Data interface. Here's how to do it manually: https://android.stackexchange.com/questions/165389
    • In the opposite case i.e. when you want to route everything coming on Mobile Data interface to WiFi interface: https://android.stackexchange.com/questions/195374



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2