Routing Traffic For Websites & Applications
In most cases a VPN connection is set up so that either all network traffic is directed through it (such as when connected to a VPN Service Provider), or only traffic for a fixed IP address range is (such as when connecting to a workplace network). In some situations, however, you may prefer that only traffic for certain applications travels through the VPN connection, or that traffic for certain applications is excluded from it.
We are currently working on adding a feature to Viscosity so applications can be easily routed through a VPN connection or normal network connection. We hope to have such a feature available in a future version of Viscosity, however please be aware that this is not something that will be available soon. In the meantime this article details how you can manually setup Viscosity to route traffic for many applications.
IP Routing Introduction
Modern networks are based on the Internet Protocol, or IP for short. In an IP network each device has an "IP address" which, much like a postal address, identifies a computer on the network and allows your computer to send and receive network traffic with it.
Your computer also has a "routing table". This table helps the computer decide where to send network traffic so that it is delivered to a particular IP address, and can be thought of as similar to a list of postal zip codes. The routing table can instruct your computer to send traffic for a particular IP address or range of addresses to a certain network interface on your computer, or to a particular router.
Viscosity allows you to add entries to the routing table while you are connected, so you can direct traffic for particular IP addresses through (or around) your VPN connection. Using this you are able to direct traffic for certain applications and websites if you know the IP range/s they use (more on that below).
Determining What IP Addresses A Website Uses
Normally when you access a website you type a domain name into your web browser (such as sparklabs.com) rather than the IP address of the server. Smaller websites are often hosted on a single server, so all you need to do is determine that server's IP address and enter it into Viscosity. While Viscosity also allows you to enter a domain name when specifying a route, it is still recommended you look up the IP address first to check that the name does not resolve to multiple addresses. A route only covers the addresses you enter, so if the site later moves to a different address the route will no longer match it.
You can lookup the IP address/es for a domain name like so:
Looking Up An Address On Mac
- Open the Terminal application. This can be found at /Applications/Utilities/Terminal.app
- Enter the following command into the window that appears, replacing "sparklabs.com" with the domain name you wish to look up, then press Return or Enter on your keyboard.
dscacheutil -q host -a name sparklabs.com
- Make a note of the addresses that are returned: ip_address lines hold IPv4 addresses and ipv6_address lines hold IPv6 addresses. Multiple addresses may be returned, indicating that multiple servers are in use (or that one server is reachable over both IPv4 and IPv6); each address you want routed needs its own entry in Viscosity.
Looking Up An Address On Windows
- Open the Command Prompt application. This can be done by clicking the Start button and typing "Command Prompt" into the search field.
- At the prompt type "nslookup example.com" (no quotes) where example.com is replaced with the domain name to lookup.
- Make a note of the IP addresses listed under "Non-authoritative answer". The first Server/Address pair printed is your DNS server, not the website. For example a result of "Address: 66.185.22.121" in the answer indicates that the IP address is "66.185.22.121". It's possible that multiple IP addresses may be returned, indicating that multiple servers are being used.
Larger websites typically consist of multiple servers, and the above technique may unfortunately not list the addresses of all the servers the website uses. This is because they may use multiple domains for different content, multiple servers for load balancing, and different servers depending on your location. For this reason we recommend searching online for the IP address ranges the service publishes or that others have documented.
For example, at the time of writing the following pages list IP address ranges for some popular websites (we can't attest to their accuracy): Facebook, Spotify, Pandora, Hulu, Netflix. Websites such as Robtex can also be used to look up the IP routes for a website if specific information cannot be found elsewhere, for example a lookup for Facebook.
When seeking IP ranges online, you may notice that instead of multiple individual IP addresses being listed they are given as a route (an address plus a netmask). This usually looks like x.x.x.x/yy (known as CIDR notation) or x.x.x.x/y.y.y.y (a dotted-decimal netmask). Both the IP address and the netmask can be entered into Viscosity (see instructions below). This lets you enter one route that covers hundreds or thousands of IP addresses instead of entering each address individually. Published ranges change over time, so re-check them if a service stops working through the VPN.
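The two mask notations above are interchangeable, and it is worth checking which of the addresses a lookup returned are already inside a published range before adding them one by one. The script below is an added example in plain POSIX sh, not code from Viscosity or this article; the addresses and the 66.185.22.0/24 range it works on are constructed sample data standing in for real lookup results.

```shell
#!/bin/sh
# Added example (not Viscosity's code): IPv4 netmask helpers in plain POSIX sh.
# The addresses and range in the demo at the bottom are constructed samples.

# a.b.c.d -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> a.b.c.d
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# /yy -> y.y.y.y  (Viscosity's Mask/Bits field accepts either form)
cidr_to_netmask() {
  if [ "$1" -eq 0 ]; then
    int_to_ip 0
  else
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
  fi
}

# y.y.y.y -> yy ; fails on a non-contiguous mask such as 255.0.255.0,
# which no route can use
netmask_to_cidr() {
  n=$(ip_to_int "$1")
  bits=0
  while [ $(( n & 2147483648 )) -ne 0 ]; do
    bits=$(( bits + 1 ))
    n=$(( (n << 1) & 4294967295 ))
  done
  if [ "$n" -ne 0 ]; then
    echo "invalid netmask: $1" >&2
    return 1
  fi
  echo "$bits"
}

# ip_in_route a.b.c.d x.x.x.x/yy -> success if the route covers the address
ip_in_route() {
  addr_i=$(ip_to_int "$1")
  net_i=$(ip_to_int "${2%/*}")
  mask_i=$(ip_to_int "$(cidr_to_netmask "${2#*/}")")
  [ $(( addr_i & mask_i )) -eq $(( net_i & mask_i )) ]
}

# Read addresses on stdin (one per line); print, as /32 routes, those not
# already covered by any of the ranges given as arguments.
uncovered() {
  while read -r a; do
    [ -n "$a" ] || continue
    hit=0
    for r in "$@"; do
      if ip_in_route "$a" "$r"; then hit=1; break; fi
    done
    if [ "$hit" -eq 0 ]; then printf '%s/32\n' "$a"; fi
  done
}

# Demo: constructed lookup results checked against one constructed range.
printf '255.255.252.0 is /%s\n' "$(netmask_to_cidr 255.255.252.0)"
printf '/24 is %s\n' "$(cidr_to_netmask 24)"
printf '66.185.22.121\n93.184.216.34\n' | uncovered 66.185.22.0/24
```

Pipe the addresses from a lookup into uncovered with the published ranges as arguments; whatever it prints still needs its own single-address route.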
Determining What IP Addresses An Application Uses
Determining what IP addresses an application uses is not possible for every type of application; for those where it is, it is generally straightforward. Several application types are covered below:
- Client Applications: Client applications are applications that are configured to access certain servers. A good example of a client application is an email client. As an email client must be configured with a mail server to receive email from (for example mail.example.com) and an SMTP server used to send email (for example smtp.example.com), the addresses it must access are already known. Simply follow the "Looking Up An Address" instructions above to find out the relevant IP addresses. Other common client-style applications include VOIP/SIP, FTP, SFTP, and SSH clients.
- Service Applications: Service applications are tied to an online service. IP address ranges can usually be discovered online as detailed above for websites. It may also be possible to monitor the application as described below.
- Dynamic Applications: Dynamic applications, such as web browsers or peer-to-peer applications like BitTorrent, don't access a known range of IP addresses. Unfortunately such applications can not be selectively routed using the techniques listed in this article.
If you are unsure what IP addresses an application uses, and it is not a dynamic application, it may be possible to monitor the application to see what server/s it connects to while running. This can be done using firewall software, or using simple tools such as Private Eye for macOS or NetworkTrafficView for Windows. Capture while the application is actually in use and repeat over a few sessions: a service fronted by a CDN or load balancer may connect to different addresses each time, and any address you did not capture will not be routed.
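For the monitoring step, the lsof tool that ships with macOS lists a process's open connections without any extra software (for example "lsof -nP -iTCP" while the application is in use; -n and -P keep the addresses and ports numeric). The script below is an added example, not code from Viscosity or the article: it parses that output for one process name and emits its remote addresses as single-host routes. The lsof lines it contains are constructed sample output, not a real capture, and the process names and addresses in them are made up.

```shell
#!/bin/sh
# Added example (not Viscosity's code): turn the established connections of one
# process, as listed by "lsof -nP -iTCP" on macOS, into per-host routes.
# SAMPLE_LSOF is constructed sample output, not a real capture.

SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Mail      41234 alice   22u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.168.1.20:52311->66.185.22.121:993 (ESTABLISHED)
Mail      41234 alice   25u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 192.168.1.20:52318->66.185.22.121:587 (ESTABLISHED)
Mail      41234 alice   27u  IPv6 0x1a2b3c4d5e6f7083      0t0  TCP [2001:db8::20]:52320->[2001:db8:1::5]:993 (ESTABLISHED)
Mail      41234 alice   30u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP *:49152 (LISTEN)
Safari     4102 alice   40u  IPv4 0x1a2b3c4d5e6f7090      0t0  TCP 192.168.1.20:52400->93.184.216.34:443 (ESTABLISHED)'

# remote_addrs <COMMAND>: read lsof output on stdin and print each distinct
# remote address the named process is connected to, in first-seen order.
# Listening sockets have no "->" in the NAME column and are skipped.
remote_addrs() {
  awk -v proc="$1" '
    $1 == proc && $0 ~ /->/ {
      for (i = 1; i <= NF; i++) if ($i ~ /->/) { split($i, h, "->"); r = h[2] }
      if (r ~ /^\[/) { sub(/^\[/, "", r); sub(/]:[0-9]+$/, "", r) }  # [v6]:port
      else           { sub(/:[0-9]+$/, "", r) }                      # v4:port
      if (!seen[r]++) print r
    }'
}

# as_routes: one address per line on stdin -> "destination mask" lines ready
# for the Destination and Mask/Bits fields (a single host is a /32 or /128).
as_routes() {
  while read -r a; do
    case "$a" in
      *:*) printf '%s/128\n' "$a" ;;              # IPv6 host route
      *)   printf '%s 255.255.255.255\n' "$a" ;;  # IPv4 host route
    esac
  done
}

# Demo on the constructed sample: routes for the "Mail" process only.
printf '%s\n' "$SAMPLE_LSOF" | remote_addrs Mail | as_routes
```

On a real machine replace the sample with "lsof -nP -iTCP | remote_addrs Mail | as_routes". Note that the IPv6 peer shows up alongside the IPv4 ones; routing only the IPv4 addresses would leave that connection outside the VPN.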
Specifying Traffic To Go Through The VPN Connection
Viscosity allows you to create custom routes for your VPN connection that are automatically added when you connect and automatically removed when you disconnect. Both IPv4 and IPv6 routes can be created. For this article we'll concentrate on IPv4 routes, which are the most common; be aware though that if a lookup also returned IPv6 addresses and your normal network has IPv6 connectivity, an application may connect over IPv6 and bypass an IPv4-only route, so add the IPv6 addresses as routes as well.
A route consists of a destination IP address and a Netmask (or Mask for short). If you are creating a route for a single IP address you can leave the Mask field blank. If you also have a Mask it can be entered as well. Masks in both dotted-decimal notation (i.e. y.y.y.y) and CIDR notation (i.e. /yy) are supported.
You can then add the route to Viscosity like so:
- From the Viscosity menu select Preferences to open Viscosity's Preferences window.
- Select your connection from the Connections list and click the Edit button.
- Click on the Networking tab. In the Routing area click on the small "+" button to add a new route.
- Enter the IP address you wish to route into the "Destination" field. If you also have a Mask enter it into the "Mask/Bits" field. If you are routing just single IP addresses the Mask field can be left blank.
- Select "VPN Gateway" from the Gateway menu.
- Click the Add button to add the route. Repeat the above steps to add additional routes.
- Click the Save button.
Please note that for Bridged connections where the client IP address is assigned by a DHCP server instead of the OpenVPN server it may be necessary to specify a custom gateway IP address instead of selecting "VPN Gateway". This will be the IP address of the router on the remote network.
Specifying Traffic To Go Through The Normal Network
Viscosity can also create routes allowing you to specify traffic that should go through the computer's normal network connection instead of the VPN. Please be aware of the Netmask comments listed in the above section before adding a route.
- From the Viscosity menu select Preferences to open Viscosity's Preferences window.
- Select your connection from the Connections list and click the Edit button.
- Click on the Networking tab. In the Routing area click on the small "+" button to add a new route.
- Enter the IP address you wish to route into the "Destination" field. If you also have a Mask enter it into the "Mask/Bits" field. If you are routing just single IP addresses the Mask field can be left blank.
- Select "Local Network Gateway" from the Gateway menu.
- Click the Add button to add the route. Repeat the above steps to add additional routes.
- Click the Save button.
Preventing All Traffic Through the VPN Connection
If you have a subscription to a VPN Provider, or otherwise do not administer the VPN server yourself, chances are all of your traffic is being forced through the VPN even with the All Traffic option set to Automatic: the server pushes a redirect-gateway option to the client, which is the default for most VPN Providers.
If you want only certain traffic to go through your VPN, you will need to prevent this. To do so:
- Edit your connection and go to the Advanced tab
- On a new line, add the following:
pull-filter ignore redirect-gateway
- Save your connection and connect again
This directive tells Viscosity to ignore the default route (redirect-gateway) pushed by the VPN server, so no traffic is sent over the VPN by default; only the routes you add yourself, plus any routes the server pushes for specific networks, will use it. The filter applies only to options pushed by the server: a redirect-gateway line in the connection's own configuration is not affected. Pushed DNS server settings are also still received, so check your DNS settings if name lookups should not go via the VPN either.
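The same split-tunnel setup written as OpenVPN client directives, as an added example rather than text from the article. It assumes the Advanced tab accepts route directives alongside pull-filter (the Networking tab steps above are the documented way to add routes); the host and range are the sample ones used earlier in the article and the LAN range is hypothetical.

```conf
# Drop the provider's pushed default route. pull-filter matches by prefix, so
# pushed variants such as "redirect-gateway def1 bypass-dhcp" are ignored too.
pull-filter ignore redirect-gateway

# Single host (the mail server looked up earlier): host mask 255.255.255.255
route 66.185.22.121 255.255.255.255 vpn_gateway

# A range published as 66.185.22.0/24, written with the dotted mask form
route 66.185.22.0 255.255.255.0 vpn_gateway

# Hypothetical LAN range that should use the normal network, not the VPN
route 192.168.1.0 255.255.255.0 net_gateway
```

vpn_gateway and net_gateway are OpenVPN's names for what the "VPN Gateway" and "Local Network Gateway" menu choices select; for a bridged connection with DHCP-assigned addresses, replace vpn_gateway with the remote router's IP address as described above.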
Are There Any Third Party Tools For This?
Unfortunately there are few third party tools that allow for per-application routing, due to the complexity of doing so properly and securely. There are no known tools available for macOS. Under Windows ForceBindIP allows an application to be bound to a network interface, however please be aware that we can't attest to how well it works or whether it is effective at preventing traffic leaks from an application, and we cannot offer support for it.