How do I implement per-app routing rules using WFP?

  • Hello,

    I am running a VPN on a Windows 10 desktop (using OpenVPN) and the VPN is the default gateway, so that all traffic by default goes through the VPN tunnel.

    However, I would like to exempt certain apps from the VPN, so that their traffic goes directly out the physical interface instead, bypassing the VPN (so-called "split tunnelling").

    I have this working in Linux currently via "cgroups" and policy-based routing/multiple routing tables.

    But it is my understanding that Windows has neither policy-based routing nor multiple routing tables. I can still think of a way of achieving this in Windows, but I cannot find the APIs to make it happen.

    One way is to hook the socket creation of a specific app and then use the Windows equivalent of the SO_BINDTODEVICE socket option to force the socket to be bound to the physical interface rather than the TAP driver.

    But, again, I cannot find the relevant APIs to make the above happen.

    So I have a few questions:

    (1) Is what I want to do possible within the given APIs of WFP (or Windows in general)? If so, which APIs do you advise I look at?

    (2) Or, must I write a "WFP callout driver"? If so, would you be able to point me towards some resources for this, and possibly a good starting point for my particular problem? :)

    (3) Is there anything else I might be missing? A simpler approach to achieve what I want? I know that it is possible in Windows, as I have seen the feature in some VPNs, but I would like to replicate it in my own personal VPN :)

    Thanks! Any help is appreciated so much!

    Monday, June 3, 2019 10:25 AM