VPN split tunnel by domain name

Started by Blatancy2409, April 19, 2023, 06:10:30 PM

I'm wondering how to properly set up a VPN split tunnel that works by the domain name, not by resolved IP address. Let me explain what I mean:

I use mullvad VPN as a gateway for all my traffic. I also created a rule that allows several websites to bypass the VPN and use the default ISP gateway. That's how I can access websites blocking VPNs, like banking apps and chatGPT (haha).

The problem with that setup is that the rules are applied by IP address, not by domain name. That results in two unwanted effects:
1. If a domain points to some CDN, the whole CDN's traffic will bypass the VPN, and I can leak my IP address to websites that are not on the VPN bypass list.
2. If a website uses DNS round-robin, there can be a situation where OPNsense and a client resolve the domain to different IPs, the client request is not bypassed, and I get blocked. (ChatGPT does this all the time.)

To overcome this, I created a POC, which works but is hard to scale.

1. Started dnsmasq on some random port (not 53).
2. Wrote a NAT rule to map DNS requests from my machines to this port.

Then, for each domain I need to bypass, I add the following rules:

3. Add a rule to override the domain name I want to bypass to some random IP address.
4. Add a NAT rule to map the HTTP and HTTPS ports on this address.


And this works. There are, however, two problems that I cannot overcome:
1. I have to maintain two DNS services, since my local machines need to resolve the overridden domain names, but OPNsense itself needs to resolve the public IP address. This is not ideal.
2. I need to manually add a domain override and a NAT rule for each of the domains. (Not that big a deal, but annoying.)


Am I overthinking this? Is there a simpler way to achieve this? My biggest annoyance is that I have to have two DNS servers.
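The following is an added example, not code from the original post or from OPNsense. It automates steps 3 and 4 of the proof of concept above for any number of domains (the second of the two remaining problems): every bypass domain is assigned its own placeholder address from a range no real host uses, the generated dnsmasq fragment answers that domain (and its subdomains) with the placeholder, and a generated pf.conf-style redirect rewrites LAN flows to the placeholder to the domain's public host as resolved by the firewall itself. The interface name, LAN subnet, dnsmasq port, upstream resolver, placeholder range and the raw pf syntax (OPNsense normally manages these through its NAT and alias screens) are all assumptions for illustration.

```python
"""Generate per-domain overrides for a domain-name split tunnel.

Added example, not code from the original post: it automates the per-domain
dnsmasq override and NAT rule for a whole list of bypass domains.
"""
import ipaddress
import re

# Assumptions, not values from the post: LAN interface and subnet as the
# firewall knows them, the non-53 dnsmasq listener port, and the upstream
# resolver dnsmasq forwards everything else to (Unbound on the firewall here).
LAN_IF = "igc1"
LAN_NET = "192.168.1.0/24"
DNSMASQ_PORT = 5353
UPSTREAM_DNS = "127.0.0.1#53"
# Placeholder pool: RFC 2544 benchmarking space (198.18.0.0/15) is not routed
# on the internet, so a client left holding one of these addresses cannot
# accidentally reach a real host through the wrong gateway.
PLACEHOLDER_NET = ipaddress.ip_network("198.18.0.0/24")
BYPASS_PORTS = (80, 443)

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(domain):
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    if not d or not all(_LABEL.match(label) for label in d.split(".")):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def allocate(domains):
    """Map each bypass domain to a unique placeholder address.

    Domains are sorted first so re-running on the same list yields the same
    addresses; otherwise a regeneration would silently re-point live flows.
    """
    pool = PLACEHOLDER_NET.hosts()
    mapping = {}
    for d in sorted({normalise(x) for x in domains}):
        try:
            mapping[d] = str(next(pool))
        except StopIteration:
            raise RuntimeError(f"placeholder range {PLACEHOLDER_NET} exhausted") from None
    return mapping


def dnsmasq_config(mapping):
    """dnsmasq fragment for the client-facing resolver (step 1 plus step 3)."""
    lines = [f"port={DNSMASQ_PORT}", f"server={UPSTREAM_DNS}"]
    # address=/name/ip also answers every subdomain of name, so one line per
    # domain covers a site that spreads itself over several host names.
    lines += [f"address=/{d}/{ip}" for d, ip in mapping.items()]
    return "\n".join(lines) + "\n"


def pf_rules(mapping):
    """pf.conf-style translation rules equivalent to the NAT entries in the post.

    The first rule is step 2 (send LAN DNS to the dnsmasq port); the others are
    step 4, one per domain. The redirect target is the domain name, which the
    firewall resolves with its own resolver when the ruleset is loaded, so the
    address the client was handed and the address the flow is rewritten to
    come from one place instead of two independent lookups.
    """
    ports = ", ".join(str(p) for p in BYPASS_PORTS)
    rules = [
        f"rdr on {LAN_IF} inet proto {{ udp, tcp }} from {LAN_NET} "
        f"to any port 53 -> 127.0.0.1 port {DNSMASQ_PORT}"
    ]
    for d, ip in mapping.items():
        rules.append(
            f"rdr on {LAN_IF} inet proto tcp from {LAN_NET} "
            f"to {ip} port {{ {ports} }} -> {d}"
        )
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # Constructed input of the kind the post describes; not a real bypass list.
    bypass = ["chatgpt.com", "bank.example", "ChatGPT.com."]
    m = allocate(bypass)
    print(dnsmasq_config(m))
    print(pf_rules(m))
```

Two caveats worth keeping in mind with this layout. pf applies translation before filtering, so any policy-routing rule that steers these flows out the ISP gateway sees the translated (public) destination, and the name is resolved when the rules are loaded, so the ruleset or the alias built from it has to be refreshed when the site's records change. And the port-53 redirect only catches clients that actually use the network's DNS: a browser doing DNS over HTTPS never sees the placeholder, resolves the real address itself, and lands back in the round-robin mismatch the post describes.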