Bypass VPN for specific traffic or websites

Uwe
7 min read · Nov 26, 2022


This article addresses two questions: why would you want to bypass your VPN, and how can you do it automatically? Using a VPN can make your life easier and more complicated at the same time. Find out how to bypass, split-tunnel, or make specific exceptions to your current VPN connection.

Credit: https://the-bestvpn.com/wp-content/uploads/2019/07/1-Why_Should_I_Use_VPN.png

Why bypass the VPN? I have had trouble with email traffic in the past, and my email address was blacklisted on some occasions because I was using a VPN connection. Keep in mind that some ports used by your email provider might not be supported by your VPN service and can thus cause problems when you use email while connected to your VPN. I wanted to bypass the VPN connection for exactly that reason, so that the email traffic is routed directly to the email server and does not use the VPN tunnel. Depending on the VPN service you are using, this may be an option that is already built in, but in my case my VPN service does not offer exclusions, VPN bypass, or the like.

Why you want to use a VPN in the first place might also be a very good question. I think a VPN is useful, e.g. if you use non-secure public Wi-Fi (at your favourite coffee place, in an airport, …), to filter and block malware, ads & trackers, or if you travel to countries that restrict web traffic. Some VPN providers offer a variety of services that you may find useful when browsing the web.

Bypass your VPN

How to bypass the VPN is rather simple. I use a MacBook, so this example is based on AppleScript and shell script (bash), as those are tools that are native to macOS: no extra apps and no installations needed!

Use Spotlight to open apps

Open Terminal.app and add a route to your current routing table; traffic to that specific address will then bypass your VPN connection. Here is how you do this (a more comprehensive explanation follows below):
1. Open Spotlight (Command + Space), type Terminal and hit Enter, or find Terminal.app in your Applications folder under Utilities.
2. Within Terminal you can check the current routing table with the command netstat -rn to see whether there is already a route and which routes are currently active.
3. Add a route in Terminal with the command:
sudo route -nv add YourWebsiteIPforException TheGatewayIPofYourRouter
4. Delete the route if you no longer wish to bypass the VPN, or in case of problems, with the command: sudo route delete YourIPAddressFromURLHere
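The three steps above as one idempotent shell script, added here as an example and not taken from the article: it resolves the host, reads the DHCP gateway, and only adds the route when `netstat -rn` does not already list it. The hostname mail.example.com and the interface en0 are assumptions; the parsing helpers can be tested on any system, the routing table is only touched when you pass `run`.

```shell
#!/bin/sh
# Added example, not the article's code: the three manual steps above as one
# idempotent script with testable helpers. The hostname and interface names
# used below are assumptions; replace them with your own.
set -eu

# True if ROUTE_TABLE (the output of `netstat -rn`) already has a host route
# DEST -> GW. Columns are padded with spaces, so compare fields, not a literal.
route_present() {            # $1=netstat -rn output, $2=dest IP, $3=gateway IP
  printf '%s\n' "$1" | awk -v d="$2" -v g="$3" '$1 == d && $2 == g { f = 1 } END { exit !f }'
}

# Router IP from `ipconfig getpacket en0` output, e.g. "router (ip_mult): {192.168.1.1}".
gateway_from_packet() {      # $1=ipconfig getpacket output
  printf '%s\n' "$1" | sed -n 's/^router[^{]*{\([0-9.]*\)}.*/\1/p' | head -n 1
}

# First A record from `host NAME` output; `host` also prints MX lines
# ("mail is handled by"), so only "has address" lines count.
first_a_record() {           # $1=host output
  printf '%s\n' "$1" | awk '/ has address / { print $4; exit }'
}

main() {
  name=${1:-mail.example.com}   # assumed hostname, replace with your mail server
  iface=${2:-en0}               # en0 is Wi-Fi on most MacBooks
  dest=$(first_a_record "$(host "$name")")
  gw=$(gateway_from_packet "$(ipconfig getpacket "$iface")")
  if [ -z "$dest" ] || [ -z "$gw" ]; then
    echo "could not resolve $name or the gateway of $iface" >&2; exit 1
  fi
  if route_present "$(netstat -rn)" "$dest" "$gw"; then
    echo "route $dest -> $gw already present"
  else
    sudo route -nv add "$dest" "$gw"
    route_present "$(netstat -rn)" "$dest" "$gw" || { echo "route not added" >&2; exit 1; }
    echo "added route $dest -> $gw (undo with: sudo route delete $dest)"
  fi
}

# Only touch the routing table when explicitly asked (sh bypass.sh run HOST [IFACE]);
# the helper functions can be exercised on any system without it.
case "${1:-}" in run) shift; main "$@" ;; esac
```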

Voilà, your exception is done! Pretty simple, isn't it? Or is it? Keep in mind that everything sent to that IP now leaves your Mac through your router instead of the tunnel, so it is protected only by the encryption the application itself uses (TLS for IMAP/SMTP, HTTPS for web).

Check your current routing table

If you have to do this every time after you restart your computer, or whenever the route you added is lost for any reason, and if you also work from different places and different WiFi networks, you have to change the route every time you change your location/network — That sucks! You might as well not connect to your VPN at all.
I wanted to automate this!
As I am only concerned about my email traffic, which is crucial to my business, I am focussing only on the Email app and the URL/IP address of the mail server I am using.

Here is what I did

I created a script that automates the process and exported it as an app, so that when I open this Script-App it automatically looks up the router/gateway and the mail server IP address, checks the current routing table, adds the route if necessary, and opens my email app if everything is set up correctly, or throws an error message if there is a problem. All I did was replace my Email-App with my Bypass-App, and I do not need to worry anymore!
You can use and adapt the following code with the native AppleScript environment your MacBook is equipped with. Open the AppleScript Editor, paste the code into the editor and amend the variables myURL and myEmailApp to your needs. This code beeps if it adds the route, so that I have audible feedback of what is happening. Delete the beep if you do not like this.

(* BYPASS VPN and start Email App
By UweTheSailor on 25. Nov. 2022

This script adds a route to your Mac so that traffic to one URL (email, web, or else) bypasses the VPN,
and then opens an app. It resolves the IP address of the URL and the gateway IP from the current
network settings, adds a route for that IP to the routing table of your machine, and finally
opens my email client app (Airmail).
*)

-- Put the URL that you want to bypass your VPN connection for here:
set myURL to "hotmail-or-else.com"
-- Put the name of the app that you want to open here:
set myEmailApp to "YourEmailAppOrElse"
-- Network interface to read the DHCP gateway from (en0 is Wi-Fi on most MacBooks):
set myInterface to "en0"

-- Resolve the URL into an IP address using a shell script.
-- "host" may print several A records and MX lines, so keep only the first "has address" line:
set myip3 to do shell script "host " & myURL & " | grep 'has address' | head -n 1"
-- Still no error handling if DNS does not work!
set AppleScript's text item delimiters to " "
set MyURL_IP to (text item 4 of myip3)
-- The variable "MyURL_IP" is the current IP of the URL
-- return MyURL_IP

-- Get the router / gateway IP address from a shell script:
set GatewayAdr to (do shell script "ipconfig getpacket " & myInterface & " | grep 'router'")
-- Extract the gateway IP address from the string "router (ip_mult): {192.168.1.1}" with delimiters:
set AppleScript's text item delimiters to "{"
set IP1 to (text item 2 of GatewayAdr)
set AppleScript's text item delimiters to "}"
set IPAdrGatway to (text item 1 of IP1)
set AppleScript's text item delimiters to "" -- restore the default delimiters
-- The variable "IPAdrGatway" is the IP of the current gateway
-- return IPAdrGatway

-- netstat pads its columns with several spaces; "tr -s ' '" squeezes them to one so that
-- the plain text comparison "IP GATEWAY" below works:
set routeEntry to MyURL_IP & " " & IPAdrGatway
set RouteTable to (do shell script "netstat -rn | tr -s ' '") -- current routing table
if RouteTable does not contain routeEntry then
	do shell script "sudo route -nv add " & MyURL_IP & " " & IPAdrGatway
	beep
	delay 1 -- wait one second for the new route to take effect
	-- Refresh the routing table entries:
	set RouteTable to (do shell script "netstat -rn | tr -s ' '")
end if
-- Open the email app (Airmail) only if the route is really there:
if RouteTable contains routeEntry then
	tell application myEmailApp
		activate
	end tell
else
	-- Error handling
	display dialog "The route could not be verified and was not added!" with icon caution with title "Cannot verify the route!"
end if

However, that might still be a pain: when you add a route to your routing table you need to enter your admin password every time you run this app. See Ease of use, as follows:

Ease of use — make Terminal accept TouchID built-in MacOS

If you own a Mac with Touch ID built in, you need to edit the sudo config file located in the /etc/pam.d/ folder. Doing so is relatively simple, and it is a permanent change. Any time you need to enter a password in the Terminal it will ask for your Touch ID, while still offering to let you type your password if you like. Here is a very good step-by-step guide on how to do this.
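What that edit amounts to is one extra PAM rule, `auth sufficient pam_tid.so`, placed before the password modules in /etc/pam.d/sudo. The script below is an added example (not from the article or the guide it links) that makes the change idempotently and keeps a backup; the file path is passed as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the article or the guide it links: adds the Touch ID
# PAM module to a sudo PAM file if it is not there yet, keeping a backup.
# Run on a Mac as: sudo sh touchid-sudo.sh /etc/pam.d/sudo
set -eu

TID_LINE='auth       sufficient     pam_tid.so'

# Inserts TID_LINE before the first "auth" rule of the file given as $1,
# so Touch ID is tried before the password modules. Safe to re-run.
enable_touchid_sudo() {      # $1=path to the PAM file
  f=$1
  if grep -q 'pam_tid\.so' "$f"; then
    echo "$f already uses pam_tid.so"; return 0
  fi
  cp "$f" "$f.bak"                       # keep a copy to restore if sudo breaks
  tmp=$(mktemp)
  awk -v line="$TID_LINE" '!done && $1 == "auth" { print line; done = 1 } { print }' "$f" > "$tmp"
  cat "$tmp" > "$f"                      # overwrite in place, keeps owner/mode
  rm -f "$tmp"
  echo "added pam_tid.so to $f (backup: $f.bak)"
}

# Number of pam_tid.so rules in a file; 1 after a correct edit.
count_tid() { grep -c 'pam_tid\.so' "$1" || true; }

if [ $# -eq 1 ]; then
  enable_touchid_sudo "$1"
fi
```

Because the path is an argument, the same script can target /etc/pam.d/sudo_local on macOS 14 and later, where Apple keeps local PAM additions across system updates.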

How to check if the URL you have added is bypassing the VPN?

To see whether what you have done is actually doing anything, run this Terminal command: traceroute put-your-url-here.com and hit Enter. You can do this before you add the route and afterwards; delete and add the route and try the command in between, and you will see the difference. This command shows the hops to your destination and thus visualises the route the IP packets are travelling.
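A faster check than traceroute, added here as an example and not part of the article: `route -n get HOST` prints the route macOS would use for that host right now, and the interface line tells you whether it goes through the VPN tunnel or straight out. That VPN interfaces are named utunN is an assumption that holds for most macOS VPN clients; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: a quicker check than traceroute.
# `route -n get HOST` prints the route macOS would use right now; if the
# interface is a VPN tunnel (utunN on most macOS VPN clients, an assumption)
# the host is still tunnelled, otherwise it goes out directly.
set -eu

# Interface name from `route -n get` output ("  interface: en0").
route_iface() {              # $1=route -n get output
  printf '%s\n' "$1" | awk -F': *' '$1 ~ /interface$/ { print $2; exit }'
}

# Gateway from the same output ("    gateway: 192.168.1.1"); empty if none.
route_gateway() {            # $1=route -n get output
  printf '%s\n' "$1" | awk -F': *' '$1 ~ /gateway$/ { print $2; exit }'
}

# Prints "direct" or "tunnelled" for one `route -n get` output.
bypass_status() {            # $1=route -n get output, $2=tunnel prefix (default utun)
  case "$(route_iface "$1")" in
    "${2:-utun}"*) echo tunnelled ;;
    *)             echo direct ;;
  esac
}

# Usage on a Mac: sh check.sh mail.example.com  (hostname is a placeholder)
if [ -n "${1:-}" ]; then
  out=$(route -n get "$1")
  echo "$1 via $(route_gateway "$out") on $(route_iface "$out"): $(bypass_status "$out")"
fi
```

Run it once before and once after `sudo route -nv add`: the interface should change from utunN to en0 and the gateway to your router's address.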

Tips and Tricks

This is how you find your router/gateway IP address manually: go to Network in System Preferences, click Advanced and then the TCP/IP tab. There you find the router IP address that was provided by DHCP. Alternatively you can use Terminal.app and the command ipconfig getpacket en0. There are many ways to figure out the same thing.

To find out your mail server's IP address, check the email accounts in your Email app and see which mail server URL is used for your email service. Once you have found the URL, go to Terminal.app and either ping the URL or use the command host hotmail.com. Make sure that instead of hotmail.com you use the URL that you want to exclude from the VPN.

Useful Terminal commands:

- Use sudo route delete YourIPAddressFromURLHere to delete the route you added before.
- Use netstat -rn | grep 35.204. to filter the result (e.g. “35.204.” is the search term that I was using).
- Use dig your-url.com to find the IP address of the URL that you want to exclude from your VPN connection.

Share your love, hit the clap or add a comment/suggestion and let me know if you find this useful.

Yours truly,
Uwe
P.S. If you’re passionate about community and seek a distinctive event brimming with enjoyment, collaboration, and a dynamic atmosphere, consider joining us at the Bansko Nomad Fest. https://banskonomadfest.com use the 10% discount code to grab your ticket now: uwebnf24


Uwe (aka TheSailor) is a nomad, sailor, speaker & entrepreneur; runs mystartbulgaria.com and Nomad Sailing Retreat