How to route only certain IP Addresses to your VPN in Windows
Version 0.543

Recently I found out how to create my own VPN by firing up a Digitalocean droplet and simply running this script here.

However, Windows routes my whole PC's Internet traffic through the VPN, causing GMail to flag my account, Facebook to do extra verification, websites to be inaccessible, captchas, etc.

The main reason I needed the VPN was to route selected games through it as my ISP's (Singtel) peering was very bad for that particular game and the Digitalocean datacentre was a good middleman slashing my ping by as much as 200ms.

Here's how to make it such that only traffic to the IP addresses you choose will be routed through the VPN.

Disclaimer

Proceed at your own risk! The information here is accurate to the best of our knowledge. We will not be held responsible if this document causes your computer to explode or burst into flames.

In real serious terms, if any corruption of data, hardware damage or any other kind of damage/losses/etc. arises from the use of this document, we cannot be held responsible for it. If you don't like this, please don't read any further.

Before Starting

This guide assumes you have installed and set up the VPN script here. There should be a VPN connection set up for you in Network Adapters.

Make a copy of the connection

It is best to work on a copy of the VPN connection in case things do not work out.

  • For IPSec: Simply right-click and make a copy of the connection. The preshared string may not be copied and will need to be manually copied. Edit the connection properties, go to Security and Advanced Settings. "Use preshared key for authentication" should be filled. If not, copy it from the original connection properties.
  • For Wireguard: Add an empty tunnel and copy the settings from the original tunnel.
  • For OpenVPN: Simply make a copy of the OVPN file and add it again.

After creating a copy, you'll want to make sure the connection copy works before proceeding.

Disable "Use default gateway" to prevent all traffic going through the VPN

IPSec VPN

  1. Right-click on your VPN connection in Network Connections
  2. Click Properties
  3. Click Networking tab
  4. Select (click once) the words Internet Protocol Version 4 (TCP/IPv4). Do not click on the box to untick it
  5. Click Properties
  6. Click Advanced
  7. Uncheck "Use default gateway on remote network"
  8. OK all the way out

Wireguard

Edit the tunnel properties

  1. Uncheck "Block untunneled traffic (kill-switch)" else routed IP addresses will give a "General failure" error when trying to ping.
  2. You will also need to "Edit" the tunnel and add Table = off under [Interface] to disable "Use default gateway on remote network"

OpenVPN

Edit the ovpn file and add these lines to the .ovpn file

pull-filter ignore route-gateway
pull-filter ignore redirect-gateway
route-noexec
route-nopull

Start your VPN before attempting the commands below. You'll notice that your whole system is no longer VPN'ed.

How to route only one IP address through your VPN

This is the easiest to do if you know the server IP address.

IPSec and Wireguard

Follow the steps below in an elevated command prompt (Start > CMD > (right-click "Command Prompt") > "Run as administrator")

route print

Note the interface number of your VPN

Structure the command as follows

route ADD <IP ADDRESS> <VPN SERVER IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example, if your game server's IP address is 145.239.131.35 (TruckersMP EU), the VPN server IP address is 113.42.23.44 and the Interface ID is 31:

route ADD 145.239.131.35 113.42.23.44 METRIC 306 IF 31

OpenVPN

For the OpenVPN protocol, it does not seem you can route using route commands; I got Destination host unreachable in all my attempts. You will need to edit the ovpn file instead.

Put all the details in the ovpn file in this format route [IP] [mask].

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0

Example for TruckersMP (1 IP):

route 145.239.131.35 255.255.255.255

How to route a subnet of IP addresses

Some games like Overwatch have lots of IP addresses. You'll need to get all the relevant IP addresses with their subnet mask.

If unsure, use a gaming VPN such as mudfish (new accounts come with free credit) to find the routes and subnet mask. Simply run route print before/after the VPN is active for that game, spot the differences and note the routes.

IPSec and Wireguard

Once you have obtained the IP addresses, follow the steps below in the command prompt (Start > Run > CMD)

route print

To figure out the subnet for a range of IP address, you can use the tool at the bottom of this page. Input the IP address range, click "Calculate". Copy and paste the answer to the "CIDR to IP Range" box above and hit "Calculate". The subnet mask will be under "Netmask".

Note the interface number of your VPN

Structure the command as follows

route ADD <IP ADDRESS> MASK <SUBNET> <VPN IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example for Elder Scrolls Online EU, VPN server ip address 113.42.23.44 and Interface ID 31

route ADD 159.100.224.0 MASK 255.255.240.0 113.42.23.44 METRIC 306 IF 31

Another example for Overwatch 2, a game which uses Amazon servers worldwide so you will need to route a lot of IP addresses. Here is a sample of the routing you'll need to do assuming VPN server ip address 113.42.23.44 and Interface ID 31

route ADD 3.0.0.0 MASK 255.128.0.0 113.42.23.44 METRIC 306 IF 31
route ADD 3.128.0.0 MASK 255.128.0.0 113.42.23.44 METRIC 306 IF 31
route ADD 5.42.160.0 MASK 255.255.224.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.206.0 MASK 255.255.255.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.236.0 MASK 255.255.254.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.240.0 MASK 255.255.248.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.130.192.0 MASK 255.255.192.0 113.42.23.44 METRIC 306 IF 31

You can get the full list of Amazon IP addresses here (JSON). We recommend getting it from Mudfish as it is much easier as the subnet masks are also visible when you do a route print.
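The range-to-netmask step above can also be done locally. The following is an added example (not part of the original article) that uses Python's standard ipaddress module to turn IP ranges or CIDR blocks into route ADD lines in the format shown above; the function names are hypothetical and the sample input is constructed from the addresses used in this article.

```python
import ipaddress

def to_networks(spec):
    """Turn 'first-last' (IP range) or 'a.b.c.d/len' (CIDR) into IPv4 networks."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after range end: {spec}")
        # A range that is not one aligned block becomes several blocks.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects a CIDR with host bits set, e.g. 159.100.225.0/20,
    # which `route ADD` would also refuse.
    return [ipaddress.IPv4Network(spec, strict=True)]

def route_commands(specs, gateway, if_id, metric=306):
    """Build `route ADD` lines in the article's format for every block."""
    gw = ipaddress.IPv4Address(gateway)  # raises ValueError on a malformed gateway
    nets = [net for spec in specs for net in to_networks(spec)]
    cmds = []
    # collapse_addresses() merges overlapping or adjacent blocks, so
    # 3.0.0.0/9 + 3.128.0.0/9 become a single 3.0.0.0/8 route.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 is the default route, not a selective route")
        mask = "" if net.prefixlen == 32 else f" MASK {net.netmask}"
        cmds.append(f"route ADD {net.network_address}{mask} {gw} METRIC {metric} IF {int(if_id)}")
    return cmds

if __name__ == "__main__":
    # Sample input constructed from the addresses used in this article.
    wanted = ["159.100.224.0-159.100.239.255", "145.239.131.35/32",
              "3.0.0.0/9", "3.128.0.0/9", "12.129.236.0-12.129.238.255"]
    for line in route_commands(wanted, "113.42.23.44", 31):
        print(line)
```

Review the printed lines before pasting them into the elevated command prompt: every block listed is traffic that will leave through the VPN.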

OpenVPN

Edit the ovpn file

Put all the details in the ovpn file in this format route [IP] [mask].

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0

Getting two VPNs active at the same time

If you followed the "Disable Use default gateway to prevent all traffic going through the VPN" step in the first VPN's settings, simply use the same commands above and change the INTERFACE ID and VPN IP ADDRESS to point to the second VPN as required. route print will give these details.

You may also want to "Disable Use default gateway to prevent all traffic going through the VPN" for the second VPN if you don't want it to VPN your whole system's Internet connections.

You may need to make sure you don't get the same IP address in both VPNs though. If you are using the VPN script I linked above, the solution to that is here.

IPSec and Wireguard

Example for Elder Scrolls Online EU, 2nd VPN server ip address 114.42.23.44 and Interface ID 32 to use the second VPN

route ADD 159.100.224.0 MASK 255.255.240.0 114.42.23.44 METRIC 306 IF 32

OpenVPN

Windows OpenVPN Connect client does not permit more than one connection by default. More info here. But you can mix it with another VPN protocol like Wireguard and/or IPSec instead.

Tunnelling a VPN through another VPN and so on

Simply start the second VPN after the first VPN is active, making sure that you are routing the second VPN's server IP address through the first VPN.

IPSec and Wireguard

Here are the steps in number form

  1. Start the first VPN
  2. Route the second VPN's ip address through the first VPN. Example assuming second VPN is 123.123.123.2, and first VPN is 113.42.23.44, Interface ID 31

    route ADD 123.123.123.2 113.42.23.44 METRIC 306 IF 31
  3. Now start your second VPN. It should connect through the first VPN
  4. To route a game such as TruckersMP EU through the second tunneled VPN, get the Interface ID via route print

    route ADD 145.239.131.35 123.123.123.2 METRIC 306 IF 32

And if you are feeling adventurous, and want to tunnel a third VPN through the second VPN, assuming the third uses 111.123.123.3

route ADD 111.123.123.3 123.123.123.2 METRIC 306 IF <INTERFACE ID>

After running the above command, connect to the third VPN and so on. This may take some experimentation to work.

OpenVPN

Windows OpenVPN Connect client does not permit more than one connection by default. More info here. But you can mix it with another VPN protocol like Wireguard and/or IPSec instead.

How to route only selected IP addresses to the home's router and the rest through VPN

Here is how to do the opposite. Sometimes you may prefer to VPN your whole system but route only selected latency-sensitive IP addresses (such as game servers) to your home router.

For this case, you should NOT perform the "Disable Use default gateway to prevent all traffic going through the VPN" step listed above. If you have, simply reverse the changes.

After that, the steps are largely the same, with slight differences.

IPSec and Wireguard

Follow the steps below in the command prompt (Start > Run > CMD)

route print

Note the interface number of your home network. Usually it is the primary network card you use such as Realtek, Intel Wi-fi, D-Link, etc.

Structure the command as follows

For a single IP address:

route ADD <IP ADDRESS> <GATEWAY IP ADDRESS> METRIC 306 IF <INTERFACE ID>

For a subnet range of IP addresses:

route ADD <IP ADDRESS> MASK <SUBNET> <GATEWAY IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example for Elder Scrolls Online EU, home router ip address 192.168.1.1 and Interface ID 3

route ADD 159.100.224.0 MASK 255.255.240.0 192.168.1.1 METRIC 306 IF 3

OpenVPN

Edit the ovpn file

Put all the details in the ovpn file in this format: route [IP] [mask] net_gateway. The same format is used for a single IP address and for a subnet range of IP addresses.

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0 net_gateway

Tips

  • The Metric value is a way for the routing table to decide the best route to take when there are multiple possible routes to the same destination.
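To confirm which destinations actually leave through the VPN after adding routes, the selection rule can be applied to route print output: the most specific matching route (longest netmask) wins, and the metric only decides between routes of equal specificity. This is an added example, not part of the original article; the route print excerpt, the interface addresses 192.168.1.50 and 10.10.10.2, the metric values and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed `route print` excerpt (not captured from a real machine).
# 192.168.1.50 stands for the home NIC, 10.10.10.2 for the VPN adapter.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
    159.100.224.0    255.255.240.0     113.42.23.44       10.10.10.2    331
   145.239.131.35  255.255.255.255     113.42.23.44       10.10.10.2    331
"""

def parse_routes(text):
    """Extract IPv4 rows (destination, netmask, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or IPv6 row
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue
        routes.append({"net": net, "gateway": parts[2],
                       "interface": parts[3], "metric": int(parts[4])})
    return routes

def select_route(routes, dest):
    """Longest prefix first; lowest metric breaks ties between equal prefixes."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def tunneled(routes, dest, vpn_interface):
    """True when the winning route for dest uses the VPN adapter's address."""
    best = select_route(routes, dest)
    return best is not None and best["interface"] == vpn_interface

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for ip in ("145.239.131.35", "159.100.230.7", "159.100.240.1", "8.8.8.8"):
        print(ip, "-> VPN" if tunneled(table, ip, "10.10.10.2") else "-> home network")
```

Running the same check against addresses you did not intend to route is a quick way to spot a subnet mask that is wider than planned.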

How to delete all routes for a VPN

Simply disconnecting the VPN will remove all custom routes.

Best VPN protocol for gaming

I tested 3 VPN protocols - IPsec/L2TP, Wireguard and OpenVPN

The best was OpenVPN, followed by Wireguard and IPSEC. Overwatch 2 was the game used to test.

  • Wireguard gave the orange "packet loss" and "high latency" status symbols in Overwatch 2 when changing heroes and sometimes got lengthy loading screens, sometimes thrown back to the main menu after a long loading screen. Online
  • IPsec/L2TP failed to load Overwatch 2 when using certain Google servers - it kept saying "Lost Connection to Server" after "Entering Game" stage. Elder Scrolls Online did not seem to have any issues.
  • OpenVPN had none of the above issues in Overwatch 2

Last Updated 10 Mar 2024.

This document is Copyright(©) 2019 by G.Ganesh. Visit Bootstrike.Com (http://bootstrike.com).

All original content (©) Copyright 1997-2021 Bootstrike.Com (ACRA Reg. No 53084890B).