
How to route only certain IP Addresses to your VPN in Windows
Version 0.546

Recently I found out how to create my own VPN by firing up a Digitalocean droplet and simply running this script here.

However, Windows routes my whole PC's Internet through the VPN, which makes Gmail flag my account, Facebook ask for extra verification, websites ask for captchas, and causes other inconveniences.

The main reason I needed the VPN was to route selected games through it as my ISP's (Singtel) peering was very bad for games with Europe servers and the Digitalocean datacentre was a good middleman slashing my ping by as much as 200ms. Secondary reason was that Overwatch 2 queue times were very long in my region (Southeast Asia) during the times I play.

Here's how to make it such that only traffic to the IP addresses you choose is routed through the VPN, also known as split tunneling. Currently the guide only covers splitting the connection by IP address, not by app process. I am still trying to find a reliable way to assign a VPN tunnel to a process rather than to IP addresses, which would be more effective for games with numerous servers such as Overwatch 2.

Table of Contents

  1. Disclaimer
  2. Before Starting
  3. Disable "Use default gateway" to prevent all traffic going through the VPN
  4. How to route only one IP address through your VPN
  5. How to route a subnet of IP addresses
  6. Getting two VPNs active at the same time
  7. Tunnelling a VPN through another VPN and so on
  8. How to route only selected IP addresses to the home's router and the rest through VPN
  9. How to delete all routes for a VPN
  10. Best VPN protocol for gaming
  11. Best cloud computing platform to host your VPN server for gaming
  12. Why not just use Mudfish

Disclaimer

Proceed at your own risk! The information here is accurate to the best of our knowledge. We will not be held responsible if this document causes your computer to explode or burst into flames.

In real serious terms, if any corruption of data, hardware damage or any other kind of damage/losses/etc. arises from the use of this document, we cannot be held responsible for it. If you don't like this, please don't read any further.

Before Starting

This guide assumes you have installed and set up the VPN script here. There should be a VPN connection set up for you in Network Adapters.

Make a copy of the connection

It is best to work on a copy of the VPN connection in case things do not work out.

  • For IPSec: Simply right-click the connection and make a copy. The preshared key may not be carried over by the copy and will need to be entered manually. Edit the connection properties, go to Security > Advanced Settings and check that "Use preshared key for authentication" is filled in. If not, copy it from the original connection's properties.
  • For Wireguard: Add an empty tunnel and copy the settings from the original tunnel.
  • For OpenVPN: Simply make a copy of the OVPN file and add it again.

After creating a copy, you'll want to make sure the connection copy works before proceeding.

Disable "Use default gateway" to prevent all traffic going through the VPN

IPSec VPN

  1. Right-click on your VPN connection in Network Connections
  2. Click Properties
  3. Click Networking tab
  4. Select (click once) on the word Internet Protocol Version 4 (TCP/IPv4). Do not click on the box to untick it
  5. Click Properties
  6. Click Advanced
  7. Uncheck "Use default gateway on remote network"
  8. OK all the way out

Wireguard

Edit the tunnel properties

  1. Uncheck "Block untunneled traffic (kill-switch)", otherwise routed IP addresses will give a "General failure" error when you try to ping them.
  2. You will also need to "Edit" the tunnel and add Table = off under [Interface]. This is the Wireguard equivalent of unchecking "Use default gateway on remote network".

OpenVPN

Edit the .ovpn file and add these lines to it:

route-noexec
route-nopull

Update Apr 2024: "pull-filter ignore route-gateway" and "pull-filter ignore route-gateway" have been removed, as they caused an "ovpnagent request error" in the latest version of OpenVPN Connect.

Start your VPN before attempting the commands below. You'll notice that your whole system is no longer VPN'ed.

How to route only one IP address through your VPN

This is the easiest to do if you know the server IP address.

IPSec and Wireguard

Follow the steps below in an elevated command prompt (Start > CMD > (right-click "Command Prompt") > "Run as administrator")

route print

Note the interface number of your VPN

Structure the command as follows

route ADD <IP ADDRESS> <VPN SERVER IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example: if your game server's IP address is 145.239.131.35 (TruckersMP EU), the VPN server IP address is 113.42.23.44 and the Interface ID is 31:

route ADD 145.239.131.35 113.42.23.44 METRIC 306 IF 31

OpenVPN

For the OpenVPN protocol, routing with route commands does not seem to work; I got "Destination host unreachable" in all my attempts. You will need to edit the .ovpn file instead.

Put each route in the .ovpn file in the format route [IP] [mask].

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0

Example for TruckersMP (1 IP):

route 145.239.131.35 255.255.255.255

How to route a subnet of IP addresses

Some games like Overwatch have lots of IP addresses. You'll need to get all the relevant IP addresses with their subnet mask.

If unsure, use a gaming VPN such as Mudfish (new accounts come with free credit) to find the routes and subnet masks. Simply run route print before and after the VPN is active for that game, spot the differences and note the routes.
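Spotting the differences between two route print captures by eye gets tedious once a game adds dozens of routes. The script below is an added example (not part of this guide's original content or of the Mudfish product): it parses the IPv4 "Active Routes" table of two captures, ignores metric changes (connecting a VPN usually changes the metric of existing routes, which is not a route worth copying), and prints the routes that appeared, as CIDR blocks. The BEFORE and AFTER captures are constructed samples; paste your own in their place. The tunnel addresses 10.8.0.1 and 10.8.0.2 are assumed values.

```python
import ipaddress
import re

# One row of the IPv4 "Active Routes" table that `route print` shows:
# Network Destination   Netmask   Gateway   Interface   Metric
# The gateway column is either an address or the literal "On-link".
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+|On-link)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the IPv4 routes in `route print` output as a set of
    (destination, netmask, gateway, interface) tuples.
    The metric is deliberately dropped so that a metric change alone
    does not show up as a new route."""
    routes = set()
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dest, mask, gateway, iface, _metric = m.groups()
            routes.add((dest, mask, gateway, iface))
    return routes


def routes_added(before_text, after_text):
    """Routes present after the gaming VPN connected that were not there
    before, as sorted CIDR strings ready for a subnet calculator or for
    the route ADD commands used in this guide."""
    added = parse_route_print(after_text) - parse_route_print(before_text)
    nets = {ipaddress.ip_network(f"{dest}/{mask}") for dest, mask, _, _ in added}
    return [str(n) for n in sorted(nets)]


# Constructed `route print` excerpts (not real captures): BEFORE is a PC on a
# home LAN, AFTER is the same PC after a gaming VPN added two routes via an
# assumed tunnel interface 10.8.0.2 and raised the default route's metric.
BEFORE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
===========================================================================
"""

AFTER = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10   4250
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
   145.239.131.35  255.255.255.255         10.8.0.1        10.8.0.2     20
    159.100.224.0    255.255.240.0         10.8.0.1        10.8.0.2     20
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
===========================================================================
"""

if __name__ == "__main__":
    # Replace BEFORE and AFTER with your own captures (route print > before.txt etc.)
    for cidr in routes_added(BEFORE, AFTER):
        print(cidr)
```

Run it with your two captures saved to files and read into BEFORE and AFTER; the output is the list of subnets to feed into the route ADD commands below. Check each subnet against the game's known server ranges before routing it, since a broad prefix sends everything in it through the VPN.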

IPSec and Wireguard

Once you have obtained the IP addresses, follow the steps below in an elevated command prompt (Start > Run > CMD, run as administrator)

route print

To figure out the subnet mask for a range of IP addresses, you can use the tool at the bottom of this page. Input the IP address range and click "Calculate". Copy and paste the answer into the "CIDR to IP Range" box above and hit "Calculate". The subnet mask will be shown under "Netmask".

Note the interface number of your VPN

Structure the command as follows

route ADD <IP ADDRESS> MASK <SUBNET> <VPN IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example for Elder Scrolls Online EU, VPN server IP address 113.42.23.44 and Interface ID 31:

route ADD 159.100.224.0 MASK 255.255.240.0 113.42.23.44 METRIC 306 IF 31

Another example is Overwatch 2, a game which uses Amazon servers worldwide, so you will need to route a lot of IP addresses. Here is a sample of the routing you'll need to do, assuming VPN server IP address 113.42.23.44 and Interface ID 31:

route ADD 3.0.0.0 MASK 255.128.0.0 113.42.23.44 METRIC 306 IF 31
route ADD 3.128.0.0 MASK 255.128.0.0 113.42.23.44 METRIC 306 IF 31
route ADD 5.42.160.0 MASK 255.255.224.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.206.0 MASK 255.255.255.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.236.0 MASK 255.255.254.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.129.240.0 MASK 255.255.248.0 113.42.23.44 METRIC 306 IF 31
route ADD 12.130.192.0 MASK 255.255.192.0 113.42.23.44 METRIC 306 IF 31

You can get the full list of Amazon IP addresses here (JSON). We recommend getting the routes from Mudfish instead, as it is much easier: the subnet masks are also visible when you do a route print.
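Turning a list of subnets into dozens of route ADD lines by hand is error-prone, and the Amazon list comes as CIDR prefixes rather than the dotted masks Windows wants. The following script is an added example, not code from this guide or from Amazon: it covers the "IP range to netmask" calculation described above, pulls IPv4 prefixes out of a file in the layout of Amazon's ip-ranges.json (filtered by region, and deduplicated because the same prefix is listed once per service), and emits either the Windows route ADD commands used throughout this guide or the route lines used in the OpenVPN sections (with the net_gateway keyword when a subnet should go to the home router instead). The JSON excerpt is a constructed sample in that layout, not the real file, and the VPN server address 113.42.23.44 and Interface ID 31 are the same illustrative values as above.

```python
import ipaddress
import json

METRIC = 306  # the metric used throughout this guide


def _nets(networks):
    """Accept CIDR strings or ipaddress network objects interchangeably."""
    return [ipaddress.ip_network(str(n)) for n in networks]


def mask_for_range(first_ip, last_ip):
    """Cover an inclusive IP range with the fewest subnets, returning
    (network address, dotted netmask) pairs, i.e. what the guide's
    "IP range -> CIDR -> Netmask" calculator steps produce by hand."""
    first = ipaddress.ip_address(first_ip)
    last = ipaddress.ip_address(last_ip)
    return [
        (str(n.network_address), str(n.netmask))
        for n in ipaddress.summarize_address_range(first, last)
    ]


def prefixes_from_aws_json(text, regions=None, services=("AMAZON",)):
    """Unique IPv4 prefixes from a file in the layout of ip-ranges.json,
    optionally limited to some regions and services, sorted by address."""
    doc = json.loads(text)
    nets = set()
    for entry in doc["prefixes"]:
        if regions is not None and entry["region"] not in regions:
            continue
        if entry["service"] not in services:
            continue
        nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    return sorted(nets)


def windows_route_cmds(networks, gateway, interface_id, metric=METRIC):
    """Windows `route ADD` lines in the two forms used in this guide:
    a bare host route for a single address, the MASK form for a subnet."""
    cmds = []
    for n in _nets(networks):
        if n.prefixlen == 32:
            cmds.append(f"route ADD {n.network_address} {gateway} "
                        f"METRIC {metric} IF {interface_id}")
        else:
            cmds.append(f"route ADD {n.network_address} MASK {n.netmask} "
                        f"{gateway} METRIC {metric} IF {interface_id}")
    return cmds


def openvpn_route_lines(networks, via_home_router=False):
    """`route` lines for a .ovpn file. With via_home_router=True the
    net_gateway keyword sends that subnet out the normal gateway instead
    of through the tunnel (the "opposite" setup later in this guide)."""
    suffix = " net_gateway" if via_home_router else ""
    return [f"route {n.network_address} {n.netmask}{suffix}" for n in _nets(networks)]


# Constructed excerpt in the layout of ip-ranges.json; the real file has
# thousands of entries and these prefixes are only illustrative.
SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2024-06-06-00-00-00",
  "prefixes": [
    {"ip_prefix": "3.0.0.0/9",     "region": "ap-southeast-1", "service": "AMAZON"},
    {"ip_prefix": "3.128.0.0/9",   "region": "eu-central-1",   "service": "AMAZON"},
    {"ip_prefix": "3.128.0.0/9",   "region": "eu-central-1",   "service": "EC2"},
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2",      "service": "AMAZON"}
  ]
}"""

if __name__ == "__main__":
    # Example: route only the EU Frankfurt prefixes through the VPN.
    eu = prefixes_from_aws_json(SAMPLE_IP_RANGES_JSON, regions={"eu-central-1"})
    for cmd in windows_route_cmds(eu, "113.42.23.44", 31):
        print(cmd)
    for line in openvpn_route_lines(eu):
        print(line)
```

Paste the printed route ADD lines into an elevated command prompt, or the route lines into the .ovpn file. Filtering by region matters: the unfiltered Amazon list is enormous, and routing all of it through the VPN would send a great deal of ordinary web traffic through the tunnel, bringing back the Gmail and captcha problems the split tunnel is meant to avoid.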

OpenVPN

Edit the ovpn file

Put each route in the .ovpn file in the format route [IP] [mask].

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0

Getting two VPNs active at the same time

If you followed the "Disable Use default gateway to prevent all traffic going through the VPN" step in the first VPN's settings, simply use the same commands above and change the INTERFACE ID and VPN IP ADDRESS to point to the second VPN as required. route print will give these details.

You may also want to "Disable Use default gateway to prevent all traffic going through the VPN" for the second VPN if you don't want it to VPN your whole system's Internet connections.

You may need to make sure you don't get the same IP address in both VPNs though. If you are using the VPN script I linked above, the solution to that is here.

IPSec and Wireguard

Example for Elder Scrolls Online EU, 2nd VPN server IP address 114.42.23.44 and Interface ID 32, to use the second VPN:

route ADD 159.100.224.0 MASK 255.255.240.0 114.42.23.44 METRIC 306 IF 32

OpenVPN

Windows OpenVPN Connect client does not permit more than one connection by default. More info here. But you can mix it with another VPN protocol like Wireguard and/or IPSec instead.

Tunnelling a VPN through another VPN and so on

Sometimes the peering of your ISP with your VPN server results in higher than normal latency. The solution to this is to launch another VPN server where the peering latency is good between you and the original VPN server and use it as an additional intermediary to your VPN server.

Simply start the second VPN after the first VPN is active, making sure that you are routing the second VPN's server IP address through the first VPN. For my testing, I disabled default gateway for the first VPN.

IPSec and Wireguard

Here are the steps in number form

  1. Start the first VPN
  2. Route the second VPN's IP address through the first VPN. Example assuming the second VPN is 123.123.123.2, and the first VPN is 113.42.23.44 with Interface ID 31:

    route ADD 123.123.123.2 113.42.23.44 METRIC 306 IF 31
  3. Now start your second VPN, it should connect through the first VPN
  4. To route a game such as TruckersMP EU through the second, tunneled VPN, get its Interface ID via route print (32 in this example):

    route ADD 145.239.131.35 123.123.123.2 METRIC 306 IF 32

And if you are feeling adventurous, and want to tunnel a third VPN through the second VPN, assuming the third uses 111.123.123.3

route ADD 111.123.123.3 123.123.123.2 METRIC 306 IF <INTERFACE ID>

After running the above command, connect to the third VPN and so on. This may take some experimentation to work.

OpenVPN

Windows OpenVPN Connect client does not permit more than one connection by default. More info here. But you can mix it with another VPN protocol like Wireguard and/or IPSec instead.

If it does not seem to work or latency is higher than normal, the most likely cause is a firewall. Check your VPN server firewall configuration settings to ensure all UDP connections from your IP address are permitted.

Our recommendation is for the first VPN server to be OpenVPN and the second VPN server to be Wireguard. This saves time, as the OpenVPN config file already includes gateway disabling and the route for the one IP address. Mobile hotspot in Windows 10 also works with this configuration, although the IP address seen by hotspot devices may be the original IP address and not a VPN IP address.

We tried it with an OVH firewalled VPN server (with the appropriate ports open) but tunneling did not work properly: either there was no Internet or the latency was higher than normal. We swapped the OVH server for a Digitalocean one and it worked as expected.

How to route only selected IP addresses to the home's router and the rest through VPN

Here is how to do the opposite. Sometimes you may prefer to VPN your whole system but route only selected latency-sensitive IP addresses (such as game servers) to your home router.

For this case, you should NOT perform the "Disable Use default gateway to prevent all traffic going through the VPN" step listed above. If you have, simply reverse the changes.

After that, the steps are similar, with a few differences.

IPSec and Wireguard

Follow the steps below in the command prompt (Start > Run > CMD)

route print

Note the interface number of your home network. Usually it is the primary network card you use such as Realtek, Intel Wi-fi, D-Link, etc.

Structure the command as follows

For a single IP address:

route ADD <IP ADDRESS> <GATEWAY IP ADDRESS> METRIC 306 IF <INTERFACE ID>

For a subnet range of IP addresses:

route ADD <IP ADDRESS> MASK <SUBNET> <GATEWAY IP ADDRESS> METRIC 306 IF <INTERFACE ID>

Example for Elder Scrolls Online EU, home router ip address 192.168.1.1 and Interface ID 3

route ADD 159.100.224.0 MASK 255.255.240.0 192.168.1.1 METRIC 306 IF 3

OpenVPN

Edit the ovpn file

Put each route in the .ovpn file in the format route [IP] [mask] net_gateway. For a single IP address use the mask 255.255.255.255; for a subnet range use its subnet mask.

Example for Elder Scrolls Online EU (subnet):

route 159.100.224.0 255.255.240.0 net_gateway

How to delete all routes for a VPN

Simply disconnecting the VPN will remove all custom routes.

Best VPN protocol for gaming

I tested 3 VPN protocols: IPsec/L2TP, Wireguard and OpenVPN.

The best was OpenVPN, followed by Wireguard and IPSEC. Overwatch 2 was the game used to test.

  • Wireguard gave the orange "packet loss" and "high latency" status symbols in Overwatch 2 when changing heroes and sometimes caused lengthy loading screens, sometimes getting thrown back to the main menu after a long loading screen (this is disastrous in Competitive mode). Setup was the fastest though.
  • IPsec/L2TP sometimes failed to load Overwatch 2 - it kept showing the message "Lost Connection to Server" after the "Entering Game" stage. IPsec/L2TP also took the longest time to set up, especially on low resource VMs.
  • OpenVPN had none of the above issues in Overwatch 2. Setup time was tolerable.

Elder Scrolls Online did not seem to have any issues with any of the above protocols. But it was not properly tested.

Do you have more to share? Comment below!

Best cloud computing platform to host your VPN server for gaming

What's best for me may not be the best for you as it is dependent on ISP and country.

In order of best to neutral, based on Singapore (Singtel):

  1. Azure (Use this to test global pings) (Alternative)
  2. Google Cloud (Use this to test global pings)
  3. Digitalocean (Use this to test global pings)
  4. Linode (Use this to test global pings)
  5. Hetzner (Use this to test global pings)
  6. Amazon AWS (Use this to test global pings)

Note that if there's a Premium Bandwidth option, it should be used.

Azure is the best, but is also the most expensive and requires the most time to set up a simple Ubuntu Virtual Machine.

Google Cloud allows me to create a free "Instance Template" that I can use to fire up a VM (in Compute Engine) in a few seconds. You can even set it to auto delete in X hours, for situations where you may forget to delete the VM.

Why not just use Mudfish

Here are the reasons why I prefer not to use Mudfish:

  1. Dedicated resources. On Mudfish, a server may be used by many players at once. On my own VM, I am the only one using it (although resources are still shared with others).
  2. Cost. Believe it or not, it is cheaper using my dedicated VM as it is only running for a few hours. The savings are minuscule (in cents) but they add up.
  3. Cost for unexpected traffic. Sometimes a game will download its GBs of update over the VPN and that will use up your mudfish credits instantly. Using your own server does not avoid this but greatly reduces the cost.

Time is the major disadvantage. It takes me about 5 minutes to set up a server in Google Cloud now that I am used to it. On your first few attempts, you may take longer as you get accustomed to the process.

FAQ

Coming soon

Last Updated 6 June 2024.

Errors? Omissions? Need Help? Know something? Post your queries in the comments below.

This document is Copyright(©) 2019 - 2024 by G.Ganesh. Visit Bootstrike.Com (http://bootstrike.com).

All original content (©) Copyright 1997-2021 Bootstrike.Com (ACRA Reg. No 53084890B).