Domain Bypass

Domain bypass allows users to selectively route internet traffic for specific domains outside of a VPN connection. This feature provides flexibility in managing network traffic, optimizing performance, and maintaining access to certain resources that may be restricted or perform poorly when accessed through a VPN.

Understanding Domain Bypass Configuration

At its core, domain bypass is controlled through a configuration structure that specifies which domains should bypass the VPN. This configuration typically includes three main components:

1. A boolean flag to enable or disable bypass functionality

2. A list of domains that should bypass the VPN

3. An optional DNS server to use for bypassed domains

For example, a basic domain bypass configuration might look like this:

let bypassConfig = BypassConfiguration(
    isBypassEnabled: false,
    bypassDomains: ["*domain1.com", "domain2.net", "domain3.org"],
    bypassDNSServer: nil
)

• Since we do not provide default values for this initializer at the moment, you need to explicitly specify isBypassEnabled: false.

• It's important to be aware that if you use isBypassEnabled: true, it will result in a full bypass, meaning that all traffic will be bypassed and not routed through the VPN.

The resulting BypassConfiguration instance may look like this when inspected:

{
  bypassDomains = 3 values {
    [0] = "*domain1.com"
    [1] = "domain2.net"
    [2] = "domain3.org"
  }
  bypassDNSServer = nil
  bypassDomainsBehaviour = bypass
}

The configuration supports wildcards. In the example, *domain1.com will match any domain ending with domain1.com. See the Domain Matching Behavior section below for important details on how patterns are matched.

Currently WireGuard protocol does not support wildcards as it is expects IPv4 addresses to be provided for bypassing. Domain names are undergoing conversion in this case and wildcard representation can't be converted without significant delays in protocol workflow.

Domain Matching Behavior

Understanding how domain patterns are matched is essential for configuring bypass rules correctly.

Exact String Matching

The domain matching algorithm performs exact string matching. This means that a pattern like example.com will only match example.com exactly—it will not match www.example.com or any other subdomain.

Pattern	Matches	Does NOT Match
example.com	example.com	www.example.com, api.example.com

Wildcard Matching

When you use an asterisk (*) at the beginning of a pattern, it matches any domain ending with that string. For example, *example.com will match:

• example.com

• www.example.com

• api.example.com

• anything-else-example.com (unintended match)

Pattern	Matches
*example.com	example.com, www.example.com, myexample.com, test-example.com

Using *example.com may produce unintended matches. For instance, it would match malicious-example.com or notexample.com since these strings end with example.com.

Best Practice: Matching a Domain and All Subdomains

To correctly match a domain and all its subdomains without unintended side effects, use two separate rules:

let bypassDomains = [
    "example.com",      // Matches the base domain exactly
    "*.example.com"     // Matches all subdomains (note the dot before the domain)
]

The dot (.) before the domain name ensures that only valid subdomains are matched:

Pattern	Matches	Does NOT Match
*.example.com	www.example.com, api.example.com	example.com, malicious-example.com

Configuration Requirements

For domain bypass to function correctly, ensure that the following are properly configured:

• Bypass Interface: The network interface for bypassed traffic must be correctly specified and active (e.g., if set to wired ethernet, but the device is using Wi-Fi, bypass will not work as expected).

• Bypass DNS Server: If specified, the DNS server used for resolving bypassed domains must be reachable and correctly configured.

If domain bypass is not working as expected, verify that both the bypass interface and bypass DNS server settings match the actual network configuration of the device.

Use Cases

Use Case	Description
Improved Performance	For domains that don't require VPN protection, such as content delivery networks (CDNs) or local network resources, bypassing the VPN can improve network performance and reduce latency. This is especially beneficial for apps that heavily rely on media streaming or frequent communication with local devices.
Access to Local Resources	When connected to a VPN, Apple devices may have difficulty accessing resources on the local network, such as printers, smart home devices, or media servers. By bypassing the VPN for local network domains, apps can seamlessly communicate with these resources while still maintaining VPN protection for other connections.
Compliance with Regional Restrictions	Some services or content may be restricted or have different behavior based on the user's geographical location. If an app needs to access such services or content, bypassing the VPN for those specific domains allows the app to comply with regional restrictions and provide the appropriate user experience.
Compatibility with Captive Portals	Captive portals, commonly found in public Wi-Fi networks, often require users to log in or agree to terms of service before granting internet access. By bypassing the VPN for captive portal domains, apps can ensure that users can properly authenticate and access the internet when connected to such networks.

macOS Network Extension Requirements

When using domain bypass on macOS with Network Extensions (app extensions), you must ensure the App Sandbox capability is properly configured.

App Sandbox Configuration

For macOS apps using Network Extensions (not System Extensions), the main application target must have the App Sandbox capability with "Incoming Connections (Server)" enabled. This corresponds to the com.apple.security.network.server entitlement.

Without this configuration, bypassed domains may fail to load even though the bypass configuration appears correct.

How to Enable

1. In Xcode, select your Application target

2. Go to Signing & Capabilities

3. Ensure App Sandbox is enabled

4. Under App Sandbox, check "Incoming Connections (Server)" under the Network section

Alternatively, add the following to your application's entitlements file:

<key>com.apple.security.network.server</key>
<true/>

This requirement applies only to macOS apps using Network Extensions (app extensions). It does not apply to:

• iOS apps: App Sandbox works differently on iOS

• macOS apps using System Extensions: System Extensions run in a separate system-managed process with their own entitlements and do not require App Sandbox configuration

Why This Is Required

Network Extensions (app extensions) run with the privileges of the calling application. When domain bypass is configured, the VPN needs to allow certain traffic to flow outside the tunnel, which requires the application to have network server capabilities enabled in its sandbox.

System Extensions, by contrast, run as standalone processes managed by the system with their own entitlements, so they don't inherit sandbox restrictions from the main application.