Domain Bypass
Domain bypass allows specified domains to be routed outside the encrypted VPN tunnel, directly through the regular internet connection. This can be beneficial in scenarios where certain traffic doesn't need to or shouldn't be sent through the VPN for performance, compatibility, or security reasons.
When domain bypass is configured, the VPN client checks each outgoing network request against a list of excluded domains. If the target domain matches an entry in the bypass list, the request is routed through the device's regular network interface and internet connection. If there's no match, the request is sent through the encrypted VPN tunnel as normal.
How it works
A domain can be assigned to more than one DNS record, and there is no way to obtain every address even for a single domain name. For example, Google uses many CDN servers, so opening google.com with and without the VPN will reach different servers.
Every request to an unknown resource starts with domain resolution. The SDK inspects those DNS responses, and if the resolved domain is in the bypass list, it immediately creates routes for the returned addresses.
The SDK does not store any data about the sites the user visits.
Domain bypass will not work if the user uses a DNS protection method such as DNS-over-TLS, since the SDK can no longer inspect the DNS responses it relies on. There is no way to resolve all IP addresses even for one domain.
Use Cases
There are several common scenarios where bypassing the VPN for certain domains can be advantageous:
Accessing Local Network Resources
If the VPN client is used on a device connected to a local network, accessing local network shares, printers, or intranet sites through the VPN may be unnecessary and could negatively impact performance. Bypassing the VPN for local domains keeps that traffic routing efficiently on the LAN.
Streaming Geo-Restricted Media
Some streaming platforms restrict content to certain geographic regions based on the user's IP address. When connected to a VPN, this can prevent the user from accessing media available in their actual physical location. Configuring a bypass for domains like netflix.com allows the user to stream content as if they weren't using a VPN.
Reducing VPN Server Load
If an organization has a large number of devices connected to a VPN but only actually needs to secure a subset of their traffic, using domain bypass for non-sensitive domains can significantly reduce the bandwidth and processing burden on the VPN server infrastructure.
Compatibility with Captive Portals
Captive portals, commonly found in public Wi-Fi networks, often require users to log in or agree to terms of service before granting internet access. By bypassing the VPN for captive portal domains, apps can ensure that users can properly authenticate and access the internet when connected to such networks.
Domain Matching Behavior
Understanding how domain patterns are matched is essential for configuring bypass rules correctly.
Exact String Matching
The domain matching algorithm performs exact string matching. This means that a pattern like example.com will only match example.com exactly—it will not match www.example.com or any other subdomain.
Pattern: example.com
Matches: example.com
Does not match: www.example.com, api.example.com
Wildcard Matching
The asterisk (*) acts as a suffix wildcard: it replaces zero or more characters at the beginning of the domain string. The pattern *example.com therefore matches any domain whose name ends in the characters example.com.
Pattern *example.com matches:
  example.com (zero characters replaced)
  www.example.com (www. replaced)
  api.example.com (api. replaced)
  myexample.com (my replaced — unintended)
Using *example.com may produce unintended matches. For instance, it would match malicious-example.com or notexample.com, because the wildcard replaces any characters before example.com — including partial domain names.
Best Practice: Matching a Domain and All Subdomains
To correctly match a domain and all its subdomains without unintended side effects, use two separate rules:
example.com — matches the base domain exactly
*.example.com — matches all subdomains (note the dot before the domain)
The dot (.) before the domain name ensures that only valid subdomains are matched:
Pattern: *.example.com
Matches: www.example.com, api.example.com
Does not match: example.com, malicious-example.com
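The matching rules described above, as an added example that is not the SDK's own code: a small model of the bypass-list matcher plus a check that flags overly broad wildcard rules before a rule set is deployed. It assumes names are compared in lower case (DNS is case-insensitive) and that only a leading asterisk is treated as the wildcard.

```python
from typing import List

# Added example, not the SDK's own code: a model of the bypass-list matching
# rules described on this page, so a rule set can be checked before deployment.
# Assumptions: names are compared in lower case (DNS is case-insensitive) and
# only a leading '*' is treated as the wildcard, as the page describes.


def matches(pattern: str, domain: str) -> bool:
    """True if domain matches pattern under the page's rules."""
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if pattern.startswith("*"):
        # Suffix wildcard: '*' stands for zero or more characters at the start,
        # so '*example.com' also matches 'notexample.com'.
        return domain.endswith(pattern[1:])
    # No wildcard: exact string match only, so subdomains do not match.
    return domain == pattern


def is_bypassed(rules: List[str], domain: str) -> bool:
    """True if any rule in the bypass list matches domain."""
    return any(matches(rule, domain) for rule in rules)


def overly_broad_rules(rules: List[str]) -> List[str]:
    """Rules of the form '*suffix' with no dot after the asterisk.

    Such rules also match unrelated domains that merely end in the suffix
    (e.g. 'malicious-example.com'), so they should be reviewed.
    """
    return [r for r in rules if r.startswith("*") and not r.startswith("*.")]


if __name__ == "__main__":
    rules = ["example.com", "*.example.com"]  # the recommended pair of rules
    for name in ["example.com", "api.example.com", "malicious-example.com"]:
        print(f"{name:24} bypassed={is_bypassed(rules, name)}")
    print("overly broad:", overly_broad_rules(["*example.com", "*.example.com"]))
```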
Platform
For Apple, see domain-bypass.md
For Android, see domain-bypass.md
For Windows, see domain-bypass.md