How to Exempt Websites on your VPN

One of the reasons for getting a VPN is to protect your computer or mobile device from external threats, or to hide your browsing activity. So you might be wondering, “Why would I want to exempt a website from a VPN?” There are a number of instances where you might want to restrict your VPN. One example is if you are living outside the US, and you are using a VPN to access services like Netflix. You might then want to access a local website, but the site has blocked access with a VPN. Therefore, to reach the local site, you would think to disconnect your VPN – but this makes it inconvenient to then watch Netflix, and it can also leave your device vulnerable. Therefore, we will explain how to modify your VPN connection to bypass VPN for certain websites to exempt websites without disabling your VPN’s protection.

There are two essentially two approaches to achieving this:

1. Send all the traffic out over your VPN, except for specific sites.
2. Only send traffic for specific sites out over your VPN.

You can complete the first approach with only a simple change to the OpenVPN configuration file. Option two requires that you make an entry in your routing table. Option two is slightly more complicated, but effective. Below we will show you how to do both.

How to Exclude Specific Websites From Your VPN

Whether you are using ExpressVPN, NordVPN, or another VPN provider, the way each has set up OpenVPN is going to be basically the same. So these instructions will work for almost any VPN in order to exempt websites from your VPN.

First, if you are using Windows VPN, or any other VPN, then the only way you can exclude specific websites is with OpenVPN. It is the only VPN software that lets you edit the configuration in a simple text file.

To get started, you will need:

1. The IP address of your home or office Wi-Fi router.
2. The IP address of the site that you want to exclude.
3. The location of your OpenVPN configuration file.

To find the IP address of the website you want to exclude, go to the command prompt, meaning run cmd, then type:

ping website

You can’t use the domain name, only the IP address. In this example, to show how this works (and that it does work) we pick whatsmyip.org. Its IP address is 208.64.38.55.

To obtain the IP address of your Wi-FI router you need to run:

ipconfig /all

Look for the text that says “Default Gateway”. For most home or small offices, the IP address will be 192.168.1.1. In the example above it is 192.168.1.2.

Now open the .opvn config file associated with your VPN connection. You could have copied it from anywhere, but most likely it is located in C:\Program Files\OpenVPN\easy-rsa.

Add this line anywhere in the file, changing the IP address 208.64.38.55 to the site you picked.

route 208.64.38.55 255.255.255.255 192.168.1.1

Now restart OpenVPN. What we did is tell the computer to use the regular Wi-Fi IP address when accessing that site. If you were to look, by running route print or ifconfig /all, you will see all other traffic is using the VPN internal IP address, which probably starts with 10.

Now Test It

Here we test it by going to two different websites that show your IP address, www.whatsmyip.org and www.HideMyAss.com. Go to www.whatsmyip.org. Note the IP address below.

And below is the IP address shown on www.HideMyAss.com. Note that it is different from the IP address from www.whatsmyip.org. The site also tells you where you are geo-located. As you can see it says USA, instead of another country.

Send Traffic Out Via VPN Only for Certain Sites

This configuration is slightly more complex, as you can’t simply add an entry to the .opvn config file. This is because you need the IP address of the VPN connection, and that will not be the same every time you connect. That is not the same as the IP address of your VPN server. It is the internal IP address created by OpenVPN.

If you were to run OpenVPN from the command line and look at the logs, you would see a command like this one:

ip route add 0.0.0.0/0 via 10.3.122.254

The basically means send all traffic (0.0.0.0/0) out over the IP address 10.3.122.254. That is an internal IP address created on your computer. It is not the same as the IP address of the VPN server that you are connecting to.

Add this entry to .opvn. It tells OpenVPN to not update the routing table when you connect. In other words it says do not alter any traffic.

route-nopull

Then, using ipconfig or on Ubuntu ifconfig or ip route list note the internal IP address. On Windows you can also use routeprint.

The IP address you need will probably start with 10. And it will be associated with the VPN connection shown as tap or tun.

Below is what it looks like on Ubuntu with the internal address highlighted in red.

default via 192.168.1.1 dev eno1
10.3.123.0/24 dev tun0 proto kernel scope link src 10.3.123.170
169.254.0.0/16 dev eno1 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.82 metric 100

Then enter this into the command prompt:

ip route add 208.64.38.55 via 10.3.122.0

On Windows you will use:

route add 208.64.38.55 mask 255.0.0.0 10.3.122.0

Now all traffic will go out in the normal way, and only traffic for the exempted website mentioned above will use your VPN. You can make as many routing table entries as you want like this.

If you want to learn more about VPNs, and how to get the most out of your VPN, you can check out these great articles.