2

My understanding is that, in multi-homed hosts, the source IP address/NIC is chosen for any connection based on the routing table in the OS. Further, an application can also be designed to choose which source IP to use for a connection arising from that application.

But how does one application (the VPN) force another application (any) to use a specific interface/source IP?

From what I've read, there are apps like ForceBindIP which make this possible by DLL injection. But most programs block third-party DLL injections. So how is app-level split tunneling achieved by commercial VPN applications?

P.S. There is a similar post that was asked but has no answer: "How do these VPNs achieve per-app tunneling?"

Siva R
  • 31
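As an added example (not part of the original question), this shows the two source-address behaviours the question describes: the OS choosing the source IP when the application does not, and the application choosing it with an explicit `bind()` before `connect()`. It assumes a Linux host, where every address in 127.0.0.0/8 is local; the function name `observed_source` and the loopback addresses are constructed for illustration.

```python
import socket
import threading


def observed_source(dest_ip, bind_ip=None):
    """Connect to a throwaway local listener on dest_ip.

    Returns (source IP the client socket reports, source IP the listener saw).
    With bind_ip=None the OS selects the source address from its routing
    table; otherwise the application pins it with bind() before connect().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((dest_ip, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def accept_once():
        conn, peer = srv.accept()
        seen["ip"] = peer[0]        # what the remote end observes
        conn.close()

    t = threading.Thread(target=accept_once, daemon=True)
    t.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if bind_ip is not None:
            cli.bind((bind_ip, 0))  # application-chosen source address
        cli.connect((dest_ip, port))
        local = cli.getsockname()[0]
    finally:
        cli.close()

    t.join(timeout=5)
    srv.close()
    return local, seen.get("ip")


if __name__ == "__main__":
    # Constructed sample addresses on the loopback interface.
    print("OS-selected source: ", observed_source("127.0.0.1"))
    print("App-selected source:", observed_source("127.0.0.1", "127.0.0.2"))
```

The choice is made inside the connecting process itself, which is why forcing it on an unmodified application needs either code running inside that process or enforcement below it in the network stack.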

1 Answer

2

The commercial implementations usually use a kernel networking driver to achieve this. You can look at the source code of apps like Mullvad to see how it is done.

I am developing a Windows WireGuard VPN client that implements application-based split tunneling using a kernel networking driver: https://github.com/TunnlTo/desktop-app

brndn
  • 141