Selective-VPN

This scenario lets you selectively send some app traffic to an L3VPN/L4Proxy while keeping most other app traffic on your local internet connection (Wi-Fi or cellular network), to improve your experience when using VPNs.

Sample Configuration

L3VPN/L4Proxy interface

Let's use a WireGuard L3VPN interface as an example.

You can create a WireGuard L3VPN interface in any of the following ways:

  • Import a WireGuard configuration from iCloud. The config file can be downloaded from major VPN providers such as Mullvad and Windscribe.
  • Scan the QR code with your phone camera. VPN providers such as Mullvad support generating a QR code.
  • Create the WireGuard interface manually based on your self-hosted WireGuard server.

App Routing

In this scenario, you do need to enable App Routing. Enable it with the App Routing toggle on the main screen of the app.

You should add the following routes in the App Routing section:

  • VPN Domain Set to the L3VPN interface created in the above step

    First, create the domain set and add the domains related to the apps you want to route to the L3VPN interface. This route sends all the traffic associated with the domains in the VPN Domain Set to that interface.

  • VPN CIDR Set to the L3VPN interface created in the above step [1]

    First, create the CIDR set and add the IP ranges related to the apps you want to route to the L3VPN interface. This route sends all the traffic associated with the IP ranges in the CIDR Set to that interface.

  • VPN DNS server IP CIDR to the L3VPN interface

    Create a route for the VPN DNS server you configured in the Split DNS Settings.

    This route ensures that queries for domains in the VPN Domain Set reach the VPN DNS server through the L3VPN interface instead of the local internet. Sending them over the local internet may cause DNS pollution, return incorrect IPs, and prevent the apps from working correctly.

  • DNS fallback route to Direct Virtual interface

    Since you define only a limited number of domains in the Domain Set, you must configure a DNS fallback route that specifies how domains not present in any Domain Set should be handled. When it is set to the Direct Virtual interface, those domains are queried using the Direct DNS servers configured in the step below.

  • 0.0.0.0/0 to Direct Virtual interface.

    This keeps most of the traffic routed to the local internet.

VPN & DNS Settings

You can't set up the primary and secondary DNS servers in the DNS Settings of the VPN Settings, because iOS will use the internal VPN server of the MintFlow NetStack if App Routing is enabled.

You must set up both the VPN DNS servers and the Direct DNS servers in the Split DNS settings.

You do not need to specify the route for the Direct DNS server since it's covered by the above 0.0.0.0/0 route.

To differentiate VPN DNS and Direct DNS servers, we recommend you use the following servers:

  • VPN DNS servers

    Use 8.8.8.8 and 8.8.4.4. Some VPN providers, such as Windscribe, provide customized DNS servers that can perform ad blocking. You can find these in the WireGuard configuration file or view them in the app's interface section, where we have saved the original configuration data as debug data.

  • Direct DNS servers

    Use 1.1.1.1 and 1.0.0.1, or other local internet-provided DNS servers, or your self-hosted Pi-hole DNS server.
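The App Routing and Split DNS rules above can be checked together with a small model. The following is an added example, not code from the app: it assumes longest-prefix matching for CIDR routes and suffix matching for domain sets, and the interface names "wg0" and "direct", the domain and the CIDR range are hypothetical placeholders. It reports which VPN DNS servers would be reached over the local internet if the VPN DNS server route were left out.

```python
import ipaddress

# Constructed sample policy mirroring the routes on this page.
# "wg0"/"direct" and the domain/CIDR values are hypothetical placeholders.
VPN_DOMAINS = {"example-stream.test"}      # VPN Domain Set
VPN_CIDRS = ["198.51.100.0/24"]            # VPN CIDR Set
VPN_DNS = ["8.8.8.8", "8.8.4.4"]           # VPN DNS servers (from the page)
DIRECT_DNS = ["1.1.1.1", "1.0.0.1"]        # Direct DNS servers (from the page)

def build_routes(include_dns_route=True):
    """Route table: CIDR set and VPN DNS /32s to wg0, 0.0.0.0/0 to direct."""
    routes = [(c, "wg0") for c in VPN_CIDRS] + [("0.0.0.0/0", "direct")]
    if include_dns_route:
        routes += [(ip + "/32", "wg0") for ip in VPN_DNS]
    return [(ipaddress.ip_network(c), iface) for c, iface in routes]

def route_ip(routes, ip):
    """Pick the interface by longest-prefix match (assumed behaviour)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, iface) for net, iface in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def in_vpn_domain_set(name):
    """Suffix match against the domain set (assumed behaviour)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in VPN_DOMAINS)

def dns_plan(routes, name):
    """(resolver, interface) pairs for a lookup; fallback goes to Direct DNS."""
    servers = VPN_DNS if in_vpn_domain_set(name) else DIRECT_DNS
    return [(s, route_ip(routes, s)) for s in servers]

def dns_leaks(routes, name):
    """VPN resolvers whose queries for a VPN-set domain bypass the tunnel."""
    if not in_vpn_domain_set(name):
        return []
    return [s for s, iface in dns_plan(routes, name) if iface != "wg0"]

if __name__ == "__main__":
    for label, table in (("with DNS route", build_routes()),
                         ("without DNS route", build_routes(False))):
        print(label, dns_leaks(table, "cdn.example-stream.test"))
```
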

Desired Behavior

With this configuration, only the traffic of selected apps will be routed to the VPN, while most of the remaining iOS app traffic will be routed to the local internet.

This scenario can be used to unlock some content that is blocked (such as Netflix) in your location.


  1. This is optional if the apps only use domains to provide service to you.