FR: Bypass exit nodes for certain domains

[Renari]

What are you trying to do?

When using an exit node I would like to route all traffic from specific applications through tailscale while allowing other applications direct access.

How should we solve this?

Normally this is done when turning on an exit node, you would set a whitelist for applications that would use said exit node.

What is the impact of not solving this?

Currently you would have to use the exit node globally in Tailscale which is not ideal for:

• Bandwidth sensitive applications
• Latency sensitive applications

Or use VPN service that supports split tunneling instead.

Anything else?

No response

[DentonGentry]

whitelist for applications that would use said exit node.

This suggestion of specific applications to bypass the VPN comes up most often for Android, which has an API in its VpnBuilder interface to do this. Is Android the main point of the feature request?

[Renari]

No, there is already an issue up for Android here: #6912

My use-case would be for desktop.

[DentonGentry]

While not exactly the feature requested, I suspect that #1748 will meet the actual need by making certain domains go through the tailnet to a particular egress node.

[jwty]

Instead of bypassing specific domains, would it be possible to bypass entire applications? I think this feature would complement recently announced Mullvad integration really nicely. Big part of Mullvad package is its mullvad-exclude component which makes setting up a split tunnel as simple as launching any application you want to split tunnel through it, either from terminal or through the Mullvad GUI. Thanks to that there's no need to figure out which domains would the application connect to beforehand. For real life usage example, MultiViewer (a motorsport desktop client) supports watching multiple different racing series through it, With Mullvad's split tunneling I can just split tunnel an entire application instead of bypassing dozen of different and sometimes changing domains, while keeping rest of my computer's network connections running through VPN.

[Renari]

That was my original intent, to bypass applications, not domains or conversely only run specific applications through the VPN.

[scuffedjosh]

Would love to see this happen on Linux. If implemented, I'd sign up for Mullvad on Tailscale right away.

[unusualevent]

per-application routing would be pretty damn cool. Could also do per-binary tailnet ACLs.

[davemuench]

Bypassing certain domains, networks or supporting split tunneling is something I thought was already in the new Mullvad support in the Linux client, but based on my testing it doesn't look that way. Would love to see this as I can't use Mullvad via Tailscale till it supports something along these lines, and unfortunately I am going to have to cancel my subscription for now.