We have a requirement to bypass application/domain specific traffic from the Wireguard VPN interface without modifying the Wireguard code.
How can we achieve this using the WFP framework?
Wireguard internally creates its own interface & routes this traffic to its interface and sends all the traffic to the Wireguard server using this interface.
Now we want some applications/domains to not use wireguard VPN and go directly to the internet.
We are parsing DNS requests to get an IP address for the domain using FWPS_LAYER_DATAGRAM_DATA_V4 | FWPS_LAYER_DATAGRAM_DATA_V6 classify routine.
How can we prevent the matching application/domain from going through the Wireguard VPN tunnel?
Comments
You can use the "route" command to do this. No programming is required.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
We can only add an IP address there. How can we add an application/domain?
If you know the domain name, then you know the IP. Right?
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
What you are talking about is called policy routing. Normal IP routing considers only the destination IP address and finds the next hop, and egress interface, for each packet based on a single routing table. This is true for both IPv4 and IPv6.
With policy routing, additional factors extend the route lookup process. Typically, protocol, port and source IP. But other factors like the time of day are also considered by some implementations.
For server versions of Windows, the network policy server feature implements some policy routing. I'm not aware of any other support in Windows for policy routing. Typically, Windows hosts leave most routing decisions to network devices like firewalls and routers.
To implement a policy routing filter, you first need to EXACTLY quantify the kind of policy that you plan to support, and then think about how you will obtain the required information to inform policy decisions.
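The difference between destination-only routing and policy routing described in the comment above, as an added example that is not part of the thread and is not WFP or Wireguard code: a user-mode C model in which a longest-prefix-match table sends everything to the tunnel, and a policy rule keyed on application, protocol and port overrides it. All names, interfaces and table entries are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Egress interfaces; all names and sample values here are constructed. */
enum { IF_NONE, IF_TUNNEL, IF_PHYSICAL };

struct route  { uint32_t prefix; uint8_t len; int egress; };
/* A policy rule matches on more than the destination; NULL / 0 = wildcard. */
struct policy { const char *app; uint8_t proto; uint16_t dport; int egress; };
struct flow   { const char *app; uint32_t dst; uint8_t proto; uint16_t dport; };

static uint32_t mask_of(uint8_t len) { return len ? ~(uint32_t)0 << (32 - len) : 0; }

/* Normal routing: longest-prefix match on the destination address only. */
int route_lookup(const struct route *rt, size_t n, uint32_t dst)
{
    int best = IF_NONE, best_len = -1;
    for (size_t i = 0; i < n; i++)
        if ((dst & mask_of(rt[i].len)) == rt[i].prefix && rt[i].len > best_len) {
            best = rt[i].egress;
            best_len = rt[i].len;
        }
    return best;
}

/* Policy routing: first matching rule wins, else fall back to the table. */
int policy_lookup(const struct policy *pl, size_t np,
                  const struct route *rt, size_t nr, const struct flow *f)
{
    for (size_t i = 0; i < np; i++) {
        if (pl[i].app && (!f->app || strcmp(pl[i].app, f->app) != 0)) continue;
        if (pl[i].proto && pl[i].proto != f->proto) continue;
        if (pl[i].dport && pl[i].dport != f->dport) continue;
        return pl[i].egress;
    }
    return route_lookup(rt, nr, f->dst);
}

/* Constructed tables: default route via the tunnel, LAN via the physical NIC,
   and one rule sending browser.exe TCP/443 out the physical NIC. */
const struct route  ROUTES[] = { {0x00000000, 0, IF_TUNNEL}, {0xC0A80100, 24, IF_PHYSICAL} };
const struct policy RULES[]  = { {"browser.exe", 6, 443, IF_PHYSICAL} };

int main(void)
{
    struct flow f = { "browser.exe", 0x5DB8D822, 6, 443 };   /* 93.184.216.34 */
    printf("table=%d policy=%d\n", route_lookup(ROUTES, 2, f.dst), policy_lookup(RULES, 1, ROUTES, 2, &f));
    return 0;
}
```

The same destination address resolves to the tunnel by table lookup and to the physical interface once the rule is consulted, which is why the policy inputs (application identity, protocol, port) have to be defined and obtainable before any filter is written.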