Introduction

V2Ray is a versatile proxy platform that supports multiple transport protocols, dynamic routing, and obfuscation. For administrators, developers, and enterprise users, selectively routing traffic—commonly known as split-tunneling—is a powerful way to balance privacy, compliance, and performance. This article provides a technical, step-by-step walkthrough to implement smart routing with V2Ray, covering JSON configuration, routing strategies, integration with system-level routing (iptables/policy routing), and debugging tips.

Why Split-Tunneling with V2Ray?

Split-tunneling allows you to direct only a subset of network traffic through the proxy while other traffic goes directly to the internet. Benefits include:

  • Reduced latency for local/whitelisted services by avoiding unnecessary proxy hops.
  • Bandwidth savings on the proxy server by excluding high-volume local content.
  • Regulatory compliance by keeping sensitive enterprise traffic on internal networks.
  • Fine-grained control for developers and administrators to apply different policies per app, IP range, or domain.

Core Concepts of V2Ray Routing

V2Ray’s routing is controlled by the “routing” object in the server/client JSON configuration. Key items to understand:

  • domainStrategy — determines how to resolve domains (AsIs, IPIfNonMatch, IPOnDemand).
  • rules — ordered list of matchers and actions (e.g., “outbound”, “direct”, “blocked”).
  • balancers — optional grouping used to load-balance multiple outbounds.
  • geoip/databases — V2Ray supports GeoIP-based matching for country-level rules.

Typical Routing Actions

Common actions in rules:

  • “outbound” — send traffic to a named outbound (e.g., proxy).
  • “direct” — bypass the proxy and send directly.
  • “block” — drop the matched traffic.

Sample JSON: Basic Split-Tunnel Rules

Below is a compact example to demonstrate domain and IP-based split-tunneling. Replace placeholders (e.g., “proxy-out”) with your actual outbound names.

{
“routing”: {
“domainStrategy”: “IPIfNonMatch”,
“rules”: [
{
“type”: “field”,
“domain”: [“geosite:cn”, “domain:internal.example.com”],
“outboundTag”: “direct”
},
{
“type”: “field”,
“ip”: [“geoip:private”, “10.0.0.0/8”, “192.168.0.0/16”],
“outboundTag”: “direct”
},
{
“type”: “field”,
“domain”: [“geosite:category-ads”],
“outboundTag”: “blocked”
},
{
“type”: “field”,
“outboundTag”: “proxy-out”
}
] }
}

Explanation:

  • First rule: domains in the CN geosite or a specific internal domain go direct.
  • Second rule: RFC1918 and other private ranges bypass the proxy.
  • Third rule: block ad domains using geosite categories.
  • Default rule: everything else uses the proxy outbound.

Advanced Matchers: Users, Ports, Network

V2Ray supports additional match criteria that make split-tunneling more granular:

  • inboundTag / outboundTag — useful when multiple inbound listeners exist (e.g., SOCKS for devs, HTTP for apps).
  • user — apply rules per authenticated user ID (useful for multi-tenant setups).
  • port — match by source or destination port ranges (e.g., route SSH differently).
  • network — match by transport layer type (tcp, udp, grpc, ws).

Example: route UDP DNS queries directly but TCP via proxy:

{
“type”: “field”,
“network”: “udp”,
“port”: “53”,
“outboundTag”: “direct”
}

System Integration: Transparent Proxying and Policy Routing

For server-wide split-tunneling (so individual apps don’t need per-app proxy settings), integrate V2Ray with system routing. Two common approaches:

TUN/TAP or tun2socks

On client systems, create a TUN interface and run a userspace proxy like tun2socks, or use V2Ray’s built-in dokodemo-door inbound to accept TUN traffic. Steps:

  • Create a TUN device and set it as the default route or selectively route IP ranges to it.
  • Start V2Ray with dokodemo-door listening on 0.0.0.0:PORT bound to the TUN interface.
  • Ensure local dns resolution is handled properly—consider running a local DNS resolver and configure domainStrategy accordingly.

iptables + ip rule (Policy Routing)

On Linux, use iptables to mark packets and then ip rule to route marked packets through a secondary routing table that points to a local proxy (e.g., with redsocks or TProxy). Basic outline:

  • iptables -t mangle -A OUTPUT -p tcp -m owner –uid-owner 1001 -j MARK –set-mark 1
  • ip rule add fwmark 1 table 100
  • ip route add default via 127.0.0.1 dev lo table 100

This approach lets you decide which user IDs or processes have traffic sent through V2Ray, effectively achieving app-level split-tunneling without per-app configuration.

Handling DNS: Avoiding Leaks and Split Decision Timing

DNS resolution is a common source of leaks. Two recommended strategies:

  • Do DNS over your proxy by configuring a DNS outbound that points to a remote resolver and creating routing rules so that DNS traffic uses the proxy.
  • Use domainStrategy carefully. IPIfNonMatch resolves domains to IPs and falls back; AsIs forwards the domain as-is to the outbound—useful for SNI-based routing.

When using system-level transparent proxying, ensure the local resolver does not perform final resolution for domains that should be proxied—otherwise the system might connect directly to resolved IPs.

Performance and Scalability Considerations

Split-tunneling is a trade-off. Consider:

  • Latency: Routing through the proxy adds RTT. Keep latency-sensitive services direct.
  • Throughput: The proxy server network and encryption overhead limit throughput. Exclude heavy downloads from the tunnel where possible.
  • Server capacity: Use balancers or multiple outbounds for load distribution.
  • Caching and CDN: Directing traffic to local CDN endpoints avoids unnecessary proxy hops.

Troubleshooting and Debugging

Common debugging techniques:

  • Enable V2Ray logging with level “debug” in the “log” block to get detailed connection traces.
  • Use tools like tcpdump/wireshark on client and server to verify packet paths and DNS queries.
  • Temporarily add rules with explicit domain or IP and test connectivity to isolate rule mismatches.
  • Check alignment between geosite/geoip data versions and your V2Ray binary — outdated lists can misclassify domains.

Example debugging JSON snippet (enable debug logging):

{
“log”: {
“access”: “/var/log/v2ray/access.log”,
“error”: “/var/log/v2ray/error.log”,
“loglevel”: “debug”
}
}

Security Best Practices

When implementing split-tunneling for enterprise use, follow these guidelines:

  • Least privilege: Only proxy traffic that requires obfuscation or cross-border traversal.
  • Authentication: Use user-level authentication (VMess, VLess with VLess+TLS) and per-user routing rules to separate tenant traffic.
  • Encryption: Always enable TLS or an obfuscation layer to prevent DPI and man-in-the-middle attacks on proxy links.
  • Logging policies: Limit what you log and ensure logs are stored securely to maintain privacy and compliance.

Deployment Patterns for Enterprises

Recommended patterns depending on needs:

  • Development teams: Use a SOCKS inbound per developer and route only developer subnets through the proxy with user-based rules.
  • Office networks: Use a gateway approach: edge firewall marks external-bound traffic and policy routes certain subnets through a central V2Ray cluster.
  • Multi-tenant hosting: Use per-tenant outbounds with balancing and user-based routing to enforce isolation and scalability.

Conclusion and Next Steps

Configuring V2Ray split-tunneling gives administrators and developers a flexible way to manage traffic flows with precision. Start with the JSON examples here, test thoroughly in a controlled environment, and incrementally tighten rules. For system-wide deployments, combine V2Ray routing with iptables/policy routing or TUN-based solutions to achieve seamless, transparent split-tunnel behavior.

For more in-depth guides and practical deployment resources, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.