Introduction

Split-tunneling is an essential technique for optimizing network traffic when using proxy frameworks like V2Ray. Instead of forcing all traffic through a single encrypted tunnel, split-tunneling lets you selectively route traffic through V2Ray (the secure proxy) or directly to the public internet. For site administrators, enterprise operators, and developers, split-tunneling reduces latency for local services, minimizes bandwidth costs, and enforces fine-grained access control — all while preserving privacy for sensitive flows.

Why Split-Tunneling with V2Ray?

V2Ray is a versatile proxy platform with flexible routing capabilities. Out of the box it supports multiple protocols (VMess, VLESS, SOCKS, HTTP), stream multiplexing, obfuscation, and advanced routing rules. Implementing split-tunneling with V2Ray provides several concrete benefits:

  • Performance: Route high-bandwidth, latency-sensitive services (CDNs, video, backups) directly to the internet, avoiding extra hops.
  • Security selectively applied: Only sensitive traffic (SSH, corporate apps, databases) traverses the encrypted tunnel.
  • Cost and throughput control: Reduce bandwidth usage on metered links or VPN concentrators by excluding non-critical traffic.
  • Compliance and access control: Keep region-restricted or local-only services accessible while tunneling other flows for compliance reasons.

Core Concepts and Architecture

Split-tunneling with V2Ray typically involves three logical components:

  • Client-side V2Ray instance: Runs on the user’s machine, intercepting selected traffic via transparent proxying, SOCKS/HTTP proxy, or local routing rules.
  • V2Ray server (remote): Receives proxied traffic and forwards it to the internet, optionally through additional relays.
  • Routing rules: The heart of split-tunneling — a set of match conditions (domain lists, IP ranges, port-based rules) that decide whether a packet is proxied or sent directly.

Deployment Models

Common deployment approaches include:

  • Per-host routing: Configure clients with routing tables or iptables rules that redirect only specific processes or destination IPs through V2Ray.
  • Per-application routing: Use OS-level features or third-party tools (e.g., proxychains, Proxifier) to direct particular apps via V2Ray.
  • Transparent gateway: A gateway machine intercepts traffic from LAN devices and applies split-tunnel rules centrally.

V2Ray Routing: Practical Configuration

V2Ray v4+ uses a JSON configuration with sections like “inbounds”, “outbounds”, and “routing”. Split-tunneling is achieved primarily by specifying precise routing rules that match domains, IP ranges, or ports and assign them to either a direct outbound or the proxy outbound. Below is a compact example illustrating a split-tunnel setup:

Minimal routing snippet (the JSON value of the top-level “routing” key in the V2Ray config):

{
  "domainStrategy": "IPIfNonMatch",
  "rules": [
    {
      "type": "field",
      "domain": ["geosite:china", "domain:local.company.internal"],
      "outboundTag": "direct"
    },
    {
      "type": "field",
      "domain": ["geosite:blocked-services"],
      "outboundTag": "proxy"
    },
    {
      "type": "field",
      "network": "tcp,udp",
      "outboundTag": "direct"
    }
  ]
}

Key points in the example:

  • domainStrategy: “IPIfNonMatch” matches on the domain name first; only when no domain rule matches is the name resolved and the result matched against IP rules, which reduces leakage.
  • geosite: Built-in domain sets (e.g., geosite:china) allow grouping large rule sets without listing every domain.
  • outboundTag: Controls whether traffic goes via “proxy” or “direct” outbound objects defined in “outbounds”.

Outbounds Definition

Ensure you define outbounds for both direct and proxy behavior. A simple example:

{
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [{ "address": "server.example.com", "port": 443, "users": [{ "id": "…", "alterId": 0 }] }]
      },
      "streamSettings": { "network": "tcp", "security": "tls" }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

The “freedom” protocol sends traffic directly to the destination IP.

Advanced Matching Techniques

For enterprise-grade split-tunneling, simple domain matches might be insufficient. Consider the following advanced techniques:

IP CIDR Matching

Route entire IP ranges (e.g., AWS ranges, internal subnets) by listing them in routing rules using “ip”:

{
  "type": "field",
  "ip": ["10.0.0.0/8", "172.16.0.0/12", "203.0.113.0/24"],
  "outboundTag": "direct"
}

Process-Level Split-Tunneling

Operating-system-specific tools can be used to bind certain processes to proxy ports. On Linux, you can combine iptables + ip rule + ip route + a separate network namespace to force chosen processes through V2Ray’s TPROXY/SOCKS port. On Windows and macOS, third-party tools (e.g., ForceBindIP, Proxifier) perform process-level redirection.

Domain Suffix and Regex Matching

V2Ray supports domain suffix rules (domain:google.com matches the domain and its subdomains) as well as wildcard and regular-expression patterns. For more control, pre-populate custom geosite lists or use community-maintained lists tailored to your organization’s needs.

Transparent Proxying (TPROXY) Setup

For gateway-based split-tunneling where client devices are unmodified, set up V2Ray with a transparent inbound (e.g., “dokodemo-door”) that accepts redirected TCP/UDP via iptables TPROXY rules. A concise outline:

  • Set up V2Ray inbound using “dokodemo-door” bound to 0.0.0.0:12345 and “transparent”: true.
  • On Linux gateway, use iptables (and ip rule/ip route for UDP) to redirect desired traffic to that port only for selected source subnets or destination IPs.
  • Configure V2Ray routing rules to decide what to proxy vs direct.

TPROXY is powerful because you can control split-tunneling per client IP or per VLAN without installing software on client devices.

Testing and Verification

After configuring split-tunneling, validate behavior using these steps:

  • Use traceroute/tracert to confirm the path for a proxied host vs a direct host. Proxied traffic should show the V2Ray server as the next hop (or at least a different path) depending on configuration.
  • For web traffic, visit IP-identifying services (e.g., “what is my ip”) from proxied and direct apps to confirm different exit IPs.
  • Monitor V2Ray logs at “access” and “log” levels to see which rule matched and confirm whether traffic was sent via the “proxy” or “direct” outbound.
  • Use tcpdump or Wireshark on gateway interfaces to confirm which flows are being redirected and whether DNS lookups leak.

DNS Considerations and Leak Prevention

DNS is a common source of unintended leaks. If a DNS query is resolved locally while the corresponding traffic is proxied, adversaries or local DNS resolvers may learn the intended destination. Mitigation strategies:

  • Use V2Ray’s built-in DNS to forward queries through the proxy: configure the “dns” object with “servers” pointing to secure resolvers.
  • Set domainStrategy to “IPIfNonMatch” or “AsIs” depending on your needs — IPIfNonMatch tends to limit DNS leaks by resolving locally only when necessary.
  • Force DNS queries from proxied applications through the tunnel or use DNS-over-HTTPS/TLS resolvers reachable through the proxy outbound.

Security and Compliance Considerations

While split-tunneling improves performance, it introduces compliance concerns if sensitive traffic inadvertently bypasses inspection. Recommended safeguards:

  • Whitelist vs blacklist: Prefer explicit whitelists for direct access (deny-by-default) rather than broad blacklists that may miss critical flows.
  • Logging and audit: Maintain logs for policy compliance and periodically audit routing rules against corporate policies.
  • Use mutual authentication: Ensure V2Ray client and server use strong authentication (UUIDs, TLS) and rotate credentials periodically.
  • Network segmentation: Keep direct-access resources on separate VLANs or IP ranges and monitor traffic from those segments closely.

Performance Tuning

When implementing split-tunneling at scale, consider:

  • Offloading DNS and heavy non-sensitive traffic to edge caches or CDNs to reduce proxy load.
  • Using multiple V2Ray outbounds and failover strategies to distribute load; use routing rules with “balancer” options to implement weighted routing.
  • Enabling stream-level optimizations like multiplexing and tuning TCP window sizes if your users frequently use high-latency tunnels.

Common Pitfalls and Troubleshooting

Some frequent issues and remedies:

  • Unintended direct access: Check routing precedence — V2Ray rules are evaluated top to bottom. Place specific rules before general ones.
  • DNS leaks: Ensure client DNS uses proxy-aware resolvers or V2Ray’s DNS settings.
  • Split-tunnel bypass: Applications that use their own DNS or UDP transport may bypass system proxies; use transparent proxying or per-application binding to capture such flows.
  • IPv6 handling: If your environment has IPv6, ensure your rules and outbounds handle IPv6 addresses to avoid accidental direct routing.
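An added Python simulator of how V2Ray walks these rules (example code written for this page, not V2Ray's own implementation), fed with the routing snippet and the IP CIDR rule shown earlier. It demonstrates the precedence pitfall above, how the catch-all rule in the page's snippet makes the policy default-direct and suppresses the IPIfNonMatch lookup, a deny-by-default variant, and an IPv6 destination falling through to the first outbound. The geosite contents and DNS answers are constructed stand-ins.

```python
import ipaddress
import re

# Constructed stand-ins (not real V2Ray data): geosite lists the page's rules reference, and DNS answers.
GEOSITE = {"china": {"qq.com", "baidu.com"}, "blocked-services": {"blocked.example"}}
DNS = {"db.corp.example": "10.20.30.40", "mail.example.org": "198.51.100.9"}

def match_domain(pattern, host):
    """V2Ray domain prefixes: geosite:, full:, regexp:, domain: (suffix), bare (substring)."""
    if pattern.startswith("geosite:"):
        return any(match_domain("domain:" + d, host) for d in GEOSITE[pattern[8:]])
    if pattern.startswith("full:"):
        return host == pattern[5:]
    if pattern.startswith("regexp:"):
        return re.search(pattern[7:], host) is not None
    if pattern.startswith("domain:"):
        return host == pattern[7:] or host.endswith("." + pattern[7:])
    return pattern in host

def rule_matches(rule, host, ip, proto):
    """Every condition present in a 'field' rule must hold (V2Ray ANDs them)."""
    if "domain" in rule and not (host and any(match_domain(p, host) for p in rule["domain"])):
        return False
    if "ip" in rule and not (ip and any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in rule["ip"])):
        return False
    return "network" not in rule or proto in rule["network"].split(",")

def route(routing, outbounds, dest, proto="tcp"):
    """Top-to-bottom evaluation; returns (outboundTag, dns_lookup_performed)."""
    try:
        ip, host = str(ipaddress.ip_address(dest)), None   # destination is an IP literal
    except ValueError:
        ip, host = None, dest                              # destination is a hostname
    looked_up = False
    while True:
        for rule in routing["rules"]:
            if rule_matches(rule, host, ip, proto):
                return rule["outboundTag"], looked_up
        if looked_up or host is None or routing.get("domainStrategy") != "IPIfNonMatch":
            return outbounds[0]["tag"], looked_up          # unmatched: first outbound wins
        ip, looked_up = DNS.get(host), True   # IPIfNonMatch: resolve once, retry the IP rules

OUTBOUNDS = [{"tag": "proxy", "protocol": "vmess"}, {"tag": "direct", "protocol": "freedom"}]
PAGE_RULES = {"domainStrategy": "IPIfNonMatch", "rules": [
    {"type": "field", "domain": ["geosite:china", "domain:local.company.internal"], "outboundTag": "direct"},
    {"type": "field", "domain": ["geosite:blocked-services"], "outboundTag": "proxy"},
    {"type": "field", "network": "tcp,udp", "outboundTag": "direct"}]}  # catch-all: default-direct
# Deny-by-default variant: no catch-all, so unmatched flows fall to "proxy" (listed first)
# and the page's IP CIDR rule can fire once IPIfNonMatch has resolved the name.
SAFE_RULES = {"domainStrategy": "IPIfNonMatch", "rules": PAGE_RULES["rules"][:2] + [
    {"type": "field", "ip": ["10.0.0.0/8", "172.16.0.0/12", "203.0.113.0/24"], "outboundTag": "direct"}]}
```

Moving the catch-all rule to the top of PAGE_RULES sends even geosite:blocked-services direct, which is the general-before-specific mistake described above.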

Conclusion

Split-tunneling with V2Ray offers a flexible, high-performance approach to applying secure proxying only where it’s needed. By combining V2Ray’s rich routing language with OS-level networking (iptables, network namespaces, process binders), administrators can finely control which services traverse encrypted tunnels and which ones access the public internet directly. Careful attention to DNS, logging, and rule design will avoid leaks and maintain compliance. For enterprises and developers, this model reduces latency, saves bandwidth, and improves the user experience while preserving a security posture for sensitive traffic.

For more deployment examples, advanced routing templates, and downloadable configuration snippets tailored to gateways and clients, visit Dedicated-IP-VPN: https://dedicated-ip-vpn.com/