Add option to skip proxying local network in Outline Client

Open whonion opened this issue 7 months ago • 6 comments

Is there an existing issue that is already proposing this?

  • [x] I have searched the existing issues

Application

Outline Client

What are you trying to do? What is your use case?

I use Outline Client to securely access the internet via VPN, but I also need to access devices and services on my local network, such as printers, file servers, and internal websites. Currently, all traffic is routed through the VPN, which makes it impossible or inconvenient to reach these local resources. My use case is to be able to use Outline for secure internet access while still having direct access to my local network devices without disconnecting the VPN.

Is your feature request related to a problem? Please describe it.

Description: It would be very useful to add an option in Outline Client to exclude local addresses (e.g., 192.168.0.0/16, 10.0.0.0/8, 127.0.0.1, etc.) from being proxied. This would allow users to access local resources (printers, NAS, internal websites, etc.) directly, bypassing the VPN/proxy, which is often required in corporate and home networks.

Use case: I use Outline to access the internet via VPN, but I need traffic to local devices (e.g., printers, local servers) to go directly, not through the VPN. Currently, there is no such option, and I have to manually disconnect Outline to work with local resources.

Suggestion: Add an option in the client settings to exclude certain IP ranges (e.g., standard local network ranges) from being proxied.

Describe the solution you'd like.

I would like to have an option in the Outline Client settings that allows users to exclude local network addresses (such as 192.168.0.0/16, 10.0.0.0/8, 127.0.0.1, etc.) from being proxied through the VPN. This option should enable direct access to local network resources while all other traffic continues to be routed through the VPN. Ideally, users should be able to specify which IP ranges to exclude, or simply enable a checkbox to "Skip proxy for local network".

Describe alternatives you've considered

No response

whonion avatar May 21 '25 07:05 whonion

Hi @whonion, thank you for your detailed request.

It's already the intended behavior for Outline to bypass local addresses. Here's an example of excluded address list and another.

Could you say more about the kind of devices you're accessing on your local network that you find you need to turn off the VPN to access? What IP addresses are they located at?

ohnorobo avatar May 21 '25 19:05 ohnorobo

Hey there, @ohnorobo. I looked at the list of exceptions. And yes indeed my local network is included in these subnet masks: 192.168.0.0/24

The current local network has a DHCP server configured to give DNS servers:

  • 192.168.1.2 (Local AD/DS)
  • 192.168.1.1 (WAN-router)
  • 94.140.14.14 (Adguard)
  • 94.140.15.15 (Adguard)

But the thing is that data forwarding with the global Outline proxy enabled is processed slower than if the VPN is disabled. That is, requests to the local network via SMB protocol or when sending a job to a network printer “hangs”, as if proxying still occurs or is pre-executed. Sometimes with the Outline VPN turned on, requests to the legacy SMB protocol don't happen at all until I turn the VPN off.

OS: Windows 11 x64

Protocols: SMB, WDS, LPR/LPD

Also with VPN enabled, ping does not go through to any computer by domain name until I turn off the VPN.

Perhaps more fine-tuning is needed in my situation, but it seems that in the current configuration with global proxy enabled, the local network DNS server is simply ignored and the following is taken (Adguard).

whonion avatar May 22 '25 02:05 whonion

Ah, okay. I think there are 3 separate issues.

Local Adguard DNS

Outline has a longstanding behavior where it forces DNS requests to its own choice of DNS server in a very opinionated way. This works for most mainstream users, but you're far from the first power user it has annoyed. See https://github.com/Jigsaw-Code/outline-apps/issues/568. As you might guess from the age of that feature request though, it's not something that we will prioritize anytime soon. There are a few workarounds in that thread, but I think only for choosing your own cloud DNS, none that will work for accessing local DNS.

Local network printer protocols

For SMB / WDS / LPR/LPD they sometimes succeed, but sometimes hang and then succeed after you go through and turn off the VPN? I don't know about those specific protocols, but I wonder if we could be taking too long buffering traffic that should be passed through to the local network. Paging @jyyi1 who knows more about the Windows routing.

Ping

When you say ping to any computer do you mean any computer anywhere, or any computer on your local network?

I just ran ping ping-test.net through my Outline connection (not using Windows) for example and it works fine. Does that fail for you, or is it a more local issue? Could it be local domains failing to resolve due to AD/DS not working?

ohnorobo avatar May 26 '25 10:05 ohnorobo

It seems to be a bug; we should exclude local traffic from the VPN:

https://github.com/Jigsaw-Code/outline-apps/blob/fc0b03edf0ddf3c9b8a829d4ef709c57fe1b4e1c/client/electron/windows/OutlineService/OutlineService/OutlineService.cs#L693-L707

@whonion can you confirm whether these routing entries exist in the routing table?

jyyi1 avatar May 27 '25 19:05 jyyi1

@ohnorobo

In my case, I am trying to ping a local computer by its hostname — specifically, the DNS server that is listed first in my system's network settings (192.168.1.2). When Outline VPN is enabled, pinging this hostname does not resolve to the local IP, but instead to an external address. With VPN disabled, everything works as expected and the local DNS server responds.

@jyyi1

Here are the logs you requested:

With Outline VPN enabled:

route print
===========================================================================
Interface List
  9...XX:XX:XX:XX:XX:XX ......VirtualBox Host-Only Ethernet Adapter
  7...XX:XX:XX:XX:XX:XX ......Realtek Gaming 2.5GbE Family Controller
 12...XX:XX:XX:XX:XX:XX ......Realtek 8852CE WiFi 6E PCI-E NIC
 24...XX:XX:XX:XX:XX:XX ......Microsoft Wi-Fi Direct Virtual Adapter
 17...XX:XX:XX:XX:XX:XX ......Microsoft Wi-Fi Direct Virtual Adapter #2
 26...XX:XX:XX:XX:XX:XX ......VMware Virtual Ethernet Adapter for VMnet1
 18...XX:XX:XX:XX:XX:XX ......VMware Virtual Ethernet Adapter for VMnet8
 20...XX:XX:XX:XX:XX:XX ......TAP-Windows Adapter V9 #2
  3...XX:XX:XX:XX:XX:XX ......Bluetooth Device (Personal Area Network) #3
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Address           Netmask      Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.108     25
          0.0.0.0        128.0.0.0        10.0.85.1        10.0.85.2     35
          0.0.0.0        255.0.0.0      192.168.1.1    192.168.1.108     25
         10.0.0.0        255.0.0.0      192.168.1.1    192.168.1.108     25
        10.0.85.2  255.255.255.255         On-link         10.0.85.2    291
       100.64.0.0      255.192.0.0      192.168.1.1    192.168.1.108     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0        10.0.85.1        10.0.85.2     35
      169.254.0.0      255.255.0.0      192.168.1.1    192.168.1.108     25
       172.16.0.0      255.240.0.0      192.168.1.1    192.168.1.108     25
        192.0.0.0    255.255.255.0      192.168.1.1    192.168.1.108     25
        192.0.2.0    255.255.255.0      192.168.1.1    192.168.1.108     25
     192.31.196.0    255.255.255.0      192.168.1.1    192.168.1.108     25
     192.52.193.0    255.255.255.0      192.168.1.1    192.168.1.108     25
      192.88.99.0    255.255.255.0      192.168.1.1    192.168.1.108     25
      192.168.0.0      255.255.0.0      192.168.1.1    192.168.1.108     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.108    281
    192.168.1.108  255.255.255.255         On-link     192.168.1.108    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.108    281
     192.168.37.0    255.255.255.0         On-link      192.168.37.1    291
     192.168.37.1  255.255.255.255         On-link      192.168.37.1    291
   192.168.37.255  255.255.255.255         On-link      192.168.37.1    291
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
    192.168.152.0    255.255.255.0         On-link     192.168.152.1    291
    192.168.152.1  255.255.255.255         On-link     192.168.152.1    291
  192.168.152.255  255.255.255.255         On-link     192.168.152.1    291
     192.175.48.0    255.255.255.0      192.168.1.1    192.168.1.108     25
       198.18.0.0      255.254.0.0      192.168.1.1    192.168.1.108     25
     198.51.100.0    255.255.255.0      192.168.1.1    192.168.1.108     25
      203.0.113.0    255.255.255.0      192.168.1.1    192.168.1.108     25
         224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
         224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
         224.0.0.0        240.0.0.0         On-link     192.168.152.1    291
         224.0.0.0        240.0.0.0         On-link         10.0.85.2    291
         224.0.0.0        240.0.0.0         On-link      192.168.37.1    291
         224.0.0.0        240.0.0.0         On-link     192.168.1.108    281
         240.0.0.0        240.0.0.0      192.168.1.1    192.168.1.108     25
   255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
   255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
   255.255.255.255  255.255.255.255         On-link     192.168.152.1    291
   255.255.255.255  255.255.255.255         On-link         10.0.85.2    291
   255.255.255.255  255.255.255.255         On-link      192.168.37.1    291
   255.255.255.255  255.255.255.255         On-link     192.168.1.108    281
===========================================================================
Persistent Routes:
  Network Address            Netmask    Gateway      Metric
      192.168.1.0    255.255.255.0   [REDACTED]       1
===========================================================================

> nslookup server
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

> ping server
Pinging cdl-lb-1356093980.us-east-1.elb.amazonaws.com [3.211.254.194] with 32 bytes of data:
Reply from 3.211.254.194: bytes=32 time<1ms TTL=64
Reply from 3.211.254.194: bytes=32 time<1ms TTL=64
Reply from 3.211.254.194: bytes=32 time<1ms TTL=64
Reply from 3.211.254.194: bytes=32 time<1ms TTL=64

Ping statistics for 3.211.254.194:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

With Outline VPN disabled:

route print
===========================================================================
Interface List
  9...XX:XX:XX:XX:XX:XX ......VirtualBox Host-Only Ethernet Adapter
  7...XX:XX:XX:XX:XX:XX ......Realtek Gaming 2.5GbE Family Controller
 12...XX:XX:XX:XX:XX:XX ......Realtek 8852CE WiFi 6E PCI-E NIC
 24...XX:XX:XX:XX:XX:XX ......Microsoft Wi-Fi Direct Virtual Adapter
 17...XX:XX:XX:XX:XX:XX ......Microsoft Wi-Fi Direct Virtual Adapter #2
 26...XX:XX:XX:XX:XX:XX ......VMware Virtual Ethernet Adapter for VMnet1
 18...XX:XX:XX:XX:XX:XX ......VMware Virtual Ethernet Adapter for VMnet8
 20...XX:XX:XX:XX:XX:XX ......TAP-Windows Adapter V9 #2
  3...XX:XX:XX:XX:XX:XX ......Bluetooth Device (Personal Area Network) #3
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Address           Netmask      Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.108     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
         127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
   127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.108    281
     192.168.1.108  255.255.255.255         On-link     192.168.1.108    281
     192.168.1.255  255.255.255.255         On-link     192.168.1.108    281
      192.168.37.0    255.255.255.0         On-link      192.168.37.1    291
      192.168.37.1  255.255.255.255         On-link      192.168.37.1    291
    192.168.37.255  255.255.255.255         On-link      192.168.37.1    291
      192.168.56.0    255.255.255.0         On-link      192.168.56.1    281
      192.168.56.1  255.255.255.255         On-link      192.168.56.1    281
    192.168.56.255  255.255.255.255         On-link      192.168.56.1    281
     192.168.152.0    255.255.255.0         On-link     192.168.152.1    291
     192.168.152.1  255.255.255.255         On-link     192.168.152.1    291
   192.168.152.255  255.255.255.255         On-link     192.168.152.1    291
         224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
         224.0.0.0        240.0.0.0         On-link      192.168.56.1    281
         224.0.0.0        240.0.0.0         On-link     192.168.152.1    291
         224.0.0.0        240.0.0.0         On-link      192.168.37.1    291
         224.0.0.0        240.0.0.0         On-link     192.168.1.108    281
   255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
   255.255.255.255  255.255.255.255         On-link      192.168.56.1    281
   255.255.255.255  255.255.255.255         On-link     192.168.152.1    291
   255.255.255.255  255.255.255.255         On-link      192.168.37.1    291
   255.255.255.255  255.255.255.255         On-link     192.168.1.108    281
===========================================================================
Persistent Routes:
  Network Address            Netmask    Gateway      Metric
      192.168.1.0    255.255.255.0   [REDACTED]       1
===========================================================================

> nslookup server
Server:  192.168.1.2
Address:  192.168.1.2

Name:    server.localdomain
Address:  192.168.1.2

> ping server
Pinging server.localdomain [192.168.1.2] with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

Among all the listed interfaces, only TAP-Windows Adapter V9 (Outline) and Realtek Gaming 2.5GbE Family Controller (Ethernet) are actually used for connectivity.

Additionally, it would be preferable if TAP interfaces were not duplicated or multiplied after each Outline launch or reinstall (although I am not sure if this is an Outline issue or a Windows issue).

whonion avatar May 28 '25 05:05 whonion

@whonion Thanks for providing the logs—they've really helped clarify the situation!

It turns out that the issue is not about Outline proxying local traffic (actually it's not), but it's about the DNS.

To ensure Outline is secure and prevent your ISP from seeing your activity (which can lead to censorship or other issues), Outline uses a trusted public DNS provider instead of your local one (in your case, it's your router). This means that public DNS can't resolve local hostnames, causing access to local services to fail.

This is a known limitation and a long-standing feature request (#249). We're still exploring the best way to address it, and feel free to add your thoughts to that feature request.

jyyi1 avatar Jun 02 '25 19:06 jyyi1
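The route-table reading in the comment above can be reproduced with a longest-prefix-match lookup (ties broken by lowest metric) over rows from the "VPN enabled" `route print` output. This is an added example, not Outline code; it assumes 10.0.85.2 is the Outline TAP adapter's address, which the thread does not state explicitly.

```python
import ipaddress

# Rows copied from the "With Outline VPN enabled" Active Routes posted in the thread.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.108     25
          0.0.0.0        128.0.0.0        10.0.85.1        10.0.85.2     35
         10.0.0.0        255.0.0.0      192.168.1.1    192.168.1.108     25
        128.0.0.0        128.0.0.0        10.0.85.1        10.0.85.2     35
       172.16.0.0      255.240.0.0      192.168.1.1    192.168.1.108     25
      192.168.0.0      255.255.0.0      192.168.1.1    192.168.1.108     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.108    281
"""

# Assumption: interface address of the tunnel adapter, inferred from the two /1 routes.
TUNNEL_IF = "10.0.85.2"


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes


def select_route(routes, addr):
    """Pick the most specific matching route; lowest metric wins a tie."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def uses_tunnel(routes, addr):
    route = select_route(routes, addr)
    return route is not None and route[2] == TUNNEL_IF


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # Local DNS server, an RFC 1918 host, the address ping resolved to, and an Adguard resolver.
    for target in ("192.168.1.2", "10.1.2.3", "3.211.254.194", "94.140.14.14"):
        net, gateway, iface, _ = select_route(table, target)
        print(f"{target:15} -> {str(net):18} gw={gateway:12} if={iface} tunnel={iface == TUNNEL_IF}")
```

The two /1 routes are more specific than the /0 default, so public addresses go to the tunnel, while the /8, /12, /16 and on-link /24 entries keep private ranges on the physical adapter.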

We're closing this issue due to inactivity. We apologize if we never had a chance to respond to your original inquiry. If you're still experiencing problems or have any further questions, please feel free to reopen this issue or create a new one.

jyyi1 avatar Aug 04 '25 15:08 jyyi1