IP Masquerading and VPN policies on 4.8.2 (GL MT-6000)

I have a quick question.

Let’s imagine I am running a VPN tunnel and a VPN policy on my Apple TV from the router. I have a set of IP addresses that I am excluding from this VPN tunnel.

However, I have left the IP masquerading option ON in the tunnel options. Will my IP address be the source IP address when visiting the IP addresses of the excluded websites, or will my IP address be the VPN tunnel address?

I assume that the Apple TV’s source address will be used when visiting the excluded IP addresses/domains, but I just want to make sure.

I think for VPN policies masquerading remains unaffected in this case.

What happens is this:

The client makes a request to the router; the software sees this and marks it with a mark. When the mark is included, it will be pre-routed over WAN; the prerouting chain is before the actual routing chain.

For domains it is a little different.

The client sends a DNS request on port 53 to the router; the DNS server resolves the domain and all subdomains and puts the IP in an ipset. If remote IP x is in the ipset, the traffic will be compared; if the destination IP of the traffic matches against the ipset, the src IP gets a mark to bypass the VPN.

Basically it is ignoring all default routing, but the src remains the src IP of the local VPN client, which is just a virtual IP; it will not go into the tunnel since it is pre-routed.
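As an added illustration (not code from the thread or from GL.iNet firmware), here is a small Python model of the path the answer describes: a DNS reply fills an ipset, PREROUTING marks packets whose destination is in the set, the mark selects the WAN route instead of the tunnel, and masquerading rewrites the source on whichever interface the packet actually leaves. The LAN, WAN and tunnel addresses, the interface names and the mark value are assumed.

```python
# Constructed model of mark-based VPN bypass on a Linux router.
# All addresses, interface names and the mark value are assumptions.
LAN_CLIENT = "192.168.8.50"   # assumed LAN client (the Apple TV)
WAN_IP = "203.0.113.10"       # assumed router WAN address
VPN_IP = "10.8.0.2"           # assumed router tunnel (virtual) address
BYPASS_MARK = 0x8000          # assumed fwmark meaning "route over WAN"


def dns_reply_to_ipset(ipset, name, answers, bypass_domains):
    """dnsmasq-style: if the resolved name (or a parent domain) is on the
    bypass list, add the A records from the reply to the ipset."""
    if any(name == d or name.endswith("." + d) for d in bypass_domains):
        ipset.update(answers)


def prerouting_mark(pkt, ipset):
    """mangle PREROUTING: runs before the routing decision and marks
    packets whose destination is in the bypass ipset."""
    if pkt["dst"] in ipset:
        pkt["mark"] = BYPASS_MARK
    return pkt


def route(pkt):
    """Policy routing: a marked packet hits the WAN table; everything
    else follows the default route into the tunnel."""
    return "eth0" if pkt.get("mark") == BYPASS_MARK else "tun0"


def postrouting_masquerade(pkt, egress, masquerade_tun=True):
    """nat POSTROUTING: MASQUERADE rewrites the source to the address of
    the egress interface. The tunnel-side rule is the 'IP masquerading'
    option from the question; WAN-side NAT is always on."""
    if egress == "eth0":
        pkt["src"] = WAN_IP
    elif masquerade_tun:
        pkt["src"] = VPN_IP
    return pkt


def forward(dst, ipset, masquerade_tun=True):
    """Push one LAN packet through the chain; return (egress, source seen
    by the remote host)."""
    pkt = {"src": LAN_CLIENT, "dst": dst}
    pkt = prerouting_mark(pkt, ipset)
    egress = route(pkt)
    pkt = postrouting_masquerade(pkt, egress, masquerade_tun)
    return egress, pkt["src"]
```

Static IP exclusions are simply preloaded into the same set, so they take the WAN path regardless of whether DNS was involved.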