pfSense domain based split tunnel VPN

I’d like to properly configure pfSense with a split tunnel VPN to route only specific domains over the VPN and all other traffic to regular ISP. For example, just netflix.com would use the VPN.

I have it working by

OpenVPN client configured and working.

DNS resolver:

I could post all settings but for

outgoing interfaces: both WAN and VPN

Domain Overrides: VPN DNS servers for each domain specified in VPN alias

Alias: specifies the domains to route over the VPN

Floating rule: WAN kill switch Block domain(s) if VPN down (Tagged to NO_WAN_EGRESS)

LAN rules

  1. Allow LAN to DNS resolver
  2. Route domains (specified in alias) to VPN gateway (Tag: NO_WAN_EGRESS)
  3. Any Any rule. Allow LAN to access internet.

I spent many hours before I got it working as I ran into DNS issues and internet access blocked if the VPN went down. I’m reasonably certain regular ISP and the VPN traffic are using the correct DNS servers, as when I added dnsleaktest.com to the alias and added the domain with VPN DNS servers in DNS Resolver Domain Override, when the VPN is up, the leak test confirms I’m on VPN DNS servers and no leak. Another test I used was the NordVPN website, as when the domain is routed to the VPN it shows the VPN IP and DNS servers. Tracert to a domain in the VPN alias doesn’t show the path, which I think is expected? I’m open to any more tests you can suggest to confirm things are working as they should. Seems like a common use scenario, Tom, any interest in a new tutorial video? :wink:

The solution I use is instead of dealing with per-domain rules, I have per-device rules. Each device that I want to access an online service I would prefer goes out a specific VPN has all of its traffic going out that VPN.

I wouldn’t bother taking that approach, it’s much easier to set up VLANs, setting one of the gateways to your VPN. The kill switch will work without any thinking required.

Taking this approach allows many devices to show up as one connection for your VPN provider too.

Thank you both for your replies. Both solutions are device based whereas the solution needed was domain based. The same device needs to route most traffic through ISP and selected traffic through VPN. The challenging part was getting DNS and kill switch set up correctly but I think I have it.

pfSense can kind of do this but it’s not great. You would create an alias with the domains you want, but the caveat is that you cannot specify wildcards.

Then create your firewall rule to the destination of your alias and choose your gateway for your VPN.
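The rule set the original post lists (three LAN rules evaluated top to bottom, then a floating WAN rule that blocks anything tagged NO_WAN_EGRESS) and the "no wildcards in aliases" caveat from the last reply can be checked without a live firewall by replaying a LAN client's packet through the same order. The model below is an added example, not pfSense code or anything from the thread. All addresses, the DNS answers and the alias/override contents are constructed placeholders; the one behavioural assumption is that a policy-routed rule whose VPN gateway is down falls back to the default WAN gateway, which is what pfSense does unless "Skip rules when gateway is down" is enabled, and that fallback is exactly what the tagged floating rule exists to catch.

```python
"""Policy model of the domain-based split tunnel described in the thread.

Added example, not pfSense code. It replays a LAN client's packet through
the LAN rules in order and then the floating WAN kill-switch rule, so the
kill switch and the alias "no wildcard" caveat can be checked offline.
Assumption: a policy-routed rule whose gateway is down falls back to the
default (WAN) gateway, pfSense's default unless "Skip rules when gateway
is down" is enabled.
"""
from typing import Dict, List, Optional

# --- Constructed sample data (placeholder values, not from the thread) ---
FIREWALL_LAN_IP = "192.168.1.1"
VPN_DNS = ["10.8.0.1"]       # resolver reachable only inside the tunnel
ISP_DNS = ["192.0.2.53"]     # what the WAN side would otherwise use
VPN_ALIAS = ["netflix.com", "dnsleaktest.com"]      # the "VPN" host alias
DOMAIN_OVERRIDES: Dict[str, List[str]] = {d: VPN_DNS for d in VPN_ALIAS}
# What a lookup returns; www.netflix.com deliberately lands on a different
# address from netflix.com to show what an exact-hostname alias misses.
DNS_TABLE = {
    "netflix.com": "198.51.100.10",
    "www.netflix.com": "198.51.100.77",
    "dnsleaktest.com": "203.0.113.5",
    "example.org": "203.0.113.200",
}
TAG = "NO_WAN_EGRESS"


def dns_servers_for(host: str) -> List[str]:
    """Unbound applies a domain override to the domain and all its subdomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DOMAIN_OVERRIDES:
            return DOMAIN_OVERRIDES[suffix]
    return ISP_DNS


def alias_addresses() -> set:
    """A host alias holds the addresses its exact entries resolve to.

    There is no wildcard, so a subdomain is matched only if it happens
    to resolve to one of those same addresses.
    """
    return {DNS_TABLE[name] for name in VPN_ALIAS if name in DNS_TABLE}


def route(dst_host: str, vpn_up: bool, dst_port: int = 443) -> str:
    """Return where a LAN client's packet ends up: LOCAL, VPN, WAN or BLOCKED."""
    dst_ip = FIREWALL_LAN_IP if dst_host == "firewall" else DNS_TABLE[dst_host]
    tag: Optional[str] = None
    gateway = "WAN"  # default gateway

    # LAN rules, first match wins.
    if dst_ip == FIREWALL_LAN_IP and dst_port == 53:  # 1. allow LAN -> DNS resolver
        return "LOCAL"
    if dst_ip in alias_addresses():                    # 2. alias -> VPN gateway, tagged
        tag, gateway = TAG, "VPN"
    # 3. any/any: everything else passes with the default gateway.

    # Gateway selection; a down VPN gateway falls back to WAN (assumption above).
    egress = gateway if (gateway != "VPN" or vpn_up) else "WAN"

    # Floating rule on WAN out: block anything still carrying the tag.
    if egress == "WAN" and tag == TAG:
        return "BLOCKED"
    return egress


if __name__ == "__main__":
    for host, up in [("netflix.com", True), ("netflix.com", False),
                     ("example.org", False), ("www.netflix.com", True)]:
        print(f"{host:18} vpn_up={up!s:5} -> {route(host, up):8} "
              f"dns={dns_servers_for(host)}")
```

Running it shows the two properties worth confirming on a real box: with the VPN down, a packet to an alias destination is BLOCKED rather than leaking out the WAN, while unrelated traffic still reaches the WAN; and www.netflix.com gets the VPN DNS servers through the domain override (Unbound overrides cover subdomains) but is routed over the WAN because the alias only resolves the exact hostname, which is the gap the last reply's "no wildcards" remark points at.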