What is the problem with having a bypass list for the PIA app? I'm tired of shutting off the app every time I want to access my Amazon Prime Video account. It seems there are a lot of PIA customers in the same boat. I plan to jump ship at the end of my current contract if this is not fixed.
What is the problem with having a bypass list for the PIA app?
It's a hard problem to solve because PIA doesn't proxy your traffic, it just passes it along. It's not possible to whitelist individual websites on a system-wide level simply because PIA works with IP addresses, and websites are domain names (which are resolved via DNS). One could think it's as simple as learning the IPs from the DNS requests, but there are a lot of websites that are behind what is called a Content Delivery Network, or CDN for short. These websites share IPs with other websites, so even if we whitelist a single outgoing IP to bypass the VPN, you just gave away your real IP and ISP to the CDN and every website behind it, including ones you possibly don't want learning your real IP, like some random person's blog or forum.
This gets even worse because domains are freely movable pointers to IP addresses by their owner. A domain can point to any IP (or even many IPs) it wants at any time, which could be used to trick you into whitelisting one website and then effectively be able to cause you to whitelist any other IP of their choosing.
This is why we recommend using the extension for this, as it works directly from inside the browser, and therefore can inspect individual requests before they are encrypted and decide to route them outside the VPN. At best the PIA app on a computer can whitelist whole apps (with some network driver voodoo), or whole IPs (via routing table). Unfortunately, not individual websites.
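The IP-versus-domain mismatch described in the reply above, as an added stand-alone simulation. This is not PIA's code and not the poster's; the domain names, the addresses (RFC 5737 documentation ranges) and the DNS table are constructed for the example. It models a system-wide client that can only act on IPs learned from DNS, shows the two leaks the reply describes (collateral bypass of other sites on the same CDN, and the domain owner repointing a whitelisted name), and contrasts it with a browser-side decision made on the hostname.

```python
"""Why a domain-level bypass list can't be enforced at IP level.

Constructed simulation added to this thread; it is not PIA code. The DNS data,
domain names and addresses are made up (RFC 5737 documentation ranges).
"""
from ipaddress import ip_address

# Constructed "DNS": what each name resolves to right now.
# Two unrelated sites share the CDN edge addresses with the video service.
DNS = {
    "video.example":     {"203.0.113.10", "203.0.113.11"},  # site the user wants outside the VPN
    "some-blog.example": {"203.0.113.10"},                  # strangers' sites on the same CDN
    "forum.example":     {"203.0.113.11"},
    "bank.example":      {"198.51.100.5"},                  # not on the CDN
}


class IpSplitTunnel:
    """System-wide client: learns IPs from DNS, but can only route on IPs."""

    def __init__(self):
        self.bypass_domains = set()
        self.bypass_ips = set()

    def whitelist(self, domain, dns):
        self.bypass_domains.add(domain)
        self.bypass_ips |= set(dns[domain])   # all the routing table can act on

    def route(self, dst_ip):
        return "direct" if dst_ip in self.bypass_ips else "vpn"


def paths_for(tunnel, domain, dns):
    """Path taken by a connection to each of the domain's current addresses."""
    return {ip: tunnel.route(ip) for ip in sorted(dns[domain], key=ip_address)}


def leaked_domains(tunnel, dns):
    """Domains the user never whitelisted whose traffic leaves the VPN anyway."""
    return sorted(d for d, ips in dns.items()
                  if d not in tunnel.bypass_domains and ips & tunnel.bypass_ips)


def repoint_and_refresh(tunnel, dns, domain, new_ips):
    """The domain owner changes its records and the client re-learns them from
    DNS. Returns the addresses that now bypass the VPN although the user never
    chose them. Note the stale CDN addresses stay whitelisted as well."""
    before = set(tunnel.bypass_ips)
    dns[domain] = set(new_ips)
    tunnel.whitelist(domain, dns)
    return sorted(tunnel.bypass_ips - before, key=ip_address)


def extension_route(host, bypass_domains):
    """Browser extension: sees the hostname before the request is encrypted,
    so it decides per request and never has to reason about shared IPs."""
    return "direct" if host in bypass_domains else "vpn"


if __name__ == "__main__":
    dns = {d: set(ips) for d, ips in DNS.items()}
    t = IpSplitTunnel()
    t.whitelist("video.example", dns)
    print("video.example:", paths_for(t, "video.example", dns))
    print("collateral bypass:", leaked_domains(t, dns))        # blog and forum see the real IP
    # Owner of the whitelisted domain repoints it at the bank's address
    print("new bypassed IPs:", repoint_and_refresh(t, dns, "video.example", {"198.51.100.5"}))
    print("bank.example:", paths_for(t, "bank.example", dns))  # now "direct"
    print("extension, same CDN IP, different hosts:",
          extension_route("video.example", {"video.example"}),
          extension_route("some-blog.example", {"video.example"}))
```

Run it as a script to see the progression: whitelisting one name silently sends some-blog.example and forum.example outside the tunnel, and a single record change by the whitelisted domain's owner is enough to add the bank's address to the bypass set.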
Ok. I get that. But couldn't there be some kind of "exclude this window" option where you could just open a new window that's not behind the VPN? Kind of like an incognito session but in reverse, I guess.
It's technically doable, but doing so would be extremely painful. The only way I can think of that would make this work would be to have the app scan all windows being opened on the system, getting the process ID that owns it and then separately have a firewall hook to rewrite the packet in a way that it would bypass the VPN. That would easily require 10x more code than the whole app as it is right now, and I'm being conservative with the estimation.
That would also involve heavily messing with Windows' network stack in ways that it was never intended for which means it would likely also be quite buggy and could break at any time if Microsoft pushes an update that changes things.
I've done something somewhat similar on Linux with network namespaces, and even on Linux it gets weird really fast (and I can't even do it dynamically because namespaces are inherited, so I can't reassign an existing process to another namespace). After messing with it for a while, I've settled on just using a virtual machine as my "Incognito" session. It's much faster to set up, and it's easy to set up because you only need to install the PIA app into the VM and you're good to go. And it's reliable, and I can further protect the VM against leaks with firewall rules on the host.
It would definitely be a killer feature to have and I think we're looking at making it in the future but we're not quite there at the moment.