{"id":16139387,"url":"https://github.com/networkop/envoy-split-proxy","last_synced_at":"2025-06-19T05:07:40.337Z","repository":{"id":50244032,"uuid":"327972553","full_name":"networkop/envoy-split-proxy","owner":"networkop","description":"L7 split-routing with Envoy","archived":false,"fork":false,"pushed_at":"2021-05-31T16:39:12.000Z","size":315,"stargazers_count":21,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-02T17:22:11.907Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/networkop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-08T17:43:02.000Z","updated_at":"2024-09-03T08:09:56.000Z","dependencies_parsed_at":"2022-09-11T18:01:21.852Z","dependency_job_id":null,"html_url":"https://github.com/networkop/envoy-split-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/networkop/envoy-split-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networkop%2Fenvoy-split-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networkop%2Fenvoy-split-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networkop%2Fenvoy-split-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networkop%2Fenvoy-split-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/networkop","download_url":"https://codeload.github.com/networkop/envoy-split-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networkop%2Fenvoy-split-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260690833,"owners_count":23047100,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-09T23:48:52.310Z","updated_at":"2025-06-19T05:07:35.313Z","avatar_url":"https://github.com/networkop.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# envoy-split-proxy\n\nConfigure Envoy to act as a TCP proxy and SNI-based router to allow VPN bypass for VPN-sensitive applications like Netflix, BBC iPlayer, Amazon Prime, etc. The assumption is that the host OS has multiple default routes and you want to steer _some_ traffic to a non-preferred default interface (the one with the higher metric). 
The current application will parse a [YAML file](./split.yaml) containing that non-default interface and a list of URLs and will configure Envoy to do SNI-based routing of these domains to that interface:\n\n![](./arch.png)\n\nThe `envoy-split-proxy` process continues to run as an agent, monitoring all changes to the supplied configuration file and synchronizing the state with the Envoy proxy.\n\n## Quickstart\n\nOn your client device, redirect all traffic to the box that will be running Envoy:\n\n```\nip route add default via \u003cIP_OF_ARM_BOX\u003e metric 10\n```\n\nOn the ARM box, set up an iptables redirect to send all HTTP and HTTPS traffic to Envoy:\n\n```\nsudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 10000\nsudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10001\n```\n\nCopy `envoy.yaml` and `split.yaml` into your `pwd` and run:\n\n```\ndocker run --name envoy -d --net=host -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml envoyproxy/envoy:v1.16.2 --config-path /etc/envoy/envoy.yaml\n\ndocker run --name app -d --net=host -v $(pwd)/split.yaml:/split.yaml networkop/envoy-split-proxy -conf /split.yaml\n```\n\nAll traffic is now (L7-)transparently proxied by Envoy and all domains specified in `split.yaml` are redirected to the specified interface.\n\n## Discovering domain names\n\nIn order to successfully re-route a certain application's traffic, we need to know all the domain names it uses (or at least the ones it uses for location discovery). These will most likely _not_ be standard domains like `netflix.com` or `bbc.co.uk`. One approach is to load the app in your browser and watch the network traffic in the developer console. Another approach I found is using the [netify.ai](netify.ai/resources/applications) website. 
For example, if I wanted to find all domains for Amazon Video (Prime), I would do:\n\n```\n$ curl -sL netify.ai/resources/applications/amazon-video | grep \"\u003eDomains\u003c\" -A12\n    \u003ch3 class=\"feature-title\"\u003eDomains\u003c/h3\u003e\n    \u003cul class=\"default-ul indent-2\"\u003e\n                    \u003cli\u003eaiv-cdn.net\u003c/li\u003e\n                    \u003cli\u003eaiv-cdn.net.c.footprint.net\u003c/li\u003e\n                    \u003cli\u003eaiv-delivery.net\u003c/li\u003e\n                    \u003cli\u003eamazonvideo.com\u003c/li\u003e\n                    \u003cli\u003eatv-ext.amazon.com\u003c/li\u003e\n                    \u003cli\u003eatv-ps.amazon.com\u003c/li\u003e\n                    \u003cli\u003ed25xi40x97liuc.cloudfront.net\u003c/li\u003e\n                    \u003cli\u003edmqdd6hw24ucf.cloudfront.net\u003c/li\u003e\n                    \u003cli\u003emedia-amazon.com\u003c/li\u003e\n                    \u003cli\u003eprimevideo.com\u003c/li\u003e\n            \u003c/ul\u003e\n```\n\nI would then add these domains to the list of URLs one by one or, if I'm lazy, just add all of them. It's very unlikely that such an indiscriminate approach is going to break anything.\n\nThe most reliable approach involves taking a packet capture of the client application's traffic. We only need to capture TCP SYNs to see where the traffic is going, and we can additionally narrow down the search by specifying the source address (e.g. 
192.168.0.57):\n\n```\nsudo tcpdump -i any \"host 192.168.0.57 \u0026\u0026 tcp[tcpflags] \u0026 tcp-syn != 0\"\n\n15:28:55.101209 IP 192.168.0.57.38342 \u003e ec2-52-19-112-13.eu-west-1.compute.amazonaws.com.https: Flags [S], seq 1055004181, win 14600, options [mss 1460,sackOK,TS val 4294904284 ecr 0,nop,wscale 6], length 0\n```\n\nWith that information we can use openssl, [step](https://github.com/smallstep/cli) or any web browser to extract domain names from the TLS certificate:\n\n```\nstep certificate inspect https://ec2-52-19-112-13.eu-west-1.compute.amazonaws.com -insecure --format json | jq '.names'\n[\n  \"*.fe.api.amazonvideo.com\",\n  \"*.ec.api.amazonvideo.com\",\n  \"atv-ext-eu.amazon.com\",\n  \"api.amazonvideo.com\",\n  \"*.api.amazonvideo.com\",\n  \"*.eu.ec.api.amazonvideo.com\",\n  \"atv-eu.amazon.com\",\n  \"*.na.api.amazonvideo.com\",\n  \"*.eu.api.amazonvideo.com\"\n]\n```\n\nThe above can be summarised in the following two configuration lines:\n\n```\n## Amazon Prime\n- \"*.amazonvideo.com\"\n- \"atv-ext-eu.amazon.com\"\n```\n\n## Troubleshooting\n\nTo check the current list of bypassed domain names from a host running Envoy, run:\n\n```\ncurl localhost:19000/config_dump | jq '.configs[2]'\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetworkop%2Fenvoy-split-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetworkop%2Fenvoy-split-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetworkop%2Fenvoy-split-proxy/lists"}