On-Demand Rules and Split DNS: Automatic VPN Without the Overhead

Jacky Liang

The simplest VPN setup is a toggle: on or off. But in practice, that means users either forget to connect when they should, or they route all traffic through the tunnel when they don't need to — wasting bandwidth and adding latency for services that don't require VPN access.

Vylos 1.2.0 adds on-demand activation rules and split DNS to solve both problems.

On-Demand Activation

On-demand rules tell Vylos when to automatically connect or disconnect a tunnel based on network conditions. No manual toggling required.

Each tunnel can be configured with rules for two network types:

  • Cellular (iOS) or Ethernet (macOS) — Automatically connect when on cellular data or a wired connection
  • Wi-Fi — Four modes:
    • Off — No automatic activation on Wi-Fi
    • Any SSID — Connect on any Wi-Fi network
    • Only these SSIDs — Connect only on specific networks (whitelist)
    • Except these SSIDs — Connect on all Wi-Fi except specific networks (blacklist)

The SSID-based modes are particularly useful for organizations. "Only these SSIDs" ensures the VPN activates on the office Wi-Fi but not on employees' home networks. "Except these SSIDs" does the opposite — the VPN stays on everywhere except the trusted corporate network where traffic is already routed internally.

Clash Detection

When multiple tunnels have on-demand rules enabled, they can conflict. Two tunnels both set to activate on cellular data, or two tunnels that both claim the same SSID — the result is unpredictable.

Vylos detects four types of overlap:

  • Cellular or Ethernet overlap
  • Wi-Fi "Any SSID" overlap
  • Specific SSID overlap (two tunnels claiming the same network name)
  • Broad Wi-Fi overlap (one tunnel on "Any" conflicting with another on specific SSIDs)

When a clash is detected, Vylos displays a warning so administrators or users can resolve the conflict before it causes unexpected behavior. The warning is informational — it does not prevent the configuration from being saved.

Split DNS

Standard VPN configurations route all DNS queries through the tunnel. This works, but it means every DNS lookup — even for public services — goes through the VPN server. For organizations with internal hostnames that only resolve on corporate DNS, this forces all traffic through the tunnel just to reach a few internal services.

Split DNS changes that. Each tunnel can be configured with two sets of domains:

Match Domains — DNS queries for these specific domains are routed through the tunnel. Everything else uses the device's default DNS. For example, setting corp.example.com as a match domain means only queries for that domain (and its subdomains) go through the VPN.

Search Domains — Appended to bare hostname queries. If a user types intranet in a browser, the device appends the search domain to try intranet.example.com, which then resolves through the tunnel's DNS.

The result is that internal resources are reachable through the VPN while external traffic flows normally. This reduces load on the VPN server and improves performance for everything that doesn't need tunnel access.

The Vylos File Format

Standard WireGuard .conf files don't support on-demand rules or split DNS — those features simply don't exist in the WireGuard configuration spec. Rather than mixing custom fields into the .conf format, which would break compatibility with other WireGuard clients, we created the .vylos format.

A .vylos file is a ZIP archive that bundles the standard WireGuard .conf file alongside a separate settings file for on-demand rules and split DNS configuration. The WireGuard config stays untouched — no custom fields, no proprietary extensions. The additional settings live in their own file within the archive.

This keeps things uniform and clean. A .conf exported from Vylos works in any WireGuard client. A .vylos file carries the full configuration including on-demand and split DNS, but only Vylos knows how to read it.

Export supports three format options: .conf only, .vylos only, or both.

Getting Started

On-demand rules and split DNS are available in Vylos 1.2.0 for iOS, macOS, and visionOS. Configure them per-tunnel through the tunnel edit form, or push them via MDM through managed tunnel configurations.

See the user guide for configuration details and the admin guide for MDM deployment options.