-rw-r--r--talpid-core/src/split_tunnel/macos/tun.rs18
1 files changed, 17 insertions, 1 deletions
diff --git a/talpid-core/src/split_tunnel/macos/tun.rs b/talpid-core/src/split_tunnel/macos/tun.rs
index 0e260a1517..2482fadcb7 100644
--- a/talpid-core/src/split_tunnel/macos/tun.rs
+++ b/talpid-core/src/split_tunnel/macos/tun.rs
@@ -19,10 +19,11 @@ use pnet_packet::{
udp::MutableUdpPacket,
MutablePacket, Packet,
};
+use talpid_types::net::{ALLOWED_LAN_NETS, ALLOWED_LAN_MULTICAST_NETS};
use std::{
ffi::{c_uint, CStr},
io::{self, IoSlice, Write},
- net::{Ipv4Addr, Ipv6Addr},
+ net::{Ipv4Addr, Ipv6Addr, IpAddr},
};
use talpid_routing::RouteManagerHandle;
use tokio::{
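Review bot: The new `use talpid_types::net::{...}` line is inserted between the `pnet_packet` and `std` imports, and the nested list on the `+` line reads `Ipv4Addr, Ipv6Addr, IpAddr`; both are out of the order rustfmt produces for a contiguous import group, so if this crate is checked with `cargo fmt` in CI the hunk will fail formatting. I would move the `talpid_types` import to sit between `use talpid_routing::RouteManagerHandle;` and `use tokio::{`, and write the nested list as `net::{IpAddr, Ipv4Addr, Ipv6Addr},`. Purely a style point; the names themselves are the ones the later hunks use.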
@@ -676,6 +677,9 @@ async fn handle_incoming_data_v4(
log::trace!("Dropping packet to VPN IP on default interface");
return;
}
+ if is_non_vpn_destination(IpAddr::from(ip.get_destination())) {
+ return;
+ }
fix_ipv4_checksums(&mut ip, None, Some(vpn_addr));
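Review bot: The new early return for `is_non_vpn_destination(...)` drops the packet silently, whereas the drop directly above it emits `log::trace!("Dropping packet to VPN IP on default interface")`; when debugging why an excluded process's LAN traffic never shows up on the VPN utun, a packet that vanishes here with no trace is indistinguishable from a packet that was never received. I would add `log::trace!("Dropping packet to non-VPN destination on default interface");` before the `return`, and the same line in the identical check added to `handle_incoming_data_v6` in the following hunk. It would also help a reader to state at one of these call sites whether this drop applies regardless of the LAN-sharing setting, since the helper tests the full `ALLOWED_LAN_NETS`/`ALLOWED_LAN_MULTICAST_NETS` sets unconditionally as far as this hunk shows. `handle_incoming_data_v4` begins and ends outside this hunk.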
@@ -698,6 +702,9 @@ async fn handle_incoming_data_v6(
log::trace!("Dropping packet to VPN IP on default interface");
return;
}
+ if is_non_vpn_destination(IpAddr::from(ip.get_destination())) {
+ return;
+ }
fix_ipv6_checksums(&mut ip, None, Some(vpn_addr));
@@ -710,6 +717,15 @@ async fn handle_incoming_data_v6(
}
}
+/// Packets routed outside of the split tunneling interface should not be duplicated on the VPN
+/// utun. As a shortcut we do not duplicate any private IPs.
+fn is_non_vpn_destination(ip: IpAddr) -> bool {
+ ALLOWED_LAN_NETS
+ .iter()
+ .chain(ALLOWED_LAN_MULTICAST_NETS.iter())
+ .any(|net| net.contains(ip))
+}
+
// Recalculate L3 and L4 checksums. Silently fail on error
fn fix_ipv4_checksums(
ip: &mut MutableIpv4Packet<'_>,