Why Split-Tunnel China Sites on Windows 11?
Running the Kuailian privacy tool in full-tunnel mode from inside mainland China inflates the RTT to domestic services: think WeChat file uploads crawling at 180 ms instead of 20 ms. Flipping the question to "how do I configure Kuailian to bypass China sites while routing global traffic through the tunnel on Windows 11?" keeps the foreign path encrypted while domestic packets exit directly, shaving latency and crossing the Great Firewall only where necessary.
The feature that makes this possible is Kuailian’s Domain-Level Split-Tunnel, introduced in the 6.x branch. It sits between the older app-level split and the raw IP-route editor, giving you wildcard domain rules without hand-coding 10 000 Chinese CDN prefixes. Below you’ll see the shortest GUI path, the syntax quirks, and the edge cases that usually break newcomers.
Prerequisites & Version Check
Open Kuailian → Settings → About. You need v6.4.1 (build 20260328) or later; earlier releases lack the quantum-resistant handshake and the domain-rule parser that supports *.cn wildcards. If the Microsoft Store build is still pending, grab the stand-alone installer from the dashboard; both builds share the same profile format.
Windows 11 itself must be 22H2 or newer because the WFP driver that Kuailian hooks into was refactored in that release. On unsupported previews you will still see the menu, but rules silently fail to attach to the network layer.
GUI Walk-Through: Creating the Bypass Rule
- Launch Kuailian and log in with an active subscription.
- Click the cog icon (⚙) in the upper-right → Split-Tunnel.
- Toggle the master switch Enable Split-Tunnel to ON.
- Select Domain Rule (not App Rule) and press Add Pattern.
- In the text field enter `*.cn` and choose Bypass privacy tool from the drop-down.
- Repeat for `*.alicdn.com`, `*.aliyun.com`, `*.qq.com`, `*.baidu.com`, or whatever your daily stack needs.
- Drag the rules so that Bypass entries sit above the catch-all Route through privacy tool line; Kuailian evaluates top-down like a firewall.
- Click Save & Apply. The adapter briefly cycles; wait for the green shield to re-appear.
Empirical observation: the first rule match wins, so ordering matters more than the total number of lines. A list of 15 wildcards adds < 0.2 ms lookup overhead on an i5-1240P, negligible next to the 30 ms you save on domestic hops.
Syntax Reference & Common Pitfalls
Kuailian uses its own micro-engine, not the operating-system PAC grammar. Valid tokens are:
- Exact host: `example.com`
- Wildcard left: `*.example.com` (matches sub.example.com but not example.com)
- Wildcard right: `example.*` (matches example.co.uk, example.io)
- Port suffix: `example.com:8443` (only that port is bypassed)
Do not prepend http:// or append paths; the parser strips them without warning, so you may think a rule is active when it is not. Equally, IPv4 literals (123.56.78.90) must be added under the separate IP Rule tab; domain rules ignore them.
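To check a rule list before pasting it into the GUI, here is an added reference model of the grammar above and of the top-down, first-match evaluation from the walk-through. It is not Kuailian code: the engine's internals are not public, so it reproduces only the documented behaviour (four token forms, first match wins, catch-all default) and, instead of stripping schemes, paths and IPv4 literals silently, reports them. `Rule`, `lint`, `build` and `decide` are names chosen here, and the rule list in the demo is constructed to mirror the walk-through.

```python
"""Reference model of the Domain-Level Split-Tunnel rule grammar and the
top-down, first-match evaluation order described above.

Added example, not Kuailian code: it models only the behaviour the text
documents and turns the two silent pitfalls (scheme/path stripping, IPv4
literals in the domain tab) into lint errors so a list can be checked first.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BYPASS = "bypass"   # the "Bypass privacy tool" action
TUNNEL = "tunnel"   # the "Route through privacy tool" catch-all


@dataclass(frozen=True)
class Rule:
    pattern: str                # example.com, *.example.com or example.*
    action: str                 # BYPASS or TUNNEL
    port: Optional[int] = None  # example.com:8443 -> only that port


def lint(raw: str) -> List[str]:
    """Return the problems the GUI parser would strip without warning."""
    problems: List[str] = []
    rest = raw.strip().lower()
    if "://" in rest:
        problems.append("scheme present (http:// is stripped silently)")
        rest = rest.split("://", 1)[1]
    if "/" in rest:
        problems.append("path present (stripped silently)")
        rest = rest.split("/", 1)[0]
    host, _, port = rest.partition(":")
    if port and not port.isdigit():
        problems.append("port suffix must be numeric")
    if not host:
        problems.append("empty host")
    try:
        ipaddress.IPv4Address(host)
        problems.append("IPv4 literal: use the IP Rule tab, domain rules ignore it")
    except ValueError:
        pass
    return problems


def parse(raw: str, action: str) -> Rule:
    """Strict parser: refuses anything lint() flags instead of stripping it."""
    problems = lint(raw)
    if problems:
        raise ValueError(f"{raw!r}: " + "; ".join(problems))
    host, _, port = raw.strip().lower().partition(":")
    return Rule(host, action, int(port) if port else None)


def build(entries: List[Tuple[str, str]]) -> List[Rule]:
    """Entries in GUI order (top first): [(pattern, action), ...]."""
    return [parse(raw, action) for raw, action in entries]


def matches(rule: Rule, host: str, port: int) -> bool:
    host = host.lower().rstrip(".")
    if rule.port is not None and rule.port != port:
        return False
    p = rule.pattern
    if p.startswith("*."):      # wildcard left: sub.example.com, never example.com itself
        return host.endswith(p[1:])
    if p.endswith(".*"):        # wildcard right: example.co.uk, example.io
        return host.startswith(p[:-1])
    return host == p            # exact host


def decide(rules: List[Rule], host: str, port: int = 443, default: str = TUNNEL) -> str:
    """Top-down, first match wins; an unmatched host falls to the catch-all line."""
    for rule in rules:
        if matches(rule, host, port):
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed rule list in the order the GUI would show it.
    rules = build([("*.cn", BYPASS), ("*.qq.com", BYPASS), ("example.com:8443", BYPASS)])
    for host, port in [("www.baidu.cn", 443), ("qq.com", 443), ("weixin.qq.com", 443),
                       ("example.com", 8443), ("example.com", 443), ("www.youtube.com", 443)]:
        print(f"{host}:{port:<5} -> {decide(rules, host, port)}")
    # Same two rules, swapped: the first match wins, so the verdict flips.
    for order in ([("cdn.example.cn", TUNNEL), ("*.cn", BYPASS)],
                  [("*.cn", BYPASS), ("cdn.example.cn", TUNNEL)]):
        print(order[0][0], "first ->", decide(build(order), "cdn.example.cn"))
    for bad in ("http://www.baidu.com/", "123.56.78.90"):
        print(f"{bad!r}: {lint(bad)}")
```

Note that `qq.com` itself falls to the catch-all under a `*.qq.com` rule, exactly as the wildcard-left token is documented; if you need the bare host too, add it as a second, exact rule.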
Verifying Traffic Splitting with Built-In Tools
Kuailian ships a real-time hop monitor: Settings → Diagnostics → Route Tracer. Launch it, type www.baidu.com and hit Trace. If the first hop is your ISP gateway (e.g., 192.168.1.1) rather than the Kuailian virtual interface (10.88.0.2), the bypass is working. Now trace www.youtube.com; hop 1 should be 10.88.0.2, confirming that international traffic enters the tunnel. A hop list shows where packets are routed, not that they are encrypted; the packet capture below is the check for that.
For packet heads, open an elevated PowerShell prompt (pktmon needs administrator rights), add a filter for the remote IP you want to watch with `pktmon filter add -i <remote IP>`, and start a real-time capture:

```powershell
pktmon start --capture --pkt-size 128 -m real-time
```

Domestic destinations should appear as ordinary TCP to the real server; foreign destinations should appear only as UDP 443 to the Kuailian node, carrying the Kuailink header magic 0xC0DE. A foreign IP showing up as direct TCP means the rule list has a hole. Stop the capture with `pktmon stop` and clear the filter list with `pktmon filter remove` when done.
Edge Case: Hybrid Office privacy tools and Kill-Switch
If your company also runs Cisco AnyConnect, the two WFP providers can fight. Kuailian’s kill-switch is implemented as a high-weight filter; it blocks even the bypass list when the tunnel drops. To keep China sites reachable during re-keying, tick Allow bypass routes when tunnel is down under Advanced → Kill-Switch. Empirical observation: this exposes your domestic IP for ~5 s every 60 min during PFS re-key, acceptable for most home users but not for activists.
Performance Benchmark: Before vs. After
Test set-up: Lenovo X13, Windows 11 23H2, 1 Gbps fibre in Shanghai, Kuailian Singapore node. Tool: CloudPing.info batch script (30 runs).
| Target | Full-Tunnel RTT | Split-Tunnel RTT | Delta |
|---|---|---|---|
| www.baidu.com | 165 ms | 18 ms | -147 ms |
| mail.tencent.com | 172 ms | 22 ms | -150 ms |
| www.youtube.com | 48 ms | 47 ms | -1 ms |
Domestic services regain carrier-grade latency, while international traffic stays essentially unchanged because it was already tunnelled to the nearest edge node.
Automating Rule Updates with PowerShell
Maintaining a hand-typed list is tedious. A community-maintained JSON file of popular China domains floats on GitHub (search "kuailian-cn-domains"). You can schedule a nightly task:
```powershell
$rulesFile = "$env:LOCALAPPDATA\Kuailian\profiles\user.json"
Copy-Item $rulesFile "$rulesFile.bak" -Force   # back up before the CLI rewrites the profile
(Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/.../cn.json' -UseBasicParsing).Content |   # raw text, then parse once
    ConvertFrom-Json |
    ForEach-Object { kuailian-cli add-domain $_.name bypass }
```
The CLI ships with the stand-alone installer only; Store builds lack it. Run the scheduled task as your login user (not SYSTEM) so the rules land in %LOCALAPPDATA%\Kuailian\profiles\user.json. Always keep a backup; malformed JSON will reset the profile to factory. Treat the feed as a supply-chain input as well: whoever can change that file can move hosts out of the tunnel onto your bare ISP connection, so pin the URL to a specific commit rather than a branch and review the diff before applying it.
When Not to Use Domain Bypass
- Your ISP hijacks DNS (an empirical observation on some campus networks): a hijacking resolver can hand back bogus answers for YouTube or Gmail, causing random connection errors even though the rule list is correct. Fix: switch to encrypted DNS (Settings → Network → DNS-over-HTTPS) or fall back to full tunnel.
- You need a single public IP for compliance (e.g., whitelisting your GitLab runner). Bypass rules will show the ISP address to China sites and the Kuailian address to everything else, breaking audit trails.
- You tether over mobile where IPv6 is dominant. Kuailian domain rules only inspect the SNI; if the app uses ESNI/ECH or its own DoH, the rule never triggers, the traffic falls to the catch-all line and goes through the tunnel, inflating data usage.
Cross-Platform Differences
Android 15 and macOS builds expose the same menu, but Android also offers Work-Profile isolation: you can decide that only corporate apps use the tunnel while personal apps follow the bypass list. iOS lacks domain rules; use the IP Rule editor instead and accept the maintenance burden. Linux CLI accepts domain wildcards but requires sudo to reload nftables, so automate carefully.
Troubleshooting Quick Map
- Symptom: Baidu still shows foreign IP
  - Cause: browser DNS cache. Resolution: run `ipconfig /flushdns` and restart the browser.
- Symptom: Rules vanish after reboot
  - Cause: roaming profile not writable. Resolution: reinstall with the stand-alone installer; Store builds sync via OneDrive, which strips extension data.
- Symptom: High CPU after adding 200+ wildcards
  - Cause: regex back-tracking. Resolution: collapse sub-domains into second-level wildcards (e.g., `*.alicdn.com` covers most CDN nodes).
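The collapse step above and the nightly feed from Automating Rule Updates are the same problem: shrink a raw host list to the fewest wildcards before kuailian-cli sees it. The following added example does that; it is not Kuailian code and not part of the community feed. It assumes the feed is a JSON array of `{"name": "<host>"}` objects, as the PowerShell snippet reads it; the two-label suffix set (com.cn, co.uk, ...) is a constructed subset, not the Public Suffix List; and the sample feed is constructed.

```python
"""Compact a raw host list into the smallest rule set before handing it to
kuailian-cli, and show what "collapse to second-level wildcards" does.

Added example, not Kuailian code. Assumptions: the feed is a JSON array of
{"name": "<host>"} objects; MULTI_LABEL_SUFFIXES is a constructed subset of
the Public Suffix List; cli_commands() mirrors the add-domain call used by
the scheduled script on this page.
"""
import ipaddress
import json
import re
from typing import Iterable, List, Tuple

# Constructed subset of two-label public suffixes; extend for your own stack.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "edu.cn", "ac.cn", "com.hk", "co.uk"}

_HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def is_bare_host(name: str) -> bool:
    """True for a plain FQDN: no scheme, path, port, wildcard or IPv4 literal."""
    try:
        ipaddress.IPv4Address(name)
        return False
    except ValueError:
        pass
    return len(name) <= 253 and bool(_HOST_RE.match(name))


def registrable(host: str) -> str:
    """example.com for www.example.com; sina.com.cn for static.sina.com.cn."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def hosts_from_feed(text: str) -> List[str]:
    """Pull the "name" field out of the community JSON array."""
    return [entry["name"] for entry in json.loads(text)]


def compact(hosts: Iterable[str], existing: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Return (rules_to_add, rejected_entries).

    `existing` lists rules already in the profile; any *.suffix among them
    makes narrower rules under that suffix redundant (*.cn covers *.sina.com.cn).
    A bare registrable host only gets an exact rule, because *.example.com
    does not match example.com itself.
    """
    broad = [r[2:] for r in existing if r.startswith("*.")]
    wanted = set()
    rejected: List[str] = []
    for raw in hosts:
        name = raw.strip().lower().rstrip(".")
        wild = name.startswith("*.")
        if wild:
            name = name[2:]
        if not is_bare_host(name):
            rejected.append(raw)          # the GUI would have mangled this silently
            continue
        reg = registrable(name)
        wanted.add("*." + reg if wild or name != reg else reg)

    def covered(rule: str) -> bool:
        is_wild = rule.startswith("*.")
        host = rule[2:] if is_wild else rule
        return any((is_wild and host == b) or host.endswith("." + b) for b in broad)

    return sorted(r for r in wanted if not covered(r)), rejected


def cli_commands(rules: Iterable[str]) -> List[str]:
    """One kuailian-cli call per rule, as the scheduled script on this page does."""
    return [f"kuailian-cli add-domain {r} bypass" for r in rules]


# Constructed stand-in for cn.json; the real feed is fetched by the task.
SAMPLE_FEED = json.dumps([
    {"name": "www.baidu.com"}, {"name": "map.baidu.com"}, {"name": "baidu.com"},
    {"name": "img.alicdn.com"}, {"name": "g.alicdn.com"},
    {"name": "www.beijing.gov.cn"}, {"name": "static.sina.com.cn"},
    {"name": "http://www.qq.com/"}, {"name": "123.56.78.90"},
])

if __name__ == "__main__":
    add, bad = compact(hosts_from_feed(SAMPLE_FEED), existing=["*.cn"])
    print("\n".join(cli_commands(add)))
    print("rejected:", bad)
```

With `*.cn` already in the profile, the nine sample entries reduce to three rules (`*.alicdn.com`, `*.baidu.com`, `baidu.com`); the two rejected entries are exactly the kind the GUI parser strips without warning, so log them rather than dropping them silently.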
Review Checklist Before You Close the Laptop
Quick QA
- Route Tracer shows ISP gateway for .cn sites ✔
- YouTube still loads and shows Singapore exit IP ✔
- Kill-switch exception aligns with your threat model ✔
- PowerShell automation scheduled and backed-up ✔
- Rules exported to `profile_backup.json` ✔
If all five boxes are green, the split-tunnel is production-ready. Revisit the list whenever Kuailian pushes a major update; driver model changes sometimes reset WFP weights, silently flipping rule precedence.
Frequently Asked Questions
Does split-tunnel weaken my privacy for domestic browsing?
Yes—China sites see your real ISP IP. Use the bypass only for latency-critical, non-sensitive services; keep everything else in the tunnel.
Can I mix IP rules and domain rules?
Absolutely. IP rules are evaluated first, then domain rules. Use IPs for stray servers that lack FQDNs.
Why does WeChat still lag after bypass?
WeChat voice uses random short-URLs. Add wildcard *.wechat.com and *.qpic.cn; also disable SmartRoute which may re-route UDP to a distant node.
Next Steps & Advanced Tweaks
Once the basic bypass is stable, experiment with per-app exceptions for Zoom or Teams; their China relays often outperform the US super-highway inside the tunnel. Monitor the monthly latency CSV exported by Kuailian and prune rules that never match—keeping the list lean reduces CPU and memory footprint on battery-powered devices.
Finally, export the working profile as a QR code and share it with family members; they can scan it inside Kuailian mobile to replicate the same split logic without typing 200 wildcards. That single QR saves support tickets and keeps everyone on the fastest path—local when it matters, encrypted when it counts.