Inbounds and split tunneling
What an inbound is in CreateYourVPN: masquerading as a website, torrent blocking, and split tunneling — which traffic goes through the VPN and which goes direct.
"Inbound" is the most technical word in the panel, but the idea behind it is simple: it's a configured entry point into your VPN on a specific server. In the terminology lesson we compared inbounds to the doors of a building — now let's see what such a door is made of and what its settings are.
What an inbound is
When a user's app connects to your server, it doesn't knock on "the server in general" — it knocks on a specific inbound, and gets exactly the rules you set in that inbound: which website to masquerade as, whether to cut torrents, which traffic to send around the VPN.
A single worker node can host several inbounds with different settings. For example:
- "🇩🇪 Germany" — a regular inbound for everyone;
- "🇩🇪 Germany · no torrents" — the same, but with BitTorrent blocking;
- "🇩🇪 Germany · blocked sites only" — only sites unreachable without a VPN go through it.
Every inbound runs on the VLESS + Reality protocol — the very one that makes VPN traffic look like ordinary HTTPS visits to a popular website.
The inbound's name is what the user sees in their app as the server name. Name them clearly: country + city or purpose ("🇫🇮 Finland", "🎬 Streaming").
Creating an inbound
On the cluster page, click "New inbound". In the form:
- Protocol — VLESS + Reality (the only option, and the recommended one).
- Server — which worker node to bring the entry point up on. Inbounds live only on connected nodes — you can't create an inbound on a "pure" master.
- Name — the name your users will see in their app, flag included.
- Website to masquerade as — which site the traffic disguises itself as. Pick a large HTTPS site that works flawlessly in the server's country: Google/Microsoft/Apple for Europe and the US, Yandex or VK for Russia. In the panel's advanced mode you can fine-tune the parameters by hand (DEST, SERVER_NAMES, FINGERPRINT) — but most people never need to.
- Split tunneling and Block torrents — covered below.
- Route — which route to bind the new entry point to (you can pick "No route" and bind it later — but remember from lesson 4: an inbound outside of a route is invisible to users).
The cluster's first inbound is bound to the default route automatically, so the subscription works right away. You bind every later inbound yourself: at creation time, from the inspector (the "Add to route" action), or by dragging on the diagram.
Torrent blocking
The "Block torrents" toggle cuts BitTorrent traffic right on the server. This matters: the block works even if the user disables all rules in their app — it can't be bypassed by editing the config. It's on by default for new inbounds: torrents on a VPS are a common source of complaints from hosting providers.
Split tunneling
Split tunneling answers the question: which traffic goes through the VPN, and which goes direct? You set the rules once in the inbound, and they're delivered to users' apps automatically — users don't have to configure anything.
The classic scenarios:
- Everything except local. The bank, government services, and local sites go direct (they don't like foreign addresses); everything else goes through the VPN.
- List only. Only blocked sites go through the VPN; everything else goes direct, with no loss of speed.
Three rule lists
The "Split tunneling" section has three independent blocks:
| Block | What it describes | Examples |
|---|---|---|
| Websites | Specific sites and domain zones | example.com (including subdomains), *.ru (the whole zone) |
| GeoSite | Ready-made service categories | google, netflix, telegram, category-ads-all (ads) |
| GeoIP | Whole countries and networks by IP | ru, cn, private (local network), 10.0.0.0/8 |
Each block gets a mode:
- "All via VPN" — the block is off;
- "All except list" — items on the list go directly, bypassing the VPN; everything else goes through the VPN;
- "Only the list" — only items on the list go through the VPN; everything else goes direct.
Lists are filled in with "chips": paste domains separated by commas or new lines; GeoSite and GeoIP have one-click presets.
The "All except list" and "Only the list" modes can't be mixed within one inbound — they set opposite behavior for "all the rest" of the traffic. The panel simply won't let you pick a conflicting combination.
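The mode semantics above, modelled as an added example (this is not CreateYourVPN's own code). The dictionary layout, the function names, the tiny GEOSITE/GEOIP tables, and the choice to treat several switched-on blocks as one combined list are assumptions made for illustration.

```python
import ipaddress

OFF, EXCEPT, ONLY = "All via VPN", "All except list", "Only the list"

# Constructed stand-ins for the GeoSite / GeoIP databases (not real data).
GEOSITE = {"netflix": ["netflix.com", "nflxvideo.net"]}
GEOIP = {"private": ["10.0.0.0/8", "192.168.0.0/16"], "ru": ["198.51.100.0/24"]}

def inbound_mode(blocks):
    """Return the single active mode, rejecting a conflicting combination."""
    active = {b["mode"] for b in blocks.values()} - {OFF}
    if len(active) > 1:
        raise ValueError("'All except list' and 'Only the list' cannot be mixed")
    return active.pop() if active else OFF

def domain_match(host, pattern):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):                     # "*.ru": the whole zone
        return host.endswith(pattern[1:])
    # "example.com" covers subdomains, but only on a label boundary
    return host == pattern or host.endswith("." + pattern)

def ip_match(ip, entry):
    addr = ipaddress.ip_address(ip)
    # Named set or literal CIDR; an unknown name raises ValueError.
    nets = GEOIP[entry] if entry in GEOIP else [entry]
    return any(addr in ipaddress.ip_network(n) for n in nets)

def listed(blocks, host, ip):
    """True if the destination is on the list of any block that is switched on."""
    def items(name):
        b = blocks.get(name, {"mode": OFF})
        return b.get("items", []) if b["mode"] != OFF else []
    sites = items("websites") + [d for c in items("geosite") for d in GEOSITE.get(c, [])]
    return (any(domain_match(host, p) for p in sites)
            or any(ip_match(ip, e) for e in items("geoip")))

def route(blocks, host, ip):
    """Decide 'vpn' or 'direct' for one destination."""
    mode = inbound_mode(blocks)
    if mode == OFF:
        return "vpn"
    hit = listed(blocks, host, ip)
    if mode == EXCEPT:
        return "direct" if hit else "vpn"
    return "vpn" if hit else "direct"
```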
How the rules reach the user
The rules are added to the subscription and enforced in the user's app, not on the server; this is the difference from torrent blocking, which is applied on the server. All the recommended apps (Happ, v2rayN/v2rayNG, Streisand, V2Box) receive them automatically; routers are supported too: OpenWRT and Keenetic. And if a user imports the subscription into some exotic app that doesn't understand the rules, the VPN keeps working: all traffic simply goes through the tunnel.
One subtlety has been handled for you: different inbounds can carry different rules, and each "server" in the user's app brings its own — switch to another server, get its rules.
Key takeaways
- An inbound = an entry point on a node: camouflage + traffic rules + the name the user sees.
- One server can host several inbounds for different purposes.
- Torrent blocking works on the server and can't be bypassed by the client.
- Split tunneling: three lists (sites, categories, countries), "all except" / "list only" modes, automatic delivery to apps.
- An inbound without a route is invisible — don't forget to bind it.
Up next
An inbound can be more than just a door — it can be a suite of several servers in a row, where traffic enters in one country and exits in another.