fix: remove wildcard domain feature (macOS routing is IP-based)

GeiserX · GeiserX · commit c1ce9ef0b5ec · 2026-05-03T16:19:01.000+02:00
macOS routing tables and /etc/hosts do not support domain wildcards.
The *.example.com feature only resolved the base domain's IPs, not
actual subdomains — misleading users into thinking subdomain routing
worked. Removed all wildcard code; kept isWildcard field for Codable
backward compatibility.
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -92,6 +92,7 @@ After CI completes: `brew update && brew upgrade --cask vpn-bypass` to install l
 - **CI handles releases end-to-end** — pushing a `v*` tag triggers `.github/workflows/release.yml` which builds the DMG, creates the GitHub release, AND updates the Homebrew cask. Do NOT manually create releases or update the cask — CI will overwrite them. Just commit, tag, push.
 - **Test the stale-helper upgrade path after release** — especially with VPN already connected and an older helper still installed. Expected flow: helper preflight on startup, admin prompt if needed, helper update, route apply, and DNS refresh timer start automatically.
 - **Some VPNs route via interface link, not IP gateway** — Cisco Secure Client sets the default route to `link#N` (an interface reference) instead of an IP address. `route -n get default` shows `interface: utunX` with no `gateway:` line. VPN Only mode handles this via `iface:<interface>` convention: the helper uses `route add -host <dest> -interface utunX` instead of an IP gateway. See #26.
+- **Wildcard domains (`*.example.com`) are impossible at the macOS routing level.** macOS routing tables are IP-based — you can only route specific IPs or CIDR ranges, not domain patterns. `/etc/hosts` also does not support wildcards. Any wildcard implementation can only resolve the base domain's IPs, not actual subdomains with different IPs. Don't reintroduce this feature.
 - **Helper launchd plist MUST have `RunAtLoad: true`** — without it, the daemon relies on on-demand XPC activation, which macOS blocks when the Login Items toggle is disabled. Homebrew cask upgrades re-sign the app, causing macOS to reset the toggle, which re-breaks the helper on every boot. `RunAtLoad: true` makes the daemon start unconditionally — no Login Items dependency. NEVER set `RunAtLoad` back to `false`. See #25.
 
 ## Self-Improving Configuration
diff --git a/Casks/vpn-bypass.rb b/Casks/vpn-bypass.rb
@@ -3,7 +3,7 @@
 # Or if using local tap: brew install --cask --no-quarantine ./Casks/vpn-bypass.rb
 
 cask "vpn-bypass" do
-  version "2.6.0"
+  version "2.6.1"
   sha256 "8da2ba2e2073f8dbcd9d413658e995d244b52adc94559aecc31690448a9acf42"
 
   url "https://github.com/GeiserX/VPN-Bypass/releases/download/v#{version}/VPN-Bypass-#{version}.dmg"
diff --git a/Info.plist b/Info.plist
@@ -23,7 +23,7 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>2.6.0</string><!-- VERSION -->
+	<string>2.6.1</string><!-- VERSION -->
 	<key>CFBundleVersion</key>
 	<string>22</string>
 	<key>LSMinimumSystemVersion</key>
diff --git a/README.md b/README.md
@@ -111,7 +111,7 @@ Click the shield icon in the menu bar to:
 Click the gear icon to access settings:
 
 **Domains Tab**
-- Add custom domains to bypass (supports wildcards: `*.example.com` matches all subdomains)
+- Add custom domains to bypass
 - Enable/disable individual domains
 - See resolved IPs
 
diff --git a/Sources/RouteManager.swift b/Sources/RouteManager.swift
@@ -340,10 +340,6 @@ final class RouteManager: ObservableObject {
             self.isWildcard = isWildcard
         }
 
-        var resolvableDomain: String {
-            isWildcard ? String(domain.dropFirst()) : domain
-        }
-
         init(from decoder: Decoder) throws {
             let container = try decoder.container(keyedBy: CodingKeys.self)
             id = try container.decode(UUID.self, forKey: .id)
@@ -1242,14 +1238,14 @@ final class RouteManager: ObservableObject {
                 if domain.isCIDR {
                     inverseCIDRs.append(domain.domain)
                 } else {
-                    let resolvable = domain.resolvableDomain
+                    let resolvable = domain.domain
                     allDomains.append((resolvable, domain.domain))
                 }
             }
         } else {
             // Bypass mode: resolve bypass domains + service domains
             for domain in config.domains where domain.enabled {
-                let resolvable = domain.resolvableDomain
+                let resolvable = domain.domain
                 allDomains.append((resolvable, domain.domain))
             }
             for service in config.services where service.enabled {
@@ -1605,7 +1601,7 @@ final class RouteManager: ObservableObject {
                         routesToAdd.append((destination: cidr, gateway: routeGateway, isNetwork: true, source: cidr))
                     }
                 } else {
-                    let cacheKey = domain.resolvableDomain
+                    let cacheKey = domain.domain
                     if let cachedIPs = dnsDiskCache[cacheKey] {
                         for ip in cachedIPs {
                             let key = "\(domain.domain)|\(ip)"
@@ -1659,7 +1655,7 @@ final class RouteManager: ObservableObject {
             }
 
             for domain in config.domains where domain.enabled {
-                let cacheKey = domain.resolvableDomain
+                let cacheKey = domain.domain
                 if let cachedIPs = dnsDiskCache[cacheKey] {
                     for ip in cachedIPs {
                         let key = "\(domain.domain)|\(ip)"
@@ -1790,7 +1786,7 @@ final class RouteManager: ObservableObject {
         if isInverse {
             for domain in config.inverseDomains where domain.enabled {
                 if !domain.isCIDR {
-                    let resolvable = domain.resolvableDomain
+                    let resolvable = domain.domain
                     domainsToResolve.append((resolvable, domain.domain))
                 }
             }
@@ -1801,7 +1797,7 @@ final class RouteManager: ObservableObject {
                 }
             }
             for domain in config.domains where domain.enabled {
-                let resolvable = domain.resolvableDomain
+                let resolvable = domain.domain
                 domainsToResolve.append((resolvable, domain.domain))
             }
         }
@@ -2102,13 +2098,13 @@ final class RouteManager: ObservableObject {
                     // CIDR entries: preserve as static routes, no DNS resolution
                     expectedEntries.insert(SourceDest(source: domain.domain, destination: domain.domain))
                 } else {
-                    let resolvable = domain.resolvableDomain
+                    let resolvable = domain.domain
                     domainsToResolve.append((resolvable, domain.domain))
                 }
             }
         } else {
             for domain in config.domains where domain.enabled {
-                let resolvable = domain.resolvableDomain
+                let resolvable = domain.domain
                 domainsToResolve.append((resolvable, domain.domain))
             }
             for service in config.services where service.enabled {
@@ -2358,25 +2354,17 @@ final class RouteManager: ObservableObject {
     
     func addDomain(_ domain: String) {
         let trimmed = domain.trimmingCharacters(in: .whitespacesAndNewlines)
-        let isWildcard = trimmed.hasPrefix("*.")
-        let cleaned: String
-        if isWildcard {
-            let suffix = cleanDomain(String(trimmed.dropFirst(2)))
-            guard !suffix.isEmpty else { return }
-            cleaned = "." + suffix
-        } else {
-            cleaned = cleanDomain(trimmed)
-        }
+        let cleaned = cleanDomain(trimmed)
         guard !cleaned.isEmpty else { return }
         guard !config.domains.contains(where: { $0.domain == cleaned }) else {
             log(.warning, "Domain \(cleaned) already exists")
             return
         }
 
-        let entry = DomainEntry(domain: cleaned, isWildcard: isWildcard)
+        let entry = DomainEntry(domain: cleaned)
         config.domains.append(entry)
         saveConfig()
-        log(.success, "Added \(isWildcard ? "wildcard " : "")domain: \(cleaned)")
+        log(.success, "Added domain: \(cleaned)")
 
         if isVPNConnected && acquireRouteOperation() {
             Task {
@@ -2386,7 +2374,7 @@ final class RouteManager: ObservableObject {
                     log(.error, "Cannot route \(cleaned): no local gateway detected. Try Refresh Routes.")
                     return
                 }
-                if let routes = await applyRoutesForDomain(entry.resolvableDomain, gateway: gateway, source: cleaned) {
+                if let routes = await applyRoutesForDomain(entry.domain, gateway: gateway, source: cleaned) {
                     guard routeEpoch == epoch else { return }
                     activeRoutes.append(contentsOf: routes)
                     if config.manageHostsFile {
@@ -2434,7 +2422,7 @@ final class RouteManager: ObservableObject {
         let epoch = routeEpoch
 
         log(.info, "Retrying DNS for \(domain)...")
-        if let routes = await applyRoutesForDomain(entry.resolvableDomain, gateway: gateway, source: domain) {
+        if let routes = await applyRoutesForDomain(entry.domain, gateway: gateway, source: domain) {
             guard routeEpoch == epoch else { return }
             activeRoutes.append(contentsOf: routes)
             if config.manageHostsFile {
@@ -2490,7 +2478,7 @@ final class RouteManager: ObservableObject {
                         log(.error, "Cannot route \(domain.domain): no local gateway detected")
                         return
                     }
-                    let resolvable = domain.resolvableDomain
+                    let resolvable = domain.domain
                     if let routes = await applyRoutesForDomain(resolvable, gateway: gateway, source: domain.domain) {
                         guard routeEpoch == epoch else { return }
                         activeRoutes.append(contentsOf: routes)
@@ -2531,7 +2519,7 @@ final class RouteManager: ObservableObject {
             for domain in domainsToChange {
                 guard routeEpoch == epoch else { return }
                 if enabled, let gw = gateway {
-                    let resolvable = domain.resolvableDomain
+                    let resolvable = domain.domain
                     if let routes = await applyRoutesForDomain(resolvable, gateway: gw, source: domain.domain, persistCache: false) {
                         guard routeEpoch == epoch else { return }
                         activeRoutes.append(contentsOf: routes)
@@ -2597,17 +2585,12 @@ final class RouteManager: ObservableObject {
 
         // Detect CIDR input (e.g., "192.168.1.0/24") — bypass domain cleaning
         let cidr = isValidCIDR(trimmed)
-        let isWildcard = trimmed.hasPrefix("*.")
         let cleaned: String
         if cidr {
             cleaned = trimmed
         } else if trimmed.contains("/") {
             log(.warning, "Invalid CIDR notation: \(trimmed)")
             return
-        } else if isWildcard {
-            let suffix = cleanDomain(String(trimmed.dropFirst(2)))
-            guard !suffix.isEmpty else { return }
-            cleaned = "." + suffix
         } else {
             cleaned = cleanDomain(trimmed)
             guard !cleaned.isEmpty else { return }
@@ -2617,10 +2600,10 @@ final class RouteManager: ObservableObject {
             log(.warning, "VPN Only entry \(cleaned) already exists")
             return
         }
-        let inverseEntry = DomainEntry(domain: cleaned, isCIDR: cidr, isWildcard: isWildcard)
+        let inverseEntry = DomainEntry(domain: cleaned, isCIDR: cidr)
         config.inverseDomains.append(inverseEntry)
         saveConfig()
-        log(.success, "Added VPN Only \(cidr ? "CIDR" : isWildcard ? "wildcard " : "")domain: \(cleaned)")
+        log(.success, "Added VPN Only \(cidr ? "CIDR" : "")domain: \(cleaned)")
 
         if isVPNConnected && config.routingMode == .vpnOnly && acquireRouteOperation() {
             Task {
@@ -2641,7 +2624,7 @@ final class RouteManager: ObservableObject {
                         ))
                         log(.success, "Routed CIDR \(cleaned) through VPN")
                     }
-                } else if let routes = await applyRoutesForDomain(inverseEntry.resolvableDomain, gateway: gw, source: cleaned) {
+                } else if let routes = await applyRoutesForDomain(inverseEntry.domain, gateway: gw, source: cleaned) {
                     guard routeEpoch == epoch else { return }
                     activeRoutes.append(contentsOf: routes)
                     if config.manageHostsFile { await updateHostsFile() }
@@ -2693,7 +2676,7 @@ final class RouteManager: ObservableObject {
                             ))
                         }
                     } else {
-                        let resolvable = domain.resolvableDomain
+                        let resolvable = domain.domain
                         if let routes = await applyRoutesForDomain(resolvable, gateway: gw, source: domain.domain) {
                             guard routeEpoch == epoch else { return }
                             activeRoutes.append(contentsOf: routes)
@@ -3552,7 +3535,7 @@ final class RouteManager: ObservableObject {
             guard !domain.isCIDR else { continue }
             // Include enabled domains AND disabled domains that still have active kernel routes
             guard domain.enabled || activeRoutes.contains(where: { $0.source == domain.domain }) else { continue }
-            let lookupDomain = domain.resolvableDomain
+            let lookupDomain = domain.domain
             if let ip = firstRoutedIP(for: lookupDomain, in: routedDestinations) {
                 entries.append((lookupDomain, ip))
             }
diff --git a/Sources/SettingsView.swift b/Sources/SettingsView.swift
@@ -199,7 +199,7 @@ struct DomainsTab: View {
                         .font(.system(size: 12))
                         .foregroundColor(Theme.textSecondary)
 
-                    TextField(isInverse ? "e.g., example.com, *.example.com, or 10.0.0.0/24" : "e.g., example.com or *.example.com", text: $newDomain)
+                    TextField(isInverse ? "e.g., example.com or 10.0.0.0/24" : "e.g., example.com", text: $newDomain)
                         .textFieldStyle(.plain)
                         .font(.system(size: 13))
                         .focused($isInputFocused)
@@ -386,15 +386,6 @@ struct DomainRow: View {
                             .background(Theme.warning.opacity(0.15))
                             .cornerRadius(4)
                     }
-                    if domain.isWildcard {
-                        Text("Wildcard")
-                            .font(.system(size: 9, weight: .bold))
-                            .foregroundColor(Theme.cyan)
-                            .padding(.horizontal, 5)
-                            .padding(.vertical, 1)
-                            .background(Theme.cyan.opacity(0.15))
-                            .cornerRadius(4)
-                    }
                 }
             }
 
diff --git a/Tests/VPNBypassTests/VPNBypassTests.swift b/Tests/VPNBypassTests/VPNBypassTests.swift
@@ -312,10 +312,6 @@ final class DomainEntryCodableTests: XCTestCase {
         var isCIDR: Bool
         var isWildcard: Bool
 
-        var resolvableDomain: String {
-            isWildcard ? String(domain.dropFirst()) : domain
-        }
-
         init(domain: String, enabled: Bool = true, isCIDR: Bool = false, isWildcard: Bool = false) {
             self.id = UUID()
             self.domain = domain
@@ -452,79 +448,6 @@ final class DomainEntryCodableTests: XCTestCase {
         XCTAssertEqual(entry.domain, "10.0.0.0/8")
     }
 
-    // MARK: - Wildcard support
-
-    func testDomainEntryInitDefaultsWildcardToFalse() {
-        let entry = DomainEntry(domain: "google.com")
-        XCTAssertEqual(entry.isWildcard, false)
-    }
-
-    func testDomainEntryInitExplicitWildcard() {
-        let entry = DomainEntry(domain: ".google.com", isWildcard: true)
-        XCTAssertEqual(entry.isWildcard, true)
-        XCTAssertEqual(entry.domain, ".google.com")
-    }
-
-    func testDecodeOldJSONWithoutWildcardFieldDefaultsToFalse() throws {
-        let id = UUID()
-        let json: [String: Any] = [
-            "id": id.uuidString,
-            "domain": "telegram.org",
-            "enabled": true
-        ]
-        let data = try JSONSerialization.data(withJSONObject: json)
-        let entry = try JSONDecoder().decode(DomainEntry.self, from: data)
-        XCTAssertEqual(entry.isWildcard, false)
-    }
-
-    func testDecodeJSONWithWildcardTrue() throws {
-        let id = UUID()
-        let json: [String: Any] = [
-            "id": id.uuidString,
-            "domain": ".google.com",
-            "enabled": true,
-            "isWildcard": true
-        ]
-        let data = try JSONSerialization.data(withJSONObject: json)
-        let entry = try JSONDecoder().decode(DomainEntry.self, from: data)
-        XCTAssertEqual(entry.domain, ".google.com")
-        XCTAssertEqual(entry.isWildcard, true)
-    }
-
-    func testRoundTripWildcardEntry() throws {
-        let original = DomainEntry(domain: ".example.com", isWildcard: true)
-        let data = try JSONEncoder().encode(original)
-        let decoded = try JSONDecoder().decode(DomainEntry.self, from: data)
-        XCTAssertEqual(decoded.domain, original.domain)
-        XCTAssertEqual(decoded.isWildcard, original.isWildcard)
-        XCTAssertEqual(decoded.id, original.id)
-    }
-
-    func testWildcardResolvableDomainStripsLeadingDot() {
-        let entry = DomainEntry(domain: ".google.com", isWildcard: true)
-        XCTAssertEqual(entry.resolvableDomain, "google.com")
-    }
-
-    func testNonWildcardResolvableDomainUnchanged() {
-        let entry = DomainEntry(domain: "google.com")
-        XCTAssertEqual(entry.resolvableDomain, "google.com")
-    }
-
-    func testResolvableDomainConsistentAsCacheKey() {
-        let wildcard = DomainEntry(domain: ".example.com", isWildcard: true)
-        let plain = DomainEntry(domain: "example.com")
-        XCTAssertEqual(wildcard.resolvableDomain, plain.resolvableDomain)
-    }
-
-    func testResolvableDomainWithNestedWildcard() {
-        let entry = DomainEntry(domain: ".sub.example.com", isWildcard: true)
-        XCTAssertEqual(entry.resolvableDomain, "sub.example.com")
-    }
-
-    func testCIDREntryResolvableDomainUnchanged() {
-        let entry = DomainEntry(domain: "10.0.0.0/8", isCIDR: true)
-        XCTAssertEqual(entry.resolvableDomain, "10.0.0.0/8")
-    }
 }
 
 // MARK: - AddInverseDomain Logic Tests
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
