
WinDivert & VPN coexistence – unable to capture original SNI before VPN modification #403

@sysdev-jay

Description

I am working with WinDivert to capture and process network traffic at the network layer. However, I am encountering an issue when a secure VPN is active on the system.

When the VPN is enabled, WinDivert does not seem to capture the original outbound traffic before it is processed by the VPN. As a result, in the TLS ClientHello packet, the SNI is not the actual destination (e.g., github.com), but instead reflects the VPN server address.

Example:

  • VPN enabled on the system
  • Attempt to access github.com
  • Observed behavior:
    Captured ClientHello SNI = VPN server address
  • Expected behavior:
    Captured ClientHello SNI = github.com

Problem:
It appears that the VPN modifies or encapsulates the traffic before WinDivert can intercept it, preventing access to the original destination information.

Question:

  1. Is there a way to configure WinDivert to capture packets before they are processed or altered by the VPN?
  2. Are there specific layers, filters, or modifications needed in WinDivert to ensure access to the original outbound traffic (including the correct SNI) when a VPN is active?

Goal:
Capture and process packets at an earlier stage so that the original destination (e.g., SNI in ClientHello) is preserved, even when a VPN is in use.
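An added illustration of the parsing step the issue describes (this is example code written here, not code from the WinDivert project or from the issue author). It walks a captured IPv4/TCP packet to its payload and reads the server_name extension out of a TLS ClientHello. The packet bytes, the host name `github.com` and the TEST-NET addresses are constructed inline; the script does not use WinDivert itself, so feeding it packets received from a WinDivert network-layer handle is left as an assumption. The second case in `main()` shows the failure mode from the report: when the payload on the wire is not a ClientHello (for example an encapsulated tunnel record), no inner SNI can be recovered from that packet.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def parse_sni(tls: bytes) -> Optional[str]:
    """Return the host name from a ClientHello's server_name extension,
    or None when the bytes are not a complete ClientHello with an SNI."""
    try:
        if len(tls) < 5 or tls[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack_from("!H", tls, 3)[0]
        body = tls[5:5 + rec_len]
        if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None  # handshake split across TCP segments; caller must reassemble
        pos = 2 + 32                                               # client_version + random
        pos += 1 + hello[pos]                                      # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]         # cipher_suites
        pos += 1 + hello[pos]                                      # compression_methods
        if pos + 2 > len(hello):
            return None                                            # no extensions block
        ext_len = struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if etype == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, then entries of (type, 2-byte length, name)
                p = pos + 2
                while p + 3 <= pos + elen:
                    ntype = hello[p]
                    nlen = struct.unpack_from("!H", hello, p + 1)[0]
                    if ntype == 0:  # host_name
                        return hello[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen
        return None
    except (struct.error, IndexError):
        return None  # malformed or truncated input


def sni_from_ipv4_packet(pkt: bytes) -> Optional[str]:
    """Skip the IPv4 and TCP headers of a raw packet (the form a network-layer
    capture hands over) and try to read a ClientHello SNI from the payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # IPv4 carrying TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    data_off = (pkt[ihl + 12] >> 4) * 4
    return parse_sni(pkt[ihl + data_off:])


def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only a server_name extension."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32)        # client_version, random (zeroed)
             + b"\x00"                      # empty session_id
             + b"\x00\x02\x13\x01"          # one cipher suite
             + b"\x01\x00"                  # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_ipv4_tcp(payload: bytes) -> bytes:
    """Constructed IPv4/TCP wrapper (checksums zeroed, TEST-NET addresses)."""
    ip = (b"\x45\x00" + struct.pack("!H", 40 + len(payload)) + b"\x00\x00\x40\x00\x40\x06\x00\x00"
          + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def main() -> None:
    direct = build_ipv4_tcp(build_client_hello("github.com"))
    print("direct ClientHello  ->", sni_from_ipv4_packet(direct))      # github.com
    # Constructed stand-in for an encapsulated tunnel payload: a TLS application_data
    # record, whose contents are opaque, so no inner SNI is visible in this packet.
    tunneled = build_ipv4_tcp(b"\x17\x03\x03\x00\x10" + bytes(16))
    print("encapsulated payload ->", sni_from_ipv4_packet(tunneled))   # None


if __name__ == "__main__":
    main()
```

The parser only handles a ClientHello that fits in one TCP segment; on real captures the handshake record can be split, so a per-flow reassembly buffer must sit in front of `parse_sni` before it returns a reliable answer.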
