Two attacks to make send traffic outside protected VPN tunnel.

1. exploit VPN's LAN direct access mechanism by spoofing fake IP for target.com
2. spoof the IP for VPN server

I reckon these methods should only affect unencrypted traffic or TLS without proper CN checks. Interestingly, this technique is used by some VPN software in China as an alternative way to selectively route traffic to VPN (to circumvent internet censorship). https://dreamacro.github.io/clash/configuration/dns.html#fake-ip

This thing amazes me when I saw it. Although I can roughly see how it may work, this still feels magical to me.

Then I realized, isn't this technique known as "inverse kinematics"?