diff --git a/include/global/NekoGui_DataStore.hpp b/include/global/NekoGui_DataStore.hpp
index 5524530..0207ab4 100644
--- a/include/global/NekoGui_DataStore.hpp
+++ b/include/global/NekoGui_DataStore.hpp
@@ -113,6 +113,7 @@ namespace NekoGui {
 
         // VPN
         bool fake_dns = false;
+        bool enable_tun_routing = false;
 #ifdef Q_OS_MACOS
         QString vpn_implementation = "gvisor";
 #else
diff --git a/include/ui/setting/dialog_vpn_settings.ui b/include/ui/setting/dialog_vpn_settings.ui
index 0349ba8..23317ba 100644
--- a/include/ui/setting/dialog_vpn_settings.ui
+++ b/include/ui/setting/dialog_vpn_settings.ui
@@ -93,6 +93,16 @@
         </property>
        </widget>
       </item>
+      <item>
+       <widget class="QCheckBox" name="tun_routing">
+        <property name="toolTip">
+         <string>&lt;html&gt;&lt;head/&gt;&lt;body&gt;&lt;p&gt;When enabled, Direct IP CIDRs and rule sets will also be added to the Tun setting to be excluded at OS routing level. IMPORTANT: Large rule sets have been reported to cause massive CPU usage in windows, please enable this option with caution.&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;</string>
+        </property>
+        <property name="text">
+         <string>Enable Tun Routing</string>
+        </property>
+       </widget>
+      </item>
      </layout>
     </widget>
    </item>
diff --git a/src/configs/ConfigBuilder.cpp b/src/configs/ConfigBuilder.cpp
index f223553..3e29dfc 100644
--- a/src/configs/ConfigBuilder.cpp
+++ b/src/configs/ConfigBuilder.cpp
@@ -504,7 +504,7 @@ namespace NekoGui {
             if (dataStore->vpn_ipv6) tunAddress += "fdfe:dcba:9876::1/96";
             inboundObj["address"] = tunAddress;
             inboundObj["domain_strategy"] = dataStore->routing->domain_strategy;
-            if (dataStore->routing->def_outbound == "proxy")
+            if (dataStore->enable_tun_routing && dataStore->routing->def_outbound == "proxy")
             {
                 if (!directIPCIDRs.isEmpty()) inboundObj["route_exclude_address"] = directIPCIDRs;
                 if (!directIPSets.isEmpty()) inboundObj["route_exclude_address_set"] = directIPSets;
diff --git a/src/global/NekoGui.cpp b/src/global/NekoGui.cpp
index 0d14764..8590ef7 100644
--- a/src/global/NekoGui.cpp
+++ b/src/global/NekoGui.cpp
@@ -308,6 +308,7 @@ namespace NekoGui {
         _add(new configItem("stats_tab", &stats_tab, itemType::string));
         _add(new configItem("proxy_scheme", &proxy_scheme, itemType::string));
         _add(new configItem("disable_privilege_req", &disable_privilege_req, itemType::boolean));
+        _add(new configItem("enable_tun_routing", &enable_tun_routing, itemType::boolean));
     }
 
     void DataStore::UpdateStartedId(int id) {
diff --git a/src/ui/setting/dialog_vpn_settings.cpp b/src/ui/setting/dialog_vpn_settings.cpp
index 7407e76..cad64a1 100644
--- a/src/ui/setting/dialog_vpn_settings.cpp
+++ b/src/ui/setting/dialog_vpn_settings.cpp
@@ -16,6 +16,7 @@ DialogVPNSettings::DialogVPNSettings(QWidget *parent) : QDialog(parent), ui(new
     ui->vpn_mtu->setCurrentText(Int2String(NekoGui::dataStore->vpn_mtu));
     ui->vpn_ipv6->setChecked(NekoGui::dataStore->vpn_ipv6);
     ui->strict_route->setChecked(NekoGui::dataStore->vpn_strict_route);
+    ui->tun_routing->setChecked(NekoGui::dataStore->enable_tun_routing);
     ADJUST_SIZE
 }
 
@@ -31,6 +32,7 @@ void DialogVPNSettings::accept() {
     NekoGui::dataStore->vpn_mtu = mtu;
     NekoGui::dataStore->vpn_ipv6 = ui->vpn_ipv6->isChecked();
     NekoGui::dataStore->vpn_strict_route = ui->strict_route->isChecked();
+    NekoGui::dataStore->enable_tun_routing = ui->tun_routing->isChecked();
     //
     QStringList msg{"UpdateDataStore"};
     msg << "VPNChanged";