diff --git a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
index 3a6a7be..c559113 100644
--- a/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
+++ b/TunnelKit/Sources/AppExtension/TunnelKitProvider.swift
@@ -492,7 +492,7 @@ extension TunnelKitProvider: SessionProxyDelegate {
             }
         }
 
-        bringNetworkUp(remoteAddress: remoteAddress, reply: reply) { (error) in
+        bringNetworkUp(remoteAddress: remoteAddress, configuration: proxy.configuration, reply: reply) { (error) in
             if let error = error {
                 log.error("Failed to configure tunnel: \(error)")
                 self.pendingStartHandler?(error)
@@ -523,15 +523,18 @@ extension TunnelKitProvider: SessionProxyDelegate {
         socket?.shutdown()
     }
     
-    private func bringNetworkUp(remoteAddress: String, reply: SessionReply, completionHandler: @escaping (Error?) -> Void) {
-        
-        // route all traffic to VPN
+    private func bringNetworkUp(remoteAddress: String, configuration: SessionProxy.Configuration, reply: SessionReply, completionHandler: @escaping (Error?) -> Void) {
         var ipv4Settings: NEIPv4Settings?
         if let ipv4 = reply.options.ipv4 {
-            let defaultRoute = NEIPv4Route.default()
-            defaultRoute.gatewayAddress = ipv4.defaultGateway
+            var routes: [NEIPv4Route] = []
+
+            // route all traffic to VPN?
+            if configuration.routingPolicies?.contains(.IPv4) ?? false {
+                let defaultRoute = NEIPv4Route.default()
+                defaultRoute.gatewayAddress = ipv4.defaultGateway
+                routes.append(defaultRoute)
+            }
             
-            var routes: [NEIPv4Route] = [defaultRoute]
             for r in ipv4.routes {
                 let ipv4Route = NEIPv4Route(destinationAddress: r.destination, subnetMask: r.mask)
                 ipv4Route.gatewayAddress = r.gateway
@@ -545,10 +548,15 @@ extension TunnelKitProvider: SessionProxyDelegate {
 
         var ipv6Settings: NEIPv6Settings?
         if let ipv6 = reply.options.ipv6 {
-            let defaultRoute = NEIPv6Route.default()
-            defaultRoute.gatewayAddress = ipv6.defaultGateway
+            var routes: [NEIPv6Route] = []
+
+            // route all traffic to VPN?
+            if configuration.routingPolicies?.contains(.IPv6) ?? false {
+                let defaultRoute = NEIPv6Route.default()
+                defaultRoute.gatewayAddress = ipv6.defaultGateway
+                routes.append(defaultRoute)
+            }
 
-            var routes: [NEIPv6Route] = [defaultRoute]
             for r in ipv6.routes {
                 let ipv6Route = NEIPv6Route(destinationAddress: r.destination, networkPrefixLength: r.prefixLength as NSNumber)
                 ipv6Route.gatewayAddress = r.gateway
@@ -556,7 +564,7 @@ extension TunnelKitProvider: SessionProxyDelegate {
             }
 
             ipv6Settings = NEIPv6Settings(addresses: [ipv6.address], networkPrefixLengths: [ipv6.addressPrefixLength as NSNumber])
-            ipv6Settings?.includedRoutes = [defaultRoute]
+            ipv6Settings?.includedRoutes = routes
             ipv6Settings?.excludedRoutes = []
         }
         
diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index d769168..9f9afc7 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -79,7 +79,8 @@ public class SessionProxy {
     
     // MARK: Configuration
     
-    private let configuration: Configuration
+    /// The session base configuration.
+    public let configuration: Configuration
     
     /// The optional credentials.
     public var credentials: Credentials?