How to send some traffic through VPN?
The question arose: I want to set up a third-party or my own VPN so that I go to Russian sites without the VPN, but to foreign or blocked resources the connection goes through the VPN. Roughly speaking, I don't want to keep the VPN turned on all the time, but rather have it turn on when the provider does not let me into a site. Are there such solutions? Or which way should I dig? Thank you.
There are two approaches. In both cases you need a list of blocked IPs; you can take it from AntiZapret, for example.
The next question is how to send the traffic.
1. There was material on Habr about dynamic loading of routes via BGP. Plus: it works with any protocol and does not require additional configuration on the side of the proxied software. Cons: it is significantly more difficult to understand, in my opinion, and there may be problems with cross-platform use. The article shows the implementation on a Mikrotik router.
2. Use a proxy.pac file. It can be generated with a script like this:
#!/bin/bash
DNS_SERVER=8.8.8.8
BLACKLIST_URL="http://antizapret.prostovpn.org/iplist.txt"
# where to put the proxy.pac file
PACDIR=/var/www/html
TMPLIST=/tmp/iplist.txt
# domains that must always go through the proxy, regardless of the contents of iplist.txt
DOMAINS=(\
    rutracker.org \
    facebook.com \
    facebook.net \
    fbcdn.net \
    twitter.com \
    twitter.co \
    t.co \
    twimg.com \
    twitpic.com \
    periscope.tv \
    pscp.tv \
)
# download the blacklist
wget -q --tries=10 -O "$TMPLIST" "$BLACKLIST_URL"
# pull the IPs of the domains listed above (drop CNAME targets, which end with a dot)
declare -a EXTRAIPS=()
for domain in "${DOMAINS[@]}"
do
    dig A "$domain" +short @"$DNS_SERVER" | grep -v '\.$' >>"$TMPLIST"
done
# the blacklist contains both single IPs and subnets
# it is also very long, so encode it more compactly (each IP as a 32-bit hex number)
IPLIST=`grep -Ex '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' "$TMPLIST" | awk '/^[0-9]+/ {split($1,b,/\./); printf("0x%02x%02x%02x%02x,", b[1],b[2],b[3],b[4]);}'`
SUBNETLIST=`awk '/[0-9.]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+/ {split($1,p,/\//); printf("[\"%s\", %s], ", p[1], p[2]);}' <"$TMPLIST"`
# generate proxy.pac from a template
# it first checks the host against the fixed domains, then the resolved IP against the list
function templatePAC {
    NAME=$1
    shift
    DMNLIST=("$@")
    cat >"$PACDIR/$NAME" <<EOF
function FindProxyForURL(url, host) {
  var domainblacklist = [
EOF
    for d in "${DMNLIST[@]}"
    do
        echo "    '$d'," >>"$PACDIR/$NAME"
    done
    cat >>"$PACDIR/$NAME" <<EOF
  ];
  var ipblacklist = [ $IPLIST ];
  var subnetblacklist = [ $SUBNETLIST ];
  function endsWith(str, suffix) {
    return str.indexOf(suffix, str.length - suffix.length) !== -1;
  }
  // convert a prefix length (e.g. 24) into a dotted mask (255.255.255.0)
  function numberToMask(n) {
    var m = [0,128,192,224,240,248,252,254,255];
    var r = [];
    for (var i = 0; i < 4; i++) {
      var p = (n > 8) ? 8 : n;
      r[i] = m[p];
      n -= p;
    }
    return r.join(".");
  }
  function maskMatch(ip, mask) {
    var m = numberToMask(mask[1]);
    return isInNet(ip, mask[0], m);
  }
  var blocked = false;
  for (var i = 0; !blocked && (i < domainblacklist.length); i++)
    blocked = blocked || ((host == domainblacklist[i]) || endsWith(host, '.' + domainblacklist[i]));
  if (!blocked) {
    var ip = dnsResolve(host);
    // dnsResolve returns null when resolution fails; skip the IP checks in that case
    if (ip) {
      for (var i = 0; !blocked && (i < subnetblacklist.length); i++)
        blocked = blocked || maskMatch(ip, subnetblacklist[i]);
      blocked = blocked || (ipblacklist.indexOf(convert_addr(ip)) != -1);
    }
  }
  if (blocked)
    return "PROXY YOUR_PROXY_HERE:PORT";
  else
    return "DIRECT";
}
EOF
}
# generate the file
templatePAC proxy.pac "${DOMAINS[@]}"
rm -f "$TMPLIST"
Personally, I am aware of two options for access through routers. I won't give you the instructions, since I did this a year or two ago.
1. Through a Mikrotik router.
2. Through a router with OpenWRT firmware.
The essence of both methods is that two connections are created: the main one and the VPN. All sites in the created list are wrapped onto the VPN; the rest go through normal access.
In this way I wrap the sites I need on Mikrotik onto an OpenVPN server, but I fiddled with several articles for a long time, and when it finally worked I myself did not understand how. More precisely, I did not understand what I had done wrong before that made it not work.
You can use the AntiZapret service; there is an add-on for browsers.
You can set up a VPN client on the router and redirect traffic for a specific list of domains via the VPN (if the router can do it).
You can do the same on a PC...
You can buy / install the proxies themselves somewhere and also register their settings in the browser (the same AntiZapret has the option of installing through a container with a ready-made proxy).
As a result, everything will go through the provider, and blocked sites through the proxy.
Something that turns the VPN on and off by itself: there is no such thing. This is not how it works.
What prevents you from keeping the VPN enabled? It doesn't actually eat resources if not used.
Isn't it easier to subscribe to a ready-made service that has split tunneling or black and white lists? It comes out even cheaper.
For example https://adguard-vpn.com/en/ AdGuard VPN has both split tunneling for applications and a white/black list of sites. Plus, it is possible to change the DNS: AdGuard's DNS is also available, which cuts ads, or the family DNS, which blocks adult sites and cuts ads, etc.
$35.94 per year is $2.99 per month.
https://rus.windscribe.com - on mobile clients it definitely has split tunneling and, not least, GPS Spoofing. For example, Twitter on smartphones takes your location from GPS. GPS Spoofing replaces the coordinates with those of the country you are connected to. The desktop client needs checking for whether it has split tunneling.
$49 per year or $4.08 per month. It's still cheaper than keeping a server on DigitalOcean, for example.
Plus, there are clients for all systems and no need to dance with a tambourine.
Dig in the direction of routes to the desired resources. But in general, VPN is not intended for this; proxies work at the HTTP level.
If you just need to get to the sites that Roskomnadzor has blocked: I use Chrome + the Bypass Runet Blocks plugin, for a year now without problems, and it quickly opens all blocked sites.
https://bitbucket.org/anticensority/antizapret-vpn...
VPN features
Non-standard routing method
Unlike regular VPNs, which redirect individual IP addresses or ranges using the OS routing tools, AntiZapret VPN uses routing based on domain names, with a special DNS server created for this purpose.
A special DNS resolver runs on the VPN server; it establishes a mapping from the real IP address of the domain to a free IP address in a large internal subnet, and returns to the requesting client an address from the internal subnet.
This approach has many advantages:
- Only one or a few routes are set for the client, instead of tens of thousands of routes;
- Only blocked domains are routed, not all sites on the blocked IP address;
- The list of blocked sites can be updated without reconnecting the client;
- Correct operation with domains that constantly change IP addresses and with CDN services;
- Correct operation with providers that block all subdomains of a blocked domain (blocking the entire DNS zone). An example of such a provider is Yota.
But there are also disadvantages:
- Only the DNS server inside the VPN can be used. It will not work with other DNS servers.
- Works only for blocked domains and programs that use domain names. For blocked IP addresses, normal routing must be used.
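The domain-based routing described above, as an added simulation that is not AntiZapret's own code: the internal pool 10.224.0.0/15, the blocked-domain list and the real addresses are constructed values, and the real_ip argument stands in for the upstream lookup the real resolver would perform. It shows why the client needs only one route (the pool), why subdomains of a blocked domain are covered, and why a CDN changing its address does not break the mapping.

```python
import ipaddress


class MappingResolver:
    """Toy model of a DNS resolver that answers blocked names with addresses
    from an internal pool; the VPN gateway translates them back to the real IP."""

    def __init__(self, blocked_domains, pool="10.224.0.0/15"):  # pool is a constructed value
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}
        self.pool = ipaddress.ip_network(pool)
        self._free = self.pool.hosts()          # generator of unused internal addresses
        self.domain_to_fake = {}                # name -> internal address handed to clients
        self.fake_to_real = {}                  # internal address -> current real address

    def is_blocked(self, name):
        name = name.lower().rstrip(".")
        # a blocked zone covers the apex and every subdomain (so sub.rutracker.org matches)
        return any(name == d or name.endswith("." + d) for d in self.blocked)

    def resolve(self, name, real_ip):
        """Answer a client query. real_ip stands in for the upstream DNS lookup."""
        name = name.lower().rstrip(".")
        if not self.is_blocked(name):
            return real_ip                      # ordinary names resolve normally -> DIRECT
        if name not in self.domain_to_fake:
            self.domain_to_fake[name] = str(next(self._free))
        fake = self.domain_to_fake[name]
        # refresh on every query: a CDN rotating its real IP keeps the same fake address,
        # so the client's single route to the pool keeps working without reconnecting
        self.fake_to_real[fake] = real_ip
        return fake

    def translate(self, dst):
        """Gateway side: rewrite a pool address back to the real destination (DNAT)."""
        return self.fake_to_real.get(dst, dst)


def client_route(resolver, dst):
    """The client's routing table has exactly one VPN route: the internal pool."""
    return "vpn" if ipaddress.ip_address(dst) in resolver.pool else "direct"


if __name__ == "__main__":
    r = MappingResolver(["rutracker.org"])    # constructed blocked list
    fake = r.resolve("rutracker.org", "203.0.113.10")
    print(fake, client_route(r, fake), r.translate(fake))
    print(r.resolve("example.com", "198.51.100.5"), client_route(r, "198.51.100.5"))
```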