TLDR: Even though this package depends on iptables/ipset and dnsmasq support for ipset, it works just fine with the recently released OpenWrt 22.03.0. You can safely ignore the warning on the Status -> Firewall page about legacy iptables rules created by this package.
vpnbypass has been superseded by the new package called pbr, and there are now two versions of it: pbr-iptables if you want to use the iptables/ipset/dnsmasq.ipset options, and pbr-nftables, which supports nft (but because OpenWrt’s dnsmasq doesn’t support nft sets yet, you can’t use dnsmasq to resolve domain names from policies). Please note that vpnbypass will not be transitioned to nftables and will become obsolete once OpenWrt’s dnsmasq package no longer supports ipset.
A simple procd-based vpnbypass service for OpenWrt. This is useful if your router accesses the Internet through a VPN client/tunnel, but you want specific traffic (ports, IP ranges, domains or local IP ranges) to be routed outside of this tunnel.
iptables rules which are automatically updated on WAN up/down events.
luci-app-vpnbypass) is provided so all features may be configured from the Web UI.
This service requires the following packages to be installed on your router:
iptables. Additionally, if you want to use the Domain Bypass feature, you need to install
dnsmasq-full requires you uninstall
To fully satisfy the requirements for both IP/Port VPN Bypass and Domain Bypass features connect via ssh to your router and run the following commands:
opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset iptables libnettle8 libnetfilter-conntrack3; opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f /tmp/dnsmasq-full*.ipk;
To satisfy the requirements for just IP/Port VPN Bypass connect to your router via ssh and run the following commands:
opkg update; opkg install ipset iptables
If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and you get errors when you try to satisfy the requirements), please flash either the current OpenWrt release image or the current development/snapshot image.
Please ensure that the requirements are satisfied and install
luci-app-vpnbypass from the Web UI or connect to your router via ssh and run the following commands:
opkg update; opkg install vpnbypass luci-app-vpnbypass
These packages have been designed to be backwards compatible with OpenWrt 19.07, OpenWrt 18.06, OpenWrt Project 17.01 and OpenWrt 15.05. However, on systems older than OpenWrt 18.06.6 and/or a system which has deviated too far from (or hasn’t been updated to keep in sync with) the official OpenWrt release you may get a message about missing
luci-compat dependency, which (and only which) you can safely ignore and force-install the luci app using
opkg install --force-depends command instead of
The default configuration ships with the service disabled; use the Web UI to enable/start the service or run uci set vpnbypass.config.enabled=1; uci commit vpnbypass;. It routes Plex Media Server traffic (port 32400) and LogMeIn Hamachi traffic (126.96.36.199/8) outside of the VPN tunnel. Internet traffic from local IPs 192.168.1.81-192.168.1.87 is also routed outside the VPN tunnel. You can safely delete these example rules if they do not apply to you.
Please head to OpenWrt Forum for discussions of this service.
Domain lists should be in the following format/syntax: /domain1.com/domain2.com/vpnbypass. Please do not forget the leading / and trailing /vpnbypass. There is no validation if you enter something incorrectly – it simply will not work. Please see Notes/Known Issues if you wish to edit this setting manually, without using the Web UI.
wan) works with other interface names (like
/etc/config/vpnpass, but rather in
/etc/config/dhcp. To add/delete/edit domains you can use the VPN Bypass Web UI, edit /etc/config/dhcp manually, or run the following commands:
uci add_list dhcp.@dnsmasq[-1].ipset='/github.com/plex.tv/google.com/vpnbypass'
uci add_list dhcp.@dnsmasq[-1].ipset='/hulu.com/netflix.com/nhl.com/vpnbypass'
uci commit dhcp
/etc/init.d/dnsmasq restart
This feature requires dnsmasq-full to work. See the Requirements section for more details.
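Because the domain-list format described above is not validated and a malformed entry fails silently, a check before running uci add_list is useful. The following shell function is an added example, not part of the vpnbypass package; the name check_ipset_entry and its conservative hostname character rule are assumptions of this example.

```sh
#!/bin/sh
# Added example: check_ipset_entry is a hypothetical helper, not part of vpnbypass.
# Validates one dnsmasq ipset entry of the form /domain1.com/domain2.com/vpnbypass.
# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_ipset_entry() {
    entry="$1"
    case "$entry" in
        /*) ;;
        *) echo "missing leading '/'"; return 1 ;;
    esac
    case "$entry" in
        */vpnbypass) ;;
        *) echo "missing trailing '/vpnbypass'"; return 1 ;;
    esac
    case "$entry" in
        *//*) echo "empty domain between slashes"; return 1 ;;
    esac
    # Strip the fixed prefix and suffix, leaving "domain1.com/domain2.com".
    body="${entry%/vpnbypass}"
    body="${body#/}"
    [ -n "$body" ] || { echo "no domains listed"; return 1; }
    # Split on '/' with globbing off so a stray '*' is not expanded.
    old_ifs="$IFS"; IFS='/'; set -f
    bad=""
    # Conservative hostname rule (assumption): letters, digits, '.', '-' only,
    # no leading/trailing dot, no leading hyphen, no empty label.
    for d in $body; do
        case "$d" in
            *[!A-Za-z0-9.-]*|.*|*.|-*|*..*) bad="$d"; break ;;
        esac
    done
    IFS="$old_ifs"; set +f
    [ -z "$bad" ] || { echo "invalid domain: $bad"; return 1; }
    echo "ok"
}

# Constructed sample entries; the first is taken from the commands above.
for e in '/github.com/plex.tv/google.com/vpnbypass' \
         'github.com/plex.tv/vpnbypass' \
         '/hulu.com/netflix.com' \
         '/hulu.com netflix.com/vpnbypass' \
         '/vpnbypass'; do
    printf '%s -> %s\n' "$e" "$(check_ipset_entry "$e")"
done
```

On the router, run the check on each entry and only call uci add_list for entries that return 0.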
I’d like to thank everyone who helped create, test and troubleshoot this package. I would also like to specifically thank: T81 for thorough testing and assistance with bugfixing and vsviridov and jow for their invaluable contributions in migrating the WebUI for this package to client-side rendering.