Statement about OpenWrt 22.03 and this package
The OpenWrt 22.03 release brought the use of
nft instead of
iptables and this package heavily depends on
iptables. Due to this, I have created the new package:
pbr and in the OpenWrt 22.03 (and newer) the
pbr has replaced both
vpnbypass packages in OpenWrt repositories.
vpnbypass package is now obsolete in the current OpenWrt development and latest release branches, no further updates nor development will happen.
If you need a policy-based routing on an OpenWrt older than 22.03, I would recommend you install the
pbr-iptables package from my personal repo.
A simple procd-based
vpnbypass service for OpenWrt. This is useful if your router accesses Internet through a VPN client/tunnel, but you want specific traffic (ports, IP ranges, domains or local IP ranges) to be routed outside of this tunnel.
- Define local ports so traffic to them is routed outside of the VPN tunnel (by default it routes Plex Media Server traffic (port 32400) outside of the VPN tunnel).
- Define IPs/subnets in local networks so their traffic is routed outside the VPN tunnel (by default it routes traffic from 192.168.1.81-192.168.1.87 outside the VPN tunnel).
- Define remote IP ranges that are accessed outside the VPN tunnel (by default, LogmeIn Hamachi traffic (22.214.171.124/8) is routed outside the VPN tunnel).
- Creates list of domain names which should be accessed outside the VPN tunnel (useful for Netflix, Hulu, etc).
- Does not reside in RAM – creates
iptablesrules which are automatically updated on WAN up/down events.
- A companion package (
luci-app-vpnbypass) is provided so all features may be configured from the Web UI.
- Proudly made in Canada, using locally-sourced electrons.
This service requires the following packages to be installed on your router:
iptables. Additionally, if you want to use the Domain Bypass feature, you need to install
dnsmasq-full requires you uninstall
To fully satisfy the requirements for both IP/Port VPN Bypass and Domain Bypass features connect via ssh to your router and run the following commands:
opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset iptables libnettle8 libnetfilter-conntrack3; opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f /tmp/dnsmasq-full*.ipk;
To satisfy the requirements for just IP/Port VPN Bypass connect to your router via ssh and run the following commands:
opkg update; opkg install ipset iptables
If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the requirements you get errors), please flash either current OpenWrt release image or current development/snapshot image.
How to install
Please ensure that the requirements are satisfied and install
luci-app-vpnbypass from the Web UI or connect to your router via ssh and run the following commands:
opkg update opkg install vpnbypass luci-app-vpnbypass
These packages have been designed to be backwards compatible with OpenWrt 19.07, OpenWrt 18.06, OpenWrt Project 17.01 and OpenWrt 15.05. However, on systems older than OpenWrt 18.06.6 and/or a system which has deviated too far (or haven’t been updated to keep in-sync) with official OpenWrt release you may get a message about missing
luci-compat dependency, which (and only which) you can safely ignore and force-install the luci app using
opkg install --force-depends command instead of
The default configuration ships with the service disabled, use the Web UI to enable/start the service or run
uci set vpnbypass.config.enabled=1; uci commit vpnbypass;. It routes Plex Media Server traffic (port 32400) and LogmeIn Hamachi traffic (126.96.36.199/8) outside of the VPN tunnel. Internet traffic from local IPs
192.168.1.81-192.168.1.87 is also routed outside the VPN tunnel. You can safely delete these example rules if they do not apply to you.
Documentation / Discussion
Please head to OpenWrt Forum for discussions of this service.
Bypass Domains Format/Syntax
Domain lists should be in the following format/syntax:
/domain1.com/domain2.com/vpnbypass. Please do not forget the leading
/ and trailing
/vpnbypass. There is no validation if you enter something incorrectly – it simply will not work. Please see Notes/Known Issues if you wish to edit this setting manually, without using the Web UI.
- No longer depends on hardcoded WAN interface name (
wan) works with other interface names (like
- Table ID, IPSET name and FW_MARK as well as FW_MASK can be defined in config file.
- Uses iptables, not ip rules for handling local IPs/ranges.
- More reliable creation/destruction of VPNBYPASS iptables chain.
- Updated Web UI enables, starts and stops the service.
- Domains to be accessed outside of VPN tunnel are handled by dnsmasq and thus are not defined in
/etc/config/vpnpass, but rather in
/etc/config/dhcp. To add/delete/edit domains you can use VPN Bypass Web UI or you can edit
/etc/config/dhcpmanually or run the following commands:
uci add_list dhcp.@dnsmasq[-1].ipset='/github.com/plex.tv/google.com/vpnbypass' uci add_list dhcp.@dnsmasq[-1].ipset='/hulu.com/netflix.com/nhl.com/vpnbypass' uci commit dhcp /etc/init.d/dnsmasq restart
This feature requires
dnsmasq-full to work. See the Requirements section for more details.
I’d like to thank everyone who helped create, test and troubleshoot this package. I would also like to specifically thank: T81 for thorough testing and assistance with bugfixing and vsviridov and jow for their invaluable contributions in migrating the WebUI for this package to client-side rendering.