Welcome to docs.openwrt.melmac.net!

VPN Bypass

Statement about OpenWrt 22.03.0 release and this package

TLDR: Even though this package depends on iptables/ipset and on dnsmasq support for ipset, it works just fine with the recently released OpenWrt 22.03.0. You can safely ignore the warning on the Status -> Firewall page about legacy iptables rules created by this package.

vpnbypass has been superseded by a new package called pbr, which is now available in two versions: pbr-iptables, if you want to use the iptables/ipset/dnsmasq.ipset options, and pbr-nftables, which supports nft (but because OpenWrt’s dnsmasq doesn’t support nft sets yet, you can’t use dnsmasq to resolve domain names from policies). Please note that vpnbypass will not be transitioned to nftables and will become obsolete once OpenWrt’s dnsmasq package no longer supports ipset.

Description

A simple procd-based vpnbypass service for OpenWrt. This is useful if your router accesses the Internet through a VPN client/tunnel, but you want specific traffic (ports, IP ranges, domains or local IP ranges) to be routed outside of this tunnel.

Features

Requirements

This service requires the following packages to be installed on your router: ipset and iptables. Additionally, if you want to use the Domain Bypass feature, you need to install dnsmasq-full (dnsmasq-full requires that you uninstall dnsmasq first).

To fully satisfy the requirements for both the IP/Port VPN Bypass and Domain Bypass features, connect to your router via ssh and run the following commands:

opkg update; cd /tmp/ && opkg download dnsmasq-full; opkg install ipset iptables libnettle8 libnetfilter-conntrack3;
opkg remove dnsmasq; opkg install dnsmasq-full --cache /tmp/; rm -f /tmp/dnsmasq-full*.ipk;

To satisfy the requirements for just IP/Port VPN Bypass, connect to your router via ssh and run the following commands:

opkg update; opkg install ipset iptables

Unmet dependencies

If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available, so you get errors when you try to satisfy the requirements), please flash either the current OpenWrt release image or the current development/snapshot image.

How to install

Please ensure that the requirements are satisfied, then install vpnbypass and luci-app-vpnbypass from the Web UI, or connect to your router via ssh and run the following commands:

opkg update
opkg install vpnbypass luci-app-vpnbypass

If these packages are not found in the official feed/repo for your version of OpenWrt, you will need to add a custom repo to your router following instructions on GitHub/jsDelivr first.

These packages have been designed to be backwards compatible with OpenWrt 19.07, OpenWrt 18.06, OpenWrt Project 17.01 and OpenWrt 15.05. However, on systems older than OpenWrt 18.06.6 and/or on a system which has deviated too far from (or hasn’t been updated to keep in sync with) the official OpenWrt release, you may get a message about a missing luci-compat dependency. You can safely ignore that message (and only that message) and force-install the luci app using the opkg install --force-depends command instead of opkg install.

Default Settings

The default configuration ships with the service disabled. Use the Web UI to enable/start the service or run uci set vpnbypass.config.enabled=1; uci commit vpnbypass;. By default, it routes Plex Media Server traffic (port 32400) and LogmeIn Hamachi traffic (25.0.0.0/8) outside of the VPN tunnel. Internet traffic from local IPs 192.168.1.81-192.168.1.87 is also routed outside the VPN tunnel. You can safely delete these example rules if they do not apply to you.

Documentation / Discussion

Please head to the OpenWrt Forum for discussions of this service.

Bypass Domains Format/Syntax

Domain lists should be in the following format/syntax: /domain1.com/domain2.com/vpnbypass. Please do not forget the leading / and trailing /vpnbypass. There is no validation if you enter something incorrectly – it simply will not work. Please see Notes/Known Issues if you wish to edit this setting manually, without using the Web UI.

What’s New

1.3.0:

Notes/Known Issues

  1. Domains to be accessed outside of the VPN tunnel are handled by dnsmasq and thus are not defined in /etc/config/vpnbypass, but rather in /etc/config/dhcp. To add/delete/edit domains, you can use the VPN Bypass Web UI, edit /etc/config/dhcp manually, or run the following commands:
uci add_list dhcp.@dnsmasq[-1].ipset='/github.com/plex.tv/google.com/vpnbypass'
uci add_list dhcp.@dnsmasq[-1].ipset='/hulu.com/netflix.com/nhl.com/vpnbypass'
uci commit dhcp
/etc/init.d/dnsmasq restart

This feature requires dnsmasq-full to work. See the Requirements section for more details.
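
As an added example (not part of the vpnbypass package or its documentation), the following shell function checks an entry against the format described under Bypass Domains Format/Syntax before it is passed to uci add_list as in the commands above. The function name check_bypass_entry and the sample entries are constructed for illustration; the per-domain rules are a conservative hostname check, not dnsmasq's own parser.

```shell
#!/bin/sh
# Added example: validate an entry of the form /domain1.com/domain2.com/vpnbypass
LC_ALL=C   # keep the [A-Za-z0-9] ranges below ASCII-only

# check_bypass_entry ENTRY -> status 0 if well-formed, 1 otherwise (reason on stderr)
check_bypass_entry() {
    entry=$1
    # Must start with "/" and end with "/vpnbypass".
    case $entry in
        /*/vpnbypass) ;;
        *) echo "rejected (need leading / and trailing /vpnbypass): $entry" >&2
           return 1 ;;
    esac
    domains=${entry#/}
    domains=${domains%/vpnbypass}
    # Only hostname characters and "/" separators; no empty list elements.
    case $domains in
        ''|*[!A-Za-z0-9./-]*|/*|*/|*//*)
            echo "rejected (bad character or empty domain): $entry" >&2
            return 1 ;;
    esac
    # Split on "/" and check each domain on its own.
    old_ifs=$IFS; IFS=/
    for d in $domains; do
        case $d in
            .*|*.|-*|*-|*..*)
                IFS=$old_ifs
                echo "rejected (malformed domain '$d'): $entry" >&2
                return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Constructed sample entries: the first is valid, the rest are common slips.
for e in '/github.com/plex.tv/vpnbypass' \
         'github.com/plex.tv/vpnbypass' \
         '/github.com/plex.tv' \
         '/https://github.com/vpnbypass' \
         '/github.com//plex.tv/vpnbypass' \
         '/github.com/plex.tv /vpnbypass'; do
    if check_bypass_entry "$e" 2>/dev/null; then
        echo "ok      $e"
    else
        echo "reject  $e"
    fi
done
```

On the router, chain it in front of the write, for example check_bypass_entry "$entry" && uci add_list dhcp.@dnsmasq[-1].ipset="$entry", so a malformed entry never reaches /etc/config/dhcp.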

Thanks

I’d like to thank everyone who helped create, test and troubleshoot this package. I would also like to specifically thank: T81 for thorough testing and assistance with bugfixing and vsviridov and jow for their invaluable contributions in migrating the WebUI for this package to client-side rendering.