Welcome to docs.openwrt.melmac.net!

VPN Bypass

Description

A simple procd-based vpnbypass service for OpenWrt. This is useful if your router accesses Internet through a VPN client/tunnel, but you want specific traffic (ports, IP ranges, domains or local IP ranges) to be routed outside of this tunnel.

Features

Requirements

This service requires the following packages to be installed on your router: ipset and iptables. Additionally, if you want to use the Domain Bypass feature, you need to install dnsmasq-full (dnsmasq-full requires that you uninstall dnsmasq first).

To fully satisfy the requirements for both the IP/Port VPN Bypass and Domain Bypass features, connect to your router via ssh and run the following commands:

opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full

To satisfy the requirements for just IP/Port VPN Bypass, connect to your router via ssh and run the following commands:

opkg update; opkg install ipset iptables

Unmet dependencies

If you are running a development (trunk/snapshot) build of OpenWrt on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available, so you get errors when you try to satisfy the requirements), please flash either the current OpenWrt release image or the current development/snapshot image.

How to install

Please ensure that the requirements are satisfied, then install vpnbypass and luci-app-vpnbypass from the Web UI, or connect to your router via ssh and run the following commands:

opkg update
opkg install vpnbypass luci-app-vpnbypass

If these packages are not found in the official feed/repo for your version of OpenWrt, you will first need to add a custom repo to your router, following the instructions on GitHub/jsDelivr.

These packages have been designed to be backwards compatible with OpenWrt 19.07, OpenWrt 18.06, OpenWrt Project 17.01 and OpenWrt 15.05. However, on systems older than OpenWrt 18.06.6 and/or a system which has deviated too far from (or hasn’t been updated to stay in sync with) the official OpenWrt release, you may get a message about a missing luci-compat dependency. You can safely ignore that message (and only that message) and force-install the luci app using the opkg install --force-depends command instead of opkg install.

Default Settings

The default configuration ships with the service disabled. Use the Web UI to enable/start the service, or run uci set vpnbypass.config.enabled=1; uci commit vpnbypass;. By default, it routes Plex Media Server traffic (port 32400) and LogMeIn Hamachi traffic (25.0.0.0/8) outside of the VPN tunnel. Internet traffic from local IPs 192.168.1.81-192.168.1.87 is also routed outside the VPN tunnel. You can safely delete these example rules if they do not apply to you.

Documentation / Discussion

Please head to OpenWrt Forum for discussions of this service.

Bypass Domains Format/Syntax

Domain lists should be in the following format/syntax: /domain1.com/domain2.com/vpnbypass. Please do not forget the leading / and trailing /vpnbypass. There is no validation if you enter something incorrectly – it simply will not work. Please see Notes/Known Issues if you wish to edit this setting manually, without using the Web UI.

What’s New

1.3.0:

Notes/Known Issues

  1. Domains to be accessed outside of the VPN tunnel are handled by dnsmasq and thus are not defined in /etc/config/vpnbypass, but rather in /etc/config/dhcp. To add/delete/edit domains, you can use the VPN Bypass Web UI, edit /etc/config/dhcp manually, or run the following commands:
uci add_list dhcp.@dnsmasq[-1].ipset='/github.com/plex.tv/google.com/vpnbypass'
uci add_list dhcp.@dnsmasq[-1].ipset='/hulu.com/netflix.com/nhl.com/vpnbypass'
uci commit dhcp
/etc/init.d/dnsmasq restart

This feature requires dnsmasq-full to work. See the Requirements section for more details.
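
Because a malformed Domain Bypass entry is stored without any validation and then simply does not work, the intended domains keep going through (or around) the tunnel contrary to what the configuration appears to say. The following is an added example, not part of the vpnbypass package: a POSIX sh check for the /domain1.com/domain2.com/vpnbypass syntax that can be run before the uci add_list commands above. The function name check_bypass_entry and the conservative hostname character set are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the vpnbypass package): check a Domain Bypass
# entry before it is stored, since nothing validates it on input.
# check_bypass_entry is a hypothetical helper; the allowed character set
# (letters, digits, "-", ".") is a conservative assumption for hostnames.

check_bypass_entry() {
    entry=$1
    case $entry in
        *//*) echo "reject (empty domain or URL pasted): $entry" >&2; return 1 ;;
        /*/vpnbypass) ;;
        *) echo "reject (need leading / and trailing /vpnbypass): $entry" >&2; return 1 ;;
    esac
    # Keep only the domain list between the leading "/" and "/vpnbypass".
    domains=${entry#/}
    domains=${domains%/vpnbypass}
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while the list is split
    rc=0
    for d in $domains; do
        case $d in
            *[!A-Za-z0-9.-]*|.*|*.|*..*|-*)
                echo "reject (bad domain '$d'): $entry" >&2; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed sample entries: the first is well-formed, the rest show
# typical slips that would otherwise be saved and silently not match.
for e in '/github.com/plex.tv/vpnbypass' 'github.com/vpnbypass' \
         '/github.com/plex.tv' '/https://github.com/vpnbypass' \
         '/github.com, plex.tv/vpnbypass'; do
    if check_bypass_entry "$e" 2>/dev/null; then
        echo "ok      $e"
    else
        echo "invalid $e"
    fi
done
```

Only an entry that passes the check should be handed to uci add_list dhcp.@dnsmasq[-1].ipset=..., followed by uci commit dhcp and a dnsmasq restart as shown in the note above.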

Thanks

I’d like to thank everyone who helped create, test and troubleshoot this package. I would also like to specifically thank: T81 for thorough testing and assistance with bugfixing and vsviridov and jow for their invaluable contributions in migrating the WebUI for this package to client-side rendering.