Bypass Wireguard VPN on access point without policy routing app

Is there a way to have a Wireguard VPN only work on a specific access point and then have another access point bypassing the VPN? I'm aware of the vpn policy routing app but using it will force me to disable my killswitch which doesn't work for me.

I did see one tutorial where someone did make an access point bypassing the Wireguard VPN, by isolating it into its own interface, but the author noted that you would need more than 1 ethernet ports to achieve this.

For reference I'm running openwrt on a Raspberry Pi 4.

tis working on rpi4 comfirmed :slight_smile:

u dont need kiilswitch its a gadget , configure a good rule and remove this app :wink: firewall lan2 ===> vpn only ( no wan ) good!
drop the packet dont use reject is better ( reject need response from you rpi4 a ddoser can shoot u rpi4, drop dont need reponse from you rpi4 have more co2 :slight_smile:

Thank you for the guide, I'm following it now. But I can't seem to get a second wifi access point up and running. I press apply configuration and it hangs and reverts back.

Is this a known issue? Should I try manually adding it?

on rpi4 seconde wifi dont work the wifi on rpi4 is on beta for two years :slight_smile:

remove kill switch , install dnmasq-full reboot install pbr and set u policy by ip to vpn or wan what u want

Oh that's unfortunate, I didn't know that!

So instead of the killswitch you're recommending that I enforce my devices to go through VPN instead of getting a device to bypass the VPN?

what u want u make bypass vpn or vpn through me i making a through

So I have 4 devices on my network: phone, ipad, main laptop, and gaming laptop.

I want my gaming laptop to bypass the VPN, due to latency issues. All the other devices should go through VPN at all times and internet access should be denied if the VPN connection is lost.

So I'm guessing how this works is I assign a static IP address for all my devices and use that in the pbr to enforce traffic through VPN? If so is there a way to enforce a static IP for a specific mac address on the router itself?

For example my phone will always be assigned the static ip address

So I got the pbr bypass VPN, but now I can't route traffic through the VPN.

This is my config

Device razer can connect to the internet, bypassing the VPN.
Device phone and ipad cannot access the internet through the VPN.

the web us port 80 , u dont specify any port specify 0-65535 , 0-65535 for all trafic pass through

install dnmasq-full

I specified the ports and install dnsmaq-full but still no internet on my phone. I also put my firewall setting below, which I believe are correct.

good job , but i think u dont have installed dnsmasq-full and no reboot

Just rebooted and I can confirm dnsmasq-full is installed, I see it in the software installed list.

Could the issue be that I disabled pbr earlier and manually deleted the rules? Could that be causing this issue?

Make screen of front of pbr .
Who is u défaut gateway ?
No when u you have problème u need look u logs . And when u dont have problème u need to see u logs logs logs logs logs logs is not beacuse its marked 'good ' its good , now see u logs :wink: a recomand to use openvpn instead of wireguard

I got it working! There was something weird going on with my phone and assigning static ip addresses. So I just made a policy to direct all traffic to the VPN and created an exception on top of it.

Again thank you so much for your help!

for what u have to set a static ip on iphone ? lol stop with this . but now see u logs its a good source for problem or solution

I didn't think I could create a catch all rule in pbr! So I thought the only solution would be to assign static ip addresses to all my devices and then create separate rules.

This way is mcuh better though haha

use dhcp with time of 600d and lets go turn off static my advise . or add hostname with specified ip and you with this a lan dns like iphone.lan openwrt.lan pc.lan

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.