Bypass Wireguard VPN on tp link router without pbr

I tried to follow this video that uses pbr ---

Somehow I cannot figure it out. Is there any other option to bypass without using this pbr method?
I have OpenWrt version 22.03.5 on a TP-Link Archer A7 v5 and I am not comfortable using SSH, so if you can suggest a LuCI-based guide, that will be helpful.


IP Routes and IP Rules can be added in LuCI.

The OP wants to bypass a domain hosted by Cloudflare, so PBR app is the easiest way, otherwise it generally requires a lot more work:

  • Periodically re-resolve the domain.
  • Create and populate IP sets.
  • Mark traffic matching the IP sets.
  • Set up a custom routing table.
  • Add routing rules for the marked traffic.

I could successfully use pbr to bypass. Not sure what I was doing wrong before, but now it works. But I tried the same thing for Amazon Prime Video, put it under a policy and allowed all protocols, and it still does not work, so with Amazon Video do I have to do something different?

Also, maybe an off-topic question: for the WAN and WireGuard interfaces I have used the custom DNS server given by Proton VPN with their WireGuard file. So instead of that, if I put Google DNS, what will happen?
Or must I use the DNS server given by Proton VPN? If I change that, will it not work and will DNS leak?

It should be fine since Google applies geo-balancing by the endpoint.

Not really, but some VPN providers perform DNS hijacking.

It is best to take a DNS leak test to clear your doubts.

Do you think the Proton VPN-provided DNS address I am using under the WAN and WireGuard interfaces is the problem why I cannot access Amazon Prime Video? I can obviously use it, I just cannot use their Prime Video, i.e. the streaming section.
If I use Google or Cloudflare DNS addresses, will that fix the issue?

The documentation linked above states that you must not route DNS to the VPN tunnel in order to use those streaming services, which means you cannot avoid DNS leaks and use streaming services at the same time on the same host, so the best option is using a separate host, such as a smart-TV, for streaming and routing all of its traffic including DNS to WAN.


This is still complicated for me, so please bear with me.
Under policy routing I see the wg0 IP shown as the default gateway, so please confirm that I am using WireGuard wg0 (the VPN tunnel) as the default gateway, correct?
I guess so. So how do I change it to WAN, and if I do that, will it leak DNS?

Also, the above link you sent mentions that if you are using the VPN tunnel as the default gateway then there are 2 options:

  • Send ALL traffic from your multimedia devices (by using their IP addresses or device names in the src_addr option in the config file or the Local addresses / devices field in the WebUI) accessing Netflix/Amazon Prime/Hulu to WAN; this is the more reliable and recommended method.
    (I think this first option is what you are suggesting. Can you please explain a little more how I can do that via the LuCI web interface?)
  • Use the Netflix/AWS custom user files in combination with the Netflix/Amazon Prime/Hulu domains and the dnsmasq.ipset option to route traffic to Netflix/Amazon via WAN; this is definitely a less reliable method and may not work in all regions.
    (Please explain like I am 5 how I do this?)
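As an added illustration (not from this thread, the pbr project or the video), here is the first option written as the UCI equivalents of the LuCI fields: every packet from one streaming device goes to WAN while wg0 stays the default gateway, and that device is handed a public resolver so its DNS lookups leave via WAN as well instead of going through the router's tunnel-bound dnsmasq. The address 192.168.1.50, the MAC, the tag name `streaming` and the resolver 1.1.1.1 are made-up placeholders; the `config policy` section corresponds to the Policies tab of the pbr LuCI app and the `config host` / `config tag` sections to Network -> DHCP and DNS in LuCI.

```uci
# /etc/config/pbr  (pbr package; LuCI: Services -> Policy Based Routing -> Policies)
# Assumed: wg0 is the default gateway, as in the thread. One policy sends all
# traffic from the streaming box (placeholder address 192.168.1.50) to WAN.
config policy
	option name 'Streaming box via WAN'     # shown in the Policies list
	option src_addr '192.168.1.50'          # LuCI field: Local addresses / devices
	option interface 'wan'                  # LuCI field: Interface
	option enabled '1'

# /etc/config/dhcp  (LuCI: Network -> DHCP and DNS -> Static Leases)
# Pin the address so the policy keeps matching after a lease renewal, and
# hand this one host a resolver of its own (DHCP option 6) so its lookups
# are also routed by the policy above rather than forwarded by the router
# over the tunnel. Placeholder MAC; 1.1.1.1 is only an example resolver.
config host
	option name 'streaming-box'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'
	option tag 'streaming'

config tag 'streaming'
	list dhcp_option '6,1.1.1.1'
```

Only this one host bypasses the tunnel; its DNS queries are deliberately sent in the clear over WAN, which is the trade-off described earlier in the thread, while every other LAN client keeps using wg0.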