Configuration Wireguard

Hello!

I have just installed OpenWrt and LuCI on my router to run WireGuard and it works perfectly. Now I want my TV to not go through the tunnel. How do I fix that in a good way?

Thanks in advance!

Best Regards,

Hi
I think what you're looking for is split tunneling. Try this Readme link first.

https://github.com/stangri/openwrt_packages/blob/master/vpnbypass/files/README.md

You can just create a rule in /etc/config/network and a static route for 0.0.0.0/0 to be forwarded to the ISP.

config rule
        option in 'lan'
        option src '192.168.1.XXX/32' <- IP of the TV
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'
        option gateway 'X.X.X.X' <- use if wan is ethernet

Hi!

Thank you! So I just need to fill in the IP of my TV in the config you sent me, and then the TV will go out via the wan that is connected to my ISP?

What do you mean with "option gateway"? My TV is connected through wifi to my router.

Thank you for helping a newbie :)

That is the first step: to classify the traffic from the TV so that it is routed out via the ISP only.

The route is not for the tv, so it is irrelevant how it connects. You can try to add the route without the gateway. If it doesn't work, then you'll try with the gateway. The gateway is the same that you have on the wan interface.

Sorry for all noobie questions.

But where do I put in the details? Can I do it through the OpenWrt GUI?

When I run VPN Policy Routing and forward the TV's IP address to WAN I get no internet connection.

This is how my router is configured to my VPN provider.

In /etc/config/network. It cannot be done from LuCI; there is no page for rules.
Edit the file and add the settings at the bottom. Install nano if you are not familiar with the default editor vi.

I have now edited the /etc/config/network file and added the rule you gave me. When I don't have the 'option gateway' line I get no internet on any device in my home. If I add the wan IP on 'option gateway' I am on step 1 again with my VPN IP address.

Sounds like you are removing the gateway from the wan interface.
I told you to add this set of rule/route and adjust the gateway on the route accordingly.


Sorry, I don't get it. I have set everything up by this guide on my VPN provider's website.
https://mullvad.net/en/help/running-wireguard-router/

I just want this to work sometime...

This guide disables the masquerade and mss clamping on the wan firewall zone. You need to switch them back on to be able to use your ISP again. Also post here the uci export network; uci export firewall to make sure everything is right.


Oh okay. Do you have a little guide on how I switch it on? I'll post what I've got now, and post a new one when I've found out how to switch the thing on.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fc00:bbbb:bbbb:bb01::1:e034/128'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        option private_key '-'
        option listen_port '51820'
        list addresses '10.64.224.53/32'

config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key '-'
        option endpoint_host '185.65.135.71'
        option endpoint_port '51820'

config rule
        option in 'lan'
        option src '192.168.99.159'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'
        option gateway '81.224.....'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'WGZONE'
        option masq '1'
        option mtu_fix '1'
        option network 'WGINTERFACE'
        option input 'REJECT'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

Edit the previous post and use preformatted text for the console output (the </> button), not blockquote.

Go to the firewall page and click the tickboxes, save, apply.


Okay. I have now clicked the tickboxes, saved, applied and restarted my router, but I don't get my ISP on my TV. And if I remove "option gateway '81.224.36.163/24'" I get no internet connection.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fc00:bbbb:bbbb:bb01::1:e034/128'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.99.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option force_link '1'
        option private_key '70RkyC6CU5wp54oxuZ+BHhasUrHO29lPxoAD1jIU+04='
        option listen_port '51820'
        list addresses '10.64.224.53/32'

config wireguard_WGINTERFACE
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'v02a3f1hdtTFD+bzStbGN6FxwOMAA/4d/yjNKoLTXFI='
        option endpoint_host '185.65.135.71'
        option endpoint_port '51820'

config rule
        option in 'lan'
        option src '192.168.99.159'
        option lookup '100'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'
        option gateway '81.224.36.163/24'

package firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option network 'wan wan6'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'WGZONE'
        option masq '1'
        option mtu_fix '1'
        option network 'WGINTERFACE'
        option input 'REJECT'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

The gateway option doesn't take mask, it's just an IP.


You mean option gateway '81.224.36.163/24'?

I have removed /24 but then I don't get any internet on any device in the house.

And the src option in the rule needs a mask.
option src '192.168.99.159/32'

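A small checker for the pitfalls this thread works through, added here as an example (not code from the thread, OpenWrt or any package it mentions): it parses UCI-style network and firewall text and reports a rule src without a mask, a route gateway carrying a mask, a lookup table with no matching route, and a wan zone left without masq/mtu_fix. The sample config text is constructed, and 192.0.2.1 is a documentation address standing in for the real ISP gateway.

```python
import re
SECTION_RE = re.compile(r"^config\s+(\S+)")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Minimal UCI parser: one {'type', 'opt'} dict per section; 'list' values become lists."""
    sections = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            sections.append({"type": m.group(1), "opt": {}})
        elif (m := OPTION_RE.match(line)) and sections:
            kind, key, val = m.groups()
            opt = sections[-1]["opt"]
            opt[key] = val if kind == "option" else opt.get(key, []) + [val]
    return sections

def check_bypass(network_text, firewall_text, host_ip):
    """List what stops host_ip from being routed out via the ISP instead of the tunnel."""
    net, fw, found = parse_uci(network_text), parse_uci(firewall_text), []
    rules = [s["opt"] for s in net if s["type"] == "rule" and s["opt"].get("src", "").split("/")[0] == host_ip]
    if not rules:
        return [f"no 'config rule' with src {host_ip}"]
    rule, table = rules[0], rules[0].get("lookup")
    if "/" not in rule.get("src", ""):  # the thread's fix: option src '<ip>/32'
        found.append(f"rule src needs a mask: option src '{host_ip}/32'")
    routes = [s["opt"] for s in net if s["type"] == "route" and s["opt"].get("table") == table]
    if not table or not routes:
        found.append(f"rule lookup table {table!r} has no matching 'config route'")
    for r in routes:
        if "/" in r.get("gateway", ""):  # gateway is a plain IP, never IP/mask
            found.append(f"route gateway takes a plain IP, not {r['gateway']}")
    for z in (s["opt"] for s in fw if s["type"] == "zone" and s["opt"].get("name") == "wan"):
        found += [f"wan zone needs option {k} '1'" for k in ("masq", "mtu_fix") if z.get(k) != "1"]
    return found

# Constructed sample with the thread's three mistakes: rule src without a mask, route gateway
# with a /24 suffix (192.0.2.1 is a documentation address), wan zone left without masq/mtu_fix.
BROKEN_NET = """config rule
    option src '192.168.99.159'
    option lookup '100'
config route
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table '100'
    option gateway '192.0.2.1/24'
"""
BROKEN_FW = "config zone\n    option name 'wan'\n    option network 'wan wan6'\n"
FIXED_NET = BROKEN_NET.replace("'192.168.99.159'", "'192.168.99.159/32'").replace("/24'", "'")
FIXED_FW = BROKEN_FW + "    option masq '1'\n    option mtu_fix '1'\n"
```

Run it against the output of uci export network and uci export firewall on the router; an empty list means the rule, route and wan zone agree with what the thread arrives at.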

Okay, now I've got internet on everything in the house but no internet on my TV. What do you think?