Easiest way to temporarily disable Wireguard VPN

Hi gang, first thanks for polite and helpful forums, I've enjoyed reading through as I've worked through setting up my Linksys WRT3200ACM with OpenWrt 18.06.4, and getting it connected to Mullvad VPN using Wireguard. Finally everything works great!

Sometimes I would like the router NOT to go through the Mullvad Wireguard VPN. For example, when connected to the VPN, my up and down speeds tend to be about 70 Mbps / 10 Mbps, respectively, and so if I have a huge file to download, it would be nice to have an easy way to have the router pass my network traffic directly through my ISP without VPN overhead. That allows me much greater speeds, of course it also allows my ISP to peek through my packets, but that's life sometimes.

What might be the easiest / fastest way to reconfigure things temporarily so my network traffic goes directly through my ISP without VPN overhead, which I can subsequently revert back to a normal state where all traffic goes through the VPN?

In my scenario, I use Mullvad VPN with the Wireguard protocol. Mullvad's OpenWrt configuration instructions are here. Given my very limited network knowledge, I think the crux of things is the firewall setup as follows:

Here, I've modified things so that the lan traffic no longer forwards to a WAN destination, but instead to a new 'WGZONE' destination. WGZONE subsequently utilizes a new WGINTERFACE, wherein the WireGuard VPN protocol utilizes the Mullvad VPN servers.

So it seems like I could simply pop into here and temporarily revert lan to forward to its original WAN destination, to go around the VPN? Probably obviously, I'm in over my head here. In my ideal world, I'd have a shiny button I could click in the OpenWrt UI to disable VPN for 10 minutes (for example). A ssh script would be next best I believe.

One concern is whether I would need to restart any/all of the interfaces, which could be time consuming and perhaps require a router reboot, all of which are undesirable unless required.

Any suggestions are appreciated! Thank you for your help.

Edit: A complication is use of a VPN watchdog cronjob shell script that pings the VPN every 10 minutes and if failure, reboots the router... so this would need to be temporarily disabled as well, either by modifying its cron entry, or by having the script be aware of when "VPN bypass mode" is on.

Create a service that will enable/disable the WireGuard interface, LAN to WAN forwarding, cron job, etc.
https://openwrt.org/docs/techref/initscripts

1 Like
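Spelling that suggestion out as a plain shell script, so there is one command for "bypass on", "bypass off" and the watchdog check (this is an added example written for this thread; it is not code from the forum posts, from OpenWrt or from Mullvad). It reuses the names the original poster mentioned (WGINTERFACE, WGZONE) and otherwise assumes: the lan-to-WGZONE forwarding is firewall.@forwarding[0], the state file lives at /var/run/vpn-bypass, the watchdog pings 1.1.1.1 through the tunnel, and the script is installed as /usr/sbin/vpnbypass. Rather than editing the cron entry, the watchdog reads the state file: while a bypass is active it skips the ping and never reboots, and when a timed bypass has expired it switches the tunnel back on itself, so "vpnbypass on 10" behaves like the 10-minute button the original poster asked for (the revert happens on the next cron run after the deadline). Bringing the WireGuard interface down and back up with ifdown/ifup plus a firewall reload takes seconds and does not disturb other LAN clients or require a reboot.

```shell
#!/bin/sh
# vpnbypass: switch LAN traffic between the Mullvad WireGuard tunnel and the plain WAN
# uplink, with a watchdog mode that knows about the bypass. Added example for this
# thread; not code from the forum posts, from OpenWrt or from Mullvad.
#
# Assumed names (adjust to your config): the OP's interface WGINTERFACE and zone WGZONE,
# the lan->WGZONE forwarding being firewall.@forwarding[0], the state file path, and the
# address the watchdog pings. Install as /usr/sbin/vpnbypass (chmod +x) and change the
# existing 10-minute cron line to run "/usr/sbin/vpnbypass watchdog".
WG_IFACE=${WG_IFACE:-WGINTERFACE}
WG_ZONE=${WG_ZONE:-WGZONE}
FWD=${FWD:-firewall.@forwarding[0]}
FLAG=${FLAG:-/var/run/vpn-bypass}       # exists while bypass is on; holds the expiry time (0 = none)
PING_TARGET=${PING_TARGET:-1.1.1.1}     # assumption: use whatever your watchdog pings today
DRY_RUN=${DRY_RUN:-}                    # set to 1 to print system commands instead of running them

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
now() { echo "${NOW:-$(date +%s)}"; }   # NOW can be overridden when testing

bypass_active()   { [ -f "$FLAG" ]; }
bypass_deadline() { cat "$FLAG" 2>/dev/null || echo 0; }
bypass_expired() {
    bypass_active || return 1
    d=$(bypass_deadline)
    [ "$d" -gt 0 ] && [ "$(now)" -ge "$d" ]
}

# on [minutes]: the flag is written first so a watchdog run that lands in the middle of
# the reconfiguration does not mistake the deliberately downed tunnel for a failure.
bypass_on() {
    case "${1:-0}" in *[!0-9]*) echo "usage: vpnbypass on [minutes]" >&2; return 1 ;; esac
    minutes=${1:-0}
    if [ "$minutes" -gt 0 ]; then echo $(( $(now) + minutes * 60 )) > "$FLAG"; else echo 0 > "$FLAG"; fi
    run uci set "$FWD.dest=wan"
    run uci commit firewall
    run /etc/init.d/firewall reload
    run ifdown "$WG_IFACE"          # removes the tunnel and its routes; LAN now exits via WAN
}

bypass_off() {
    run ifup "$WG_IFACE"
    run uci set "$FWD.dest=$WG_ZONE"
    run uci commit firewall
    run /etc/init.d/firewall reload
    rm -f "$FLAG"
}

# watchdog: body for the cron job. Skips the check while a bypass is on, ends a timed
# bypass once its deadline has passed, otherwise pings through the tunnel and reboots on failure.
watchdog() {
    if bypass_expired; then
        bypass_off
    elif bypass_active; then
        return 0
    fi
    run ping -c 3 -W 5 -I "$WG_IFACE" "$PING_TARGET" >/dev/null 2>&1 && return 0
    run logger -t vpnbypass "tunnel check failed, rebooting"
    run reboot
}

case "$1" in
    on)       bypass_on "$2" ;;
    off)      bypass_off ;;
    watchdog) watchdog ;;
    status)   if bypass_active; then echo "bypass on (expires at $(bypass_deadline), 0 = never)"; else echo "vpn"; fi ;;
    "")       : ;;   # no argument: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 on [minutes] | off | status | watchdog" >&2; exit 1 ;;
esac
```

From any LAN machine, "ssh root@router vpnbypass on 10" starts a ten-minute bypass and "ssh root@router vpnbypass off" ends it early; DRY_RUN=1 prints the uci, ifdown/ifup and reboot commands instead of executing them, which is a cheap way to check the sequence before trusting it to the button or cron. Masquerading is left enabled on both the wan and the WGZONE zone, so only the forwarding destination has to change.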

In my opinion, the easiest way would be if you (and it can be scripted):

  • statically setup routes to use the WG tunnel (0.0.0.0/1 and 128.0.0.0/1)
  • simply remove the routes when you desire to use WAN

The more specific routes that set up the tunnel to the encrypted UDP port should be OK and not break anything.

Even better just add a rule when you want a specific host to access the internet via the ISP.

1 Like

Do consider vpn-policy-routing package.

3 Likes

Thanks for all the ideas thus far guys! It sounds like a common thread in most replies thus far is to create a script that "does some stuff", which I could then invoke with an rsh invocation from any machine on my LAN.

I am intrigued by this and need to do more homework. I really know nothing about firewalls and networking so it's a steep learning curve for me, but upon quick browsing, I did see that @stangri mentioned "... put the devices you want to use Netflix in a policy routing them thru WAN". That sounds like a good solution, where I can just say "all network traffic from/to 192.168.0.5 should route through WAN rather than the WG tunnel" ... I just need to find some examples to help me figure out exactly how to do this!

One unknown is, once I make such a change, do I have to reboot the router for it to take effect? Or just restart some services? Would other computers on my LAN be uninterrupted?

README is a great place to start as it has some examples.

No need to reboot the router. Once the vpn-policy-routing is restarted/reloaded, everything should work. If you are doing some domain-based policies with the dnsmasq.ipset option, you may need to flush the DNS cache on your clients, which for some devices may need a reboot.

A bit late, but you don't need to disable the VPN; you only need to forward traffic according to what you need.

I'm "repurposing" the WPS button and LED available in an Archer C7 v5 so that it redirects the traffic on and off the VPN whenever I press it. Your device is similar in this regard, it has a WPS button and LED.

It's still the first version but works ok for my needs. I still have to write a service that will detect the state at boot and monitor the vpn state.

/etc/rc.button/wps

#!/bin/sh
# Toggle LAN traffic between the WireGuard zone and plain WAN on each WPS button press,
# and mirror the state on the WPS LED (lit = traffic goes through the VPN).
# Assumes WGZONE is the last firewall zone (@zone[-1]), wan is @zone[1] and the lan
# forwarding rule is @forwarding[0]; masq on WGZONE doubles as the "VPN active" flag.
# The LED path is specific to the Archer C7 v5; 192.168.0.1 is the upstream (ISP) gateway.

[ "$ACTION" = "pressed" ] && [ "$BUTTON" = "wps" ] || exit 0

LED=/sys/devices/platform/leds/leds/tp-link:green:wps/brightness
vpn_forward_state=$(uci -q get firewall.@zone[-1].masq)

# String comparison with quoting: an empty value (uci get failed) must not abort the test
if [ "$vpn_forward_state" = "1" ]; then
    logger -t wps-vpn "VPN active, switching LAN traffic to WAN"
    uci set firewall.@zone[-1].masq=0
    uci set firewall.@zone[1].masq=1
    uci set firewall.@forwarding[0].dest='wan'
    uci commit firewall
    /etc/init.d/firewall restart
    route del default
    route add default gw 192.168.0.1
    echo 0 > "$LED"
else
    logger -t wps-vpn "VPN bypassed, switching LAN traffic back to the tunnel"
    uci set firewall.@zone[-1].masq=1
    uci set firewall.@zone[1].masq=0
    uci set firewall.@forwarding[0].dest='WGZONE'
    uci commit firewall
    /etc/init.d/firewall restart
    route del default
    route add default dev WGINTERFACE
    echo 1 > "$LED"
fi