Exclude IP from VPN

New to OpenWRT but not tech (retired 40 yr techie). Decided to expand my horizons and dump my years old ASUS with Merlin. Purchased two GL.iNet routers: AC1300 for my Starlink Mini and the MT-6000 for home.

I'm also helping some folks test their new VPN Service EpicVPN that uses VLESS. So I installed v2Ray and Xray-core. VPN is up and running but I need to create a list of IP addresses for my routers that should bypass the VPN and go straight through WAN. Easy on the ASUS as you simply select from the list of devices and assign external destination and WAN interface. Not so easy with OpenWRT.

So, looking for advice or cookbook example to do the exclusions. I'll write up the solution and pass it on to the EpicVPN folks to use in their Quick Start Guide. Thanks for any input.


I did find this example: Wifi-OpenVpn- Exclude IP - #5 by pavelgl

You can install the full PBR app as outlined by @frollic which has many possibilities (like DNS policies to stop DNS leaks) or do it manually as shown in the link you posted.

For some more information how to do it manually see my notes:
OpenWRT Policy Based Routing (PBR)

I have installed pbr and set up the following policies:

config policy
	option name 'wg-all'
	option src_addr '192.168.3.0/24'
	option interface 'wg0'

config policy
	option name 'rtr'
	option src_addr '192.168.3.1'
	option dest_addr '0.0.0.0'
	option interface 'wan'

config policy
	option name 'ex10'
	option src_addr '192.168.3.10'
	option dest_addr '0.0.0.0'
	option interface 'wan'
	option chain 'postrouting'

But client at 192.168.3.10 still goes through WireGuard (wg0). Ideas for correct settings? Thanks.

Remove the following two rules:

and

remove dest_addr:

Then how do I specify individual IP addresses to bypass WireGuard (wg0) if I remove the ex10 policy?

This is the rule you need to route your LAN client with IP address 192.168.3.1 via the wan:

If that is not the IP address of the LAN client you want to route via the WAN then substitute 192.168.3.1 with the IP address you want
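An added example, not code from pbr or from any poster in this thread: a small Python linter that reads the policy sections of a pbr config in UCI syntax, flags the pattern discussed above (a bypass policy carrying dest_addr '0.0.0.0'), reports which policies would still pull a given host into the VPN, and prints the minimal policy that routes one LAN host via wan. The sample config is constructed from the stanzas posted earlier; run it on a workstation against a copy of /etc/config/pbr, since OpenWrt does not ship Python by default.

```python
"""Lint the 'config policy' sections of an OpenWrt /etc/config/pbr file.

Added example (not pbr's own code). Handles only the subset of UCI syntax
pbr uses: named and anonymous sections, 'option' and 'list' lines.
"""
import ipaddress
import re

# Constructed sample in the shape of the config posted in the thread.
SAMPLE_PBR = """\
config pbr 'config'
\toption enabled '1'

config policy
\toption name 'wg-all'
\toption src_addr '192.168.3.0/24'
\toption interface 'wg0'

config policy
\toption name 'ex10'
\toption src_addr '192.168.3.10'
\toption dest_addr '0.0.0.0'
\toption interface 'wan'
\toption chain 'postrouting'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))\s*$")


def parse_uci(text):
    """Return a list of (section_type, section_name, options) tuples."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key = m.group(1), m.group(2)
            value = next(v for v in m.groups()[2:] if v is not None)
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def policies(sections):
    """Just the option dicts of the 'policy' sections, in file order."""
    return [opts for kind, _, opts in sections if kind == "policy"]


def lint_policies(sections):
    """Human-readable findings for the pitfalls seen in the thread."""
    findings = []
    for opts in policies(sections):
        name = opts.get("name", "<unnamed>")
        if opts.get("dest_addr") == "0.0.0.0":
            findings.append(f"{name}: drop dest_addr '0.0.0.0'; a policy without "
                            "dest_addr already matches every destination")
        if "interface" not in opts:
            findings.append(f"{name}: no interface set, the policy routes nothing")
        if not any(k in opts for k in ("src_addr", "src_port", "dest_addr", "dest_port")):
            findings.append(f"{name}: no match criteria, the policy would apply to all traffic")
    return findings


def vpn_policies_covering(host, sections, wan_iface="wan"):
    """Names of policies whose src_addr covers `host` and whose interface is not wan."""
    addr = ipaddress.ip_address(host)
    hits = []
    for opts in policies(sections):
        src = opts.get("src_addr")
        if not src or opts.get("interface") == wan_iface:
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # hostnames and other forms are not evaluated here
        if addr in net:
            hits.append(opts.get("name", "<unnamed>"))
    return hits


def bypass_policy(name, host, wan_iface="wan"):
    """Minimal stanza routing one LAN host via wan: src_addr plus interface, nothing else."""
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    return (
        "config policy\n"
        f"\toption name '{name}'\n"
        f"\toption src_addr '{host}'\n"
        f"\toption interface '{wan_iface}'\n"
    )


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_PBR)
    for finding in lint_policies(secs):
        print("finding:", finding)
    print("VPN policies covering 192.168.3.10:", vpn_policies_covering("192.168.3.10", secs))
    print(bypass_policy("ex10", "192.168.3.10"))
```

On the sample it reports the dest_addr finding for ex10, shows that wg-all's /24 still covers 192.168.3.10, and prints the three-line bypass policy; whether the bypass actually takes effect also depends on the firewall zone, as the later posts in this thread found.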

AH, sorry - didn't see you changed the IP. Client is 192.168.3.10. I changed it but still shows VPN IP not ISP (Starlink) IP. When setting up wg, I did create a firewall zone that 'allows forward from lan' and covered network is the wg0 interface.

Kinda missing my ASUS-Merlin where to exclude in VPN server, you select IP/MAC from pulldown of all attached devices, enter 0.0.0.0 (or specific IP), select WAN, and save. No messing around with pbr, routing, firewalls. Spoiled with the easy UI.

Seems like it should be easy enough to specify in routing an IP to a destination via wan. But I've tried a dozen ways and nothing works. Steep learning curve with few results so far (2 days).

Don't see why this shouldn't work

I have disabled my VLESS VPN and installed WireGuard and it's working. In pbr I added one simple rule:

config policy
	option name '.10'
	option src_addr '192.168.1.10'
	option interface 'wan'

But that IP continues to go through WireGuard and not the WAN.

Note: Service Gateway for wan is showing wan/100.64.0.1 not 192.168.1.1
Default Gateway is wg/10.11.5.89

It will help if you show your configs.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
service pbr restart
service pbr status
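An added example, not an OpenWrt or pbr tool: a Python script that applies the redaction rule in the post above to the output of those commands before it is pasted into a forum. It blanks WireGuard keys, password and key options, MAC addresses and public IP addresses, but leaves RFC 1918 and CGNAT (100.64.0.0/10, the range Starlink hands out) addresses readable so that the routing question can still be answered. The sample output is constructed; the 203.0.113.x and 2001:db8:: addresses in it are documentation ranges standing in for public ones.

```python
"""Redact secrets from OpenWrt diagnostic output before posting it.

Added example, not an OpenWrt or pbr tool. Pipe the captured command output
through redact() on a workstation; only IPv4 public addresses, a coarse
2000::/3 IPv6 match, MACs and WireGuard-style keys are handled.
"""
import ipaddress
import re

# Constructed sample output; keys and addresses are made up.
SAMPLE_OUTPUT = """\
interface: wg0
  public key: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFG=
  private key: (hidden)
  listening port: 51820
peer: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq=
  endpoint: 203.0.113.5:51820
  allowed ips: 0.0.0.0/0
default via 10.11.5.89 dev wg0
default via 100.64.0.1 dev eth0 proto static src 100.72.10.20 metric 10
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
fd00:3::1/64 dev br-lan proto kernel metric 256
2001:db8:1:2::5 dev eth0 proto kernel metric 256
link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
config interface 'wg0'
\toption private_key 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq='
\toption password 'hunter2'
"""

# IPv4 ranges that are safe, and useful, to leave in a post.
KEEP_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # CGNAT (e.g. Starlink)
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, unspecified
    "224.0.0.0/4", "255.255.255.255/32",              # multicast, broadcast
)]

_KEY = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=")  # 32-byte base64 key
_SECRET_OPTION = re.compile(
    r"^(\s*option\s+(?:private_key|preshared_key|public_key|password|key)\s+)'[^']*'")
_MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
_V6_GLOBAL = re.compile(r"\b[23][0-9A-Fa-f]{3}(?::[0-9A-Fa-f]{0,4}){2,7}\b")  # coarse 2000::/3
_V4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _redact_v4(m):
    """Keep private/CGNAT/special addresses, blank everything else."""
    try:
        addr = ipaddress.IPv4Address(m.group(0))
    except ValueError:
        return m.group(0)  # not an address (e.g. a version string)
    if any(addr in net for net in KEEP_V4):
        return m.group(0)
    return "<redacted-ip>"


def redact_line(line):
    line = _SECRET_OPTION.sub(r"\1'<redacted>'", line)
    line = _KEY.sub("<redacted-key>", line)
    line = _MAC.sub("<redacted-mac>", line)
    line = _V6_GLOBAL.sub("<redacted-ip6>", line)
    return _V4.sub(_redact_v4, line)


def redact(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    print(redact(SAMPLE_OUTPUT))
```

The IPv6 match is deliberately rough (anything that looks like a 2000::/3 address); ULA and link-local addresses such as fd00::/8 and fe80::/10 pass through untouched, which is what you want when the question is about LAN routing.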

I made a change to the WireGuard Firewall Zone and my pbr rule is now working to exclude the IP from the VPN. Will try with my VLESS (podkop) now. Thanks for everyone's suggestions.

Update: the pbr rule to exclude also works with my VLESS podkop Proxy VPN! Outstanding!


