Firewall + VPN: How to pass all traffic through VPN, except for Zoom/video calls

Hi folks,

I configured my router to pass all my traffic through NordVPN with this guide here.

Unfortunately the VPN sometimes introduces big latency spikes - using the different network interfaces on the router to ping a web IP, I see the latency only show up on the VPN interface.

For normal web this is fine, for video calls it's problematic. Zoom have a list of IPs and ports here, but I'm struggling to get the firewall configured correctly to bypass the VPN for Zoom.

I always find firewalls and networking can be a bit of a rabbit hole to fully understand. Can you recommend a quick overview that could help me get on the right path, or make a suggestion for what I should be googling for to learn enough to get this working?

I have pasted the config files below.

Thanks,
Herbert

Linksys WRT3200ACM
OpenWrt 19.07.2 r10947-65030d81f3 / LuCI openwrt-19.07 branch git-20.105.64099-eeba108
4.14.171

root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd94:b6bb:02f6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'
	option force_link '1'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'
	option reqaddress 'try'
	option force_link '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

root@OpenWrt:/etc/config# cat /etc/openvpn/nordvpn.ovpn

client
dev tun
proto tcp
remote 185.216.33.23 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass secret
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
...
...

root@OpenWrt:/etc/config# cat firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '111'
	option name 'NFS'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '32777-32780'
	option name 'NFS2'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '8200'
	option name 'dlna'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '137-139'
	option name 'Samba'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '445'
	option src 'lan'
	option name 'Samba (internal to network)'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '4070'
	option name 'Spotify Incoming Events'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80'
	option name 'Internet Radio'

config zone
	option name 'vpnfirewall'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'nordvpntun'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'vpnfirewall'
	option src 'lan'

config rule
	option src_port '443 8801 8802 '
	option dest 'wan'
	list dest_ip '3.7.35.0/25 3.21.137.128/25  3.22.11.0/24 3.23.93.0/24 3.25.41.128/25 3.25.42.0/25 3.25.49.0/24 3.80.20.128/25 3.96.19.0/24 3.101.32.128/25 3.101.52.0/25 3.104.34.128/25 3.120.121.0/25 3.127.194.128/25 3.208.72.0/25 3.211.241.0/25 3.235.69.0/25 3.235.71.128/25 3.235.72.128/25 3.235.73.0/25 3.235.82.0/23 3.235.96.0/23 4.34.125.128/25 4.35.64.128/25 8.5.128.0/23 13.52.6.128/25 13.52.146.0/25 18.157.88.0/24 18.205.93.128/25 20.203.158.80/28 20.203.190.192/26 50.239.202.0/23 50.239.204.0/24 52.61.100.128/25 52.202.62.192/26 52.215.168.0/25 64.125.62.0/24 64.211.144.0/24 64.224.32.0/19 65.39.152.0/24 69.174.57.0/24 69.174.108.0/22 99.79.20.0/25 101.36.167.0/24 101.36.170.0/23 103.122.166.0/23 111.33.115.0/25 111.33.181.0/25 115.110.154.192/26 115.114.56.192/26 115.114.115.0/26 115.114.131.0/26 120.29.148.0/24 129.151.1.128/27 129.151.1.192/27 129.151.2.0/27 129.151.3.160/27 129.151.7.96/27 129.151.11.64/27 129.151.11.128/27 129.151.12.0/27 129.151.13.64/27 129.151.15.224/27 129.151.16.0/27 129.151.31.224/27 129.151.40.0/25 129.151.40.160/27 129.151.40.192/27 129.151.41.0/25 129.151.41.192/26 129.151.42.0/27 129.151.42.64/27 129.151.42.128/26 129.151.42.224/27 129.151.43.0/27 129.151.43.64/26 129.151.48.0/27 129.151.48.160/27 129.151.49.0/26 129.151.49.96/27 129.151.49.128/27 129.151.49.192/26 129.151.50.0/27 129.151.50.64/27 129.151.52.128/26 129.151.53.32/27 129.151.53.224/27 129.151.55.32/27 129.151.56.32/27 129.151.57.32/27 129.151.60.192/27 129.159.2.32/27 129.159.2.192/27 129.159.3.0/24 129.159.4.0/23 129.159.6.0/27 129.159.6.96/27 129.159.6.128/26 129.159.6.192/27 129.159.160.0/26 129.159.160.64/27 129.159.163.0/26 129.159.163.160/27 129.159.208.0/21 129.159.216.0/26 129.159.216.64/27 129.159.216.128/26 130.61.164.0/22 132.226.176.0/25 132.226.176.128/26 132.226.177.96/27 132.226.177.128/25 132.226.178.0/27 132.226.178.128/27 132.226.178.224/27 132.226.179.0/27 132.226.179.64/27 132.226.180.128/27 132.226.183.160/27 132.226.185.192/27 134.224.0.0/16 
140.238.128.0/24 140.238.232.0/22 144.195.0.0/16 147.124.96.0/19 149.137.0.0/17 150.230.224.0/25 150.230.224.128/26 150.230.224.224/27 152.67.20.0/24 152.67.118.0/24 152.67.168.0/22 152.67.180.0/24 152.67.184.32/27 152.67.240.0/21 152.70.0.0/25 152.70.0.128/26 152.70.0.224/27 152.70.1.0/25 152.70.1.128/26 152.70.1.192/27 152.70.2.0/26 152.70.7.192/27 152.70.10.32/27 152.70.224.32/27 152.70.224.64/26 152.70.224.160/27 152.70.224.192/27 152.70.225.0/25 152.70.225.160/27 152.70.225.192/27 152.70.226.0/27 152.70.227.96/27 152.70.227.192/27 152.70.228.0/27 152.70.228.64/27 152.70.228.128/27 156.45.0.0/17 158.101.64.0/24 158.101.184.0/23 158.101.186.0/25 158.101.186.128/27 158.101.186.192/26 158.101.187.0/25 158.101.187.160/27 158.101.187.192/26 160.1.56.128/25 161.199.136.0/22 162.12.232.0/22 162.255.36.0/22 165.254.88.0/23 166.108.64.0/18 168.138.16.0/22 168.138.48.0/24 168.138.56.0/21 168.138.72.0/24 168.138.74.0/25 168.138.80.0/25 168.138.80.128/26 168.138.80.224/27 168.138.81.0/24 168.138.82.0/23 168.138.84.0/25 168.138.84.128/27 168.138.84.192/26 168.138.85.0/24 168.138.86.0/23 168.138.96.0/22 168.138.116.0/27 168.138.116.64/27 168.138.116.128/27 168.138.116.224/27 168.138.117.0/27 168.138.117.96/27 168.138.117.128/27 168.138.118.0/27 168.138.118.160/27 168.138.118.224/27 168.138.119.0/27 168.138.119.128/27 168.138.244.0/24 170.114.0.0/16 173.231.80.0/20 192.204.12.0/22 193.122.16.0/25 193.122.16.192/27 193.122.17.0/26 193.122.17.64/27 193.122.17.224/27 193.122.18.32/27 193.122.18.64/26 193.122.18.160/27 193.122.18.192/27 193.122.19.0/27 193.122.19.160/27 193.122.19.192/27 193.122.20.224/27 193.122.21.96/27 193.122.32.0/21 193.122.40.0/22 193.122.44.0/24 193.122.45.32/27 193.122.45.64/26 193.122.45.128/25 193.122.46.0/23 193.122.208.96/27 193.122.216.32/27 193.122.222.0/27 193.122.223.128/27 193.122.226.160/27 193.122.231.192/27 193.122.232.160/27 193.122.237.64/27 193.122.244.160/27 193.122.244.224/27 193.122.245.0/27 193.122.247.96/27 193.122.252.192/27 
193.123.0.0/19 193.123.40.0/21 193.123.128.0/19 193.123.168.0/21 193.123.192.224/27 193.123.193.0/27 193.123.193.96/27 193.123.194.96/27 193.123.194.128/27 193.123.194.224/27 193.123.195.0/27 193.123.196.0/27 193.123.196.192/27 193.123.197.0/27 193.123.197.64/27 193.123.198.64/27 193.123.198.160/27 193.123.199.64/27 193.123.200.128/27 193.123.201.32/27 193.123.201.224/27 193.123.202.64/27 193.123.202.128/26 193.123.203.0/27 193.123.203.160/27 193.123.203.192/27 193.123.204.0/27 193.123.204.64/27 193.123.205.64/26 193.123.205.128/27 193.123.206.32/27 193.123.206.128/27 193.123.207.32/27 193.123.208.160/27 193.123.209.0/27 193.123.209.96/27 193.123.210.64/27 193.123.211.224/27 193.123.212.128/27 193.123.215.192/26 193.123.216.64/27 193.123.216.128/27 193.123.217.160/27 193.123.219.64/27 193.123.220.224/27 193.123.222.64/27 193.123.222.224/27 198.251.128.0/17 202.177.207.128/27 204.80.104.0/21 204.141.28.0/22 206.247.0.0/16 207.226.132.0/24 209.9.211.0/24 209.9.215.0/24 213.19.144.0/24 213.19.153.0/24 213.244.140.0/24 221.122.63.0/24 221.122.64.0/24 221.122.88.64/27 221.122.88.128/25 221.122.89.128/25 221.123.139.192/27'
	option target 'ACCEPT'
	list proto 'tcp'
	option name 'zoom-tcp-bypass-vpn'
	option src '*'

config rule
	option src_port '3478 3479 8801-8810'
	option src '*'
	option dest 'lan'
	list dest_ip '3.7.35.0/25 3.21.137.128/25 3.22.11.0/24 3.23.93.0/24 3.25.41.128/25 3.25.42.0/25 3.25.49.0/24 3.80.20.128/25 3.96.19.0/24 3.101.32.128/25 3.101.52.0/25 3.104.34.128/25 3.120.121.0/25 3.127.194.128/25 3.208.72.0/25 3.211.241.0/25 3.235.69.0/25 3.235.71.128/25 3.235.72.128/25 3.235.73.0/25 3.235.82.0/23 3.235.96.0/23 4.34.125.128/25 4.35.64.128/25 8.5.128.0/23 13.52.6.128/25 13.52.146.0/25 18.157.88.0/24 18.205.93.128/25 20.203.158.80/28 20.203.190.192/26 50.239.202.0/23 50.239.204.0/24 52.61.100.128/25 52.202.62.192/26 52.215.168.0/25 64.125.62.0/24 64.211.144.0/24 64.224.32.0/19 65.39.152.0/24 69.174.57.0/24 69.174.108.0/22 99.79.20.0/25 101.36.167.0/24 101.36.170.0/23 103.122.166.0/23 111.33.115.0/25 111.33.181.0/25 115.110.154.192/26 115.114.56.192/26 115.114.115.0/26 115.114.131.0/26 120.29.148.0/24 129.151.1.128/27 129.151.1.192/27 129.151.2.0/27 129.151.3.160/27 129.151.7.96/27 129.151.11.64/27 129.151.11.128/27 129.151.12.0/27 129.151.13.64/27 129.151.15.224/27 129.151.16.0/27 129.151.31.224/27 129.151.40.0/25 129.151.40.160/27 129.151.40.192/27 129.151.41.0/25 129.151.41.192/26 129.151.42.0/27 129.151.42.64/27 129.151.42.128/26 129.151.42.224/27 129.151.43.0/27 129.151.43.64/26 129.151.48.0/27 129.151.48.160/27 129.151.49.0/26 129.151.49.96/27 129.151.49.128/27 129.151.49.192/26 129.151.50.0/27 129.151.50.64/27 129.151.52.128/26 129.151.53.32/27 129.151.53.224/27 129.151.55.32/27 129.151.56.32/27 129.151.57.32/27 129.151.60.192/27 129.159.2.32/27 129.159.2.192/27 129.159.3.0/24 129.159.4.0/23 129.159.6.0/27 129.159.6.96/27 129.159.6.128/26 129.159.6.192/27 129.159.160.0/26 129.159.160.64/27 129.159.163.0/26 129.159.163.160/27 129.159.208.0/21 129.159.216.0/26 129.159.216.64/27 129.159.216.128/26 130.61.164.0/22 132.226.176.0/25 132.226.176.128/26 132.226.177.96/27 132.226.177.128/25 132.226.178.0/27 132.226.178.128/27 132.226.178.224/27 132.226.179.0/27 132.226.179.64/27 132.226.180.128/27 132.226.183.160/27 132.226.185.192/27 134.224.0.0/16 
140.238.128.0/24 140.238.232.0/22 144.195.0.0/16 147.124.96.0/19 149.137.0.0/17 150.230.224.0/25 150.230.224.128/26 150.230.224.224/27 152.67.20.0/24 152.67.118.0/24 152.67.168.0/22 152.67.180.0/24 152.67.184.32/27 152.67.240.0/21 152.70.0.0/25 152.70.0.128/26 152.70.0.224/27 152.70.1.0/25 152.70.1.128/26 152.70.1.192/27 152.70.2.0/26 152.70.7.192/27 152.70.10.32/27 152.70.224.32/27 152.70.224.64/26 152.70.224.160/27 152.70.224.192/27 152.70.225.0/25 152.70.225.160/27 152.70.225.192/27 152.70.226.0/27 152.70.227.96/27 152.70.227.192/27 152.70.228.0/27 152.70.228.64/27 152.70.228.128/27 156.45.0.0/17 158.101.64.0/24 158.101.184.0/23 158.101.186.0/25 158.101.186.128/27 158.101.186.192/26 158.101.187.0/25 158.101.187.160/27 158.101.187.192/26 160.1.56.128/25 161.199.136.0/22 162.12.232.0/22 162.255.36.0/22 165.254.88.0/23 166.108.64.0/18 168.138.16.0/22 168.138.48.0/24 168.138.56.0/21 168.138.72.0/24 168.138.74.0/25 168.138.80.0/25 168.138.80.128/26 168.138.80.224/27 168.138.81.0/24 168.138.82.0/23 168.138.84.0/25 168.138.84.128/27 168.138.84.192/26 168.138.85.0/24 168.138.86.0/23 168.138.96.0/22 168.138.116.0/27 168.138.116.64/27 168.138.116.128/27 168.138.116.224/27 168.138.117.0/27 168.138.117.96/27 168.138.117.128/27 168.138.118.0/27 168.138.118.160/27 168.138.118.224/27 168.138.119.0/27 168.138.119.128/27 168.138.244.0/24 170.114.0.0/16 173.231.80.0/20 192.204.12.0/22 193.122.16.0/25 193.122.16.192/27 193.122.17.0/26 193.122.17.64/27 193.122.17.224/27 193.122.18.32/27 193.122.18.64/26 193.122.18.160/27 193.122.18.192/27 193.122.19.0/27 193.122.19.160/27 193.122.19.192/27 193.122.20.224/27 193.122.21.96/27 193.122.32.0/21 193.122.40.0/22 193.122.44.0/24 193.122.45.32/27 193.122.45.64/26 193.122.45.128/25 193.122.46.0/23 193.122.208.96/27 193.122.216.32/27 193.122.222.0/27 193.122.223.128/27 193.122.226.160/27 193.122.231.192/27 193.122.232.160/27 193.122.237.64/27 193.122.244.160/27 193.122.244.224/27 193.122.245.0/27 193.122.247.96/27 193.122.252.192/27 
193.123.0.0/19 193.123.40.0/21 193.123.128.0/19 193.123.168.0/21 193.123.192.224/27 193.123.193.0/27 193.123.193.96/27 193.123.194.96/27 193.123.194.128/27 193.123.194.224/27 193.123.195.0/27 193.123.196.0/27 193.123.196.192/27 193.123.197.0/27 193.123.197.64/27 193.123.198.64/27 193.123.198.160/27 193.123.199.64/27 193.123.200.128/27 193.123.201.32/27 193.123.201.224/27 193.123.202.64/27 193.123.202.128/26 193.123.203.0/27 193.123.203.160/27 193.123.203.192/27 193.123.204.0/27 193.123.204.64/27 193.123.205.64/26 193.123.205.128/27 193.123.206.32/27 193.123.206.128/27 193.123.207.32/27 193.123.208.160/27 193.123.209.0/27 193.123.209.96/27 193.123.210.64/27 193.123.211.224/27 193.123.212.128/27 193.123.215.192/26 193.123.216.64/27 193.123.216.128/27 193.123.217.160/27 193.123.219.64/27 193.123.220.224/27 193.123.222.64/27 193.123.222.224/27 198.251.128.0/17 202.177.207.128/27 204.80.104.0/21 204.141.28.0/22 206.247.0.0/16 207.226.132.0/24 209.9.211.0/24 209.9.215.0/24 213.19.144.0/24 213.19.153.0/24 213.244.140.0/24 221.122.63.0/24 221.122.64.0/24 221.122.88.64/27 221.122.88.128/25 221.122.89.128/25 221.123.139.192/27'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'Zoom-udp-vpn-bypass'

This is just the tip of the iceberg statement. It's so true and in your case much more will be needed; to that later, for now let me ask how was Zoom/Video without the introduction of all the user/firewall rule and specifically Nord VPN's openvpn addition?

The reason I'm asking is two fold.

  1. If it worked well before the inclusion of the Nord openvpn, then we, as suggestion/guidance givers, would recommend a less CPU-intensive VPN protocol (WireGuard), and keep you off having to invest time in QoS packages to manage the balance between VPN traffic and Zoom's bandwidth-hungry consumption.

    • WireGuard: That would bring a whole new setup, and a list of challenges. (But OpenWrt Forum has trusted members to guide you if you choose that path.)
  2. If it worked before the inclusion of Nord openvpn, did you have to tell your router where to call? I.e.: Zoom firewall rules

.zoom.us
TCP: 443, 8801, 8802 (All Zoom clients)
IPv4:

3.7.35.0/25
3.21.137.128/25
3.22.11.0/24
3.23.93.0/24
3.25.41.128/25
3.25.42.0/25
3.25.49.0/24
3.80.20.128/25
3.96.19.0/24
...Truncated...
  • If you didn't have to tell your router any of this connection endpoint, then we don't want to have to do it in the router now either.

.... to that later (from above) ....

If you have to use Nord's OpenVPN or do not wish to bend the learning curve towards WireGuard:

  • Suggest you run:
    ip route show default; ubus call system board
    • These commands will tell us where you currently send traffic through your gateway.
    • The type of router/target/version, and let us view the specs of your device from the ToH page, gauging items like CPU and RAM.
    • Introduction or reintroduction into "Metric" and "Lookup" will be visited with the inclusion of your user/firewall rules.
    • You may see suggestions to remove the vpn firewall zone and put everything in WAN zone to ease up the hardship of configuration, to thus split the wanted VPN traffic from the Zoom/video by "metric/lookup". All this hopefully without having to use "Zoom firewall rules" from their page.

Turning this back to you and the forthcoming Experts we have here!

Thanks for the quick response Bill.

To be honest I don't remember - I've had it running over the VPN for a long time, but I'm only recently doing more video calls. I do believe it's the VPN though, because I can be sitting on a call and have two separate pings running from the router to the web on different interfaces. One interface has a consistent 20ms ping, and the one through the VPN will jump to >1000ms at the same time as the video call starts acting up.

default via 192.168.2.1 dev eth1.2 proto static src 192.168.2.2 

{
	"kernel": "4.14.171",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,rango",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.2",
		"revision": "r10947-65030d81f3",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.2 r10947-65030d81f3"
	}
}

https://openwrt.org/toh/linksys/wrt3200acm

Sorry I'm not following here - is there more I can provide on the user/firewall rules?

OpenWRT 19.07.2 is a few years old now, I've considered upgrading but I've been hesitant to change it when it's not broken and I don't want to have to set up everything again.

Thanks,
Herbert

  1. Install the ipset package.
  2. Download the txt file corresponding to the service you are using to directory /root.
  3. Add the following to your configuration files:

/etc/config/firewall

config  ipset
        option  name            'zoom'
        option  match           'dest_net'
        option  storage         'hash'
        option  enabled         '1'
        option  loadfile        '/root/zoom.txt' #Use the correct filename

/etc/firewall.user

iptables -t mangle -I PREROUTING -m set --match-set zoom dst -j MARK --set-mark 1

/etc/config/network

config rule
        option mark   '0x1'
        option lookup '101'

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option table '101'
  4. Restart the network and firewall services.

If it doesn't work as expected, post the output of the following commands:

ipset list zoom; ip rule list fwmark 0x1; ip route list table 101; iptables -t mangle -nvL PREROUTING
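A helper for the procedure above, written for this thread and not part of OpenWrt or the poster's own files: it turns the downloaded Zoom list into the one-CIDR-per-line file that fw3's `loadfile` reads, collapses duplicates and covered subnets, refuses private or overly broad prefixes (those would silently route far more than Zoom around the tunnel), and models which egress a destination gets under the mark 0x1 / table 101 rule. The sample list and the `/12` breadth threshold are assumptions for the demonstration; run it on a workstation and copy the result to `/root/zoom.txt`.

```python
"""Build and sanity-check the fw3 ipset load file for the Zoom VPN bypass."""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample of Zoom's IPv4 txt list: a few ranges from the thread plus
# deliberately bad lines (junk, duplicate, covered subnet, IPv6, private range)
# so the checks below have something to reject.
SAMPLE_ZOOM_TXT = """\
3.7.35.0/25
3.21.137.128/25
3.235.82.0/23
3.235.82.0/24
170.114.0.0/16
not-an-address
170.114.0.0/16
2620:0:2d0::/48
10.0.0.0/8
"""

MAX_BREADTH = 12  # assumed threshold: anything shorter than /12 is not a service list


def parse_networks(text: str) -> List[IPv4Net]:
    """Return the valid IPv4 networks in the file, dropping blanks, comments and junk.
    IPv6 entries are dropped because the ipset in the thread is an IPv4 hash:net set."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def audit(nets: List[IPv4Net]) -> Tuple[List[IPv4Net], List[str]]:
    """Collapse duplicates/covered prefixes, then split into accepted entries and
    problems. A private or very broad prefix would mark traffic that has nothing
    to do with Zoom and send it around the tunnel in the clear, so it is refused."""
    good, problems = [], []
    for net in ipaddress.collapse_addresses(nets):
        if net.is_private:
            problems.append(f"{net}: private range, would bypass the tunnel for internal traffic")
        elif net.prefixlen < MAX_BREADTH:
            problems.append(f"{net}: prefix too broad for a service allow-list")
        else:
            good.append(net)
    return good, problems


def render_loadfile(nets: List[IPv4Net]) -> str:
    """One CIDR per line: the format fw3 reads from 'option loadfile'."""
    return "".join(f"{n}\n" for n in nets)


def egress(dst: str, nets: List[IPv4Net]) -> str:
    """Model the rule chain for a LAN-originated packet: destination in the set ->
    MARK 0x1 in mangle PREROUTING -> ip rule lookup 101 -> default via wan;
    otherwise the main table, where OpenVPN's pushed default points at tun0.
    PREROUTING only sees forwarded traffic, so router-originated traffic is not modelled."""
    addr = ipaddress.ip_address(dst)
    return "wan" if any(addr in n for n in nets) else "tun0"


def build(text: str) -> Tuple[List[IPv4Net], List[str], str]:
    nets, problems = audit(parse_networks(text))
    return nets, problems, render_loadfile(nets)


if __name__ == "__main__":
    nets, problems, loadfile = build(SAMPLE_ZOOM_TXT)
    print(loadfile, end="")
    for p in problems:
        print("REFUSED:", p)
    print("3.235.83.7 ->", egress("3.235.83.7", nets), "| 8.8.8.8 ->", egress("8.8.8.8", nets))
```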

I use NordVPN (WireGuard) and direct all my zoom and teams calls for extensive business use through that on an LTE connection and it works perfectly well. I have about two or three such calls per week.

Have you set up sqm properly? A challenge with sqm in the context of VPN is dealing with mixture of encrypted and unencrypted flows. I spent many hours on this and ended up writing my own script to set up sqm (rather than use the default sqm tool in OpenWrt):

It's very simple. In short what this does is this:

For download it checks to see if there is a WireGuard peer. If there is, then it sets up a single ifb interface incorporating a mixture of a) unencrypted data on wan (it passes over the encrypted data on wan) and b) unencrypted data on the VPN interface. If there is no such interface, it just takes all traffic from wan.

For upload it relies on cake's ability to work with flow hash preservation, enabling cake to differentiate encrypted flows on upload.

Thus we end up with a single interface despite VPN pbr on which to apply cake and keep latency nice and low.

See e.g. this thread:

The solution on that is an alternative but shows how I grappled with this issue.

You should also switch to WireGuard because it's faster and can be set up with NordVPN by extracting credentials using Linux client on Virtual machine having connected with their nordlynx service.

See here:

Perhaps OpenVPN is overwriting the DHCP config all the time. So I'd suggest ditching OpenVPN and switching to WireGuard anyway and seeing how that goes, since ultimately, unless some reason is holding you to OpenVPN, WireGuard is technically superior anyway.


Thanks for the input @Lynx and @pavelgl - I had to mess around with my overlay (somehow it got reverted back to the internal flash instead of the external USB). The configuration is now a little borked, so I still need to get it straightened out (or start from scratch) before I can try anything new.

For now I've disabled the VPN on the router and instead I am running it locally on my PC to compare. I haven't run into the same issue yet of ping spikes. This has me questioning if the VPN is the problem. Here are some other things that I've thought might be the issue:

  • VPN protocol (TCP vs UDP)
  • Router processing capacity
  • Selecting a bad VPN server
  • OpenVPN overhead (vs WireGuard)

I guess it makes sense to have an idea of where the problem is before I try and solve it :upside_down_face:.

I would also look into bufferbloat and SQM and consider getting that resolved as that's important. Then make that work with VPN if you need VPN.

Don't you see bufferbloat using this test:

That will ruin latency-sensitive applications like Zoom when downloading etc.

Happily OpenWrt offers fantastic countermeasure in the form of CAKE.
