Forward rule with GEOIP

hello there

I'm using WireGuard on my OpenWrt router and it's connected and working properly.

My LAN users' traffic is passing through the VPN.

Since some apps and websites are only available in my country, I want to use GEOIP

to check if the destination IP is from my country, which is IR; that traffic won't pass through WireGuard but instead pass directly through my WAN connection.

I can't find a good topic about this, can anybody help me?

Example: this site isn't available from outside of Iran. Since my whole router is passing traffic through the VPN connection, my LAN users have no access to that website. I need something to exclude the IR websites, like GeoIP, to pass through WAN, not VPN.


figure out which IP ranges are IR specific, and bypass the VPN tunnel for those.

There are so many IPs, I don't think that's the best way. Can't I use GeoIP with iptables? I don't know the rules and commands to use. :frowning:

How are you going to discover/look up if a specific IP belongs to IR?

With geoip library i think !!?

See Dest geoip routing thougth vpn as an example, there are other similar topics available.
Note that iptables is not used anymore.

pretty sure the maxmind geo lib is no more, you'll need to generate the CSV yourself.
there might be other options I'm unaware of though.


The Policy Based Routing package is, to my understanding, the package to use for this use case. The user stangri is the guy who is the main developer. The support thread is here: Policy-Based-Routing (pbr) package discussion

Here is a thread which seems to cover exactly your use case, download a list of IPs hosted in a specific country and route those IPs through the WAN interface directly and not over a VPN: Routing my country via the WAN


Based on the 3rd-to-last posts in that thread, we can get a ready-to-use IP list.
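The two posts above point at the same thing: download a per-country prefix list and route those prefixes out of the WAN instead of the tunnel. The block below is an added example (not code from the thread, from pbr, or from OpenWrt) showing the three pieces a practitioner would want before loading such a list into a router: collapsing overlapping and adjacent prefixes so the rule set stays small, answering "is this destination in the country list?" with a binary search instead of a linear scan, and rendering the result as an nftables set file. The sample prefixes are documentation ranges constructed for the example, not real IR allocations, and the table/set names `fw4`/`ir_v4` are assumptions.

```python
"""Country-prefix bypass helper (added example, not from the thread or from pbr)."""
import bisect
import ipaddress
from typing import Iterable, List

# Constructed sample list using documentation prefixes; NOT real IR allocations.
# Deliberately contains two adjacent /25s and a /26 nested inside a /24 so that
# the collapse step has something to do.
SAMPLE_COUNTRY_LIST = """\
# one prefix per line, '#' starts a comment
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.0/26
203.0.113.0/24
"""


def parse_cidrs(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a plain CIDR list like the downloadable country lists the thread links to."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates lists that carry host bits (e.g. 10.1.2.3/24)
        nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent prefixes; this is what keeps the rule set small."""
    return sorted(ipaddress.collapse_addresses(nets), key=lambda n: int(n.network_address))


class CountryLookup:
    """Membership test over a collapsed list: the networks are disjoint and sorted,
    so the rightmost network starting at or before the address is the only candidate."""

    def __init__(self, nets: Iterable[ipaddress.IPv4Network]):
        self.nets = collapse(nets)
        self.starts = [int(n.network_address) for n in self.nets]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        i = bisect.bisect_right(self.starts, int(addr)) - 1
        return i >= 0 and addr in self.nets[i]


def render_nft_set(nets: Iterable[ipaddress.IPv4Network],
                   table: str = "fw4", set_name: str = "ir_v4") -> str:
    """Emit an nft script fragment that creates an interval set and loads the prefixes.
    Table and set names are assumptions; 'flags interval' lets the set hold CIDRs."""
    elems = ", ".join(str(n) for n in collapse(nets))
    return (f"add set inet {table} {set_name} {{ type ipv4_addr; flags interval; }}\n"
            f"add element inet {table} {set_name} {{ {elems} }}\n")


if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_COUNTRY_LIST)
    print(f"{len(nets)} prefixes in, {len(collapse(nets))} after collapse")
    lookup = CountryLookup(nets)
    for ip in ("192.0.2.200", "198.51.100.77", "203.0.114.1", "8.8.8.8"):
        print(ip, "-> bypass VPN" if lookup.contains(ip) else "-> via VPN")
    print(render_nft_set(nets), end="")
```

The collapse matters more than it looks: published country lists are often generated per allocation and contain thousands of adjacent prefixes that merge into far fewer ranges, which is the answer to "there are so many IPs". The rendered fragment is plain `nft -f` input; the set lives in the `fw4` table in this example so a mark rule in the same table can reference it with `ip daddr @ir_v4`.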


I'm thinking about this though my knowledge is not super good in this.

Would it not be better to avoid geo lookups, and instead do:

  1. Create a file in /etc/dnsmasq.d/ir.conf or in /etc/dnsmasq/ir.conf and then write something like this: address=/.ir/iripset/ this will get all IPs from TLD .ir and every subdomain getting resolved by the DNS, the dot is a wildcard (though I'm not so sure how far support goes also for nftset here).

  2. Create a firewall portforward or traffic rule which marks this ipset with a firewall mark probably through port 53 for dns?

  3. Set a default route to wan if the firewall mark matches?

Then the only thing the OP needs is someone who can show him this better or explain how this works, I never tried to create split tunnels myself but I do have a generic idea how it could work.
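The three steps above, written out as an added configuration example (not from the thread, from pbr, or from OpenWrt's docs). Two things differ from the post's wording: the dnsmasq directive that adds resolved addresses to a set is `nftset=` (or `ipset=` on an ipset-based system), whereas `address=` answers the query with a fixed IP; and the mark must be applied before the routing decision, i.e. in a prerouting hook, not in a port-forward. The set name `ir_v4`, the mark `0x10`, the routing table `100` and `<wan_gateway>` are placeholders and assumptions.

```conf
# --- /etc/dnsmasq.conf (or a file under /etc/dnsmasq.d/ if conf-dir is enabled) ---
# Needs a dnsmasq build with nftset support (dnsmasq-full on OpenWrt).
# Every A record answered for the .ir TLD and all its subdomains is added to
# set ir_v4 in table inet fw4. Format: /domain/<4|6>#<family>#<table>#<set>
nftset=/ir/4#inet#fw4#ir_v4

# --- /etc/nftables.d/ir-bypass.nft (fw4 includes these files inside table inet fw4) ---
# The set holds single addresses from dnsmasq plus any CIDRs loaded from a
# downloaded country list; 'flags interval' allows both.
set ir_v4 {
    type ipv4_addr
    flags interval
}
# Own base chain on the prerouting hook at mangle priority, so the mark is set
# before the kernel picks a route. Only LAN-originated traffic is marked.
chain ir_mark {
    type filter hook prerouting priority mangle; policy accept;
    iifname "br-lan" ip daddr @ir_v4 counter meta mark set 0x10
}

# --- /etc/config/network ---
# Marked packets consult table 100, whose only route is a default via the WAN
# gateway, so they never see the WireGuard default route in the main table.
config rule
	option mark '0x10/0x10'
	option lookup '100'
	option priority '100'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway '<wan_gateway>'
	option table '100'
```

Caveats a practitioner would want before relying on this: the set only learns addresses for names the router's dnsmasq actually resolves, so clients using their own resolver or DNS-over-HTTPS, and apps that connect to hard-coded IPs, still go through the tunnel unless the set is also seeded from a country prefix list; IPv6 needs a second set and `AAAA` entries (`6#inet#fw4#ir_v6`); and the WAN zone must still masquerade this traffic, which fw4's normal lan-to-wan forwarding already does. `nft list set inet fw4 ir_v4` after resolving a `.ir` name is the quickest check that the dnsmasq side is working.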

If you have an ipset, you wouldn't actually do any geo lookups.

Kind of depends on how the restriction is set up.
If it's only on DNS level, you'll need to make sure the .IR DNS names are resolved
"locally". that can be solved by a dnsmasq rule (and probably some firewall magic).

If the IPs can't be accessed from abroad, you'll have to make sure all IR traffic doesn't go
through the VPN tunnel.
