How to exclude devices from the tun0 interface and route them to the WAN

Hi, I followed the guide at this address https://airvpn.org/forums/topic/15405-using-airvpn-with-openwrt/ to configure the AirVPN service on my Linksys. It works perfectly, but I need to exclude some devices from the VPN, because otherwise they don't work. How can I do that?

I believe what you are trying to achieve is source based routing.

Are you sure you want to do this?
What goal are you trying to achieve with this?

I need to exclude some devices from the VPN, because otherwise they don't work

Are those local devices, which need to communicate via LAN?
A bit of background information would be helpful to understand what you are trying to achieve.

Thank you for your answer. I subscribed to the AirVPN service and set up the router so that all LAN traffic passes through the VPN. I also subscribed to Sky TV via the internet. This last service does not work if it is not directly connected to the internet. So I would like to exclude the Sky decoder from the VPN.

Add a rule like the following to /etc/config/network for each host that should not exit via the VPN (this is source-based policy routing: traffic from that source address is looked up in a separate routing table instead of the main one):

# Policy-routing rule: packets entering on lan from this one source address are
# looked up in routing table 100 instead of main. IPv4 only ('config rule'); an
# IPv6-capable host would also need a matching 'config rule6'.
# The match is by source IP alone, so any LAN client that assigns itself this
# address also bypasses the VPN — keep the host on a static lease and treat the
# exception as a convenience, not an access control.
config rule
        option in     'lan'
	option src   'X.X.X.X/32'
	option lookup '100'

Then add a default route in that table that points at the WAN:

# Default route for table 100 out of the WAN interface. No 'option gateway' is
# given; on a DHCP WAN that appears to produce a device-scope default route,
# which only works if the upstream device answers ARP for every destination.
# Either add 'option gateway <wan gateway>' or confirm with
# 'ip -4 ro show table 100' that a 'default via ...' entry exists.
# Routing alone is not enough: the firewall must also forward this host from
# lan to wan (the firewall posted further down only forwards lan -> wgzone),
# otherwise its packets hit the forward DROP policy.
config 'route' 'not_vpn'
        option 'interface' 'wan'
        option 'target' '0.0.0.0'
        option 'netmask' '0.0.0.0'
        option 'table' '100'

Excuse my ignorance. But where do I put those strings? In the file /etc/config/firewall? Can you give me a complete example with a random address like 192.168.1.184 for the host?

It goes into /etc/config/network, not /etc/config/firewall; for your example the rule would be:

# Source-based rule for one host: traffic arriving on lan from 192.168.1.184 is
# looked up in table 100 (where the not_vpn default route lives). IPv4 only;
# the host should have a static DHCP lease so the /32 keeps matching it.
config rule
        option in     'lan'
	option src   '192.168.1.184/32'
	option lookup '100'

I tried, but without success. Then I took another path: through LuCI I created a VLAN (still on the first CPU port) and on it another interface called lan_novpn, and through the firewall I forwarded this secondary LAN to the wan. But it still doesn't work. I don't know what I'm doing wrong; it seems as if I'm trying to do something impossible.

install ip-full?

It doesn't work like this.
Please add what I mentioned in my previous posts and if it doesn't work, post the following

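# Dump the four configs plus addresses, routes and policy rules.
# 'ip -4 ro show table 100' is added because plain 'ip -4 ro' prints only the
# main table, and table 100 is where the not_vpn default route has to appear.
# The sed blanks WireGuard private_key and Wi-Fi key values so that secrets
# are not pasted into a public thread.
{ cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ro show table 100 ; ip -4 ru; } | sed -r "s/(private_key|option key) .*/\1 '<redacted>'/"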

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

# /etc/config/network as posted (wg = WireGuard tunnel to the VPN provider).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

# NOTE(review): ula_prefix is normally a private fd00::/8 prefix. This is a
# global-looking 2a03: prefix next to the wg peer's 2a03:8600:1001:4000::/64;
# if LAN clients receive addresses from it, their IPv6 leaves via wg (::/0 is
# routed there below) with a source the provider may not accept — confirm.
config globals 'globals'
option ula_prefix '2a03:8600:1001:40ea::/64'

# LAN bridge on switch VLAN 1; ip6assign asks netifd to hand the LAN a prefix.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

# WAN on switch VLAN 2 via DHCP (192.168.0.2/24 behind 192.168.0.1 in the
# 'ip -4 addr' / 'ip -4 ro' output below, i.e. double NAT). peerdns=0 ignores
# the ISP resolver. The policy rule below only matches iif br-lan, so the
# router's own upstream DNS lookups follow the main table and should leave
# over wg, not over this interface.
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option peerdns '0'
option dns '91.231.153.2'

config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
option dns '2001:67c:15ec:1337::2'

# Switch: ports 0-3 + CPU 5t = VLAN 1 (lan), port 4 + CPU 6t = VLAN 2 (wan).
# The lan_novpn VLAN mentioned earlier in the thread is not present here.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'

# SECURITY: this private key was pasted into a public forum post. Treat it as
# compromised: generate a new key pair, register the new public key with the
# provider, and redact private_key values before posting configs.
config interface 'wg'
option proto 'wireguard'
option private_key 'qK2VFV1aprGf5A4KNs8hIVaKKV1xPM7SR6vM3vkOFVk='
list addresses '10.10.0.236/19'
list addresses '2a03:8600:1001:4000::ed/64'

# Peer: allowed_ips 0.0.0.0/0 + ::/0 with route_allowed_ips=1 installs default
# routes via wg in the main table ('default dev wg' in the 'ip -4 ro' output),
# so every host not matched by a policy rule below is tunnelled.
config wireguard_wg
option public_key 'T28Qn5VFzT4wiwEPd7DscwcP3Rsmq23QcnjH1N5G/wc='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option route_allowed_ips '1'
option endpoint_host 'se1.wg.azirevpn.net'
option endpoint_port '51820'

# Policy rule (visible as 'from 192.168.1.128 iif br-lan lookup 100' in the
# 'ip -4 ru' output): traffic from this one LAN source is routed via table 100.
# IPv4 only — an IPv6-capable client would need a matching 'config rule6'.
# Match is by source IP, so any LAN client that assigns itself 192.168.1.128
# bypasses the VPN; this is a convenience, not an access control.
config rule
option in 'lan'
option src '192.168.1.128/32'
option lookup '100'

# Default route for table 100 out of the WAN. No 'option gateway' is set; with
# a DHCP WAN that appears to yield a device-scope 'default dev eth1.2' route,
# which only works if the upstream box answers ARP for every destination.
# Add option gateway '192.168.0.1' (the WAN gateway seen in 'ip -4 ro'), or at
# least check that 'ip -4 ro show table 100' shows 'default via ...'.
# Routing alone is also not enough: the firewall below only forwards lan ->
# wgzone, so this host additionally needs a lan -> wan forward rule.
config 'route' 'not_vpn'
option 'interface' 'wan'
option 'target' '0.0.0.0'
option 'netmask' '0.0.0.0'
option 'table' '100'

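# /etc/config/firewall as posted. Default policy is DROP in all three
# directions; the zones, rules and forwardings below open only what is listed.
config defaults
option syn_flood '1'
option drop_invalid '1'
option input 'DROP'
option output 'DROP'
option forward 'DROP'

# lan zone. 'forward ACCEPT' here only covers traffic between interfaces inside
# this zone; reaching another zone still needs a 'forwarding' section or an
# explicit rule with 'dest'.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

# wan zone: masqueraded, unsolicited input and forward dropped.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'DROP'
option forward 'DROP'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Name says Allow but the target is DROP: the router does not answer pings
# from the WAN. Consider renaming to 'Drop-Ping' so the rule list reads true.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'DROP'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# The two rules below are OpenWrt defaults: they forward ESP and UDP/500 from
# wan into lan. If no LAN host terminates IPsec they are dead weight and can be
# removed to shrink the exposed surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

# VPN zone: masqueraded, nothing unsolicited accepted from the tunnel.
config zone
option input 'DROP'
option forward 'DROP'
option name 'wgzone'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wg'

# Only lan -> wgzone is forwarded. With no lan -> wan forwarding, LAN clients
# cannot leak to the WAN when the tunnel is down (an implicit kill switch) —
# but the same policy also drops the packets of the host policy-routed to
# table 100 in /etc/config/network, which is why that host still fails.
config forwarding
option dest 'wgzone'
option src 'lan'

# Added: forward only the excluded host (the /32 routed to table 100 in
# /etc/config/network) from lan to wan. A blanket 'config forwarding' lan ->
# wan would also let every other client bypass the VPN whenever the tunnel is
# down, so the exception is scoped to one source address and IPv4 only.
config rule
option name 'Allow-novpn-host-to-wan'
option src 'lan'
option src_ip '192.168.1.128'
option dest 'wan'
option family 'ipv4'
option target 'ACCEPT'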

# /etc/config/wireless as posted.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option country 'FR'
option legacy_rates '1'

# SECURITY: the WPA2 passphrase below was pasted into a public post — change it
# on the router and on every client, and redact 'option key' lines in future.
# The SSID also carries a personal surname; consider a neutral name.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Piscitelli-5GHz'
option encryption 'psk2+ccmp'
option key '5oIjIAZ!rXxTX4'

config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'FR'
option legacy_rates '1'

# SECURITY: same as above — this passphrase is public now; rotate it.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Piscitelli'
option encryption 'psk2+ccmp'
option key '7q%X9B33JbE^%m'

# radio2 is disabled, which is the only thing keeping the open AP below off.
config wifi-device 'radio2'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
option htmode 'VHT80'
option disabled '1'

# Default stanza: 'encryption none' bridged straight into lan. If radio2 is
# ever enabled this becomes an open AP on the trusted network — give it a
# psk2 key or delete the stanza rather than relying on the disabled flag.
config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'

# /etc/config/dhcp as posted. rebind_protection and localservice keep dnsmasq
# from answering WAN-side queries and from accepting private-range answers for
# public names; both are worth keeping.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'

# LAN pool 192.168.1.100-249; the reserved .128 below falls inside it.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

# Static lease that pins the VPN-excluded device to 192.168.1.128 so the /32
# policy rule in /etc/config/network keeps matching it. A reservation is not
# enforcement: any LAN client that configures this address by hand also gets
# routed around the VPN.
config host
option name 'Samsung_S9'
option dns '1'
option mac '6C:C7:EC:A1:98:20'
option ip '192.168.1.128'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1.2
valid_lft forever preferred_lft forever
11: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.10.0.236/19 brd 10.10.31.255 scope global wg
valid_lft forever preferred_lft forever
default dev wg proto static scope link
10.10.0.0/19 dev wg proto kernel scope link src 10.10.0.236
192.168.0.0/24 dev eth1.2 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
193.180.164.58 via 192.168.0.1 dev eth1.2 proto static
0: from all lookup local
1: from 192.168.1.128 iif br-lan lookup 100
32766: from all lookup main
32767: from all lookup default

Above is the output of the commands you wrote to me.

Please use the </> icon to paste output and configs! Also note that the paste above contains the WireGuard private_key and both Wi-Fi passphrases in clear text: treat them as compromised, generate a new WireGuard key pair and change the Wi-Fi keys, and redact such values before posting in future.

