How to route LAN traffic through VPN or WAN depending on destination IP?

I'm living in China and I've successfully set up a VPN on my OpenWrt router and it's all going very well. Currently my firewall zone only allows all LAN to forward to VPN.

However this makes Chinese sites and apps load slowly or not at all, so I have to switch network to use them.

I have an idea that I should be able to change my zone to allow forwarding to VPN and WAN and have 2 firewall rules. One makes all LAN traffic forward to VPN, and then a second rule that fires first uses ipset to reference a list of Chinese IPs and forwards all LAN traffic with a Chinese destination IP to the WAN zone, skipping the VPN. (I guess this could be one rule using NOT but idk if that's supported).

Is my idea possible? Should I be using another way to achieve it?

I've downloaded a list of Chinese IPs from https://www.ipdeny.com/ipblocks/data/countries/cn.zone but I'm stumped as to what to do next. Can someone talk me though the process? I can use Luci or SSH.

PBR or some such.

1 Like