How to set up a guest network to bypass VPN?

I am considering having my home network traffic route through Proton VPN using this guide from Proton. Currently most of the devices on the home network already use the VPN client anyway, so this will free up the amount of concurrent connections and will make using things like netbird or tailscale easier.

I would like my guest network, which is on a separate VLAN, to not be routed through the VPN. Mostly because the guest network is mainly used for work devices and IoT devices that do not play nicely when connected through a VPN.

I know there is a vpnbypass package which is seemingly for this situation but I was hoping to get guidance on

1 - how to use the package.
2 - the changes I would need to make from the original proton guide.
3 - help understanding the firewall zone setup for this.

Thanks!

The magic word is Policy Based Routing (PBR):

https://openwrt.org/docs/guide-user/network/routing/pbr

My own notes on how to set up a WireGuard client (you need the client setup guide; make sure to download it, as GitHub only shows the first five pages):

Just to check if I understand correctly. I am thinking something like this?

config pbr 'config'
    option enabled '1'
    option verbosity '2'
    option strict_enforcement '1'
    option resolver_set 'dnsmasq.nftset'

config policy
    option name 'Guest Network Bypass VPN'
    option interface 'wan'
    option src_addr '192.168.10.0/24'
    option description 'Route guest network traffic directly through WAN'

and then change my firewall settings from what protonVPN tells you to do to something like

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'vpn'
    list network 'wg0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'vpn'

config forwarding
    option src 'lan'
    option dest 'vpn'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcp'
    option dest_port '1194'

config include 'pbr'
    option path '/usr/share/pbr/firewall.include'
    option fw4_compatible '1'
    option type 'script'

Probably remove the following, as you want to only allow from guest to vpn

Otherwise it looks good at first glance

If you have an OpenVPN server, you also need to route the OpenVPN port via the WAN.

Sorry if I am being silly about this...

Wouldn't I want to keep that since I am trying to have guest bypass the VPN?

You are absolutely right.

You can remove from guest to vpn
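Added example, not posted by anyone in the thread: a small POSIX shell audit that reads an OpenWrt firewall config, lists which zones a given zone may forward to, and strips the guest-to-vpn forwarding the thread concludes should be removed. The config text is a constructed sample mirroring the forwardings in the draft above; `forward_dests`, `zone_can_forward` and `strip_forwarding` are names chosen here.

```shell
#!/bin/sh
# Added example, not posted in the thread: audit /etc/config/firewall for zone
# forwardings and strip the guest->vpn one that the thread concludes should go.
# Constructed sample mirroring the forwardings of the draft posted above.
FW_CFG=$(mktemp)
cat > "$FW_CFG" <<'EOF'
config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'vpn'

config forwarding
    option src 'lan'
    option dest 'vpn'
EOF

# Print the dest zone of every 'config forwarding' whose src is $1, file $2.
forward_dests() {
    awk -v want="$1" -v q="'" '
        $1 == "config" { sec = $2; src = ""; dest = "" }
        sec == "forwarding" && $1 == "option" {
            v = $3; gsub(q, "", v)            # drop UCI quotes
            if ($2 == "src")  src  = v
            if ($2 == "dest") dest = v
            if (src == want && dest != "") { print dest; dest = "" }
        }' "$2"
}

# Succeed (exit 0) if some forwarding lets zone $1 reach zone $2 in file $3.
zone_can_forward() { forward_dests "$1" "$3" | grep -qx "$2"; }

# Write file $3 to stdout minus any 'config forwarding' from $1 to $2.
strip_forwarding() {
    awk -v s="$1" -v d="$2" -v q="'" '
        function emit() { if (!(sec == "forwarding" && src == s && dest == d)) printf "%s", buf }
        $1 == "config" { emit(); buf = ""; sec = $2; src = ""; dest = "" }
        { buf = buf $0 "\n" }
        $1 == "option" { v = $3; gsub(q, "", v)
                         if ($2 == "src") src = v; if ($2 == "dest") dest = v }
        END { emit() }' "$3"
}

if zone_can_forward guest vpn "$FW_CFG"; then
    echo "guest can reach the vpn zone; corrected config follows:" >&2
    strip_forwarding guest vpn "$FW_CFG"
fi
```

On a live router the same functions can be pointed at /etc/config/firewall, and the stripped output reviewed before replacing the file and running `/etc/init.d/firewall reload`.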
