How to setup guest network to bypass VPN?

I am considering having my home network traffic route through Proton VPN using this guide from Proton. Currently most of the devices on the home network already use the VPN client anyway, so this will free up the amount of concurrent connections and will make using things like netbird or tailscale easier.

I would like my guest network, which is on a separate VLAN, to not be routed through the VPN. Mostly because the guest network is mainly used for work devices and IoT devices that do not play nicely when connected through a VPN.

I know there is a vpnbypass package which is seemingly for this situation but I was hoping to get guidance on

1 - how to use the package.
2 - the changes I would need to make from the original proton guide.
3 - help understanding the firewall zone setup for this.

Thanks!

The magic word is Policy Based Routing (PBR):

https://openwrt.org/docs/guide-user/network/routing/pbr

My own notes on how to set up a WireGuard Client (you need the Client setup guide; make sure to download it, as GitHub only shows the first five pages):

Just to check if I understand correctly. I am thinking something like this?

config pbr 'config'
    option enabled '1'
    option verbosity '2'
    option strict_enforcement '1'
    option resolver_set 'dnsmasq.nftset'

config policy
    option name 'Guest Network Bypass VPN'
    option interface 'wan'
    option src_addr '192.168.10.0/24'
    option description 'Route guest network traffic directly through WAN'

and then change my firewall settings from what protonVPN tells you to do to something like

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'vpn'
    list network 'wg0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'guest'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'vpn'

config forwarding
    option src 'lan'
    option dest 'vpn'

config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcp'
    option dest_port '1194'

config include 'pbr'
    option path '/usr/share/pbr/firewall.include'
    option fw4_compatible '1'
    option type 'script'

Probably remove the following as you want to only allow from guest to vpn

Otherwise it looks good at first glance

If you have an OpenVPN server, you also need to route the OpenVPN port via the WAN.

Sorry if I am being silly about this...

Wouldn't I want to keep that since I am trying to have guest bypass the VPN?

You are absolutely right.

You can remove from guest to vpn

Tailscale has an integrated Mullvad Exit Node, see here.
Tailscale clients are not location bound, so the Mullvad Exit Node can be accessed from a remote location with no special "Road Warrior" configuration.

This is pretty much standard requirement.
Guest and IoT are usually on separate VLAN/SSIDs.
Guest VLAN is normally configured for device isolation and only provides Internet access.

I have read this integration is particular to Mullvad and does not work nearly as reliable with other VPN providers.

Please correct me if I am wrong. I am a noob at all this stuff.

Tailscale currently only offers an integrated VPN Provider Exit Node with Mullvad.

There are benefits to using an integrated VPN Provider Exit Node in mobile environments.

If you are happy using Proton VPN, then continue to use it.


I will stick with Proton for now. I know Mullvad is amazing but being integrated into the Proton ecosystem provides me with other benefits.

I did a test run and was able to get Proton set up for the home network while having the Guest network bypass it relatively easily, thanks to @egc. I will probably wait to fully implement it when I can test a bit more without causing issues for my partner.

One thing I am not sure about is how to handle the ephemeral port forwarding when it's set up over the router, if anyone has any suggestions.


The PBR package also can take care of that.

With Port forwarding usually you use the WAN to enter your router, return traffic must also use the WAN.
But as your default route is via the VPN you have to use PBR to route the appropriate traffic back.

If you are ready to test just make another thread with the specifications of the port forward.

An example: let's say you have transmission running on port 51413 on a server in your LAN with IP address 192.168.1.98, then you make a PBR rule to route that traffic via the WAN.
The PBR rule will use local source: 192.168.1.98, local port: 51413, interface: WAN. As simple as that :)
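A worked version of that port-forward case as a shell script, added here and not from the thread: it validates the host and port, then emits the `uci batch` for the firewall redirect plus the matching PBR policy that sends the server's replies back out via the WAN (assumes the pbr package is installed, zones named `wan` and `lan`, and the example host/port above).

```shell
#!/bin/sh
# Added example, not from the thread: UCI changes for the transmission case
# above (LAN host 192.168.1.98, port 51413): a DNAT redirect on wan plus a PBR
# policy so the server's replies leave via wan instead of the VPN default route.
# Assumes the pbr package is installed and the zones are named 'wan' and 'lan'.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a port number in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a `uci batch` script: $1 = LAN host, $2 = port, $3 = proto (default tcp).
port_forward_batch() {
    host=$1 port=$2 proto=${3:-tcp}
    valid_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='Forward-$port-to-$host'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].proto='$proto'
set firewall.@redirect[-1].src_dport='$port'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='$host'
set firewall.@redirect[-1].dest_port='$port'
add pbr policy
set pbr.@policy[-1].name='Port $port replies via WAN'
set pbr.@policy[-1].src_addr='$host'
set pbr.@policy[-1].src_port='$port'
set pbr.@policy[-1].interface='wan'
commit firewall
commit pbr
EOF
}
# On the router run with --apply; elsewhere this is a dry run that prints the batch.
if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    port_forward_batch 192.168.1.98 51413 tcp | uci batch &&
        /etc/init.d/firewall restart && /etc/init.d/pbr restart
else
    port_forward_batch 192.168.1.98 51413 tcp
fi
```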


Thanks! will do that!

That makes sense. I am a bit confused about exactly how I find which port is open though, as Proton isn't super clear on it.

I can just make a separate thread and tag you when I am actually testing as well.

That is fine.
Proton also allows you to port forward via the VPN, which can be useful if you do not have a public IP address on your WAN; otherwise I would just use the WAN to access your home.
