How to turn off openvpn route for router?

I am running transmission on an openwrt router that is also running an openvpn client.

I would like to bypass openvpn for the router itself, so I can use transmission without openvpn

The router is on 192.168.1.1 connected to another router having the gateway 192.168.0.1

I would prefer to not use additional packages like pbr to achieve this, if possible

These routing/rule settings below don't seem to work

nano /etc/config/network

config rule
	option lookup '100'
	option src '192.168.1.1/32'
	option in 'lan'

config route
	option metric '200'
	option table '100'
	option gateway '192.168.0.1'
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

The above was help I got from @trendy for another use case https://forum.openwrt.org/t/transmission-port-bypass-openvpn-client/141613/9

Appreciate any help, thanks

Edit:
I've used these instructions to setup my openvpn client https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

If transmission is running as a specific user, use the uidrange option to match. You cannot match locally generated traffic the way you are trying.

Thank you.

I run transmission as 'root' user (I don't know how wise that is, from a security standpoint, or if I should run it as 'transmission' user)

root@OpenWrt:~# cat /etc/passwd says the UID of the 'root' user is '0'

tried the following but it didn't work

config rule
	option lookup '100'
	option uidrange '0'
	option in 'lan'

config route
	option metric '200'
	option table '100'
	option gateway '192.168.0.1'
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

Thanks

Edit:
Seeing this post https://forum.openwrt.org/t/transmission-bypassing-openvpn/64319/11?u=redchilis

I tried,

config rule
	option lookup '100'
	option uidrange '0'
	option in 'lan'
	option action 'ignore'

config route
	option metric '200'
	option table '100'
	option gateway '192.168.0.1'
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

but it didn't work

  1. Assign a specific user to transmission. Otherwise it will match other traffic as well.
  2. Remove option in 'lan' and option action 'ignore'

I am using transmission user and transmission group!

root@OpenWrt:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false
transmission:x:224:224:transmission:/var/run/transmission:/bin/false
minidlna:x:65536:65536:minidlna:/var/run/minidlna:/bin/false

config rule
        option lookup '100'
        option uidrange '224'

config route
        option metric '200'
        option table '100'
        option gateway '192.168.0.1'
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'

When I stop openvpn, it downloads fine (only mentioning it because it was harrowing getting all the permissions working for the 'transmission' user; I had to manually create the 'resume' and 'torrents' folders within the transmission settings folder, as they were not getting created for some reason even after giving the transmission user permission on the config folder). When openvpn starts, it keeps trying to reach trackers (checked in the system log).

I'm sure I'm missing something, I haven't added any port forwarding since torrents downloads fine when openvpn is stopped.

Thank you.

Can you first verify with tcpdump or remote wireshark
ssh root@openwrt.lan tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
that the packets are going out of the vpn interface when the vpn is enabled?

I couldn't comprehend the wireshark output, but after giving it some time and stopping wireshark, it did not seem like '192.168.1.1' (the router) was giving out any packets. I am completely out of my depth here, so I could be wrong.

I ran on 'wlan0' not 'eth1' as I have no 'eth1' interface, just 'br-lan' and 'wlan0'.

ssh root@192.168.1.1 tcpdump -i wlan0 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -

Wireshark output https://pastebin.com/raw/4kZ4WwPi

Edit:
Also,
while I try downloading a torrent,
since the openvpn client does not allow P2P traffic,
it chokes off all traffic to normal browsing/using of internet,
I have to pause the torrent to restore internet via the openvpn client.

So, even if the torrent connection seems to be going through, it is in fact going through the openvpn client and not bypassing it, until, of course, the openvpn server catches the traffic and blocks all connections.

Edit:
This is the output with openvpn stopped (I have no killswitch for openvpn enabled)

ssh root@192.168.1.1 tcpdump -i wlan0 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -

Wireshark output https://pastebin.com/raw/RZn0edec

You should use the interface name of the wan network. Or is everything on br-lan?
Better post the following to have a better understanding.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "TP-Link TL-MR3020 v3",
	"board_name": "tplink,tl-mr3020-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd65:cd27:e283::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option igmp_snooping '1'
	option ipaddr '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config interface 'wwan'
	option proto 'dhcp'
	option device 'wlan0'
	option hostname 'TP-Link'
	option peerdns '0'
	list dns '1.1.1.1'

config rule
	option lookup '100'
	option uidrange '224'

config route
	option metric '200'
	option table '100'
	option gateway '192.168.0.1'
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option band '2g'
	option cell_density '0'
	option htmode 'HT40'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'redacted'
	option ssid 'raspberry'
	option ieee80211w '0'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'strawberry'
	option encryption 'psk2'
	option key 'redacted'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wwan'
	option interface 'wwan'
	option ignore '1'

config host
	option name 'android'
	option ip '192.168.1.200'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wwan'
	list device 'tun0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'REJECT'
	option src 'lan'
	option dest 'wan'
	option name 'roku'
	list proto 'all'
	list src_mac 'redacted'
	list src_mac 'redacted'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.100/24 brd 192.168.0.255 scope global wlan0
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.36.0.8/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.36.0.1 dev tun0 
default via 192.168.0.1 dev wlan0  src 192.168.0.100 
10.36.0.0/16 dev tun0 scope link  src 10.36.0.8 
103.125.235.18 via 192.168.0.1 dev wlan0 
103.125.235.18 via 192.168.0.1 dev wlan0 
128.0.0.0/1 via 10.36.0.1 dev tun0 
192.168.0.0/24 dev wlan0 scope link  src 192.168.0.100 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
broadcast 10.36.0.0 dev tun0 table local scope link  src 10.36.0.8 
local 10.36.0.8 dev tun0 table local scope host  src 10.36.0.8 
broadcast 10.36.255.255 dev tun0 table local scope link  src 10.36.0.8 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.0.0 dev wlan0 table local scope link  src 192.168.0.100 
local 192.168.0.100 dev wlan0 table local scope host  src 192.168.0.100 
broadcast 192.168.0.255 dev wlan0 table local scope link  src 192.168.0.100 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
0:	from all lookup local 
1:	from all lookup 100 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Oct 15 04:14 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Nov  7 00:36 /tmp/resolv.conf
-rw-r--r--    1 root     root            36 Nov  7 12:59 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            36 Nov  7 12:59 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wwan
nameserver 1.1.1.1

Thank you
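The two things worth checking in the output above, as an added example that is not part of the thread or of OpenWrt: the route is bound to `option interface 'wan'`, but the posted network config defines only 'loopback', 'lan' and 'wwan' (netifd installs an interface-bound route only when that interface exists and is up), and the posted `ip -4 ro li tab all` output contains no route in table 100 at all, so the uid-224 rule sends lookups to an empty table and the packets fall through to the main table, i.e. to tun0. The script below prints the corrected UCI commands (uid 224 from the posted /etc/passwd, interface 'wwan' from the posted config; the section names `tr_rule`/`tr_route` are labels chosen here) and runs the same checks against the posted output, which is embedded as constructed sample text.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: corrected rule/route as
# UCI commands, plus checks for whether netifd actually installed them.
# Assumptions: Transmission runs as uid 224 and the upstream interface is the
# one named 'wwan' in the posted /etc/config/network.

# Print the UCI commands that create the rule and the table-100 default route.
uci_fix_commands() {
	cat <<'EOF'
uci -q delete network.tr_rule
uci -q delete network.tr_route
uci set network.tr_rule=rule
uci set network.tr_rule.uidrange='224'
uci set network.tr_rule.lookup='100'
uci set network.tr_route=route
uci set network.tr_route.interface='wwan'
uci set network.tr_route.target='0.0.0.0/0'
uci set network.tr_route.gateway='192.168.0.1'
uci set network.tr_route.table='100'
uci commit network
/etc/init.d/network reload
EOF
}

# Is a logical interface named $1 defined in `uci export network` output (stdin)?
interface_defined() {
	grep -q "^config interface '$1'\$"
}

# Does `ip -4 route list table all` output (stdin) hold a default route in
# table $1?  Routes outside the main table are printed with a "table N" suffix.
table_has_default() {
	grep -Eq "^default .* table $1( |\$)"
}

# Does `ip -4 rule` output (stdin) send lookups to table $1?
rule_points_to_table() {
	grep -Eq "lookup $1( |\$)"
}

# Constructed samples: the interface sections and the routing/rule output
# exactly as posted above (note: no "table 100" line anywhere in the routes).
POSTED_NETWORK="config interface 'loopback'
config interface 'lan'
config interface 'wwan'"

POSTED_ROUTES='0.0.0.0/1 via 10.36.0.1 dev tun0
default via 192.168.0.1 dev wlan0  src 192.168.0.100
10.36.0.0/16 dev tun0 scope link  src 10.36.0.8
128.0.0.0/1 via 10.36.0.1 dev tun0
192.168.0.0/24 dev wlan0 scope link  src 192.168.0.100
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1'

POSTED_RULES='0:	from all lookup local
1:	from all lookup 100
32766:	from all lookup main
32767:	from all lookup default'

# Constructed: the extra line the same command prints once the route exists.
FIXED_ROUTES="$POSTED_ROUTES
default via 192.168.0.1 dev wlan0 table 100"

# Say in plain words what the posted output tells us.
diagnose() {
	printf '%s\n' "$POSTED_NETWORK" | interface_defined wan ||
		echo "route binds to interface 'wan', but only 'wwan' is defined: route never installed"
	printf '%s\n' "$POSTED_RULES" | rule_points_to_table 100 &&
		echo "rule -> table 100 is present"
	printf '%s\n' "$POSTED_ROUTES" | table_has_default 100 ||
		echo "table 100 has no default route: matched traffic falls through to main (tun0)"
}

diagnose
echo "--- apply on the router with: ---"
uci_fix_commands
```

After `network reload`, `ip -4 route show table 100` should print the single default route via 192.168.0.1 on wlan0, and `tcpdump -ni wlan0 'not port 22'` should show Transmission's peer traffic with source 192.168.0.100 while everything else still leaves via tun0. Because 'wwan' is a DHCP client, the hard-coded gateway only stays correct as long as the upstream router keeps handing out 192.168.0.1.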

Yeah, you should use wlan0 as it is the wan interface in your router.
You also need to exclude the openvpn traffic from the capture. Change the filter from 'not port 22' to 'not port 22 or not port 1194'. Change the 1194 to the port of OpenVPN.
One last thing, better run the tcpdump directly on the router or post the pcap, because the wireshark output you uploaded is too poor in details.

thank you, I later realized I needed to use wlan0 and updated that post.

I uploaded the pcap file after excluding 22 and 1194 - https://ufile.io/xc8d5b3j

Are you sure?

I'm on linux. Sorry for the trouble :confused:

I tried adding the filter to tcpdump on openwrt but it wouldn't take it so I let it go to wireshark and saved the pcap file there.

I directly tried in openwrt

root@OpenWrt:~# tcpdump -i wlan0 -U -s0 -w /overlay/samba/downloads/ocap.pcap - 'not port 22 or not port 1194'
tcpdump: can't parse filter expression: syntax error
this works

tcpdump -i wlan0 -U -s0 -w /overlay/samba/downloads/ocap.pcap

Edit:
I tried reading/understanding this https://danielmiessler.com/study/tcpdump/ but it didn't help :frowning:

Try this one:
tcpdump -i wlan0 -nv 'not port 22 or not port 1194'
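Two practitioner notes on that capture, as an added example that is not part of the thread. First, in pcap-filter syntax `not` binds tighter than `or`, so `'not port 22 or not port 1194'` still matches an OpenVPN packet (it is not on port 22) and excludes almost nothing; `'not (port 22 or port 1194)'` or `'not port 22 and not port 1194'` is what excludes both. Second, the question about udp/51820 (WireGuard's default port) is answered fastest by tallying destination ports in the `tcpdump -n` text. The thread's real captures are only linked, not on the page, so the packets below are constructed sample lines in `tcpdump -n` format; the ports are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: a capture filter that really excludes the
# listed ports, and a per-destination-port tally of `tcpdump -n` text output.

# Build 'not (port A or port B ...)'. Parentheses matter: `not` has higher
# precedence than `or`, so 'not port 22 or not port 1194' matches nearly everything.
exclude_ports_filter() {
	f=""
	for p in "$@"; do
		f="${f:+$f or }port $p"
	done
	printf 'not (%s)\n' "$f"
}

# Command to run on the router: capture $1 packets on device $2, excluding the
# ports given after. Writing a pcap (-w) keeps full detail for later analysis.
capture_cmd() {
	n=$1; dev=$2; shift 2
	printf "tcpdump -ni %s -c %s -w /tmp/%s.pcap '%s'\n" \
		"$dev" "$n" "$dev" "$(exclude_ports_filter "$@")"
}

# Tally destination ports in `tcpdump -n` text on stdin
# ("HH:MM:SS.us IP src.port > dst.port: ..."); prints "count port", busiest first.
dst_port_counts() {
	awk '$2 == "IP" && $4 == ">" {
		d = $5; sub(/:$/, "", d)
		n = split(d, a, "."); c[a[n]]++
	}
	END { for (p in c) print c[p], p }' | sort -rn
}

# The destination port that received the most packets.
top_dst_port() {
	dst_port_counts | head -n 1 | awk '{ print $2 }'
}

# Constructed sample (not the thread's capture): three datagrams on 51820 and
# two BitTorrent-looking packets (6881 peer, 6969 tracker). Addresses are
# documentation ranges except the router's own 192.168.0.100.
SAMPLE='13:02:11.100001 IP 192.168.0.100.51820 > 198.51.100.7.51820: UDP, length 148
13:02:11.100532 IP 198.51.100.7.51820 > 192.168.0.100.51820: UDP, length 92
13:02:11.200101 IP 192.168.0.100.45612 > 203.0.113.9.6881: UDP, length 103
13:02:11.300222 IP 192.168.0.100.45612 > 203.0.113.10.6969: Flags [S], seq 1, win 64240, length 0
13:02:11.400333 IP 192.168.0.100.51820 > 198.51.100.7.51820: UDP, length 1220'

echo "run on the router (wan side, then the tunnel side for comparison):"
capture_cmd 200 wlan0 22 1194
capture_cmd 200 tun0 22
echo "busiest destination ports in the sample:"
printf '%s\n' "$SAMPLE" | dst_port_counts
```

Running the wlan0 and tun0 captures side by side while a torrent is resumed shows directly which interface Transmission's peer traffic leaves on; if the per-port tally of the wlan0 capture is dominated by a port nobody expects, `netstat -lnp` or `ss -lnp` on the router names the process bound to it.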

Thank you, that worked.

tcpdump - https://ufile.io/1k5r9dhs

There is only WireGuard traffic (udp 51820) in there. Are you certain that you are running only OpenVPN?

Ya, I mean, running openvpn and trying to download via transmission :confused:

I don't follow.
What is the traffic sent from/to 51820?
OpenVPN is supposed to be on 1194.

Edit
What I meant is, after I start to capture, while openvpn is running, I go to transmission and resume a torrent, so it can try to download and the packet capture can see what transmission is trying to do.

Oh, could it be samba or minidlna, I have those running. I am not actively using them though.

Edit
samba