NordVPN on one VLAN

I am trying to configure just one of my VLANs to be routed through NordVPN, and in the settings I do not see a place to select the interface. I figure this is going to have to be set up through the CLI, if it's possible? Currently it just applies the VPN to the LAN interface. I have left my OVPN configuration out of the attached photo.

The VLAN I want to have on NordVPN is 10.10.20.1/24.

ROOTer is an OpenWrt snapshot but with some added functionality for LTE modems.

So after playing with it a bit more I see the VPN bypass section.

Do I just add:

192.168.1.1/24
10.10.10.1/24
10.10.30.1/24
10.10.40.1/24

To the "Local IP Addresses to Bypass" part and clear everything else? Or do I need to figure out local ports?

I do not know about ROOTer, but it should suffice to separate by IP range. See also the common approach with the vpn-bypass package and the policy-based-routing package by @stangri.

You need local ports if you run both a client and a server on the same device simultaneously.

I believe that is the same package ROOTer is using. I'm sorry, but I am new to this and not sure what you mean about the ports. Everything on my OpenWrt setup is stock with the exception of the VLANs, and they are all tagged together on the LAN firewall. I can post a screenshot later of the VPN bypass page to show how I currently have it set up in LuCI.

See the routing table; give the output of the route command.

Okay, I will post this when I get off of work.

Thank you so much :slight_smile:

PS, I have confirmed that ROOTer uses @stangri's package for this.

root@ROOter:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    1      0        0 eth0.2
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0.10
10.10.20.0      *               255.255.255.0   U     0      0        0 eth0.20
10.10.30.0      *               255.255.255.0   U     0      0        0 eth0.30
10.10.40.0      *               255.255.255.0   U     0      0        0 eth0.40
172.23.0.0      *               255.255.0.0     U     0      0        0 zt44xdiic2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     1      0        0 eth0.2

root@ROOter:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.3.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.2.1     0.0.0.0         UG    1      0        0 eth0.2
10.8.3.0        *               255.255.255.0   U     0      0        0 tun0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0.10
10.10.20.0      *               255.255.255.0   U     0      0        0 eth0.20
10.10.30.0      *               255.255.255.0   U     0      0        0 eth0.30
10.10.40.0      *               255.255.255.0   U     0      0        0 eth0.40
128.0.0.0       10.8.3.1        128.0.0.0       UG    0      0        0 tun0
172.23.0.0      *               255.255.0.0     U     0      0        0 zt44xdiic2
185.xxx.70.xxx  192.168.2.1     255.255.255.255 UGH   0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     1      0        0 eth0.2

Ended up getting it figured out. Cleared the VPN bypass completely and added the subnets, and all seems to be working well.

NVM, it's not working correctly.

After I put in the subnets for VPN bypass it seems like it is working, but it is double routing everything.

It acts like it is routing through the VPN for the entire router, and the VPN bypass subnets are routed back normally, if this makes sense.


root@ROOter:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.3.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.2.1     0.0.0.0         UG    1      0        0 eth0.2
10.8.3.0        *               255.255.255.0   U     0      0        0 tun0
10.10.10.0      *               255.255.255.0   U     0      0        0 eth0.10
10.10.20.0      *               255.255.255.0   U     0      0        0 eth0.20
10.10.30.0      *               255.255.255.0   U     0      0        0 eth0.30
10.10.40.0      *               255.255.255.0   U     0      0        0 eth0.40
128.0.0.0       10.8.3.1        128.0.0.0       UG    0      0        0 tun0
172.23.0.0      *               255.255.0.0     U     0      0        0 zt44xdiic2
185.XXX.XX.XXX  192.168.2.1     255.255.255.255 UGH   0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     1      0        0 eth0.2
root@ROOter:~#

It is cutting my speeds in half set up like this on the non-VPN subnets.

Use "policy based routing" to route to the VLAN of your choice. Remove Nord as the default gateway by adding this to your ovpn file: pull-filter ignore "redirect-gateway"

It marks packets and redirects them to a special routing table. See the output of:

ip rule list
ip route show table all

Also, added to this, there are some communication issues going on between all the subnets after I enable the VPN bypass. A specific example is that I cannot access my local Plex server on 192.168.1.190:32400 with VPN bypass on and the VPN on, locally. But if I turn VPN bypass off but leave the VPN on, it works fine locally.

Here are the commands without adding the

root@ROOter:~# ip rule list
0:      from all lookup local
32765:  from all fwmark 0x10000 lookup 200
32766:  from all lookup main
32767:  from all lookup default


root@ROOter:~# ip route show table all
default via 192.168.2.1 dev eth0.2 table 200
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.14
10.10.10.0/24 dev eth0.10 proto kernel scope link src 10.10.10.1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
10.10.30.0/24 dev eth0.30 proto kernel scope link src 10.10.30.1
10.10.40.0/24 dev eth0.40 proto kernel scope link src 10.10.40.1
128.0.0.0/1 via 10.8.2.1 dev tun0
172.xx.0.0/16 dev zt44xdiic2 proto kernel scope link src 172.xx.151.xxx
185.xxx.70.xxx via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto static scope link metric 1
broadcast 10.8.2.0 dev tun0 table local proto kernel scope link src 10.8.2.14
local 10.8.2.14 dev tun0 table local proto kernel scope host src 10.8.2.14
broadcast 10.8.2.255 dev tun0 table local proto kernel scope link src 10.8.2.14
broadcast 10.10.10.0 dev eth0.10 table local proto kernel scope link src 10.10.10.1
local 10.10.10.1 dev eth0.10 table local proto kernel scope host src 10.10.10.1
broadcast 10.10.10.255 dev eth0.10 table local proto kernel scope link src 10.10.10.1
broadcast 10.10.20.0 dev eth0.20 table local proto kernel scope link src 10.10.20.1
local 10.10.20.1 dev eth0.20 table local proto kernel scope host src 10.10.20.1
broadcast 10.10.20.255 dev eth0.20 table local proto kernel scope link src 10.10.20.1
broadcast 10.10.30.0 dev eth0.30 table local proto kernel scope link src 10.10.30.1
local 10.10.30.1 dev eth0.30 table local proto kernel scope host src 10.10.30.1
broadcast 10.10.30.255 dev eth0.30 table local proto kernel scope link src 10.10.30.1
broadcast 10.10.40.0 dev eth0.40 table local proto kernel scope link src 10.10.40.1
local 10.10.40.1 dev eth0.40 table local proto kernel scope host src 10.10.40.1
broadcast 10.10.40.255 dev eth0.40 table local proto kernel scope link src 10.10.40.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.xx.0.0 dev zt44xdiic2 table local proto kernel scope link src 172.xx.151.xx
local 172.xx.151.xxx dev zt44xdiic2 table local proto kernel scope host src 172.xx.151.xxx
broadcast 172.xx.255.xxx dev zt44xdiic2 table local proto kernel scope link src 172.xx.151.xxx
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.108
local 192.168.2.108 dev eth0.2 table local proto kernel scope host src 192.168.2.108
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.108
fd48:1b54:296::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd48:1b54:296::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.40 proto kernel metric 256 pref medium
fe80::/64 dev eth0.20 proto kernel metric 256 pref medium
fe80::/64 dev eth0.30 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev zt44xdiic2 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd48:1b54:296:: dev br-lan table local proto kernel metric 0 pref medium
local fd48:1b54:296::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.10 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.20 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.30 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.40 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev zt44xdiic2 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::7091:20ff:fe20:9d9f dev zt44xdiic2 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.10 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.20 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.30 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.40 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev br-lan table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e9 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::d2d9:a63b:1801:4868 dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.40 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.20 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.30 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.10 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev zt44xdiic2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
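The `ip rule list` and `ip route show table all` output above is enough to see what the kernel does with each packet, so here is a small policy-routing simulator added as an example (this is not code from the OP, ROOTer or @stangri's package). It walks the rules in priority order and does a longest-prefix match inside the selected table, the same two-step decision Linux makes. `POSTED_*` is transcribed from the posted output: the vpn-bypass rule sending fwmark 0x10000 to table 200, and the two half routes (0.0.0.0/1 and 128.0.0.0/1 via tun0) that NordVPN's pushed redirect-gateway installs, which beat the real default route because they are more specific. Two things fall out: unmarked traffic from every VLAN leaves through tun0, and a packet that does get marked for table 200 only ever sees a default route there, so a LAN destination such as 192.168.1.190 would be sent toward the WAN gateway instead of br-lan. `PBR_*` is an assumed layout, not something the thread shows: redirect-gateway ignored, a `lookup main suppress_prefixlength 0` rule that honours every connected route in main but not its default, and a per-source rule sending only 10.10.20.0/24 to a table whose default is the tunnel. Table 201, the rule priorities and the sample hosts are all made up for the example.

```python
"""Simulate Linux policy routing: 'ip rule' selectors, then longest-prefix match
inside the chosen table. Added example for this thread, not code from the OP,
ROOTer or the pbr package. POSTED_* is transcribed from the 'ip rule list' and
'ip route show table all' output above (IPv6/local/broadcast lines dropped);
PBR_* is an assumed per-VLAN layout that the thread does not show."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # 'from' selector; None = all
    fwmark: Optional[int] = None
    suppress_prefixlength: Optional[int] = None  # skip matches this short or shorter


def parse_routes(text: str) -> dict:
    """'ip route show table all' -> {table: [Route]}, IPv4 unicast only; no 'table X' means main."""
    tables: dict = {}
    for line in text.strip().splitlines():
        p = line.split()
        if p[0] in ("local", "broadcast", "unreachable", "anycast", "multicast") or ":" in p[0]:
            continue
        dst = "0.0.0.0/0" if p[0] == "default" else p[0]
        table = p[p.index("table") + 1] if "table" in p else "main"
        tables.setdefault(table, []).append(Route(ipaddress.ip_network(dst, strict=False), p[p.index("dev") + 1]))
    return tables


def parse_rules(text: str) -> list:
    """'ip rule list' -> [Rule]; understands from, fwmark, lookup, suppress_prefixlength."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        src = p[p.index("from") + 1]
        rules.append(Rule(
            priority=int(p[0].rstrip(":")),
            table=p[p.index("lookup") + 1],
            src=None if src == "all" else ipaddress.ip_network(src, strict=False),
            fwmark=int(p[p.index("fwmark") + 1].split("/")[0], 16) if "fwmark" in p else None,
            suppress_prefixlength=(int(p[p.index("suppress_prefixlength") + 1])
                                   if "suppress_prefixlength" in p else None)))
    return rules


def lookup(rules, tables, dst, src=None, fwmark=0):
    """(table, Route) the kernel would pick, or None. First table with a matching route wins
    (longest prefix within it); no match, or a suppressed match, falls through to the next rule."""
    dst_ip = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hits = [r for r in tables.get(rule.table, []) if dst_ip in r.prefix]
        if not hits:
            continue
        best = max(hits, key=lambda r: r.prefix.prefixlen)
        if rule.suppress_prefixlength is not None and best.prefix.prefixlen <= rule.suppress_prefixlength:
            continue
        return rule.table, best
    return None


def egress(rules_text, routes_text, dst, src=None, fwmark=0):
    """(table, device) one flow would leave on, or None."""
    hit = lookup(parse_rules(rules_text), parse_routes(routes_text), dst, src, fwmark)
    return None if hit is None else (hit[0], hit[1].dev)


# From the OP's output: vpn-bypass sends fwmark 0x10000 to table 200, and the
# pushed redirect-gateway halves (0.0.0.0/1, 128.0.0.0/1) beat the real default.
POSTED_RULES = """
0:      from all lookup local
32765:  from all fwmark 0x10000 lookup 200
32766:  from all lookup main
"""
POSTED_ROUTES = """
default via 192.168.2.1 dev eth0.2 table 200
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
128.0.0.0/1 via 10.8.2.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""
# Assumed layout (not from the thread): redirect-gateway ignored, main honoured
# first for everything but its default, then only 10.10.20.0/24 uses table 201.
PBR_RULES = """
1000:   from all lookup main suppress_prefixlength 0
2000:   from 10.10.20.0/24 lookup 201
32766:  from all lookup main
"""
PBR_ROUTES = """
default via 10.8.2.1 dev tun0 table 201
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""
```

Calling `egress(POSTED_RULES, POSTED_ROUTES, "1.1.1.1", "10.10.10.50")` returns `("main", "tun0")`, and the same destination from the same host with `fwmark=0x10000` to 192.168.1.190 returns `("200", "eth0.2")`; with the assumed layout, `egress(PBR_RULES, PBR_ROUTES, "1.1.1.1", "10.10.20.50")` gives `("201", "tun0")` while 10.10.10.50 stays on `("main", "eth0.2")` and 10.10.20.50 still reaches 192.168.1.190 over `br-lan`. The simulator only covers IPv4 unicast forwarding decisions; it ignores the local table, `iif`/`oif` selectors and the `suppress_ifgroup` variant.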

You don't use vpn-bypass with my solution.

"Policy based routing" package

Oh wow, that looks overwhelming

I did add pull-filter ignore "redirect-gateway" to my ovpn file, and it seems to let everything communicate locally now. I am not able to check whether the VPN subnet is working as it should remotely. But my speeds are still less than half with the VPN turned on vs off, no matter if VPN bypass is on or off.

What I am wanting is for the 10.10.20.1/24 subnet to be routed through the VPN and everything else to be normal. I'd still like to be able to communicate with that subnet locally even though it will be directed through the VPN.

Under PBR (policies) you fill out the "Name", add the subnet in the "local address" field, and choose "tun" (or whatever the tun device is named) for "interface" to route the chosen subnet through Nord. Then save and apply.

Oh nice! Do I have to do anything special to get it set up, or will it automatically detect the setting during the install?

In the ovpn file, is it:

pull-filter ignore "redirect-gateway"

or

pull-filter ignore redirect-gateway

Also does it matter where that line is added?

I am still getting some speed issues with the VPN on vs off, with VPN bypass completely disabled.

Works for me.

No, just fill it out on any line.

Make sure vpn-bypass is disabled as it could cause conflicts with PBR.