I am trying to configure just one of my VLANs to be routed through NordVPN, and in the settings I do not see a place to select the interface. I figure this is going to have to be set up through the CLI, if it's possible? Currently it just applies the VPN to the LAN interface. I have left my OVPN configuration out of the attached photo.
I do not know about ROOTer, but it should suffice to separate by IP range. See also common approach with vpn-bypass package, policy-based-routing package by @stangri
You need local ports, if you run both client, and server on the same device simultaneously.
I believe that is the same package ROOTer is using. I'm sorry but I am new to this and not sure what you mean on the ports. Everything on my OpenWRT setup is stock with the exception of the VLANs and they are all tagged together on the LAN firewall. I can post a screenshot later of the VPN bypass page to show how I currently have it setup in luci
Use "policy based routing" to route to the vlan of your choice. Remove nord as the default gateway by adding this to your ovpn file: pull-filter ignore "redirect-gateway"
Also, adding to this, there are some communication issues going on between all the subnets after I enable the VPN bypass. A specific example is I cannot access my local Plex server on 192.168.1.190:32400 with VPN bypass on and VPN on locally. But if I turn VPN bypass off but VPN on, it works fine locally.
root@ROOter:~# ip rule list
0: from all lookup local
32765: from all fwmark 0x10000 lookup 200
32766: from all lookup main
32767: from all lookup default
root@ROOter:~# ip route show table all
default via 192.168.2.1 dev eth0.2 table 200
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.8.2.0/24 dev tun0 proto kernel scope link src 10.8.2.14
10.10.10.0/24 dev eth0.10 proto kernel scope link src 10.10.10.1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
10.10.30.0/24 dev eth0.30 proto kernel scope link src 10.10.30.1
10.10.40.0/24 dev eth0.40 proto kernel scope link src 10.10.40.1
128.0.0.0/1 via 10.8.2.1 dev tun0
172.xx.0.0/16 dev zt44xdiic2 proto kernel scope link src 172.xx.151.xxx
185.xxx.70.xxx via 192.168.2.1 dev eth0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto static scope link metric 1
broadcast 10.8.2.0 dev tun0 table local proto kernel scope link src 10.8.2.14
local 10.8.2.14 dev tun0 table local proto kernel scope host src 10.8.2.14
broadcast 10.8.2.255 dev tun0 table local proto kernel scope link src 10.8.2.14
broadcast 10.10.10.0 dev eth0.10 table local proto kernel scope link src 10.10.10.1
local 10.10.10.1 dev eth0.10 table local proto kernel scope host src 10.10.10.1
broadcast 10.10.10.255 dev eth0.10 table local proto kernel scope link src 10.10.10.1
broadcast 10.10.20.0 dev eth0.20 table local proto kernel scope link src 10.10.20.1
local 10.10.20.1 dev eth0.20 table local proto kernel scope host src 10.10.20.1
broadcast 10.10.20.255 dev eth0.20 table local proto kernel scope link src 10.10.20.1
broadcast 10.10.30.0 dev eth0.30 table local proto kernel scope link src 10.10.30.1
local 10.10.30.1 dev eth0.30 table local proto kernel scope host src 10.10.30.1
broadcast 10.10.30.255 dev eth0.30 table local proto kernel scope link src 10.10.30.1
broadcast 10.10.40.0 dev eth0.40 table local proto kernel scope link src 10.10.40.1
local 10.10.40.1 dev eth0.40 table local proto kernel scope host src 10.10.40.1
broadcast 10.10.40.255 dev eth0.40 table local proto kernel scope link src 10.10.40.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.xx.0.0 dev zt44xdiic2 table local proto kernel scope link src 172.xx.151.xx
local 172.xx.151.xxx dev zt44xdiic2 table local proto kernel scope host src 172.xx.151.xxx
broadcast 172.xx.255.xxx dev zt44xdiic2 table local proto kernel scope link src 172.xx.151.xxx
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.108
local 192.168.2.108 dev eth0.2 table local proto kernel scope host src 192.168.2.108
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.108
fd48:1b54:296::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd48:1b54:296::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.40 proto kernel metric 256 pref medium
fe80::/64 dev eth0.20 proto kernel metric 256 pref medium
fe80::/64 dev eth0.30 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev zt44xdiic2 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd48:1b54:296:: dev br-lan table local proto kernel metric 0 pref medium
local fd48:1b54:296::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.10 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.20 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.30 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.40 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev zt44xdiic2 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::7091:20ff:fe20:9d9f dev zt44xdiic2 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.10 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.20 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.30 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev eth0.40 table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e8 dev br-lan table local proto kernel metric 0 pref medium
local fe80::7a24:afff:fe7d:3e9 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::d2d9:a63b:1801:4868 dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.40 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.20 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.30 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.10 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev zt44xdiic2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
I did add pull-filter ignore "redirect-gateway" to my ovpn file and it seems to let everything communicate locally now. I am not able to check to see if the VPN subnet is working as it should remotely. But my speeds are still less than half with the VPN turned on vs off, no matter if VPN bypass is on or off.
What I am wanting is the 10.10.20.1/24 subnet to be routed through the VPN and everything else be normal. I'd still like to be able to communicate with that subnet locally even though it will be directed through the VPN.
Under PBR (policies) you fill out the "Name" and add the subnet in the "local address" field. Choose "tun" (or whatever the tun device is named) for "interface" to route the chosen subnet through Nord. And save and apply.
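
A check for the state the thread is aiming at, added here as an example and not posted by anyone in the thread: it audits `ip route show table all` output to confirm that the main table no longer carries the `0.0.0.0/1` and `128.0.0.0/1` routes that `redirect-gateway` installs via `tun0`, and that some policy table has its default route on `tun0`. The two samples are constructed from the output posted above; table id `201` and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the state posted in the thread (redirect-gateway still honoured).
SAMPLE_BEFORE='default via 192.168.2.1 dev eth0.2 table 200
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
128.0.0.0/1 via 10.8.2.1 dev tun0'

# Constructed sample: the intended state (table id 201 is an assumption).
SAMPLE_AFTER='default via 192.168.2.1 dev eth0.2 table 200
default via 10.8.2.1 dev tun0 table 201
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1'

# main_table_hijacked ROUTES DEV: exit 0 if the main table sends the
# default route or either /1 half of the address space out of DEV.
main_table_hijacked() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        / table / { next }   # main-table routes carry no "table N" suffix
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# vpn_tables ROUTES DEV: print ids of policy tables whose default leaves via DEV.
vpn_tables() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" {
            t = ""; d = ""
            for (i = 2; i < NF; i++) {
                if ($i == "table") t = $(i+1)
                if ($i == "dev")   d = $(i+1)
            }
            if (t != "" && d == dev) print t
        }'
}

# audit ROUTES DEV: 0 = split tunnel in place, 1 = VPN is the global default,
# 2 = no policy table points at the VPN (the chosen subnet would use the WAN).
audit() {
    if main_table_hijacked "$1" "$2"; then
        echo "FAIL: main table routes all traffic via $2"; return 1
    fi
    tables=$(vpn_tables "$1" "$2")
    [ -n "$tables" ] || { echo "FAIL: no policy table defaults to $2"; return 2; }
    echo "OK: policy table(s) $tables default to $2"
}

audit "$SAMPLE_BEFORE" tun0 || true
audit "$SAMPLE_AFTER" tun0
```

On the router itself the same check runs as `audit "$(ip route show table all)" tun0`.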