NordVPN on router - selective bypass routing for specific services not working after reboot

Hello OpenWrt community,

Since I don't have enough knowledge in the field of network technology, my attempts with ChatGPT or Claude were unsuccessful.

I'm running OpenWrt 24.10.3 on a Netgear Nighthawk X4S R7800 with NordVPN configured via OpenVPN. The VPN works well and routes all traffic correctly, but I need to create bypass routes for specific services (Melcloud IoT app and Riot Games) that block VPN connections.

Current Setup:

  • OpenVPN client connects successfully to NordVPN
  • Interface: pppoe-wan
  • VPN interface: tun0
  • VPN creates routes: 0.0.0.0/1 via 10.100.0.1 dev tun0 and 128.0.0.0/1 via 10.100.0.1 dev tun0

Goal: Route specific IPs/subnets directly via WAN (bypassing VPN):

  • Melcloud: 20.90.134.31, 54.228.217.214, 54.220.153.200, 52.31.101.249
  • Riot Games: 104.16.0.0/12, 172.64.0.0/13, 184.86.103.214, 184.86.103.206, 185.40.64.65

Problem: When I add bypass routes manually, they work:

ip route add 20.90.134.31 via 62.155.245.134 dev pppoe-wan

However, after reboot these routes are lost. I've tried:

Attempt 1: Hotplug script /etc/hotplug.d/iface/40-bypass-routing

#!/bin/sh
[ "$ACTION" = "ifup" ] || exit 0
[ "$INTERFACE" = "pppoe-wan" ] || exit 0
sleep 5
ip route add 20.90.134.31 via 62.155.245.134 dev pppoe-wan 2>/dev/null

... more routes

Result: Script not executed on boot (no log entries)

Attempt 2: /etc/rc.local

#!/bin/sh
sleep 30
ip route add 20.90.134.31 via 62.155.245.134 dev pppoe-wan 2>/dev/null

... more routes

exit 0

Result: Routes are added BUT default route via WAN takes priority over VPN routes, causing ALL traffic to bypass VPN

Current routing table after rc.local:

0.0.0.0/1 via 10.100.0.1 dev tun0
default via 62.155.245.134 dev pppoe-wan proto static
20.90.134.31 via 62.155.245.134 dev pppoe-wan
104.16.0.0/12 via 62.155.245.134 dev pppoe-wan

Question: What's the correct way to create persistent selective bypass routes in OpenWrt that:

  1. Survive reboots
  2. Don't interfere with VPN default routing
  3. Only apply to specific destination IPs/subnets

Should I use ip rules with routing tables instead? Or modify the OpenVPN configuration?

Thank you for any guidance!

The easiest solution for selective bypasses (that will survive reboots and is simple to configure) is to use Policy Based Routing.

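The policy-based approach recommended in the reply above, written out with plain `ip rule` and a dedicated routing table; this is an added example, not code from the thread or from the OpenWrt project. The table id 100, the priority 1000 and the `DRY_RUN` switch are assumptions of the example, and the WAN device and gateway are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Table id, priority and DRY_RUN are
# assumptions of this sketch; the destinations are those listed in the post.
BYPASS_TABLE=100   # assumed unused routing-table id
BYPASS_PRIO=1000   # assumed priority; evaluated before the main table (32766)
BYPASS_DESTS="20.90.134.31 54.228.217.214 54.220.153.200 52.31.101.249
104.16.0.0/12 172.64.0.0/13 184.86.103.214 184.86.103.206 185.40.64.65"

# Print the ip command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# Shape check for an IPv4 address or CIDR, so a typo in the list is skipped
# instead of becoming an unintended rule.
valid_dest() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# bypass_apply WAN_DEV WAN_GW
# The main table, including the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes, is
# not modified. Only the listed destinations are looked up in BYPASS_TABLE,
# whose single route is a default via the WAN gateway.
bypass_apply() {
    dev=$1
    gw=$2
    [ -n "$dev" ] && [ -n "$gw" ] || { echo "usage: bypass_apply DEV GW" >&2; return 2; }
    # Remove earlier state so a re-run after a reconnect does not stack rules
    # (old rules are only deleted when DRY_RUN=0).
    run route flush table "$BYPASS_TABLE"
    while [ "${DRY_RUN:-1}" != 1 ] && ip rule del priority "$BYPASS_PRIO" 2>/dev/null; do :; done
    run route add default via "$gw" dev "$dev" table "$BYPASS_TABLE"
    for dest in $BYPASS_DESTS; do
        valid_dest "$dest" || { echo "skipping invalid entry: $dest" >&2; continue; }
        run rule add to "$dest" lookup "$BYPASS_TABLE" priority "$BYPASS_PRIO"
    done
}

# Review the generated commands first:  bypass_apply pppoe-wan 62.155.245.134
# Then apply them on the router:        DRY_RUN=0 bypass_apply pppoe-wan 62.155.245.134
```

Call it from whatever runs once the WAN is up; in `/etc/hotplug.d/iface/` scripts `$INTERFACE` holds the logical network name (for example `wan`), while the device name such as `pppoe-wan` is in `$DEVICE`. The `/12` and `/13` entries together send about 1.5 million addresses outside the tunnel, so narrow them if the service's real ranges are smaller.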

Please remove all AI generated content. That IP subnet is GLOBALLY UNROUTABLE.