Rule to exclude IP from OpenVPN (nord) breaks WAN connection

Hello,

This is my first post here, so hi everyone.

I own a Linksys WRT1900ACS and a NordVPN subscription. I used the instructions from here to set it up on my router, and it works without any issue.

For several reasons (Netflix on a SmartTV, a work computer that does not connect correctly through the VPN, etc.) I need to route some of my devices outside of the VPN. I've assigned one of them a static IP, which also seems to work OK. Then I used this topic to set up the rule. Unfortunately, after adding the two additional sections to /etc/config/network, that device does not connect to the outside network anymore (but it does connect to the router). Other devices seem to still work fine, and go through the VPN. Unfortunately, the thread is closed, so I cannot reply to it. Below is my /etc/config/network. Please let me know if there is any useful information I've missed.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddf:c9aa:3666::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '103.86.96.100'
	list dns '103.86.99.100'
	option macaddr '00:16:D3:B2:3F:7A'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
#	option gateway '0.0.0.0'
	option table '2'

config rule
	option src '192.168.1.100/32'
#	option priority '2'
	option lookup '2'

Hello and welcome Andy!
I don't think priority is needed in the rule. It will be assigned automatically.
In the static route you should use some gateway. If the gateway is not the same each time you connect, you can try to omit it. But gateway 0.0.0.0 means no gateway.


Hi trendy!

I've commented out the lines (also edited my original post) and rebooted the router. Unfortunately, no improvement. :(

Could you then post the output of the following commands?
`ip -4 addr; ip -4 ro list table all; ip -4 ru`


Sure!

root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1.2
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.7.3.4/24 brd 10.7.3.255 scope global tun0
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro list table all
default dev eth1.2 table 2 proto static scope link
0.0.0.0/1 via 10.7.3.1 dev tun0
default via 192.168.0.1 dev eth1.2 proto static src 192.168.0.100
10.7.3.0/24 dev tun0 proto kernel scope link src 10.7.3.4
128.0.0.0/1 via 10.7.3.1 dev tun0
192.168.0.0/24 dev eth1.2 proto kernel scope link src 192.168.0.100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
212.7.222.61 via 192.168.0.1 dev eth1.2
broadcast 10.7.3.0 dev tun0 table local proto kernel scope link src 10.7.3.4
local 10.7.3.4 dev tun0 table local proto kernel scope host src 10.7.3.4
broadcast 10.7.3.255 dev tun0 table local proto kernel scope link src 10.7.3.4
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1.2 table local proto kernel scope link src 192.168.0.100
local 192.168.0.100 dev eth1.2 table local proto kernel scope host src 192.168.0.100
broadcast 192.168.0.255 dev eth1.2 table local proto kernel scope link src 192.168.0.100
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
root@OpenWrt:~# ip -4 ru
0:      from all lookup local
1:      from 192.168.1.100 lookup 2
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

Use

option gateway 192.168.0.1

for the route. It doesn't look like it will change, so you'll be fine.

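Added example, not from the thread: a small Python model of the lookup the kernel performs (rule list by priority, then longest-prefix match in the selected table), fed with the `ip -4 ru` and `ip -4 ro list table all` output posted above. It shows why ordinary LAN clients leave through tun0 (the two /1 routes beat the `default` route), why 192.168.1.100 is sent to table 2, and what the gateway advice changes: with `default dev eth1.2` and no `via`, the next hop is the destination address itself, so the router ARPs for internet addresses on eth1.2 and only a proxy-ARP upstream could answer. The `route_for` helper, the source/destination pairs looked up, and the "fixed" table variant are constructed here.

```python
"""Model of the Linux policy-routing lookup (ip rule, then longest-prefix
match in the chosen table) run over the tables posted above.
Added example: RULES/ROUTES are copied from the thread's `ip -4 ru` and
`ip -4 ro list table all` output; the lookups and the 'fixed' variant are
constructed here."""
import ipaddress
from typing import Dict, List, Tuple

RULES = """\
0:      from all lookup local
1:      from 192.168.1.100 lookup 2
32766:  from all lookup main
32767:  from all lookup default
"""

# Non-local routes exactly as posted (table 2 still has no gateway).
ROUTES = """\
default dev eth1.2 table 2 proto static scope link
0.0.0.0/1 via 10.7.3.1 dev tun0
default via 192.168.0.1 dev eth1.2 proto static src 192.168.0.100
10.7.3.0/24 dev tun0 proto kernel scope link src 10.7.3.4
128.0.0.0/1 via 10.7.3.1 dev tun0
192.168.0.0/24 dev eth1.2 proto kernel scope link src 192.168.0.100
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
212.7.222.61 via 192.168.0.1 dev eth1.2
"""

# Table 2 as it looks once `option gateway '192.168.0.1'` is set (assumed here).
FIXED_ROUTES = ROUTES.replace("default dev eth1.2 table 2",
                              "default via 192.168.0.1 dev eth1.2 table 2")

TABLE_IDS = {"local": 255, "main": 254, "default": 253}
Rule = Tuple[int, ipaddress.IPv4Network, int]  # (priority, from-prefix, table)


def _table(name: str) -> int:
    return TABLE_IDS.get(name) or int(name)


def parse_rules(text: str) -> List[Rule]:
    """'1: from 192.168.1.100 lookup 2' -> (1, 192.168.1.100/32, 2)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        tok = rest.split()
        src = tok[tok.index("from") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src, strict=False)
        rules.append((int(prio), net, _table(tok[tok.index("lookup") + 1])))
    return sorted(rules)


def parse_routes(text: str) -> Dict[int, List[dict]]:
    """Group `ip route list table all` lines by table id (no 'table' = main)."""
    tables: Dict[int, List[dict]] = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("local", "broadcast"):
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "table": 254}
        for key, val in zip(tok[1::2], tok[2::2]):  # remaining tokens are key/value pairs
            if key == "via":
                route["via"] = str(ipaddress.ip_address(val))
            elif key == "dev":
                route["dev"] = val
            elif key == "table":
                route["table"] = _table(val)
        tables.setdefault(route["table"], []).append(route)
    return tables


def lookup(rules: List[Rule], tables: Dict[int, List[dict]], src: str, dst: str) -> dict:
    """Walk the rules by priority; the first table holding a matching route
    wins, and a table with no matching route falls through to the next rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, net, table in rules:
        if s not in net:
            continue
        hits = [r for r in tables.get(table, []) if d in r["dst"]]
        if not hits:
            continue
        best = max(hits, key=lambda r: r["dst"].prefixlen)
        return {"rule": prio, "table": table, "dev": best["dev"], "via": best["via"],
                # no gateway: the kernel treats dst as on-link and ARPs for it directly
                "next_hop": best["via"] if best["via"] is not None else str(d)}
    raise LookupError(f"no route from {src} to {dst}")


def needs_proxy_arp(result: dict) -> bool:
    """Gateway-less route on an Ethernet (non point-to-point) interface."""
    return result["via"] is None and not result["dev"].startswith("tun")


def route_for(src: str, dst: str, fixed: bool = False) -> dict:
    """Lookup against the thread's tables; fixed=True uses table 2 with a gateway."""
    routes = FIXED_ROUTES if fixed else ROUTES
    return lookup(parse_rules(RULES), parse_routes(routes), src, dst)


if __name__ == "__main__":
    for src, dst, fixed in [("192.168.1.50", "1.1.1.1", False),
                            ("192.168.1.50", "212.7.222.61", False),
                            ("192.168.1.100", "1.1.1.1", False),
                            ("192.168.1.100", "1.1.1.1", True)]:
        r = route_for(src, dst, fixed)
        note = "  (needs proxy ARP upstream)" if needs_proxy_arp(r) else ""
        print(f"{src} -> {dst}: table {r['table']} dev {r['dev']} next hop {r['next_hop']}{note}")
```

The model only covers the route types seen in the posted output; `local`/`broadcast` entries are skipped because forwarded traffic from the TV never matches them. Note also that once rule 1 selects table 2, the main table is not consulted for that host at all, so anything that host should reach via a main-table route (the VPN server's /32, for instance) must be repeated in table 2.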

trendy,

Actually, this is the IP of another router, which I've used to connect without VPN until now. I've just got rid of it and connected directly through my OpenWrt router instead. Now the device (Smart TV) is able to connect to the internet, and it is outside of the VPN (as nordvpn.com confirms).

However, I'm still not able to connect to Netflix, as I am able to when going with the factory settings. I suspect something is still overwritten for that IP (192.168.1.100) by the VPN settings (DNS?). Here's the new output from the commands you provided earlier:

root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 213.5.45.46/26 brd 213.5.45.63 scope global eth1.2
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.7.0.7/24 brd 10.7.0.255 scope global tun0
       valid_lft forever preferred_lft forever
root@OpenWrt:~# ip -4 ro list table all
default dev eth1.2 table 2 proto static scope link 
0.0.0.0/1 via 10.7.0.1 dev tun0 
default via 213.5.45.1 dev eth1.2 proto static src 213.5.45.46 
10.7.0.0/24 dev tun0 proto kernel scope link src 10.7.0.7 
128.0.0.0/1 via 10.7.0.1 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
212.7.222.61 via 213.5.45.1 dev eth1.2 
213.5.45.0/26 dev eth1.2 proto kernel scope link src 213.5.45.46 
broadcast 10.7.0.0 dev tun0 table local proto kernel scope link src 10.7.0.7 
local 10.7.0.7 dev tun0 table local proto kernel scope host src 10.7.0.7 
broadcast 10.7.0.255 dev tun0 table local proto kernel scope link src 10.7.0.7 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 213.5.45.0 dev eth1.2 table local proto kernel scope link src 213.5.45.46 
local 213.5.45.46 dev eth1.2 table local proto kernel scope host src 213.5.45.46 
broadcast 213.5.45.63 dev eth1.2 table local proto kernel scope link src 213.5.45.46 
root@OpenWrt:~# ip -4 ru
0:	from all lookup local 
1:	from 192.168.1.100 lookup 2 
32766:	from all lookup main 
32767:	from all lookup default

Did you update the command to:

option gateway 213.5.45.1

???

Also make sure that the TV is using DNS from your provider, not VPN. (read the network settings page on your tv)
In case this is against the global setting, which is the default, you'll need to create a tag in dhcp config file.
https://openwrt.org/docs/guide-user/base-system/dhcp#classifying_clients_and_assigning_individual_options


It looks like you've already resolved this. But there is a package that makes this very easy: vpnbypass (https://github.com/stangri/openwrt_packages/blob/master/vpnbypass/files/README.md)

If you need more configurability: vpn-policy-routing (https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md)

I used vpnbypass for the same problem that you ran into.


trendy,

No, I have the whole option gateway commented out now, as in my first post, so this is the ISP gateway then, I guess.

For the DNS, I've set the static IPs using LuCI, and it seems to have added an unnecessary option:

option dns '1'

I've commented it out just now and rebooted; the /etc/config/dhcp looks like the below. But it's still not working. Would sending the output of your three commands help? My TV is using the correct IP, but both the automatically obtained gateway and DNS server are 192.168.1.1 (so my router). I would like to avoid changing the config on the TV; instead I would like the router to push the correct DNS and gateway to the TV.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'TV-CABLE'
#       option dns '1'
        option mac '50:56:BF:A7:EF:46'
        option ip '192.168.1.100'
        option leasetime '1d'

config host
#       option dns '1'
        option mac '50:EB:71:59:C1:53'
        option ip '192.168.0.101'
        option leasetime '1d'
        option name 'abcd'

nunyabidnes,

Thanks, I'll try that if manual config fails.

Remove the hash; this needs to be activated.

The gateway pushed is the router itself.
The DNS pushed is also the router itself.
For that you need to add a tag. The dns option in the host config is irrelevant to what we want to do; you can leave it.

config host
        option name 'TV-CABLE'
        option dns '1'
        option mac '50:56:BF:A7:EF:46'
        option ip '192.168.1.100'
        option leasetime '1d'
        option tag 'novpn'

config tag 'novpn'
        option dhcp_option '6,8.8.8.8,8.8.4.4'

You can use different DNS than the Google ones I used there. Basically you need to add the tag option and then define that this tag will provide the custom DNS. I think you cannot add that in LuCI, so be careful how you edit, or use uci.

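Added example, not part of the thread or of OpenWrt: a Python check that reads the dhcp config above in UCI syntax and answers which DNS servers each static lease is actually offered, following the dnsmasq tag semantics trendy relies on with `config tag 'novpn'`: a host carrying `option tag` receives that tag's `dhcp_option` 6 values, every other client receives the router itself. It also flags a static lease whose address lies outside the LAN subnet, as the second `config host` above does with 192.168.0.101; such a lease cannot be offered on the lan interface. The config text is copied from the posts; `ROUTER_IP`, `LAN` and the function names are assumptions made here.

```python
"""Which DNS servers will each static lease be handed, given an OpenWrt
/etc/config/dhcp fragment?  Added example, not from the thread.
Modelled behaviour (dnsmasq as driven by OpenWrt): a host with
'option tag X' gets the dhcp_option values of 'config tag X'; all other
clients get the router's own address as DNS server (option 6)."""
import ipaddress
import shlex
from typing import Dict, List

# Copied from the posts above: the lan pool, both static hosts, and the tag.
DHCP_CONFIG = """\
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'TV-CABLE'
        option dns '1'
        option mac '50:56:BF:A7:EF:46'
        option ip '192.168.1.100'
        option leasetime '1d'
        option tag 'novpn'

config host
        option mac '50:EB:71:59:C1:53'
        option ip '192.168.0.101'
        option leasetime '1d'
        option name 'abcd'

config tag 'novpn'
        option dhcp_option '6,8.8.8.8,8.8.4.4'
"""

ROUTER_IP = "192.168.1.1"      # assumed: br-lan address from the thread
LAN = "192.168.1.0/24"         # assumed: lan subnet from the thread


def parse_uci(text: str) -> List[Dict]:
    """Minimal UCI reader: one dict per 'config' section, '#' lines ignored."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None,
                             "options": {}, "lists": {}})
        elif tok[0] == "option":
            sections[-1]["options"][tok[1]] = tok[2]
        elif tok[0] == "list":
            sections[-1]["lists"].setdefault(tok[1], []).append(tok[2])
    return sections


def tag_dns(sections: List[Dict], tag: str) -> List[str]:
    """DNS servers carried by DHCP option 6 of the named tag ([] if none)."""
    for s in sections:
        if s["type"] == "tag" and s["name"] == tag:
            opts = s["lists"].get("dhcp_option", [])
            if "dhcp_option" in s["options"]:
                opts = [s["options"]["dhcp_option"]] + opts
            for entry in opts:
                code, *values = entry.split(",")
                if code.strip() in ("6", "dns-server"):
                    # ip_address() rejects typos such as '8.8.8' before dnsmasq would
                    return [str(ipaddress.ip_address(v.strip())) for v in values]
    return []


def dns_for_mac(sections: List[Dict], mac: str) -> List[str]:
    """What a client with this MAC is offered as DNS server(s)."""
    for s in sections:
        if s["type"] == "host" and s["options"].get("mac", "").lower() == mac.lower():
            servers = tag_dns(sections, s["options"]["tag"]) if "tag" in s["options"] else []
            if servers:
                return servers
            break
    return [ROUTER_IP]   # untagged or unknown client: the router itself


def misplaced_leases(sections: List[Dict], lan: str = LAN) -> List[str]:
    """Static leases whose address is outside the LAN subnet; the lan DHCP
    server cannot offer these, so the client never gets its intended IP."""
    net = ipaddress.ip_network(lan)
    return [s["options"].get("name", s["options"].get("mac", "?"))
            for s in sections
            if s["type"] == "host" and ipaddress.ip_address(s["options"]["ip"]) not in net]


CONF = parse_uci(DHCP_CONFIG)

if __name__ == "__main__":
    for mac in ("50:56:BF:A7:EF:46", "50:EB:71:59:C1:53", "00:11:22:33:44:55"):
        print(mac, "->", dns_for_mac(CONF, mac))
    print("leases outside", LAN, ":", misplaced_leases(CONF))
```

Running it shows only the tagged TV receiving 8.8.8.8/8.8.4.4 while every other client keeps 192.168.1.1, and lists `abcd` as a lease that can never be handed out on the lan network. The `option dns '1'` line on the host is parsed but, as trendy notes, plays no part in which DNS servers are offered.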

trendy,

That solved it! The TV is working fine outside of VPN, and can connect to Netflix, the rest of the devices are behind VPN.

Thank you very much!

