Set default route to WAN (not VPN) and tunnel traffic based on policies

Currently, all traffic is going through my VPN by default. I want it to go through WAN by default (I will route certain traffic through VPN based on policies). I am very new to this. Is there a simple instruction that I can follow that effects this change so that all traffic goes to WAN by default? This should make my policy based routing much simpler...


You can disregard the default route from the vpn server. Add route-noexec or route-nopull in the OpenVPN or don't route allowed IPs in Wireguard.

I don't know... Is this really something for the OpenVPN? I was thinking there should be a way to direct all internet bound traffic to WAN directly and bypass the VPN tunnel altogether and only direct certain internet traffic through the tunnel, based on policies... Am wrong?

Are wrong.


I keep missing comments on this forum... Weird... Sorry about that... Anyway... I caught the sarcasm of "Are Wrong" as a response to my typo-ed "Am wrong?" Sorry, I tend to make a mistake every now and then. I try not to but it keeps happening for some reason....

Anyway, I tried the route-nopull (Stan suggested it too) in every which way I could think of, but adding it actually resulted in the OpenVPN instance not even wanting to start. Go Figure. I am sure I am making a mistake again, so if you can maybe tell me exactly where to put that command, it would be greatly appreciated.

At the same time I would like to ask the following:

Does every VPN server push a redirect-gateway?
I am using NordVPN and I followed their instructions to the letter in setting it up. I copied a part of the instructions below: Do these instructions not point all traffic to the VPN tunnel?
If so, then did I then not manually do that, as opposed to it being pushed by the server, and isn't this then where I need to fix it?

Create a new network interface. Note that these are two ways to do it, and we do not recommend doing both at the same time. Yet we recommend the following interface method:

    uci set network.nordvpntun=interface
    uci set network.nordvpntun.proto='none'
    uci set network.nordvpntun.ifname='tun0'
    uci commit network

Create a new firewall zone and add forwarding rule from LAN to VPN:

    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='nordvpntun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall

This should work. I put route no-exec and route no-pull in my openvpn config and the tunnel comes up with no explicit routes defined. All routing is then controlled by vpn-policy-routing policies.

Did you try both statements?

I think in Luci is the easiest:

Only if it is configured to do so. They usually do however for simplicity.

If you mean the creation of the interface, the zone, and the forwarding, no they don't. They allow lan traffic to the vpn, but don't have anything to do with routing.

Thanks for that Trendy! I appreciate it! I will give it a shot!


I am starting to feel a bit stupid.. I cannot for the life of me find that window.... Where should I look for it??

This one?

Before I asked, I literally clicked on every single thing I could find. Of course I am familiar with the OpenVPN and VPN Policy Routing apps. Unfortunately I do not see these options anywhere....

I did, they both have the same effect, which is the VPN instance not wanting to start, until I remove the line. Is there maybe a specific section in the file where I have to add it?

Just add the option in the config file of the Nordvpn and restart.
Monitor the log for errors when the vpn doesn't start.

I was so excited... I added them again and this time the instance did start up. I thought I was finally there... Unfortunately the effect was no different. I turned off all policies to see where the traffic is going and it is still going through the VPN tunnel...

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

    uci export network; uci export wireless; \
    uci export dhcp; uci export firewall; \
    head -n -0 /etc/firewall.user; \
    iptables-save -c; ip6tables-save -c; \
    ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
    ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
    ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.* ; \
    cat /etc/config/vpn-policy-routing; /etc/init.d/vpn-policy-routing support

I've got those two lines right near the top of my config file.

Try setting verb 5 or higher to get more logging

Thanks, I will do that tonight and revert!

RESOLVED!! Guys I finally found it. Your suggestions were really close and it was probably my lack of skill in not knowing how to make it work. So thanks for your input! However, just in case somebody else that is as stupid as I am, ever runs into this problem, here is what finally worked for me:

The exact line that I added to the bottom of the NordVPN config file (for example /etc/openvpn/NordUSAxxxxUDP.ovpn) is:

    --pull-filter ignore redirect-gateway

As you can see, it is a little bit different from what Stan has in his notes (which is list pull_filter 'ignore "redirect-gateway"') I don't have the skill to really understand what the difference is, but it worked for me. I am not saying that Stan's is incorrect. I am sure I did it wrong, but this worked for me.
By the way, I ended up finding this on an interesting page on ignoring redirect-gateway:
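As an added example (not from the thread, NordVPN or OpenWrt), here is a small POSIX sh script covering both fixes discussed above: it checks whether an OpenVPN client config carries route-nopull, route-noexec or the pull-filter line, appends the pull-filter line if none is present, and reads `ip -4 route` text to report which device really carries Internet-bound traffic, since a pushed redirect-gateway def1 leaves "default" in place and adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead. Function names, the config path argument and the sample route tables are all assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an OpenVPN client config
# guards against a pushed redirect-gateway (route-nopull, route-noexec, or the
# pull-filter line from the fix), and read `ip -4 route` output to see which
# device really carries Internet traffic. Note: redirect-gateway def1 leaves
# "default" alone and adds 0.0.0.0/1 + 128.0.0.0/1 via the tunnel instead.
# All config lines and route tables here are constructed.
# Print "yes" if the config already ignores the pushed default route, else "no".
config_ignores_redirect_gateway() {
    f=$1   # OpenVPN config path; a leading "--" on an option is allowed there
    if grep -Eq '^[[:space:]]*(--)?(route-nopull|route-noexec)([[:space:]]|$)' "$f"; then
        echo yes
    elif grep -Eq '^[[:space:]]*(--)?pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway' "$f"; then
        echo yes
    else
        echo no
    fi
}

# Append the pull-filter line if no guard is present; print "added" or "present".
ensure_redirect_gateway_ignored() {
    if [ "$(config_ignores_redirect_gateway "$1")" = yes ]; then
        echo present
    else
        printf '%s\n' 'pull-filter ignore "redirect-gateway"' >> "$1"
        echo added
    fi
}

# Print the device that effectively carries Internet-bound traffic: the def1
# half-routes if both exist via one device, otherwise the "default" route.
effective_default_dev() {
    printf '%s\n' "$1" | awk '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i+1) }
        $1 == "default"     { d  = dev }
        $1 == "0.0.0.0/1"   { lo = dev }
        $1 == "128.0.0.0/1" { hi = dev }
        END {
            if (lo != "" && lo == hi) print lo
            else if (d != "")         print d
            else                      print "none"
        }'
}

# Constructed route table: tunnel up with redirect-gateway def1 pushed.
ROUTES_DEF1='default via 192.0.2.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
192.0.2.0/24 dev eth0 scope link'
```

Run `ip -4 route` on the router and pass its output to effective_default_dev to confirm that, with all policies off, Internet-bound traffic leaves via the WAN device and not tun0.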

