Simplest way to bypass a VPN

I have read a lot of posts about bypassing a VPN. I only need to get regional Netflix working again. I have read about VPN bypass, VPN Policy-Based Routing, static routes and so on, and I'm confused about what the simplest way to get Netflix working is. Could you please help me find an easier way to do that? My OpenVPN is working very well.

Thank you so much!

VPN Policy-Based Routing > Netflix Domains


Thank you so much!

I have installed vpn-policy-routing and all its dependencies. Everything is working fine. :smiling_face_with_three_hearts:

I only edited the config file /etc/config/vpn-policy-routing, but it is not routing Netflix. I also added a Test policy to check it; that does not work either.

Is this config the minimum necessary to get Netflix working? I did not change anything in other files.

[UPDATE]
I will update the post with recommendations found here.

  • content of /etc/config/dhcp
config dnsmasq
        option domainneeded     1
        option boguspriv        1
        option filterwin2k      0  # enable for dial on demand
        option localise_queries 1
        option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
        option rebind_localhost 1  # enable for RBL checking and similar services
        #list rebind_domain example.lan  # whitelist RFC1918 responses for domains
        option local    '/lan/'
        option domain   'lan'
        option expandhosts      1
        option nonegcache       0
        option authoritative    1
        option readethers       1
        option leasefile        '/tmp/dhcp.leases'
        option resolvfile       '/tmp/resolv.conf.auto'
        #list server            '/mycompany.local/1.2.3.4'
        option nonwildcard      1 # bind to & keep track of interfaces
        #list interface         br-lan
        #list notinterface      lo
        #list bogusnxdomain     '64.94.110.11'
        option localservice     1  # disable to allow DNS requests from non-local subnets

config dhcp lan
        option interface        lan
        option start    100
        option limit    150
        option leasetime        12h

config dhcp wan
        option interface        wan
        option ignore   1
  • content of /etc/config/firewall
config defaults                                                                                                                                         
        option syn_flood '1'                                                                                                                            
        option input 'ACCEPT'                                                                                                                           
        option output 'ACCEPT'                                                                                                                          
        option forward 'REJECT'                                                                                                                         
        option drop_invalid '1'                                                                                                                         
                                                                                                                                                        
config zone                                                                                                                                             
        option name 'lan'                                                                                                                               
        list network 'lan'                                                                                                                              
        option input 'ACCEPT'                                                                                                                           
        option output 'ACCEPT'                                                                                                                          
        option forward 'ACCEPT'                                                                                                                         
                                                                                                                                                        
# wan zone: covers the 'wan' and 'wan6' networks; inbound and forwarded traffic
# arriving from this side is dropped unless a rule below accepts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        # NOTE(review): masquerading is off on wan. LAN traffic that is policy-routed
        # out this interface would leave with its 192.168.1.x source address, so the
        # upstream gateway (192.168.0.254 in the support output) needs a return route
        # to the LAN, or this must be '1' - confirm which is intended.
        option masq '0'
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-DHCP-Renew'                                                                                                                  
        option src 'wan'                                                                                                                                
        option proto 'udp'                                                                                                                              
        option dest_port '68'                                                                                                                           
        option target 'ACCEPT'                                                                                                                          
        option family 'ipv4'                                                                                                                            
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-Ping'                                                                                                                        
        option src 'wan'                                                                                                                                
        option proto 'icmp'                                                                                                                             
        option icmp_type 'echo-request'                                                                                                                 
        option family 'ipv4'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-IGMP'                                                                                                                        
        option src 'wan'                                                                                                                                
        option proto 'igmp'                                                                                                                             
        option family 'ipv4'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                 
config rule                                                                                                                                             
        option name 'Allow-DHCPv6'                                                                                                                      
        option src 'wan'                                                                                                                                
        option proto 'udp'                                                                                                                              
        option src_ip 'fc00::/6'                                                                                                                        
        option dest_ip 'fc00::/6'                                                                                                                       
        option dest_port '546'                                                                                                                          
        option family 'ipv6'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-MLD'                                                                                                                         
        option src 'wan'                                                                                                                                
        option proto 'icmp'                                                                                                                             
        option src_ip 'fe80::/10'                                                                                                                       
        list icmp_type '130/0'                                                                                                                          
        list icmp_type '131/0'                                                                                                                          
        list icmp_type '132/0'                                                                                                                          
        list icmp_type '143/0'                                                                                                                          
        option family 'ipv6'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-ICMPv6-Input'                                                                                                                
        option src 'wan'                                                                                                                                
        option proto 'icmp'                                                                                                                             
        list icmp_type 'echo-request'                                                                                                                   
        list icmp_type 'echo-reply'                                                                                                                     
        list icmp_type 'destination-unreachable'                                                                                                        
        list icmp_type 'packet-too-big'                                                                                                                 
        list icmp_type 'time-exceeded'                                                                                                                  
        list icmp_type 'bad-header'                                                                                                                     
        list icmp_type 'unknown-header-type'                                                                                                            
        list icmp_type 'router-solicitation'                                                                                                            
        list icmp_type 'neighbour-solicitation'                                                                                                         
        list icmp_type 'router-advertisement'                                                                                                           
        list icmp_type 'neighbour-advertisement'                                                                                                        
        option limit '1000/sec'                                                                                                                         
        option family 'ipv6'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                        
config rule                                                                                                                                             
        option name 'Allow-ICMPv6-Forward'                                                                                                              
        option src 'wan'                                                                                                                                
        option dest '*'                                                                                                                                 
        option proto 'icmp'                                                                                                                             
        list icmp_type 'echo-request'                                                                                                                   
        list icmp_type 'echo-reply'                                                                                                                     
        list icmp_type 'destination-unreachable'                                                                                                        
        list icmp_type 'packet-too-big'                                                                                                                 
        list icmp_type 'time-exceeded'                                                                                                                  
        list icmp_type 'bad-header'                                                                                                                     
        list icmp_type 'unknown-header-type'                                                                                                            
        option limit '1000/sec'                                                                                                                         
        option family 'ipv6'                                                                                                                            
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-IPSec-ESP'                                                                                                                   
        option src 'wan'                                                                                                                                
        option dest 'lan'                                                                                                                               
        option proto 'esp'                                                                                                                              
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config rule                                                                                                                                             
        option name 'Allow-ISAKMP'                                                                                                                      
        option src 'wan'                                                                                                                                
        option dest 'lan'                                                                                                                               
        option dest_port '500'                                                                                                                          
        option proto 'udp'                                                                                                                              
        option target 'ACCEPT'                                                                                                                          
                                                                                                                                                        
config include                                                                                                                                          
        option path '/etc/firewall.user'                                                                                                                
                                                                                                                                                        
# Zone for the OpenVPN tunnel ('openvpn' network, tun0 in /etc/config/network).
# Nothing is accepted or forwarded in from the tunnel; outbound traffic is NATed.
config zone
        option name 'expressvpn'
        option network 'openvpn'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# The only forwarding in this file: LAN clients may reach the VPN zone.
# NOTE(review): there is no lan -> wan forwarding and the default forward policy
# above is REJECT, so LAN traffic cannot leave through wan. That works as a VPN
# kill switch (no leak if the tunnel drops), but it also blocks any
# vpn-policy-routing policy that sends traffic via 'wan'. If selected destinations
# are meant to bypass the tunnel, a lan -> wan forwarding is needed, and the kill
# switch then depends on the routing policy rather than on the firewall.
# /etc/firewall.user is included above and not shown - confirm it adds nothing relevant.
config forwarding
        option dest 'expressvpn'
        option src 'lan'
  • content of /etc/config/network
 config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd50:47ca:da83::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
#       list dns '8.8.8.8'
#       list dns '8.8.4.4'
        option peerdns '1'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
#       list dns '2001:4860:4860::8888'
#       list dns '2001:4860:4860::8844'
        option peerdns '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'openvpn'
        option ifname 'tun0'
        option proto 'none'
  • content of /etc/config/vpn-policy-routing
# Global settings of the vpn-policy-routing service.
config vpn-policy-routing 'config'
        option verbosity '2'
        # Strict enforcement: when a policy's gateway is down, its traffic is blocked
        # rather than falling back to the default route.
        option strict_enforcement '1'
        option src_ipset '0'
        # Domain destinations are meant to be tracked through dnsmasq's ipset support.
        # NOTE(review): the support output on this page lists the policies as fixed /32
        # iptables rules and shows the 'wan' and 'openvpn' ipsets empty, so the ipset
        # path does not appear to be used for these policies - confirm.
        option dest_ipset 'dnsmasq.ipset'
        # IPv6 policy routing is off; the support output shows IPv4 tables only.
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option enabled '1'
        # Interfaces that policies may route through: the ISP uplink and the tunnel.
        list supported_interface 'wan'
        list supported_interface 'openvpn'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

# Policy: send Netflix-related destinations out 'wan' instead of the VPN tunnel.
# NOTE(review): src_addr '192.168.1.1/26' is applied as 192.168.1.0/26 (.0-.63) in the
# VPR_PREROUTING rules shown on this page, while the lan DHCP pool in /etc/config/dhcp
# (start 100, limit 150) hands out .100-.249. DHCP clients therefore fall outside
# this policy unless they have static addresses inside the /26 - confirm the range.
# NOTE(review): the support output shows these domains expanded to fixed /32 rules,
# apparently resolved when the service loaded; addresses handed out later by DNS
# would not match - confirm.
config policy
        option name 'Netflix Domains'
        option interface 'wan'
        option src_addr '192.168.1.1/26'
        # amazonaws.com is much broader than Netflix: if it is matched by domain, any
        # AWS-hosted service reached from these sources would also leave outside the
        # tunnel. Keep the list as narrow as the use case allows.
        option dest_addr 'amazonaws.com netflix.com nflxext.com nflxvideo.net dvd.netflix.com nflximg.com nflxsearch.net'

# Policy: test entry that routes myip.com via 'wan' to check whether the bypass
# works. It uses the same source range and has the same mismatch with the DHCP
# pool noted above.
config policy
        option interface 'wan'
        option src_addr '192.168.1.1/26'
        option name 'Test'
        option dest_addr 'myip.com'
  • the output of /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.3. WAN (IPv4): wan/dev/192.168.0.254.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.169.0.113    128.0.0.0       UG    0      0        0 tun0
default         192.168.0.254   0.0.0.0         UG    0      0        0 eth1.2
IPv4 Table 201: default via 192.168.0.254 dev eth1.2
IPv4 Table 201 Rules:
32727:	from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 10.169.0.114 dev tun0
IPv4 Table 202 Rules:
32726:	from all fwmark 0x20000/0xff0000 lookup 202
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.0/26 -d 104.31.66.68/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 104.31.67.68/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 172.67.208.45/32 -m comment --comment Test -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 50.17.247.9/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 204.236.236.127/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.20.175.192/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 52.31.48.193/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.252.74.1/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 46.137.171.215/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 18.236.7.30/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 44.226.113.145/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.218.19.240/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.45.72.215/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.45.72.201/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 52.87.87.3/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.174.34.188/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.21.49.97/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 34.198.43.9/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 107.23.174.29/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.209.108.109/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.210.65.253/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 54.156.193.108/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 72.21.206.80/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 207.171.166.22/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.1.0/26 -d 72.21.210.29/32 -m comment --comment Netflix_Domains -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
  • the output of /etc/init.d/vpn-policy-routing reload with verbosity setting set to 2
Creating table 'wan/eth1.2/192.168.0.254' [✓]
Creating table 'openvpn/tun0/10.169.0.114' [✓]
Routing 'Netflix Domains' via wan [✓]
Routing 'Test' via wan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1.2/192.168.0.254
openvpn/tun0/10.169.0.114 [✓]
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan openvpn .
# Enable the first 'config include' section of /etc/config/vpn-policy-routing. In the
# config posted on this page that is /etc/vpn-policy-routing.netflix.user, which is
# currently set to enabled '0'.
# NOTE(review): presumably the service executes this user file when it starts - read
# the file before enabling it, since it changes which traffic leaves outside the VPN.
uci set vpn-policy-routing.@include[0].enabled="1"
# Write the staged change to the config file.
uci commit vpn-policy-routing
# Restart the service so the newly enabled include is processed.
/etc/init.d/vpn-policy-routing restart
# Print the first lines of the 'wan' ipset to check that it now has entries; in the
# support output on this page the set exists but is empty.
ipset list wan | head