(SOLVED) Problems with VPN Bypass

Hello.

First of all, I wish you a happy and better new year than 2020!

Ok, I have some trouble with configuration and running of VPN Bypass.
If I type in some domains to bypass, it works. If I type in a remote IP, it doesn't...
For example, if I bypass /wieistmeineip.de/vpnbypass, it works.
If I do an nslookup wieistmeineip.de, it shows me the address 52.29.79.39.
If I try to bypass with this remote IP, it doesn't work.
For this example it doesn't matter if I bypass by domain or IP address, but sometimes I have to use IP addresses or IP ranges...
So how can I get this to work?
For configuration I use LUCI.

Second problem: If I start VPN Bypass it shows me some errors...

Fri Jan  1 16:30:52 2021 user.notice vpnbypass [21774]:  ERROR: iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS
Fri Jan  1 16:30:52 2021 daemon.err modprobe: xt_set is already loaded
Fri Jan  1 16:30:52 2021 daemon.err modprobe: ip_set is already loaded
Fri Jan  1 16:30:52 2021 daemon.err modprobe: ip_set_hash_ip is already loaded
Fri Jan  1 16:30:52 2021 user.notice vpnbypass [21774]: service started with TID: 200; FW_MARK: 0x010000
Fri Jan  1 16:30:52 2021 user.notice vpnbypass [21774]: service monitoring interfaces: lan VyprVPN

Then it doesn't work. I wait one or two hours and, like magic... it bypasses the domains...

Could one of you help me with configuring and starting up this thing without errors?

Hello and happy new year!

There is a typo; it should be -j VPNBYPASS.
Other than that, you need to post the configuration of vpnbypass to troubleshoot.

I restarted the router.
On startup there are these two errors showing up:

Fri Jan  1 16:54:29 2021 user.notice vpnbypass [1091]:  ERROR: iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS
Fri Jan  1 16:54:29 2021 user.notice vpnbypass [1091]:  ERROR: iptables -t mangle -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-mark 0x010000/0xff0000

If I SSH into the router and copy and paste it, there is no more error.

root@OpenWrt:~# iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS
root@OpenWrt:~# iptables -t mangle -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-mark 0x010000/0xff0000
root@OpenWrt:~# 

If I change the flag -g to -j it shows me the following:

root@OpenWrt:~# iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -j VPNBYPASS
iptables: No chain/target/match by that name.
root@OpenWrt:~# 

My /etc/config/vpnbypass looks like this:

config vpnbypass 'config'
        option enabled '1'
        list remotesubnet '52.29.79.39'
        list remotesubnet '52.29.79.0/24'

...and my /etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option confdir '/tmp/dnsmasq.d'
        list server '127.0.0.1#5453'
        option noresolv '1'
        option dnssec '1'
        option dnsseccheckunsigned '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Ok, never mind the -g; I had never seen it before and a quick search didn't show it.
The remotesubnet needs a subnet mask.
What is the output of iptables-save -c -t mangle?


root@OpenWrt:~# iptables-save -c -t mangle
# Generated by iptables-save v1.8.3 on Fri Jan  1 20:21:36 2021
*mangle
:PREROUTING ACCEPT [3298912:3652385547]
:INPUT ACCEPT [1509826:1880727949]
:FORWARD ACCEPT [1745548:1742277417]
:OUTPUT ACCEPT [354902:91126961]
:POSTROUTING ACCEPT [2100432:1833403502]
:VPNBYPASS - [0:0]
[1822:117225] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VyprVPN MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1823:108856] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VyprVPN MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A VPNBYPASS -d 52.29.79.0/24 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -d 52.29.79.39/32 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Fri Jan  1 20:21:36 2021
root@OpenWrt:~#


Something is messed up here; you are missing the line
-A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
Try to restart the service. The errors show up in my log too, but they are not an issue.

Okay. I have restarted the service.

Syslog looks like this:


Fri Jan  1 20:58:29 2021 daemon.err uhttpd[766]: luci: accepted login on / for root from 192.168.1.112
Fri Jan  1 20:59:34 2021 user.notice vpnbypass [5088]:  ERROR: iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS
Fri Jan  1 20:59:34 2021 user.notice vpnbypass [5088]: service stopped
Fri Jan  1 20:59:34 2021 user.notice vpnbypass [5088]:  ERROR: iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS
Fri Jan  1 20:59:34 2021 daemon.err modprobe: xt_set is already loaded
Fri Jan  1 20:59:34 2021 daemon.err modprobe: ip_set is already loaded
Fri Jan  1 20:59:34 2021 daemon.err modprobe: ip_set_hash_ip is already loaded
Fri Jan  1 20:59:34 2021 user.notice vpnbypass [5088]: service started with TID: 200; FW_MARK: 0x010000
Fri Jan  1 20:59:34 2021 user.notice vpnbypass [5088]: service monitoring interfaces: lan VyprVPN

iptables shows this:


root@OpenWrt:~# iptables-save -c -t mangle
# Generated by iptables-save v1.8.3 on Fri Jan  1 21:01:54 2021
*mangle
:PREROUTING ACCEPT [3867:1965189]
:INPUT ACCEPT [1682:811542]
:FORWARD ACCEPT [1411:630369]
:OUTPUT ACCEPT [1837:581285]
:POSTROUTING ACCEPT [3248:1211654]
:VPNBYPASS - [0:0]
[3868:1965517] -A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
[2177:141604] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VyprVPN MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[2183:130500] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VyprVPN MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A VPNBYPASS -d 52.29.79.0/24 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -d 52.29.79.39/32 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Fri Jan  1 21:01:54 2021
root@OpenWrt:~#

That should work, give it a try.

This leads to my second problem.
For testing I added the domain /wieistmeineip.de/vpnbypass to my config and the bypass worked.
If I try to bypass via IP address, it doesn't...
I took the IP address shown by nslookup wieistmeineip.de.

I need to connect to some streaming services like zattoo.com without VPN.
Therefore I would like to bypass remote IPs instead of domains, because the domain didn’t work and zattoo still recognized the VPN.

This is not a problem. If you try the IP it will hit the first rule. If you hit the name it will hit the 3rd rule. Does it work or not?

With the IP no, it doesn’t...

Ahhh, okay. You mean if I bypass via IP, I have to enter this IP into my browser instead of https://www.wieistmeineip.de

If I try to enter the IP in Safari, the webpage shows:

Forbidden

You don't have permission to access this resource.

Well, isn't it obvious?

Not every site allows access by IP, as the IP might be used by multiple sites.
As long as the counters in the iptables rules are not zero:zero you are good.
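The two checks suggested in this thread (is the PREROUTING jump into VPNBYPASS present, and are the VPNBYPASS counters non-zero) can be scripted against the output of iptables-save -c -t mangle. The script below is an added example and is not part of the thread or of the vpnbypass package; the two dumps embedded in it are constructed, modelled on the before/after output posted above, and the function and variable names are my own. It accepts either -g (goto) or -j (jump) for the PREROUTING rule, since both are valid iptables targets, and additionally counts duplicated VPNBYPASS rules, which the first dump above shows after an unclean restart.

```shell
#!/bin/sh
# Added example, not from the thread or the vpnbypass package.
# Sanity checks over `iptables-save -c -t mangle` output.

# Constructed sample: the broken state seen in the thread (no PREROUTING
# jump into VPNBYPASS, and the set rule appears twice).
SAMPLE_BROKEN='*mangle
:PREROUTING ACCEPT [3298912:3652385547]
:VPNBYPASS - [0:0]
[0:0] -A VPNBYPASS -d 52.29.79.0/24 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -d 52.29.79.39/32 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT'

# Constructed sample: the working state after a service restart, with
# made-up counters so that the IP rules show traffic.
SAMPLE_OK='*mangle
:PREROUTING ACCEPT [3867:1965189]
:VPNBYPASS - [0:0]
[3868:1965517] -A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
[30:4000] -A VPNBYPASS -d 52.29.79.0/24 -j MARK --set-xmark 0x10000/0xff0000
[12:1500] -A VPNBYPASS -d 52.29.79.39/32 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT'

# has_prerouting_jump DUMP: prints 1 if PREROUTING hands unmarked packets to
# VPNBYPASS via -g or -j, else 0. Without this rule the chain is never consulted.
has_prerouting_jump() {
    printf '%s\n' "$1" \
        | grep -Eq '^\[[0-9]+:[0-9]+\] -A PREROUTING .*--mark 0x0+/0xff0000 -[gj] VPNBYPASS$' \
        && echo 1 || echo 0
}

# vpnbypass_hits DUMP: prints the summed packet counter of all VPNBYPASS rules.
# A total of 0 after generating traffic means nothing is being marked.
vpnbypass_hits() {
    printf '%s\n' "$1" | awk '
        $2 == "-A" && $3 == "VPNBYPASS" {
            counters = substr($1, 2, length($1) - 2)   # "[pkts:bytes]" -> "pkts:bytes"
            split(counters, c, ":")
            total += c[1]
        }
        END { print total + 0 }'
}

# duplicate_rules DUMP: prints how many distinct VPNBYPASS rules appear more
# than once (counters stripped before comparing). Duplicates do not break
# marking, but they indicate the service was started without a clean stop.
duplicate_rules() {
    printf '%s\n' "$1" \
        | awk '$2 == "-A" && $3 == "VPNBYPASS" { $1 = ""; print substr($0, 2) }' \
        | sort | uniq -d | awk 'END { print NR }'
}

# report DUMP: one-line verdict. On a router: report "$(iptables-save -c -t mangle)"
report() {
    if [ "$(has_prerouting_jump "$1")" = 0 ]; then
        echo "BROKEN: no PREROUTING -> VPNBYPASS jump; restart the vpnbypass service"
    elif [ "$(vpnbypass_hits "$1")" = 0 ]; then
        echo "UNUSED: jump present but no VPNBYPASS rule has matched yet"
    else
        echo "OK: $(vpnbypass_hits "$1") packets marked, $(duplicate_rules "$1") duplicate rule(s)"
    fi
}

report "$SAMPLE_BROKEN"
report "$SAMPLE_OK"
```

Run it on the router as `report "$(iptables-save -c -t mangle)"` after generating some traffic to a bypassed address; a BROKEN verdict matches the first dump in this thread, an OK verdict with non-zero packets matches the second.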

Hmmm... okay, thanks again for helping me out. Now I understand how this works.

I think there is no solution for my problem to access Amazon Prime Video and Zattoo without the VPN tunnel with the tool vpnbypass. :neutral_face:

My setup now is great, but I need to connect to some services without VPN.
I thought this would be easy to manage with vpnbypass.

Definitely uses many different hostnames to provide its content. I don't know about Zattoo, but why not.
Maybe you will have better chance with vpn-policy-routing package.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Thanks for your reply, I will have a look at the policy routing package tomorrow.
I tried to check my traffic with an HTTP proxy and entered the domains in vpnbypass, but it didn't work.
