[SOLVED] Route single IP outside openvpn

Hi all,
I have NordVPN set up on my HH5 router using the tutorial from the NordVPN site, and it works fine with one issue.
I'm trying to direct a single wireless device that is used for Netflix to bypass the VPN.
Is there an easy way to do this, please?

@toonage, welcome to the community!

Sure, use policy-based routing to only permit the IP to use it.

# in /etc/config/network

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway 'xxx.xxx.xxx.xxx'
	option table '2'

config rule
	option src '192.168.1.x/32'
	option priority '2'
	option lookup '2'

He wants to bypass the VPN and use the regular ISP, so the route should use the wan interface rather than the VPN.


@trendy, thanks!

Edit made.

The wan interface, not lan.
And the gateway can be omitted in case it is not the same each time the wan reconnects.

Cannot omit gateway on an Ethernet-based route.

The OP may have to reverse the bypass if that's an issue.

(Also, apologies on the confusion I had to fix above, I mixed up this thread and another one I was responding to.)

https://openwrt.org/docs/guide-user/network/routes_configuration
"Network gateway. If omitted, the gateway from the parent interface is taken."


Thanks.
So just to be clear on this: if the static IP I want to route outside of the VPN is 192.168.1.100, would it be as follows, with no need to add a line for the gateway?

# in /etc/config/network

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule
	option src '192.168.1.100/32'
	option priority '2'
	option lookup '2'

Yes, looks good. Just adapt the interface name in case you are not using the default wan.

Great stuff. I'll give this a go this evening and let you know how I get on. Do I need to install anything, or do I simply add it to the network section and it will understand the lookup rule?

Install the package ip-full if it doesn't work and it is not already there.

Hi. Unfortunately that didn't work. Below is what is in /etc/config/network. Any suggestions please?

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdce:fb0b:73e0::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'a'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '34:8a:ae:d5:7c:ac'

config interface 'wan'
	option ifname 'dsl0.101'
	option proto 'dhcp'
	option ipv6 '1'
	option peerdns '0'
	list dns '4.4.4.4'
	list dns '8.8.8.8'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr '34:8a:ae:d5:7c:ad'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule
	option src '192.168.1.100/32'
	option priority '2'
	option lookup '2'

Can you try renumbering LAN instead (as first suggested)?

I changed option interface from wan to 'lan' and retried, but after rebooting this stopped all devices from working and I had to factory reset the router to get back up and running.

Was it incorrect to change the config route to lan, and was that referring to something else?

Please try to follow.

  • You want to access your device on WAN at 192.168.1.254
  • Your LAN is 192.168.1.0/24
  • You made a static route to 192.168.1.254/32 (Mask 255.255.255.255), or whatever IP on WAN - it didn't work

So now:

  • You will remove that route and rule
  • Consider re-attempting renumbering your LAN

To renumber your LAN edit the IP under LAN on /etc/config/network THEN JUST REBOOT.

(Again, these were TWO separate suggestions. Since the route didn't work, try renumbering your LAN again.)

Please post the output of the following, all in one line.
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
What is the IP address of the host that you watch Netflix and want to exclude from vpn?
Does it have static IP or have you reserved a static DHCP lease?

The IP of the wireless device is set to static via a DHCP lease of 192.168.1.100.
Below is the output. I appreciate everyone's help on this so far:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:d479:4517::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'a'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '34:8a:ae:d5:7c:ac'

config interface 'wan'
        option ifname 'dsl0.101'
        option proto 'dhcp'
        option ipv6 '1'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '34:8a:ae:d5:7c:ad'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'



config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'F8:04:2E:B4:9A:E8'
        option ip '192.168.1.100'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 88.105.54.8/20 brd 88.105.63.255 scope global dsl0.101
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.7.1.2/24 brd 10.7.1.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.7.1.1 dev tun0
default via 88.105.48.1 dev dsl0.101 proto static src 88.105.54.8
10.7.1.0/24 dev tun0 proto kernel scope link src 10.7.1.2
88.105.48.0/20 dev dsl0.101 proto kernel scope link src 88.105.54.8
128.0.0.0/1 via 10.7.1.1 dev tun0
192.145.126.157 via 88.105.48.1 dev dsl0.101
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

I don't see the rule and route in network config.

I had removed it as it did not work. I have re-added it and posted the log below:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd49:d479:4517::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'a'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '34:8a:ae:d5:7c:ac'

config interface 'wan'
        option ifname 'dsl0.101'
        option proto 'dhcp'
        option ipv6 '1'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '34:8a:ae:d5:7c:ad'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '2'

config rule
        option src '192.168.1.100/32'
        option priority '2'
        option lookup '2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'



config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'


config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option mac 'F8:04:2E:B4:9A:E8'
        option ip '192.168.1.100'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 88.105.54.8/20 brd 88.105.63.255 scope global dsl0.101
       valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.7.1.3/24 brd 10.7.1.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.7.1.1 dev tun0
default via 88.105.48.1 dev dsl0.101 proto static src 88.105.54.8
10.7.1.0/24 dev tun0 proto kernel scope link src 10.7.1.3
88.105.48.0/20 dev dsl0.101 proto kernel scope link src 88.105.54.8
128.0.0.0/1 via 10.7.1.1 dev tun0
192.145.126.157 via 88.105.48.1 dev dsl0.101
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0:      from all lookup local
2:      from 192.168.1.100 lookup 2
32766:  from all lookup main
32767:  from all lookup default

Hmmm. What is strange is that when I go to check the IP address on the TV I use for Netflix, it shows the IP outside of the VPN, but for whatever reason Netflix can still detect it as a VPN.
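An added offline check (not code from the thread) that parses `ip -4 rule` and route-table output of the form posted above, confirming the per-host rule, the WAN default in table 2, and whether the router's own traffic (including dnsmasq's upstream DNS queries, which do not match a `from 192.168.1.100` rule) still leaves through the tunnel; HOST, TABLE, WAN_DEV and TUN_DEV are assumptions taken from the posted config, and every sample output is constructed.

```shell
#!/bin/sh
# Added example; not from the thread. Values below are assumptions copied from
# the posted config, and the sample outputs are constructed to mirror it.
HOST=192.168.1.100
TABLE=2
WAN_DEV=dsl0.101
TUN_DEV=tun0

# Constructed sample of `ip -4 rule` after the rule was added.
RULES_OK='0:      from all lookup local
2:      from 192.168.1.100 lookup 2
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of `ip -4 rule` before the rule existed.
RULES_MISSING='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample of `ip -4 route show table 2` with the WAN default in place.
TABLE_OK='default via 88.105.48.1 dev dsl0.101 proto static'

# Constructed sample of the main table: the two /1 routes send everything via tun0.
MAIN_OK='0.0.0.0/1 via 10.7.1.1 dev tun0
default via 88.105.48.1 dev dsl0.101 proto static src 88.105.54.8
128.0.0.0/1 via 10.7.1.1 dev tun0'

# has_rule RULES HOST TABLE: succeeds when a "from HOST lookup TABLE" rule is present.
has_rule() {
    printf '%s\n' "$1" | awk -v h="$2" -v t="$3" '
        $2 == "from" && $3 == h && $4 == "lookup" && $5 == t { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# default_dev ROUTES: prints the device of the default route in ROUTES, if any.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# tunnel_covers_all ROUTES DEV: succeeds when both 0.0.0.0/1 and 128.0.0.0/1 go via DEV,
# i.e. router-originated traffic (its own DNS forwarding included) still uses the VPN
# because the per-host rule only matches packets sourced from HOST.
tunnel_covers_all() {
    printf '%s\n' "$1" | awk -v d="$2" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == d) n++ }
        END { exit (n == 2 ? 0 : 1) }'
}

# pbr_status RULES TABLE_ROUTES MAIN_ROUTES: prints a one-word diagnosis.
pbr_status() {
    has_rule "$1" "$HOST" "$TABLE" || { echo rule-missing; return 1; }
    [ "$(default_dev "$2")" = "$WAN_DEV" ] || { echo wan-default-missing; return 2; }
    tunnel_covers_all "$3" "$TUN_DEV" && { echo ok-but-router-dns-via-vpn; return 0; }
    echo ok
}
```

On the router itself the three arguments would come from `ip -4 rule`, `ip -4 route show table 2` and `ip -4 route`.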