Hi, I have been trying to create a static route to bypass openvpn for specific destination addresses (e.g. 8.8.8.8). My laptop is on 192.168.2.255 and outside global (though not actually global) is 192.168.1.1.
First I tried adding this entry in /etc/config/network:
That just doesn't seem to work. Traceroute stops at the inside global interface (192.168.1.208). Eventually I got to this:
8.8.8.8 via 192.168.1.1 dev eth0.2 src 192.168.2.1
This seems to do what I want, but only based on traceroute from the OpenWRT router. Traceroute passing through the router (from 192.168.2.255) behaves the same as before, landing on outside local (192.168.2.1) twice then terminating.
I'm not sure what to try next. Specifying scope global explicitly doesn't help. I will continue trying to figure this out, but any insight would be appreciated.
This means 8.8.8.8 is directly reachable on the local network without using a gateway, which isn't the case. (You also don't need a gateway on peer to peer interfaces such as wireguard.)
It seems to use the wrong src address in the route. That will only affect traffic from the OpenWrt router itself, but it indicates something is wrong. We probably need more information about the network configuration and routing table.
0.0.0.0/1 via 10.7.7.1 dev tun0
default via 192.168.1.1 dev eth0.2 src 192.168.1.208
10.7.7.0/24 dev tun0 scope link src 10.7.7.8
95.174.67.84 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.7.7.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.208
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
In /etc/config/firewall I just commented out forwarding from lan to wan and added a forwarding entry from lan to vpn. Now that I think about it, this might be part of the problem. I will try to figure out how to do this with ip routes, but I'm not confident that I will know if it is working properly.
It seems like that was the cause, sorry for troubling you. This is what I have set up instead (hopefully it works):
ip route show:
0.0.0.0/1 via 10.7.7.1 dev tun0
default via 10.7.7.1 dev tun0
10.7.7.0/24 dev tun0 scope link src 10.7.7.8
95.174.67.84 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.7.7.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.208
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
8.8.8.8 via 192.168.1.1 dev eth0.2
In /etc/config/firewall:
config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'VPN Bypass 1'
	option dest 'wan'
	option dest_ip '8.8.8.8'

config rule
	option enabled '1'
	option src 'lan'
	option name 'VPN Block'
	option dest 'wan'
	option target 'DROP'
The only problem I see with this is that I will have to manually edit the static route if my outside global address (192.168.1.1) changes... Or so I was going to say, but Vgaetera beat me to it! This looks perfect. Now I just need to figure out where to install it.
There's probably a better way of doing this, but I put that into a script in my root directory and call it from /etc/rc.local, wrapped in if [ $(uci get network.autoroute) ]; then ... to prevent duplicates. Seems to be working well so far.
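The script shape discussed in the last two posts (install a host route for each bypass destination, read the upstream gateway at run time instead of hard-coding 192.168.1.1, and avoid duplicate entries when rc.local re-runs it) looks roughly like the following. This is an added illustration written for this page; it is not Vgaetera's script nor the poster's, and nothing here was taken from the thread beyond the routing table. It assumes BusyBox sh on OpenWrt, that the upstream interface is the uci logical interface named "wan" (the thread's eth0.2 / 192.168.1.1), that the bypass list is supplied through a BYPASS_IPS variable (default 8.8.8.8, a constructed choice), and that the standard /lib/functions/network.sh helpers are available. The route alone only steers packets; the firewall rules shown above (ACCEPT lan to wan for dest_ip 8.8.8.8, then DROP lan to wan) remain the part that stops everything else from leaking past the tunnel, so keep them in that order.

```shell
#!/bin/sh
# vpn-bypass.sh: pin a few destinations to the physical WAN hop instead of tun0.
# Added example for this page, not code from the thread. Assumptions: BusyBox sh,
# uci interface "wan" is the upstream (eth0.2 in the thread), BYPASS_IPS lists the
# destinations (the 8.8.8.8 default is a constructed value).

BYPASS_IPS="${BYPASS_IPS:-8.8.8.8}"

# Read `ip route show` output on stdin and print each host route (a bare dotted
# quad destination with a next hop) as "DEST GATEWAY DEV". Prefix routes such as
# 0.0.0.0/1 or 192.168.1.0/24 and the bare "default" entry are skipped.
host_routes() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 == "via" && $4 == "dev" {
             print $1, $3, $5
         }'
}

# Return 0 when DEST already routes via GATEWAY on DEV in the table on stdin.
# Used to decide whether anything needs to be done on a re-run from rc.local.
route_present() {
    host_routes | grep -qx "$1 $2 $3"
}

# Build the ip(8) command for one bypass destination. `replace` is idempotent by
# itself, so duplicates cannot accumulate even without the check above. No `src`
# is given: the kernel picks the address configured on DEV, which is what the
# earlier "src 192.168.2.1" attempt in the thread got wrong.
bypass_cmd() {
    printf 'ip route replace %s/32 via %s dev %s\n' "$1" "$2" "$3"
}

# OpenWrt entry point: ask netifd for the current WAN gateway and device so the
# routes follow a changed upstream address, then install any that are missing.
install_bypass_routes() {
    . /lib/functions/network.sh
    network_flush_cache
    network_get_gateway gw wan || return 1
    network_get_device dev wan || return 1
    table="$(ip route show)"
    for ip in $BYPASS_IPS; do
        if printf '%s\n' "$table" | route_present "$ip" "$gw" "$dev"; then
            continue
        fi
        eval "$(bypass_cmd "$ip" "$gw" "$dev")"
    done
}

# Usage from /etc/rc.local (or a hotplug script so it re-runs when wan comes up):
#   BYPASS_IPS="8.8.8.8" /root/vpn-bypass.sh install
case "$1" in
    install) install_bypass_routes ;;
esac
```

Running it from a hotplug script under /etc/hotplug.d/iface/ rather than only from rc.local means the route is re-created if the upstream gateway changes after boot; the functions are the same either way.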