VPN Bypass (split tunneling) Service + Luci UI

This was created out of necessity -- my internet traffic is routed thru VPN tunnel (my router is VPN client) and I needed split tunneling to route some traffic outside of the VPN tunnel.

Started with connections to local Plex Media Server then I wanted to access some domains and IP ranges outside of the VPN tunnel and then I wanted some local network IPs/ranges to access internet outside of VPN tunnel. All of that is supported in the service.

Make sure to check out the README for detailed information and instructions.

Both packages can be installed from my repo: https://stangri.github.io/openwrt-repo/.


  1. At least for now, domains have to be defined in dhcp config, not in the vpnbypass config.
  2. Any feedback on functionality or the code or any suggestions are always welcome.

Super cool, will be taking a peek at this. Would be really nice to integrate this. I already added a long list of PIA "recipes" into my build, and will be doing some IPVanish ones as well. Would be cool to integrate it all into one package.

Any thought into making a luci page for it?

Yeah, making a luci page won't be too much work, however I have close to zero experience with Makefiles, so making an ipk is an issue for me.

Woohoo, thanks to @diizzy I've made a proper package for vpnbypass.


You think you will work on rules to route particular IPs outside of the tunnel? I know in my case I would like the ability to have a VPN client running on the router, but only have 3 - 4 IPs that actually go over that tunnel, while the rest of the traffic takes the normal WAN route outside of the tunnel.

This is nice for users with faster internet speeds, who really only want to have a few sacrificial lambs, so to say, to the throttled VPN single core gods, while all else enjoys the exposed fast connection.

I would also vote for this. Sometimes you only want specific traffic to go inside the tunnel and rest bypass it.

If that's the case then I believe it should be best done with the openvpn config and not using openvpn server routes as defaults.

However as a work-around, you can define as an exclusion range (instead of the default and only assign addresses below 129 to the devices you want to go thru OpenVPN.

@cybrnook, @dziny -- I want to limit the number of changes I make to the code while the pull request for the official repo is open, but I can post a special build for you gentlemen where you could specify select IPs to use the tunnel and everything else to go outside of it, if you are willing to test it. Let me know.


Like you even have to ask :slight_smile: Heck yeah man!

Ok, if you grab both the latest vpnbypass and luci-app-vpnbypass from https://github.com/stangri/Files you should be set to go.

What you need to set is an option I temporarily called reverselocalsubnet/Reverse Local IP Subnets.

Things should break if you have more than one of them (only the last one should work AFAIK) and to further complicate things, it's in the format of a subnet, not range of IPs.

For a single IP to have VPN connection you can use IP/32 ( For the range, use online netmask calculators (or this: https://kthx.at/subnetmask/) but with /30 you get 4 IPs in the range, with /29 you'll get 8 and so on.

Any questions -- just ask.


So, since @cybrnook made me aware of a more elegant policy-based openvpn routing available on a different firmware, I've decided to abandon the awkwardly-named "reverse local subnet" thingy and pursue the equivalent policy-based routing functionality within vpnbypass.

In the meantime, besides the short-lived build 1.0.0.-5 (which still has that reverse local subnet setting), the vpnbypass assumes that the default routing rule is to go thru VPN and allows you to make port/local IP/remote IP/domain name-based exceptions, not the other way around.

I'll post here (and you'll see the build number jump beyond 1.0.x) when the policy-based routing is in place.


Work your magic sir! This would be awesome to have. Especially for us novice firewall greenies.

Very interested in a version to only put certain things over the tunnel. I'm tagging certain applications with a DSCP value and I want to use that. But I could probably do that modification myself.

This actually only allows you to bypass vpn tunnel for certain things. If you want more control over what goes where, there's openvpn-policy-routing service in development and actively looking for testers.


I'm having trouble applying domain based rules.
I know the package is installed because if I put in ports 1-65535 all IP websites (for testing purposes let's say iplocation.net) return my real IP. As soon as I turn the service off, back to VPN IP.
My example domain rule:


Installed Packages:

ip6tables 1.4.21-2
ipset 6.30-1
iptables 1.4.21-2
iptables-mod-conntrack-extra 1.4.21-2
iptables-mod-ipopt 1.4.21-2
dnsmasq-full 2.77test4-1
openvpn-easy-rsa 2013-01-30-ff5bfd1d-2
openvpn-openssl 2.4.0-4
vpnbypass 1.3.0-5

Please post /etc/config/dhcp file as well as an output of ipset save.

ipset save output:

root@LEDE-ROUTER:~# ipset save
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
add vpnbypass


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server ''
	list server ''
	option nonwildcard '0'
	list ipset '/iplocation.net/vpnbypass'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Interestingly, I ran the CLI config and got the following:

root@LEDE-ROUTER:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.26.2
udhcpc: sending discover
udhcpc: no lease, failing

Weird, on my box:

# resolveip iplocation.net

I'm surprised dnsmasq only added one ip to the ipset for the domain, maybe that's why it's not working. Other than that, your config looks correct. I'd suggest rebooting the router and the client device.
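
The check requested above (the `list ipset` lines in /etc/config/dhcp compared against `ipset save`), as an added shell example that is not from any post in this thread or from the vpnbypass project. The function names are hypothetical and the sample data in `demo` is constructed.

```shell
#!/bin/sh
# Added example: cross-check dnsmasq "list ipset" directives with "ipset save".

# Print "domain setname" pairs from a UCI dhcp config on stdin, e.g.
#   list ipset '/iplocation.net/vpnbypass'  ->  iplocation.net vpnbypass
# dnsmasq accepts several domains and comma-separated sets per directive.
ipset_directives() {
    sed -n "s/^[[:space:]]*list[[:space:]]\{1,\}ipset[[:space:]]\{1,\}'\(.*\)'.*/\1/p" |
    awk -F/ 'NF >= 3 { n = split($NF, s, ",")
        for (i = 2; i < NF; i++) for (j = 1; j <= n; j++) print $i, s[j] }'
}

# Count members of set $1 in "ipset save" output on stdin; -1 if never created.
set_members() {
    awk -v s="$1" '
        $1 == "create" && $2 == s { found = 1 }
        $1 == "add" && $2 == s && NF >= 3 { n++ }
        END { print (found ? n + 0 : -1) }'
}

# $1 = dhcp config file, $2 = file holding "ipset save" output.
# MISSING: set not created. EMPTY: set exists but dnsmasq has added nothing,
# which is normal until a client resolves the domain through dnsmasq.
check_domain_rules() {
    ipset_directives < "$1" | while read -r domain name; do
        n=$(set_members "$name" < "$2")
        case "$n" in
            -1) echo "MISSING $domain $name" ;;
            0)  echo "EMPTY $domain $name" ;;
            *)  echo "OK $domain $name $n" ;;
        esac
    done
}

demo() {  # constructed sample input, not taken from a real router
    d=$(mktemp); s=$(mktemp)
    cat > "$d" <<'EOF'
config dnsmasq
    list ipset '/iplocation.net/vpnbypass'
    list ipset '/example.org/example.net/othervpn'
EOF
    cat > "$s" <<'EOF'
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
add vpnbypass 192.0.2.10
EOF
    check_domain_rules "$d" "$s"
    rm -f "$d" "$s"
}
demo
```

On a router, redirect `ipset save` to a file and pass it with /etc/config/dhcp to `check_domain_rules`; an EMPTY result right after a client has looked up the domain means dnsmasq is not populating the set.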

stangri, Great work here. I am following the guide on installing VPN Bypass on OpenWRT and ran into some problems. I am hoping you can point me in the right direction. When I start the vpnbypass services I get the following errors in the system log. Regards, eleven

Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: service stopped
Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: 
ERROR: iptables -t mangle -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-mark 0x010000/0xff0000
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named xt_set
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named ip_set
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named ip_set_hash_ip
Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: service started with TID: 200; FW_MARK: 0x010000

Which device/OpenWrt version is that?