VPN Bypass (split tunneling) Service + Luci UI

I would also vote for this. Sometimes you only want specific traffic to go inside the tunnel and rest bypass it.

If that's the case then I believe it should be best done with the openvpn config and not using openvpn server routes as defaults.

However as a work-around, you can define as an exclusion range (instead of the default and only assign addresses below 129 to the devices you want to go thru OpenVPN.

@cybrnook, @dziny -- I want to limit the number of changes I make to the code why the pull request for the official repo is open, but I can post a special build for you gentlemen where you could specify select IPs to use the tunnel and everything else to go outside of it, if you are willing to test it. Let me know.

1 Like

Like you even have to ask :slight_smile: Heck yeah man!

Ok, if you grab both the latest vpnbypass and luci-app-vpnbypass from https://github.com/stangri/Files you should be set to go.

What you need to set is an option I temporarily called reverselocalsubnet/Reverse Local IP Subnets.

Things should break if you have more than one of them (only the last one should work AFAIK) and to further complicate things, it's in the format of a subnet, not range of IPs.

For a single IP to have VPN connection you can use IP/32 ( For the range, use online netmask calculators (or this: https://kthx.at/subnetmask/) but with /30 you get 4 IPs in the range, with /29 you'll get 8 and so on.

Any questions -- just ask.

1 Like

So, since @cybrnook made me aware of a more elegant policy-based openvpn routing available on a different firmware, I've decided to abandon the awkwardly-named "reverse local subnet" thingy and pursue the equivalent policy-based routing functionality within vpnbypass.

In the mean time, besides the short-lived build 1.0.0.-5 (which still has that revers local subnet setting), the vpnbypass assumes that default routing rule so to go thru VPN and allows you to make port/local IP/remote IP/domain name-based exceptions, not the other way around.

I'll post here (and you'll see the build number jump beyond 1.0.x) when the policy-based routing is in place.

1 Like

Work your magic sir! This would be awesome to have. Especially for us novice firewall greenies.

Very interested in a version to only put certain things over the tunnel. I'm tagging certain applications with a DSCP value and I want to use that. But I could probably do that modification myself.

This actually only allows you to bypass vpn tunnel for certain things. If you want more control over what goes where, there's openvpn-policy-routing service in development and actively looking for testers.

1 Like

I'm having trouble applying domain based rules.
I know the package is installed because if I put in ports 1-65535 all IP websites (for testing purposes let's say iplocation.net) return my real IP. As soon as I turn the service off, back to VPN IP.
My example domain rule:


Installed Packages:

ip6tables 1.4.21-2
ipset 6.30-1
iptables 1.4.21-2
iptables-mod-conntrack-extra 1.4.21-2
iptables-mod-ipopt 1.4.21-2
dnsmasq-full 2.77test4-1
openvpn-easy-rsa 2013-01-30-ff5bfd1d-2
openvpn-openssl 2.4.0-4
vpnbypass 1.3.0-5

Please post /etc/config/dhcp file as well as an output of ipset save.

ipset save output:

root@LEDE-ROUTER:~# ipset save
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536
add vpnbypass


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	list server ''
	list server ''
	option nonwildcard '0'
	list ipset '/iplocation.net/vpnbypass'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Interestingly, I ran the CLI config and got the following:

root@LEDE-ROUTER:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.26.2
udhcpc: sending discover
udhcpc: no lease, failing

Weird, on my box:

# resolveip iplocation.net

I'm surprised dnsmasq only added one ip to the ipset for the domain, maybe that's why it's not working. Other than that, your config looks correct. I'd suggest reboot the router and the client device.

stangri, Great work here. I am following the guide on installing VPN Bypass on OpenWRT and ran into some problems. I am hoping you can point me in the right direction. When I start the vpnbypass services I get the following errors in the system log. Regards, eleven

Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: service stopped
Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: 
ERROR: iptables -t mangle -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-mark 0x010000/0xff0000
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named xt_set
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named ip_set
Tue Jul 11 07:04:00 2017 daemon.err modprobe: failed to find a module named ip_set_hash_ip
Tue Jul 11 07:04:00 2017 user.notice vpnbypass [21413]: service started with TID: 200; FW_MARK: 0x010000
1 Like

Which device/OpenWrt version is that?


Linksys wrt 1900 acs. openwrt 15.05.1 r49389


Missing xt_set, ip_set and ip_set_hash_ip modules are probably from the package missing from your install.
Can you please do:

opkg update
opkg install kmod-ipt-ipset
/etc/init.d/vpnbypass reload

I did a fresh install of OpenWRT 15.05.1 and I think I found out the source of the problem. I run into an error when I try to install ipset. See below. Any idea on how to rectify? Thanks, I get same error message when I try to install kmod-ipt-ipset as well.

root@OpenWrt:/etc/openvpn# opkg install ipset
Installing ipset (6.24-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base/ipset_6.24-1_mvebu.ipk.
Multiple packages (kmod-ipt-core and kmod-ipt-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for ipset:
 *      kernel (= 3.18.23-1-81be0e40bf30c51dba2c46c84dd50f29) *         kernel (= 3.18.23-1-81be0e40bf30c51dba2c46c84dd50f29) *
 * opkg_install_cmd: Cannot install package ipset.

ipset is a dependency of the vpnbypass package and should have been installed automatically.

The kernel version collision may be indicative that you didn't use the official OpenWrt 15.05.1 build and used some custom or self-compiled builds, in which case I can't help you.

Please elaborate on:

  1. Which specific 15.05.1 image did you use?
  2. Which steps did you take to install vpnbypass?
  3. What messages/errors did you get during vpnbypass install?

I suggest you install current release of LEDE project (17.01.2 as of now) instead.

I'm almost certain I used the official OpenWrt version 15.05.1 https://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/openwrt-15.05.1-mvebu-armada-385-linksys-shelby-squashfs-factory.img

I will try using LEDE 17.01.2 when I get home from work tonight.

I appreciate your help on this.