I don't know if anyone here can help but here goes:
I have vpnbypass set to route traffic from three static IP addresses outside of the VPN. When my VPN isn't on (which is most of the time), I need one of those IP addresses to be able to administrate a device in a separate VLAN. However, the VPN bypass ip address devices are unable to access the device in the other VLAN (whilst other devices can). I tried setting a static route and whilst this worked initially, it stopped working after a reboot.
Anyone got any suggestions? Keep in mind I'm a bit of a novice.
You need to also install luci-app-vpnbypass. Because some people may not have Web UI installed on their router at all (due to the router's storage restrictions), usually the principal packages are separate from Web UI packages for OpenWrt.
I'm trying to get VPN Bypass to work with a running OpenVPN client (also Luci UI) + port forwarding. It works in so far that my server with the ip specified doesn't get the vpn-ip but the regular isp one. However I can't manage to get it to work with port forwarding on 80+443 to a local http server (which works when I'm not running the VPN service). Any solutions to this?
VPN Policy Routing is more comprehensive and designed to route traffic through a variety of different interfaces, with more complex configurations and rule sets.
VPN Bypass primarily focuses on basically preventing traffic from using your VPN and fallback to your WAN.
Depending on your requirements, if you are looking to stop a handful of sites or services using a VPN tunnel, then VPN Bypass is a much simpler method to achieve it. If however you want to route traffic in different ways i.e. multiple VPNs, different interfaces etc then VPN Policy Routing is better because you have much more control.
If you are looking to do multi WAN configurations, then mwan3 is what you need. VPN Policy Routing and mwan3 both rely on the Linux kernel concept of policy based routing to function, the difference is that mwan3 is designed for multiple WAN interfaces in addition to policy based routing. VPR isn't multi WAN aware i.e. load balancing/failover, but can create policies that target different network interfaces.
@jamesmacwhite Thanks a lot, that really clears things up.
I won't have very complex policies, a few to force Netflix/Prime traffic outside the VPN and a few for the separate office VPN.
I do have 2-3 wan uplinks and I use mwan3 to manage these.
Can VPR co-exist with mwan3?
Or were you suggesting to let mwan3 play the role of VPR here?
Without doing @stangri a disservice for the packages he has created. If you have multi WANs then mwan3 will do the same job as VPN Policy Routing. Technically they can co-exist providing they don't use the same fwmark value, however in my opinion, there is little point to running both in your scenario.
You can achieve the same routing rules with mwan3 as both are designed around the policy based routing concept. The benefit of mwan3 is the load balancing and failover possibilities with policies which VPR is not designed for.
Essentially VPR is designed for policies that target a specific network interface.
mwan3 allows you to define policies that can include one or more network interfaces, so you can do load balancing or failover. So you'd be better off having mwan3 control all routing so it is consistent. The configuration is a little different and possibly a little bit more advanced for mwan3, but it is well documented here: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#mwan3_configuration
Evening all, relatively new to OpenWRT. Been using it since last year and most recently looked at split tunnelling. I have successfully installed vpn-bypass-luci-app and set up a specific device (Apple TV) for bypass by adding its local IP without error, however whenever I try to use the ATV it loses its connection to the internet (all other devices unaffected). I saw in one of the replies it looks like it's to do with Firewall settings however the details on how to fix this were using SSH and being quite new I don't know how to complete these actions as I have set up everything using Web UI. Would anyone be able to steer me in the right directions using Web UI? Any help is much appreciated. Thanks in advance
Without you being able to use SSH to get some data/files from your router it will be extremely difficult to troubleshoot.
Is it OpenVPN or Wireguard that you use? If former, if you stop an OpenVPN client, do you still have internet access or has it been set up as a killswitch?
Depending on the answers above it may or may not be possible to make vpnbypass work.
@stangri thanks for getting back to me. I use OpenVPN, and if I stop the client I still have internet access. If I have to use SSH to do it, I'll just have to learn, just never used it before. Thanks again for help, look forward to hearing from you.
Morning, well, silly me, that would have helped...
root@OpenWrt:~# iptables-save | grep VPNBYPASS
:VPNBYPASS - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
-A VPNBYPASS -s 192.168.1.237/32 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
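
Added example, not part of any post in this thread: a POSIX shell check for the fwmark point raised in the mwan3/VPR reply, run over rules in the format of the `iptables-save` output above. It reports chains whose `--set-xmark` masks share bits; the `OTHER_A` and `OTHER_B` chains and their addresses are hypothetical, constructed for the example.

```shell
#!/bin/sh
# Two policy-routing services can only coexist if the bits they write into the
# packet mark do not overlap. This reads iptables-save output on stdin and
# lists chains whose --set-xmark masks collide.

# Constructed sample. The VPNBYPASS lines are copied from the post above;
# OTHER_A and OTHER_B are hypothetical chains invented for this example.
sample_rules() {
cat <<'EOF'
:VPNBYPASS - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
-A VPNBYPASS -s 192.168.1.237/32 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
-A OTHER_A -s 192.168.1.50/32 -j MARK --set-xmark 0x200/0x3f00
-A OTHER_B -s 192.168.1.60/32 -j MARK --set-xmark 0x20000/0xff0000
EOF
}

# Print one "chain mask" line per distinct (chain, mask) that sets a mark.
chain_masks() {
  sed -n 's|^-A \([^ ]*\) .*--set-xmark 0x[0-9a-fA-F]*/\(0x[0-9a-fA-F]*\).*|\1 \2|p' |
    sort -u
}

# Print "A(maskA) overlaps B(maskB)" for each pair of different chains whose
# masks have at least one bit in common.
mark_conflicts() {
  chain_masks |
  awk '{ c[NR] = $1; m[NR] = $2 }
       END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
               if (c[i] != c[j]) print c[i], m[i], c[j], m[j] }' |
  while read -r c1 m1 c2 m2; do
    # Expand the hex strings into the arithmetic expression as constants.
    if [ $(( $m1 & $m2 )) -ne 0 ]; then
      echo "$c1($m1) overlaps $c2($m2)"
    fi
  done
}

# On a router: iptables-save -t mangle | mark_conflicts
sample_rules | mark_conflicts
```

No output means no two chains write to the same mark bits; a reported pair means one service can overwrite the other's routing decision, so traffic may leave by an interface neither policy intended.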