VPN Bypass (split tunneling) Service + Luci UI

I don't know if anyone here can help but here goes:

I have vpnbypass set to route traffic from three static IP addresses outside of the VPN. When my VPN isn't on (which is most of the time), I need one of those IP addresses to be able to administrate a device in a separate VLAN. However, the VPN bypass ip address devices are unable to access the device in the other VLAN (whilst other devices can). I tried setting a static route and whilst this worked initially, it stopped working after a reboot.

Anyone got any suggestions? Keep in mind I'm a bit of a novice.

You need to also install luci-app-vpnbypass. Because some people may not have the Web UI installed on their router at all (due to the router's storage restrictions), the principal packages are usually separate from the Web UI packages for OpenWrt.

vpn-policy-routing should support VLANs better than vpnbypass, you should try that.


Thanks will try that.

ERROR: iptables -t mangle -D PREROUTING -m mark --mark 0x00/0xff0000 -g VPNBYPASS

I get this error when I add an IP of my lan to bypass the vpn.

I have OpenWrt SNAPSHOT r15068 on WRT1900ACS.
Vpnbypass 1.3.1-10 and luci-app-vpnbypass 20.265.66831-053e395

Thanks for support and great package

I was not able to modify the post...

Solved... (In the configuration I changed ip/32 to ip/29 and now it works...)

@stangri What's the difference between this and VPN Policy-Based Routing?

I'm trying to get VPN Bypass to work with a running OpenVPN client (also Luci UI) + port forwarding. It works in so far that my server with the ip specified doesn't get the vpn-ip but the regular isp one. However I can't manage to get it to work with port forwarding on 80+443 to a local http server (which works when I'm not running the VPN service). Any solutions to this?

VPN Policy Routing is more comprehensive and designed to route traffic through a variety of different interfaces, with more complex configurations and rule sets.

VPN Bypass primarily focuses on basically preventing traffic from using your VPN and fallback to your WAN.

Depending on your requirements, if you are looking to stop a handful of sites or services using a VPN tunnel, then VPN Bypass is a much simpler method to achieve it. If however you want to route traffic in different ways i.e. multiple VPNs, different interfaces etc then VPN Policy Routing is better because you have much more control.

If you are looking to do multi WAN configurations, then mwan3 is what you need. VPN Policy Routing and mwan3 both rely on the Linux kernel concept of policy based routing to function; the difference is that mwan3 is designed for multiple WAN interfaces in addition to policy based routing. VPR isn't multi WAN aware, i.e. load balancing/failover, but can create policies that target different network interfaces.


@jamesmacwhite Thanks a lot, that really clears things up.

I won't have very complex policies, a few to force Netflix/Prime traffic outside the VPN and a few for the separate office VPN.
I do have 2-3 wan uplinks and I use mwan3 to manage these.

Can VPR co-exist with mwan3?
Or were you suggesting to let mwan3 play the role of VPR here?

Without doing @stangri a disservice for the packages he has created: if you have multiple WANs then mwan3 will do the same job as VPN Policy Routing. Technically they can co-exist providing they don't use the same fwmark value; however, in my opinion there is little point to running both in your scenario.

You can achieve the same routing rules with mwan3 as both are designed around the policy based routing concept. The benefit of mwan3 is the load balancing and failover possibilities with policies which VPR is not designed for.

Essentially VPR is designed for policies that target a specific network interface.

mwan3 allows you to define policies that can include one or more network interfaces, so you can do load balancing or failover. So you'd be better off having mwan3 control all routing so it is consistent. The configuration is a little different and possibly a little bit more advanced for mwan3, but it is well documented here: https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3#mwan3_configuration

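Added example, not from the thread and not the code of vpnbypass, VPR or mwan3: the fwmark-based policy routing the two replies above describe, reduced to its three moving parts (a routing table whose default route points at the plain WAN, an ip rule that selects that table by fwmark, and a mangle/PREROUTING chain that sets the mark by source address, in the same mark/mask layout as the VPNBYPASS rules posted later in this thread). It also carries the "same fwmark" check from the co-existence answer: two tools can share the mangle table only if their mark masks have no bits in common. Everything here is an assumption for illustration: the WAN interface eth1.2 and gateway 192.0.2.1, the bypass host 192.168.1.237, mark 0x10000/0xff0000, routing table 100, and the chain name VPNBYPASS_EX (chosen so it cannot collide with the real VPNBYPASS chain). The 0x3F00 mask passed to the overlap check is what I recall as mwan3's default mmx_mask; confirm it in /etc/config/mwan3 before relying on it. Two caveats a practitioner will want: the rule matches on source IP only, so whatever holds that address (after a DHCP lease change, say) leaves via the plain WAN; and nothing here is a kill switch, so when the tunnel is down every client's traffic is masqueraded out the WAN exactly as the nat table posted later in this thread shows.

```shell
#!/bin/sh
# Added example of fwmark policy routing (not vpnbypass/VPR/mwan3 code).
# Assumed values: WAN eth1.2 via 192.0.2.1, bypass host 192.168.1.237,
# mark 0x10000 with mask 0xff0000, routing table 100, chain VPNBYPASS_EX.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them (needs root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# gen_bypass_rules SRC WAN_IF WAN_GW MARK MASK TABLE
# 1. table TABLE: default route out the plain WAN, ignoring the tunnel
# 2. ip rule: packets carrying MARK (under MASK) are looked up in TABLE
# 3. mangle/PREROUTING: unmarked packets (0x0/MASK) go to our chain,
#    which sets MARK on packets from SRC (mirrors the VPNBYPASS layout)
gen_bypass_rules() {
    src="$1"; wan_if="$2"; wan_gw="$3"; mark="$4"; mask="$5"; table="$6"
    run ip route add default via "$wan_gw" dev "$wan_if" table "$table"
    run ip rule add fwmark "$mark/$mask" lookup "$table"
    run iptables -t mangle -N VPNBYPASS_EX
    run iptables -t mangle -I PREROUTING -m mark --mark "0x0/$mask" -g VPNBYPASS_EX
    run iptables -t mangle -A VPNBYPASS_EX -s "$src" -j MARK --set-xmark "$mark/$mask"
}

# marks_overlap MASK_A MASK_B: true (exit 0) if two tools' fwmark masks
# share any bit, in which case one will clobber the other's marks.
marks_overlap() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# Stand-alone run: print the rule set, then check the vpnbypass mask
# (0xff0000) against the mwan3 default mask (0x3F00, assumed; verify locally).
gen_bypass_rules 192.168.1.237 eth1.2 192.0.2.1 0x10000 0xff0000 100
if marks_overlap 0xff0000 0x3F00; then
    echo "WARNING: fwmark masks overlap; the two tools cannot co-exist"
else
    echo "fwmark masks do not overlap; co-existence is possible"
fi
```

Run as-is to see the commands; run with DRY_RUN=0 as root on the router to apply them (they are not persistent and disappear on reboot, which is the same reason the hand-added static route in the first post did not survive). The `--mark 0x0/$mask` guard on the PREROUTING jump is what keeps this from re-marking packets another tool has already classified, which is why non-overlapping masks matter.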

Evening all, relatively new to OpenWRT. Been using it since last year and most recently looked at split tunnelling. I have successfully installed vpn-bypass-luci-app and set up a specific device (Apple TV) for bypass by adding its local IP without error; however, whenever I try to use the ATV it loses its connection to the internet (all other devices unaffected). I saw in one of the replies it looks like it's to do with firewall settings; however, the details on how to fix this were using SSH and, being quite new, I don't know how to complete these actions as I have set up everything using the Web UI. Would anyone be able to steer me in the right direction using the Web UI? Any help is much appreciated. Thanks in advance

Without you being able to use SSH to get some data/files from your router it will be extremely difficult to troubleshoot.

Is it OpenVPN or Wireguard that you use? If the former, if you stop the OpenVPN client, do you still have internet access or has it been set up as a killswitch?

Depending on the answers above it may or may not be possible to make vpnbypass work.

@stangri thanks for getting back to me. I use OpenVPN, and if I stop the client I still have internet access. If I have to use SSH to do it, I'll just have to learn, just never used it before. Thanks again for help, look forward to hearing from you.

Run on the SSH command-line: iptables-save | grep VPNBYPASS and post the output.

I hope this is right...

root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.8.3 on Sat Feb 20 23:30:58 2021
*nat
:PREROUTING ACCEPT [40888:7505624]
:INPUT ACCEPT [11879:1142291]
:OUTPUT ACCEPT [10304:750015]
:POSTROUTING ACCEPT [70:12636]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Feb 20 23:30:58 2021
# Generated by iptables-save v1.8.3 on Sat Feb 20 23:30:58 2021
*mangle
:PREROUTING ACCEPT [618441:692303587]
:INPUT ACCEPT [267357:348766119]
:FORWARD ACCEPT [349295:343049398]
:OUTPUT ACCEPT [90764:14756449]
:POSTROUTING ACCEPT [439837:357794748]
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Feb 20 23:30:58 2021
# Generated by iptables-save v1.8.3 on Sat Feb 20 23:30:58 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Feb 20 23:30:58 2021

I typed iptables-save | grep VPNBYPASS in the command line which did not produce an output... apologies if I haven't completed this correctly

That means that VPNBYPASS is not running.


Morning, well, silly me, :flushed: that would have helped...

root@OpenWrt:~# iptables-save | grep VPNBYPASS
:VPNBYPASS - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
-A VPNBYPASS -s 192.168.1.237/32 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000

Thanks again
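Added example, not part of vpnbypass and not something anyone in the thread posted: the `iptables-save | grep VPNBYPASS` check above, turned into a script that says what is actually missing. An empty grep means the service is not running, as stated above, but the chain can also exist without PREROUTING ever jumping to it, or be hooked up but empty, and the one-line grep does not distinguish those. The first sample dump copies the four VPNBYPASS lines posted just above; the second is a constructed mangle table with only the fw3 MSS-clamping line, i.e. what the earlier full dump in this thread looked like before the service was started. On a real router, feed it `iptables-save` output instead of the samples.

```shell
#!/bin/sh
# Added example (not vpnbypass code): diagnose a VPNBYPASS setup from an
# iptables-save dump. Three checks: chain exists, PREROUTING jumps to it,
# and it holds at least one marking rule. Exit 0 only if all three pass.

# Sample dump 1: the VPNBYPASS lines posted in the thread (copied verbatim).
WITH_BYPASS='*mangle
:VPNBYPASS - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
-A VPNBYPASS -s 192.168.1.237/32 -j MARK --set-xmark 0x10000/0xff0000
-A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT'

# Sample dump 2 (constructed): a mangle table with only fw3 rules, no VPNBYPASS.
WITHOUT_BYPASS='*mangle
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# count PATTERN DUMP: number of dump lines matching PATTERN (0 is not an error)
count() {
    printf '%s\n' "$2" | grep -c -- "$1" || true
}

# vpnbypass_status DUMP: print a verdict; return 0 only when fully wired up
vpnbypass_status() {
    dump="$1"
    chain=$(count '^:VPNBYPASS ' "$dump")
    hook=$(count '^-A PREROUTING .*-g VPNBYPASS' "$dump")
    rules=$(count '^-A VPNBYPASS .*-j MARK ' "$dump")
    if [ "$chain" -eq 0 ]; then
        echo "not running: no VPNBYPASS chain in the dump"; return 1
    fi
    if [ "$hook" -eq 0 ]; then
        echo "chain exists but PREROUTING never jumps to it"; return 1
    fi
    if [ "$rules" -eq 0 ]; then
        echo "chain is hooked but holds no marking rules"; return 1
    fi
    echo "running: $rules marking rule(s)"
    return 0
}

# bypassed_sources DUMP: the source addresses whose traffic skips the tunnel
bypassed_sources() {
    printf '%s\n' "$1" | sed -n 's/^-A VPNBYPASS -s \([^ ]*\) .*/\1/p'
}

# Stand-alone run over both samples.
for d in "$WITH_BYPASS" "$WITHOUT_BYPASS"; do
    vpnbypass_status "$d" || true
    bypassed_sources "$d"
done
```

To run it against the live router, replace the samples with `dump=$(iptables-save)` and call `vpnbypass_status "$dump"`. The counters in the `iptables -v -t mangle -L` output asked for next in the thread are the complementary check: a hooked chain whose packet counter never moves means the marked clients' traffic is not reaching PREROUTING at all.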

And iptables -v -t mangle -L | grep VPNBYPASS ?

Evening Stan

root@OpenWrt:~# iptables -v -t mangle -L | grep VPNBYPASS
 682K  743M VPNBYPASS  all  --  any    any     anywhere             anywhere            [goto]  mark match 0x0/0xff0000
Chain VPNBYPASS (1 references)

Regards