VPN Bypass (split tunneling) Service + Luci UI


Linksys wrt 1900 acs. openwrt 15.05.1 r49389


Missing xt_set, ip_set and ip_set_hash_ip modules are probably from the package missing from your install.
Can you please do:

opkg update
opkg install kmod-ipt-ipset
/etc/init.d/vpnbypass reload

I did a fresh install of OpenWRT 15.05.1 and I think I found out the source of the problem. I run into an error when I try to install ipset. See below. Any idea on how to rectify? Thanks, I get same error message when I try to install kmod-ipt-ipset as well.

root@OpenWrt:/etc/openvpn# opkg install ipset
Installing ipset (6.24-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/packages/base/ipset_6.24-1_mvebu.ipk.
Multiple packages (kmod-ipt-core and kmod-ipt-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for ipset:
 *      kernel (= 3.18.23-1-81be0e40bf30c51dba2c46c84dd50f29) *         kernel (= 3.18.23-1-81be0e40bf30c51dba2c46c84dd50f29) *
 * opkg_install_cmd: Cannot install package ipset.

ipset is a dependency of the vpnbypass package and should have been installed automatically.

The kernel version collision may be indicative that you didn't use the official OpenWrt 15.05.1 build and used some custom or self-compiled builds, in which case I can't help you.

Please elaborate on:

  1. Which specific 15.05.1 image did you use?
  2. Which steps did you take to install vpnbypass?
  3. What messages/errors did you get during vpnbypass install?

I suggest you install current release of LEDE project (17.01.2 as of now) instead.

I'm almost certain I used the official OpenWrt version 15.05.1 https://downloads.openwrt.org/chaos_calmer/15.05.1/mvebu/generic/openwrt-15.05.1-mvebu-armada-385-linksys-shelby-squashfs-factory.img

I will try using LEDE 17.01.2 when I get home from work tonight.

I appreciate your help on this.


I uploaded firmware LEDE 17.01.2 on my router and vpnbypass worked flawlessly. Much thanks for this powerful functionality.

1 Like

First, excellent project! But it seems by being able to bypass the VPN I'm getting DNS leaks on the devices using the VPN. Unfortunately the OpenVPN package is 2.3.4 has no block option yet (as of version 2.3.9 it should have). I am not setting any DNS myself on the router and I'm using a PPPoE ISP which pushes obviously their own DNS. The OpenVPN connection is using PULL so I am assuming it get the VPN providers DNS. (I'm using ExpressVPN).

I tried with a static IP and static DNS setting on my device (tried iPad and Windows Laptop) but that doesn't seem to help. Any suggestions?

That's unexpected behaviour. Is the router correctly pulling VPN DNS from the tunnel? If it is, short of explicitly setting up ISP DNS (either hard-coding or advertising them thru DHCP option), I don't have an idea why it might be happening.

@stangri thank you very much for this script. It's running almost perfectly on my router. There is only one problem I'm having. Every time my LTE connection goes down for a few seconds (24h forced disconnect by ISP) my OpenVPN setup (I followed ulmwind's guide for this) reconnects automatically via script. Unfortunately the bypass seems to break afterwards. Disabling and enabling VPN bypass solves the problem. I'm sure there is a simple way to just restart VPN bypass together with the reconnect script?!? My Linux kung-fu is just not good enough to figure it out.

Can you help?

Thanks in advance!

Apologies for delay in replying. There was a bug in vpnbypass 1.3.0-6 which resulted in service not being reloaded on external triggers (like WAN/VPN connections up/down).

Please upgrade to 1.3.0-7 where I have hopefully fixed that. If you've added my repo to your router, you can run: opkg update; opkg upgrade vpnbypass

Thank you. I've upgraded to 1.3.0-7 and will monitor if it's reloading properly now. Thanks a lot!

@stangri Great concept, thank you for creating and sharing this.

Your README does not mention what vpn-related settings are expected to be in place (or removed) before using vpnbypass. I suspect something in my configuration is causing problems.

I have used my Netgear WNDR3800 as a VPN router for years, but now I need a device (Roku stick at to bypass VPN. Therefore, I installed the requirements, added your repository, then installed vpnbypass and luci-app-vpnbypass. Via Luci, I added the Roku stick's local IP address and deleted the other example rules. There were no errors at any step.

Unfortunately, enabling vpnbypass causes the Roku stick to lose internet connectivity altogether. Other devices on my network are fine--still connect to internet via VPN as expected.

My guess is that my manually-added vpn-related settings in /etc/config/firewall (https://pastebin.com/JnM4wqSz - vpn stuff is at the bottom) and /etc/config/network (https://pastebin.com/8exV7Mc9) are conflicting with your script.

Would you please give me a hand? I have no idea what needs to be changed/removed in these config files in order for vpnbypass to work as intended.

1 Like

I think it's because you're missing this in /etc/config/firewall:

config forwarding
	option src 'lan'
	option dest 'wan'

Thank you. Should I keep this in there as well, or remove it?

config forwarding
option src 'lan'
option dest 'VPN'

If I should keep it, do you want me to put the lan->wan forwarding before or after the lan->VPN forwarding (or doesn't matter)?

Thanks a lot, and please pardon the extreme noob-ness.

AFAIK you need both (at least I have both in my firewall config).

In default config this lan-wan forwarding rule immediately follows the definition of the wan zone. You can check /rom/etc/config/firewall as it contains the original config before you've made any changes.

PS. I hope this will solve your problem. :wink: If in doubt -- reboot the router.

Sounds good. Thank you very much. I will report back later once I've had a chance to give it a shot.

@stangri Indeed, that's all that was required.

I added the lan->wan forwarding right after the wan zone definition (as shown in /rom/etc/config/firewall), then rebooted the router and the stick. Now everything works as expected.

This script is an absolute marvel. You're the man!

P.S. For the sake of completion and documentation, my firmware is LibreCMC 1.3.4 (Elegant Eleanor). LibreCMC is a free software fork of OpenWRT (i.e., no proprietary blobs, no proprietary packages in repository).

1 Like

@stangri Since adding the lan -> wan forwarding to /etc/config/firewall for vpnbypass to work, I've noticed something alarming: If VPN service is down for some reason, all devices on my network can connect to the internet without VPN (i.e., directly through ISP). This is bad for privacy.

EDIT: I figured it out. Adding this to /etc/firewall.user fixed the problem: Now, devices in the subnet bypass VPN, but other devices can only connect to the internet through VPN (VPN down = no internet access for those devices):

# my interfaces: br-lan (lan), eth1 (wan) [note: your router's interface names may be different]
# block all lan <-> wan traffic...
iptables -I FORWARD -i br-lan -o eth1 -j REJECT
iptables -I FORWARD -i eth1 -o br-lan -j REJECT
# ...except for traffic between vpnbypass's subnet and wan
iptables -I FORWARD -i br-lan -o eth1 -s -j ACCEPT
iptables -I FORWARD -i eth1 -o br-lan -d -j ACCEPT

Hey guys, i have trouble to install vpnbypass, got all requirements and custom repo but still no success...

  • 17.01.2 r3435-65eec8bd5f
  • TP-Link TL-WDR4300 v1

root@LEDE:/tmp# opkg install vpnbypass luci-app-vpnbypass
Installing vpnbypass (1.3.0-9) to root...
Installing luci-app-vpnbypass (git-17.228.56579-209deb5-2) to root...
Downloading https://raw.githubusercontent.com/stangri/openwrt-repo/master/luci-app-vpnbypass_git-17.228.56579-209deb5-2_all.ipk
Installing vpnbypass (1.3.0-9) to root...
Collected errors:

  • check_conflicts_for: The following packages conflict with vpnbypass:
  • check_conflicts_for: vpnbypass *
  • opkg_install_cmd: Cannot install package vpnbypass.
  • check_conflicts_for: The following packages conflict with vpnbypass:
  • check_conflicts_for: vpnbypass *
  • opkg_install_cmd: Cannot install package luci-app-vpnbypass.

I did a update before.

Thanks for any help.

@Unreachable -- my bad, fixed in 1.3.0-10. Run opkg update again before trying to install to fetch information about the newer build from repo.