VPN Bypass (split tunneling) Service + Luci UI


hi @stangri,

First things first: thank you for this amazing tool!!! I'been trying to make selective routing work for ages without success. However, I cannot get VPN Bypass to work just yet.

My goal is to have all traffic go through the VPN at all times but for specified domains. At the minute Netflix is the only one I would like/need to work.

Now, I can traceroute and see that the traffic toward Netflix is correctly going out of the VPN tunnel BUT Netflix somehow still complains about proxy error when I try to play something. I'm not sure what Netflix catches to see my traffic still as a VPN when it is actually going via my ISP. I'd be grateful if you could help me :slight_smile:

Here's my config:

Luci App VPN Bypass is basically emtpy but for the domain field:

Screenshot from 2017-09-17 18-38-55

Here's DNSMasq config. External DNS per domain was setup just in case Netflix would complain about the VPN just because of the Mullvad DNS IP. No luck; the other two sites are to check data of the traffic. I'll remove them eventually.

root@lede-wyn:config# cat dhcp 

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option nonwildcard '0'
	option localservice '1'
	option dnssec '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	list ipset '/ipleak.net/ipx.ac/netflix.com/vpnbypass'
        list server '/ipleak.net/'
        list server '/ipx.ac/'
        list server '/netflix.com/'
        list server '/ipleak.net/'
        list server '/ipx.ac/'
        list server '/netflix.com/'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

I use Mullvad VPN and it forces the DNS to be the one provided by them within their VPN network/tunnel. The way it does this, is by a vpn.up script that moves /tmp/resolv.con.auto and replaces it with one containing their DNS only:

root@lede-wyn:config# for i in $(ls /tmp/resolv.conf*); do echo $i; cat $i; echo; done

# Interface wan

Also, firewall routing is: lan -->> vpn -->> wan.

I tried to solve this mystery by myself without luck. I hope the forum would enlighten me

Please and thank you :vulcan_salute:


Maybe that's how Netflix is figuring you're using VPN. If the ipx.ac reports you real WAN IP address instead of the public VPN IP address, the vpnbypass service is working. As to why it's still not fooling Netflix, I have no idea.


@stangri Vpnbypass is wonderful, works exactly as advertised. Thank you.

Is it possible to have port forwarding from my public (ISP) ip address to a device with static local ip on the vpnbypass subnet?

Device's static local ip is

This is my /etc/config/vpnbypass:

config vpnbypass 'config'
list localsubnet ''
option enabled '1'

This is in my /etc/config/firewall:

config 'redirect'
option 'name' 'ssh port forwarding'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_dport' '22'
option 'dest_ip' ''
option 'dest_port' '22'
option 'target' 'DNAT'
option 'dest' 'lan'

The port forwarding works fine when openvpn and vpnbypass are off, but not when they are on. Things I've already tried: Configuring the port forwarding a different way (using iptables entries in /etc/firewall.user), adding port 22 to vpnbypass's list of local and remote trigger ports. No joy yet.

Please, how does one setup port forwarding from ISP's public IP to a device on vpnbypass subnet?

Many thanks in advance for any guidance.


Try adding local port 22.


I tried adding port 22 to local, remote, and both. No luck.


Weird, that's how I make the Plex Server working over wan -- by having local port routed thru WAN.

Plex requests port forward from router via UPnP, not the static firewall rule tho, so maybe there's something there.


Weird indeed. Oh, well, thanks for the input. I'll keep tinkering and will post here if I figure it out.


I discovered something new: While I cannot connect to the laptop at from any machine in my home network (regardless of whether the machine is on vpnbypass or not), I am able connect to that laptop from an outside network. I hadn't tried connecting remotely because I usually test things out at home first.

I'm a total networking noob, but shouldn't port forwarding work regardless of where the ssh client is connecting from? Maybe this is a routing issue, which at this point is way beyond my ability diagnose and troubleshoot.


How would you specify a (different) DNS server for the bypassed domains?


DNSMASQ (included by default) allows you to indicate specific dns servers for domains, look up OpenWrt/LEDE dnsmasq documention.


Ah I see, vpnbypass works with list ipset, but you can still set the DNS server as usual with list server.

Unfortunately, vpnbypass doesn't seem to work at all with wireguard.


There's some preliminary wg support code in VPNBypass'es older brother -- OpenVPN Policy Routing. If you set your wg routing correctly so that it doesn't become the default route (and hence OPR unable to tell what the true WAN is), it should work.


hey @stangri,

I've been using vpnbypass for a few months and have really liked it, but for some reason I have never been able to get domain based rules working. I followed some of the advice in this thread and I think for some reason the "ipset save" command isn't behaving how it's supposed to. Here is a relevant excerpt from /etc/config/dhcp:

option port '54'
option nonwildcard '0'
list ipset '/whatsmyip.org/www.whatsmyip.org/vpnbypass'

config dhcp 'lan'

And the output from ipset save:

root@LEDE:/etc/config# ipset save
create vpnbypass hash:ip family inet hashsize 1024 maxelem 65536

Other users reported some output such as "add vpnbypass ipaddr" should follow that command but I'm not seeing it. Additionally the IP isn't appended in /etc/config/dhcp.

The only thing I can think of that makes my system unique is that I have unbound running on port 53 and dnsmasq on port 54, with dnsmasq forwarding DNS lookups to unbound. dnsmasq is mainly there to provide dhcp while unbound handles domain name resolution. Could this cause issues with the domain routing functionality?



Yes, that's the reason. If you want domain-based rules to work properly, you need dnsmasq-full working as name resolver.

PS. vpn-policy-routing has finer settings and you can set it to create ipsets without dnsmasq, however it will only resolve the domain provided at run time and it won't then (without dnsmasq) work on the sub-domains.


Thanks a lot for the quick response. I'm fairly new to dnsmasq and unbound--could I skirt this issue by letting dnsmasq resolve domain names and just setting an unbound instance as the upstream DNS server? Or would that not work for some reason? If that'd work, I'm not really sure why I'm not doing that presently.


Yes, if dnsmasq-full (yes, you need the dnsmasq-full and not just dnsmasq) is resolving domain names, it should be adding domain names to ipsets on first use/when idle. The scenario you described above should work.


Thanks so much for your help @stangri! I reconfigured dnsmasq and unbound so that dnsmasq handles queries from the LAN and forwards external domain queries to unbound, rather than having unbound handle queries and then pass local domain names back to dnsmasq. This fixed the issue.



I upgraded to the latest LEDE firmware for my Linksys 1900ACS and I'm having troubles adding your repo to my router with this command. Do you know what might be going on? Thanks,

opkg update; opkg install uclient-fetch libustream-mbedtls
echo -e -n 'untrusted comment: public key 7ffc7517c4cc0c56\nRWR//HUXxMwMVnx7fESOKO7x8XoW4/dRidJPjt91hAAU2L59mYvHy0Fa\n' > /tmp/stangri-repo.pub && opkg-key add /tmp/stangri-repo.pub
! grep -q 'stangri_repo' /etc/opkg/customfeeds.conf && echo 'src/gz stangri_repo https://raw.githubusercontent.com/stangri/openwrt-repo/master' >> /etc/opkg/customfeeds.conf
opkg update


Not without any details.



I just had the same problem.

Try removing wget - it worked for me