VPN Bypass (split tunneling) Service + Luci UI

Just out of curiosity would you mind providing the applicable firewall rules you use that are compatible with this package? Might help me see where I've gone wrong.

This is the code I've used in the past to set up a client VPN on OpenWrt:

# OpenVPN client instance. CA.CRT, CRL.PEM, LOGIN-PASS.txt and SERVER are
# placeholders for the provider's files and hostname.
uci set openvpn.vpnc='openvpn'
uci set openvpn.vpnc.enabled='1'
uci set openvpn.vpnc.client='1'
uci set openvpn.vpnc.dev_type='tun'
uci set openvpn.vpnc.dev='ovpnc0'
uci set openvpn.vpnc.resolv_retry='infinite'
uci set openvpn.vpnc.nobind='1'
uci set openvpn.vpnc.persist_key='1'
uci set openvpn.vpnc.persist_tun='1'
uci set openvpn.vpnc.tls_client='1'
uci set openvpn.vpnc.remote_cert_tls='server'
uci set openvpn.vpnc.ca='CA.CRT'
uci set openvpn.vpnc.crl_verify='CRL.PEM'
uci set openvpn.vpnc.auth_user_pass='LOGIN-PASS.txt'
uci set openvpn.vpnc.auth_nocache='1'
uci set openvpn.vpnc.auth_retry='interact'
uci add_list openvpn.vpnc.pull_filter='ignore "auth-token"'
# Redundant with route_nopull below, which already discards pushed routes
# (including redirect-gateway), so left commented out:
#uci add_list openvpn.vpnc.pull_filter='ignore "redirect-gateway"'
uci set openvpn.vpnc.route_nopull='1'
# Only one of comp_lzo (deprecated form) and compress should normally be set;
# use whichever matches the server's configuration.
uci set openvpn.vpnc.comp_lzo='yes'
uci set openvpn.vpnc.compress='lz4'
uci set openvpn.vpnc.verb='1'
# reneg_sec=0 disables periodic TLS key renegotiation on the client side.
uci set openvpn.vpnc.reneg_sec='0'
uci set openvpn.vpnc.keepalive='10 60'
uci set openvpn.vpnc.float='1'
# auth and cipher must match what the server negotiates.
uci set openvpn.vpnc.auth='SHA1'
uci set openvpn.vpnc.cipher='AES-128-CBC'
uci set openvpn.vpnc.disable_occ='1'
uci set openvpn.vpnc.proto='udp'
uci add_list openvpn.vpnc.remote='SERVER'
uci set openvpn.vpnc.mute_replay_warnings='1'

uci commit openvpn

# Unmanaged network interface bound to the tunnel device, so it can be put
# in its own firewall zone.
uci set network.vpnc='interface'
uci set network.vpnc.proto='none'
uci set network.vpnc.ifname='ovpnc0'
uci commit network

# Zone for the tunnel: nothing may enter or be forwarded from it, outgoing
# traffic is NATed behind the tunnel address and MSS is clamped to the
# tunnel MTU.
uci add firewall zone
uci set firewall.@zone[-1].name='vpnc'
uci set firewall.@zone[-1].network='vpnc'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'

# Allow lan (and guest / vpnserver, if those networks exist) to forward
# into the tunnel.
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnc'
if uci -q get network.guest.proto; then
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='vpnc'
fi
if uci -q get network.vpnserver.proto; then
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='vpnserver'
uci set firewall.@forwarding[-1].dest='vpnc'
fi
uci commit firewall

Hi @stangri,

I've been trying out both vpnbypass and vpn-policy-routing packages on OpenWrt 18.06.4. My network has a main lan as well as two vlans (vlan10 and vlan20). I have successfully set up the routing policy so that lan and vlan10 bypass the VPN tunnel and vlan20 traffic goes through it (based on IP address -- each network has its own subnet). However, I had some firewall rules in place to allow certain traffic to pass between the vlans (allowing ports 80/443 from lan/vlan20 to vlan10) -- these seemed to stop working with vpnbypass/vpn-policy-routing running... any ideas? I'm not that familiar with iptables and don't really know how to start diagnosing.

Thanks

Thanks @stangri, I found the problem, it was the custom firewall rules added as part of the NordVPN setup tutorial that were the culprit:

# /etc/firewall.user

# Runs on every firewall reload, not when the tunnel drops: if tun0 is not
# up, reject all forwarded traffic unless the rule is already present.
# "ip a s tun0 up" exits 0 with empty output when tun0 exists but is down,
# so the output is tested rather than the exit status.
if ! ip a s tun0 up 2>/dev/null | grep -q . && ! iptables -C forwarding_rule -j REJECT 2>/dev/null; then
    iptables -I forwarding_rule -j REJECT
fi

These are added to prevent traffic leakage in case the VPN tunnel drops, so I guess I should leave them, which means I can't use your package :(

Stopping the OpenVPN service and commenting out these lines allow me to bypass the VPN.

Check the VPR thread, someone has recently had the same issue, it can be fixed with an extra setting in VPR config.

Or you can set strict enforcement and put rules in place for your LAN clients to route via VPN and if the VPN is down, it will report network unreachable.
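The two posts above describe the conflict: a global REJECT in forwarding_rule blocks everything when the tunnel is down, including the networks that are supposed to bypass the VPN. Below is an added example (not code from the thread, the NordVPN tutorial or the vpnbypass/VPR packages) of the firewall-layer alternative to VPR's strict enforcement: a kill switch scoped to the one subnet that must use the tunnel. The interface name tun0, the subnets 192.168.20.0/24 (vlan20), 192.168.1.0/24 (lan) and 192.168.10.0/24 (vlan10), and the chain name forwarding_rule are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not from the thread or the vpnbypass package: a kill switch
# that covers only the subnet meant to use the tunnel, so networks that
# bypass the VPN keep working and the rules can stay in place whether the
# tunnel is up or down. Assumed values (placeholders, adjust to your layout):
#   VPN_IF     tunnel interface, tun0 as in the firewall.user snippet
#   VPN_NET    subnet routed through the VPN (the thread's vlan20)
#   LOCAL_NETS destinations VPN_NET may reach directly (lan, vlan10)
# forwarding_rule is the user hook in the OpenWrt 18.06/19.07 FORWARD chain
# that the original snippet also used.

VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-192.168.20.0/24}
LOCAL_NETS=${LOCAL_NETS:-"192.168.1.0/24 192.168.10.0/24"}
CHAIN=forwarding_rule

# Rule specifications in chain order (first match wins): local destinations
# RETURN to the zone rules, so inter-VLAN allowances such as ports 80/443 to
# vlan10 still apply; anything else from VPN_NET not leaving via the tunnel
# is rejected. Reply traffic from the Internet has a different source and is
# never matched.
killswitch_rules() {
    for net in $LOCAL_NETS; do
        printf '%s\n' "-s $VPN_NET -d $net -j RETURN"
    done
    printf '%s\n' "-s $VPN_NET ! -o $VPN_IF -j REJECT"
}

# Print the iptables invocations for "insert" (default) or "delete". Inserts
# are guarded by -C so the script can run on every firewall reload without
# duplicating rules; -A keeps the order emitted above.
killswitch_cmds() {
    action=${1:-insert}
    case $action in
        insert|delete) ;;
        *) echo "usage: killswitch_cmds insert|delete" >&2; return 1 ;;
    esac
    killswitch_rules | while IFS= read -r rule; do
        if [ "$action" = insert ]; then
            printf 'iptables -C %s %s 2>/dev/null || iptables -A %s %s\n' \
                "$CHAIN" "$rule" "$CHAIN" "$rule"
        else
            printf 'iptables -D %s %s 2>/dev/null\n' "$CHAIN" "$rule"
        fi
    done
}

# Execute the commands. Only runs when invoked as a script with an argument,
# so sourcing the file (or running it with "show") changes nothing.
case ${1:-} in
    show)   killswitch_cmds insert ;;
    apply)  killswitch_cmds insert | sh -e ;;
    remove) killswitch_cmds delete | sh ;;
esac
```

Run it with `show` first to inspect the generated rules, then call it with `apply` from /etc/firewall.user so it is re-applied on every firewall reload. It assumes the whole of VPN_NET is tunnelled: a per-port bypass from that subnet would be rejected, which is the intended fail-closed behaviour, so put bypassed clients in one of the LOCAL_NETS instead. If IPv6 is enabled on the VPN subnet, the same rules are needed in ip6tables, otherwise v6 traffic leaks around the switch.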

For those still struggling with Netflix, Amazon, etc., I've found (other than bypassing all known domain names utilized, using vpnbypass) that bypassing your VPN service's DNS (which you may have entered as the WAN 'Use custom DNS servers') definitely helps.

Under DHCP and DNS in LuCI, you can use "DNS forwardings" to supply, say, a Google DNS for specific domain requests (like Amazon, Netflix, etc.).

Just a heads up. I've got my system setup pretty dang reliably between the two. Rarely do I encounter an issue.
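The "DNS forwardings" field in LuCI maps to dnsmasq's `server=/domain/ip` option, stored as list entries of the `server` option in the dnsmasq section of /etc/config/dhcp. The script below is an added example (not the poster's configuration or part of vpnbypass) that generates those entries from a domain list, with input checking and de-duplication, so the per-domain forwarding can be kept in a file and re-applied. The resolver 8.8.8.8 and the domain names are placeholders, and it assumes dnsmasq is the first instance (dhcp.@dnsmasq[0]).

```shell
#!/bin/sh
# Added example, not from the thread or the vpnbypass package: generate the
# dnsmasq per-domain forwardings described above as uci commands, so that
# queries for the listed domains go to a resolver outside the VPN while all
# other queries keep their current upstream. Assumptions: dnsmasq is the
# first instance in /etc/config/dhcp (dhcp.@dnsmasq[0]); the resolver and
# domain list are placeholders to replace.

RESOLVER=${RESOLVER:-8.8.8.8}
DOMAINS=${DOMAINS:-"netflix.com nflxvideo.net amazon.com amazonvideo.com"}

# Accept a plain registrable domain only: dnsmasq's server=/domain/ip form
# already matches every subdomain, and a stray "/" or "#" would change the
# meaning of the generated option.
valid_domain() {
    case $1 in
        ''|*/*|*'#'*|.*|*.) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the dnsmasq directives, one per line, lower-cased, skipping invalid
# and duplicate entries.
dns_forwardings() {
    seen=" "
    for d in $DOMAINS; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        valid_domain "$d" || { echo "skipping invalid domain: $d" >&2; continue; }
        case $seen in *" $d "*) continue ;; esac
        seen="$seen$d "
        printf 'server=/%s/%s\n' "$d" "$RESOLVER"
    done
}

# Turn the directives into uci commands; these add list entries to the
# dnsmasq section's "server" option, which LuCI shows as "DNS forwardings".
uci_cmds() {
    dns_forwardings | while IFS= read -r line; do
        printf "uci add_list dhcp.@dnsmasq[0].server='%s'\n" "$line"
    done
    printf '%s\n' 'uci commit dhcp' '/etc/init.d/dnsmasq restart'
}

case ${1:-} in
    show)  uci_cmds ;;
    apply) uci_cmds | sh -e ;;
esac
```

`show` prints the commands for review; `apply` runs them. Note that `add_list` appends, so clear the existing list (`uci delete dhcp.@dnsmasq[0].server`) before re-applying a changed domain set, and keep in mind that the router's own query to the chosen resolver still follows the router's routing policy, so it must itself be allowed to leave outside the tunnel for the forwarding to have the intended effect.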

Hi guys!
So after setting up my VPN connection on OpenWrt (thanks to stangri) I moved on to setting up split tunneling (vpnbypass). I installed all the dependencies listed in the readme file (except dnsmasq-full, which somehow does not work correctly on my router) and the LuCI interface plugin. Now I can set up the ports I want to offload from the VPN; however, if I try to start the service I get this message:

404 Not Found

Sorry, the object you requested was not found.

Unable to dispatch: /cgi-bin/luci/admin/services/vpnbypass

I tried to start the service via the CLI and that seems to return no error, but the service is not listed as running anyway. Any idea what I should do?
Thanks!

What version of OpenWrt are you running?

It was the latest snapshot for the Xiaomi R3P, but never mind, the build was too unstable for daily use, so I had to revert to stock.

Thanks anyway =)

Thanks, submitted PR with the fix.

No problems, thanks for the amazing support.

Hey Stangri, your package is exactly what I'm looking for. Please forgive me, I've only just started with OpenWrt and this is my first post.

I'm running a Netgear Nighthawk X4S R7800 on OpenWrt 19.07-SNAPSHOT r10575-28d3afc8d6 / LuCI openwrt-19.07 branch (git-19.272.21960-7a7a56a) by hnyman. I've managed to get the OpenVPN connection going and installed VPNbypass and all the dependencies mentioned in your readme.

When in the WebUI I click on Enable/Start nothing happens. If I click Save & Apply I get the following error:

Failed to execute cbi dispatcher target for entry '/admin/services/vpnbypass'.
The called action terminated with an exception:
/usr/lib/lua/luci/model/cbi/vpnbypass.lua:79: attempt to call field 'restart' (a nil value)
stack traceback:
	/usr/lib/lua/luci/model/cbi/vpnbypass.lua:79: in function '?'
	/usr/lib/lua/luci/cbi.lua:226: in function '_run_hooks'
	/usr/lib/lua/luci/cbi.lua:403: in function 'parse'
	/usr/lib/lua/luci/dispatcher.lua:881: in function </usr/lib/lua/luci/dispatcher.lua:860

What am I doing wrong?

Welcome to the community.

This is not an expected behaviour. I'll have to look into it.

Yeah, this is a bug. I have a fix ready, but I need to look into the other issue before I can submit the fix to the official repo.

As an update, the service does actually work. The button just doesn't change.

Implemented better service controls as in my other packages, PRs sent.

If you're on 18.06.x, you may want to install updated luci app from my repo, as I'm not sure that the feature (not a bugfix) will be accepted into 18.06.x now.

Same issue with the button on the 19.07 snapshot.

What's the version of luci-app-vpnbypass?

luci: git-19.294.25164-3fe525d-11
Core: 1.3.1-4

There's better buttons control in version -12. Please try that.