VPN Bypass (split tunneling) Service + Luci UI

Where can I download that version?

Found it... Sorry... After I try

I'm not able to edit my previous post, so: with version 12, the status is correct and the button is better.

Do you know when version 12 will be available in the official repo?

Thanks

PRs were merged recently: master, 18.06, 19.07, so it should be available shortly.

stangri

Sir, how do I fix this error? I'm using a GL-AR150.

Mon Nov 4 09:28:11 2019 daemon.err modprobe: xt_set is already loaded
Mon Nov 4 09:28:12 2019 daemon.err modprobe: ip_set is already loaded
Mon Nov 4 09:28:12 2019 daemon.err modprobe: ip_set_hash_ip is already loaded

It's not an error per se, you can ignore these entries in the system log.

thanks sir.

Hi @stangri

Thanks for your work on your vpnbypass package. I've recently switched from DD-WRT, where I was using a similar setup with dnsmasq, ipset, fwmark and iptables to mark traffic to bypass the VPN/create DNS-based bypass rules. I like that on OpenWrt you can just use opkg to extend the features required and, even better, you created a GUI in LuCI for this to make it a bit more manageable.

Because I'm currently in the tinkering phase and getting comfortable with OpenWrt, I've noticed that depending on the changes made to the router, e.g. interfaces or high routing stuff, the VPN bypass setup seems to stop working. The ipset ruleset "vpnbypass" still seems to be present, but I believe either the fwmark/iptables rules may get nuked, say if the network service is restarted or the firewall is restarted. Even when doing a /etc/init.d/vpnbypass restart to apply them again, I noticed all my traffic was going through the VPN, even if an IP of a domain, e.g. ifconfig.me, was in the ruleset. Rebooting the router entirely brings things back to normal. This might suggest the traffic marking rules were lost.

I'm looking at ensuring that the vpnbypass fwmark and iptables rules are persistent and more resistant to such changes. Would there be ways of accomplishing this? I've been reading some docs, and Hotplug might be the answer to hook into various events with scripts.

https://openwrt.org/docs/guide-user/base-system/hotplug

Thanks in advance for your thoughts on this!

Edit: Looking at your VPN Policy routing package, it may be better to use that instead for "enforcement" purposes and more control.

I haven't encountered anything like that. If you ever go back to vpnbypass from VPR, let me know and I'll send you some diagnostics to run if that ever happens again.

Thanks for your reply. At a guess, I'm going to assume it was the fwmark or routing table changes that got wiped out somehow, given the ipset ruleset vpnbypass was still present and populated, and the mangle table had the bypass rules present also. I will probably use your VPR implementation going forward because of the more extensive control, but maybe someone else might have experienced the same problem.

Hi stangri,
I installed the vpnbypass package and it seems to be installed correctly.

The problem I have is that I get a TLS handshake error when attempting to open a website.

I've added a vlan (192.168.10.1/24) to bypass the vpn tunnel. I'm able to ping but pages won't open, stuck on TLS handshake.

Also running dnscrypt-proxy. Could that be causing problems?

/etc/config/vpnbypass

config vpnbypass 'config'
	option enabled '1'
	list localsubnet '192.168.10.1/24'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list address '/router.linksys/192.168.5.1'
	option resolvfile '/etc/resolv-crypt.conf'
	option allservers '0'
	list server '127.0.0.1#5353'
	list server '/pool.ntp.org/8.8.8.8'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'DROP'

config zone 'gst'
	option output 'ACCEPT'
	option network 'guest'
	option name 'gst'
	option input 'DROP'
	option forward 'DROP'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option network 'wan wan6'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option input 'DROP'
	option forward 'DROP'
	option network 'ovpn'
	option masq '1'
	option mtu_fix '1'

config rule 'gst_dhcp'
	option name 'gst-DHCP'
	option src 'gst'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'gst_dns'
	option name 'gst-DNS'
	option src 'gst'
	option target 'ACCEPT'
	option proto 'tcpudp'
	option dest_port '53'

config forwarding
	option dest 'wan'
	option src 'gst'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

I'd remove that or try vpn-policy-routing which has better support for VLANs.

So today I discovered luci-app-vpnbypass was not working, Netflix (and other domains defined in /etc/config/dhcp) traffic is being sent over the Wireguard VPN.

I reinstalled luci-app-vpnbypass just to be sure. I do have dnsmasq-full + ipset installed and the appropriate domain entries in /etc/dhcp.

As expected I get a LAN IP from my Wireguard server and it shows up under Status --> Overview for wan.
DHCP config and vpnbypass restart logs - https://git.io/Je6lX

How do I troubleshoot this?

See if ipset save shows the vpnbypass ipset being filled with resolved IPs.

Getting Netflix to work reliably may require you set vpnbypass for your streaming device's IP.
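The check suggested above (whether the vpnbypass ipset is actually being filled with resolved IPs), together with the earlier report of marking rules apparently disappearing after a network or firewall restart, can be scripted. The following is an added example, not code from the thread or from the vpnbypass package: it parses `ipset save` and `iptables-save -t mangle` output and reports the first missing piece. The sample outputs embedded below are constructed (TEST-NET addresses, an illustrative mark value), so the script runs offline; on a router, pass `--live` to run it against the real tools.

```shell
#!/bin/sh
# Added example: offline diagnostics for a DNS-driven ipset bypass.
# Assumptions: the set is named "vpnbypass" and the marking rule lives in
# the mangle table and matches with "-m set --match-set vpnbypass dst".

# Constructed sample of "ipset save" output (not captured from a real router).
IPSET_SAMPLE='create vpnbypass hash:net family inet hashsize 1024 maxelem 65536
add vpnbypass 203.0.113.10
add vpnbypass 203.0.113.11
add vpnbypass 198.51.100.7'

# Constructed sample of "iptables-save -t mangle" output; the mark value is
# illustrative, not the package's actual fwmark.
MANGLE_SAMPLE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT'

# True if a "create <set>" line is present in "ipset save" output on stdin.
ipset_exists() {
  grep -q "^create $1 "
}

# Number of "add <set> ..." entries in "ipset save" output on stdin.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 on stdout.
count_ipset_members() {
  grep -c "^add $1 " || true
}

# Number of mangle rules that match against the set (iptables-save on stdin).
count_mark_rules() {
  grep -c -- "--match-set $1 " || true
}

# Combine the three checks and name the first thing that is wrong.
# Arguments: <ipset save output> <iptables-save -t mangle output> <set name>
diagnose() {
  ipset_out="$1"; mangle_out="$2"; set_name="$3"
  if ! printf '%s\n' "$ipset_out" | ipset_exists "$set_name"; then
    echo "set missing"; return 0
  fi
  if [ "$(printf '%s\n' "$ipset_out" | count_ipset_members "$set_name")" -eq 0 ]; then
    echo "set empty (dnsmasq is not adding resolved IPs)"; return 0
  fi
  if [ "$(printf '%s\n' "$mangle_out" | count_mark_rules "$set_name")" -eq 0 ]; then
    echo "no mark rule (rules lost after firewall/network restart)"; return 0
  fi
  echo "ok"
}

# On a router, run against the live tools; offline, run against the samples.
if [ "${1:-}" = "--live" ]; then
  diagnose "$(ipset save)" "$(iptables-save -t mangle)" vpnbypass
else
  diagnose "$IPSET_SAMPLE" "$MANGLE_SAMPLE" vpnbypass
fi
```

If the result is "set empty", the problem is on the DNS side (clients resolving through a server that does not feed the ipset, or dnsmasq without ipset support); "no mark rule" points at the firewall reload having dropped the rule, which is the restart symptom described earlier in the thread.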

Yes, the vpnbypass ipset is created and filled with resolved IPs and the DNS server IPs too.

I added the phones and notebooks to Local IP Addresses to Bypass too, but the phones/PCs still can't play Netflix, as it detects the VPN IP and thinks it's a proxy.

I'd try disabling dnscrypt then. If routing is fixed, it's probably DNS servers which are throwing Netflix off.

I'm not running DNScrypt, it was banIP that created the Firehol ipsets.

What are these changes then?

Those changes were added when dnscrypt proxy was added.

Tried 'vpn-policy-routing' and the same issue is happening. Stuck on TLS handshake when attempting to open a webpage.

I'd clean up everything DNS-resolution related and restore those settings to defaults, then set the DNS servers through the dhcp.dnsmasq[0] setting and try again.

You have way too many changed settings for me to even try to make sense of your setup.

Hi,
I have installed VPN bypass and it works fine adding domains. But how can I include a subdomain? For example, VPN bypass does not bypass www.showmyipaddress.eu by adding /showmyipaddress.eu/vpnbypass. I guess it is because it is a subdomain (www).
This is just an example. I am trying to add all subdomains of amazonaws.com, but it does not work. I tried:
/.showmyipaddress.eu/vpnbypass
And
/*.showmyipaddress.eu/vpnbypass

It still displays my VPN IP address. I am sure that dnsmasq-full is installed, because when I add /whatismyipaddress.com/vpnbypass, it works without problem.
Can anyone help me solve my issue?
Thank you