VPN Policy-Based Routing + Web UI -- Discussion


@Kherby Yes I know that you want it working inside VPR, that's what I'd like to have too.
But just in case you missed my point: you can just leave the firewall rule there that I added, no need to remove it or anything. If VPR works the firewall rule will do nothing. If VPR fails to route the VPN traffic of certain clients through the VPN interface, the clients will not be able to have internet through the WAN interface.

But of course you need fixed IP addresses for the VPN clients then - either set them as static on the clients or have fixed IPs for those clients in the DHCP server.


I'm now using your suggested Firewall rule with strict enforcement disabled and it's working very well!

config rule
	option name 'Killswitch'
	option src '*'
	option target 'DROP'
	option src_ip ''
	option proto 'all'
	option dest 'wan'

Thanks again! :slight_smile:
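As an added, combined example (not from the thread or the package's own docs): the point made earlier that the kill switch only works against fixed client addresses, shown as a static DHCP lease in /etc/config/dhcp pinning one VPN-only client, plus the same kill-switch rule with that address filled in. The host name, MAC address and the IP 192.168.1.50 are assumptions.

```uci
# /etc/config/dhcp -- assumed static lease so the client's address never changes
config host
	option name 'appletv'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

# /etc/config/firewall -- kill switch for that client only:
# drop anything from 192.168.1.50 that would be forwarded out of the wan zone.
# While VPR routes the client through the VPN the rule never matches;
# if VPR stops working the client loses internet instead of leaking via WAN.
config rule
	option name 'Killswitch-appletv'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'DROP'
```

After `/etc/init.d/firewall reload`, stopping the VPN interface and trying to browse from the pinned client is the quick check: it should fail rather than silently fall back to the WAN.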


I can only select WAN interface in the Policy section but my WAN is actually called WWAN as I am using one of my wireless adapters as a client to connect to my main router downstairs. How can I get this to work with my config?

I'm using WireGuard as my VPN, I have some wired clients and some other wireless clients that connect to the 2.4GHz radio. My 5GHz radio is in client mode to the other router. All works well but I cannot access Netflix from my VPN protected devices which is why I wanted to use your package. :slight_smile:

Thanks in advance...


You should be able to add your WWAN interface at the advanced settings tab or via config file...

LuCI: Services > VPN Policy Routing > Advanced > Supported Interfaces
Config (/etc/config/vpn-policy-routing): add list supported_interface 'wwan' under config vpn-policy-routing 'config'


@stangri Just compiled from trunk; luci vpn policy routing is missing from luci applications in make menuconfig, does this need an update?

Edit: never-mind, was an issue on my end :slight_smile:


I have this setup as follows:

LAN ( -> over vpn
Guest ( - > no vpn (direct to wan)

It's working great, the only problem is that I have a hosted web service on which needs to be accessible from my public (non-VPN) IP address

I have a port forwarding rule set up in OpenWrt to forward all traffic on 443 to

When VPN policy based routing is disabled, I can access the webservice, but when I enable it, my port forwarding rules stop working

Is there something additional I need to do to allow INCOMING traffic to the subnet outside of the VPN tunnel - i.e. via my public IP address, but continue to route traffic originating OUT from my network to the VPN?



I have been trying to use VPR to get some devices on my network to bypass my VPN (specifically a set-top box and a Chromecast). It does work for the most part.

The set-top box provides TV via a digital aerial and also has apps for Amazon Prime Video, Netflix, BBC iPlayer etc. all of which are prevented from working due to my VPN. If I try to play something on Amazon Video with VPR disabled it rightly complains of me using a VPN and won't play. If I enable VPR it then plays which suggests to me that VPR is working as it should. I even used the built-in web browser to check my IP address at ipaddress.net and it sees my IP address not the VPN's one.

The problem is Netflix.

When I disable VPR I can run the Netflix app and browse the library fine but when I play something it detects the VPN and won't play (as expected). However when I enable VPR the app complains that it can't connect to the Netflix servers but it can connect to the internet. Strangely I can play stuff on Netflix on my PC which doesn't bypass the VPN. I can also play stuff with the Netflix app on my Android phone but I cannot cast it to my Chromecast.

For some reason, unlike BBC iPlayer or Amazon Video, Netflix seems inconsistent, but I can't seem to figure out why.

Has anyone encountered this before?



I have successfully created a VPN setup for myself on the router. I can use the VPN connection and it also changes the WAN IP. Then I put route-nopull into the VPN config so I can selectively choose what sites go through the VPN. But it doesn't work for me. I think I have followed everything as it was written and entered the required websites into the LuCI config, but those sites still route through my normal WAN connection. They don't get routed through the VPN even though I have put the config in VPN Policy Routing. Can someone help me fix it? If you need any config to see, I'll be happy to provide it.


It would be really good if there were some expanded how-tos and recipes for configuring OpenWrt with these packages (I realise that you can't put everything into a readme). This topic is really too long for every new user to read (I have read all of this topic and the preceding topic, but my brain went numb somewhere along the way). Is there a wiki for these packages? Maybe I missed it.

What I want to do (and several others have previously asked with varying answers and degrees of success) is to set up a router with a VPN client where the wan remains the default route, but selected clients or subnets (and perhaps destinations) are routed through the VPN. I would prefer that the VPN route use the routing data pushed by the VPN server. I have tried a couple of times, but end up locking myself out of the router.

Even better would be if someone would write a complete how-to for setting up a router with 2 radio interfaces, one defaulting to WAN routing and the other defaulting to VPN, with the ability to add routing exceptions as required.


Any luck with this? I have subscribed to Windscribe as well and would basically like only my Apple TV routed through Windscribe.


Is it possible that apps installed on the router, like i2pd and Tor, will not use the VPN tunnel but the rest of the LAN will use the VPN?
Do you know how to do this?



An option to load domains from file would be nice to have. For example in countries with state-wide censorship.
But there is also a concern about how will dnsmasq/iptables/ipsets behave when loaded with thousands of domains/ips. :thinking:


Hi guys, according to the readme, by using dnsmasq-full I can use wildcard domain names (or top level domain names, i.e. *.domain.com). What I have found is, if I add a domain name that does not have an A record but does have A records at the 3rd level only, I get an error on start. Wondering if anyone has a solution to this. Seems to me what happens is when I add a domain, it does an nslookup, grabs all the IP addresses, then adds them to iptables.

error I get:

ERROR: ipt -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x020000/0xff0000 -s -d nflximg.net

(where nflximg.net doesn't resolve, but there are 10 or so subdomains that do resolve)

What I am trying to achieve is to route all Netflix traffic through my VPN tunnel, and route all other traffic through the WAN. The purpose of this is I want to get USA Netflix at the same time as being able to use a local streaming TV service that also uses geo-blocking. As part of the universe's plan to make my life difficult, my local TV streaming service also uses AWS for content hosting, so trying to whitelist the entire AWS AS does not help me. (Adding just netflix.com does not let me see the USA content.) I could list all the domains one by one, but some of them look dynamic, e.g. netflix-990.vo.llnwd.net

These are the list of top level domains I believe I need:
llnwd.net nflximg.com nflxvideo.net netflix.com nflxext.com nflxso.net btstatic.com

Any suggestions on how to do a clean solution of adding all the TLDs only?



Never mind, I re-read the manual carefully: "Policies with only remote IP address or a domain name are created as dnsmasq's ipset or an ipset (if enabled)."

Removed the source subnet and left only the destination TLDs, and it created correctly as an ipset rather than trying to resolve the domains.
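Two earlier questions in this thread, loading a long domain list from a file and covering a whole parent domain (including dynamic subdomains) without listing each host, come down to the same mechanism the manual quote above describes: a destination-only domain policy ends up as a dnsmasq `ipset=/domain/.../setname` directive, which fills the set as names are resolved, rather than an iptables `-d domain` rule, which resolves the domain once at insert time and fails when the parent has no A record. The script below is an added example, not code from the VPN Policy Routing package: it turns a domain list file into dnsmasq ipset lines and mirrors dnsmasq's parent-matches-all-subdomains rule so you can check which queried names a list would catch. The sample file contents, the ipset name `vpr_vpn` and the per-line chunking value are assumptions.

```python
"""Generate dnsmasq ipset directives from a domain list and check domain matching (added example)."""
from typing import Iterable, List

# Constructed sample input: the Netflix-related parent domains from this thread,
# in the form they would be read from a file (comments, blank lines and '*.' allowed).
SAMPLE_DOMAIN_FILE = """\
# Netflix and its CDNs (constructed sample list)
*.llnwd.net
nflximg.com
nflxvideo.net
netflix.com
NFLXEXT.COM
nflxso.net
btstatic.com

nflximg.net   # parent has no A record itself; only its subdomains resolve
"""


def parse_domain_list(text: str) -> List[str]:
    """Normalise a domain list: drop comments and blank lines, strip a leading '*.',
    lowercase, drop a trailing dot, and de-duplicate while keeping file order."""
    seen = set()
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("*."):
            line = line[2:]          # dnsmasq already matches subdomains; '*.' adds nothing
        line = line.rstrip(".")
        if line and line not in seen:
            seen.add(line)
            out.append(line)
    return out


def dnsmasq_ipset_lines(domains: Iterable[str], setname: str, per_line: int = 4) -> List[str]:
    """Emit 'ipset=/d1/d2/.../setname' lines for dnsmasq-full.
    Chunking keeps each line short when the list has thousands of entries;
    dnsmasq treats several lines with the same set name as one list."""
    items = list(domains)
    return [
        "ipset=/" + "/".join(items[i:i + per_line]) + "/" + setname
        for i in range(0, len(items), per_line)
    ]


def dnsmasq_matches(domains: Iterable[str], queried_name: str) -> bool:
    """Mirror dnsmasq's domain matching: an entry matches the name itself and every
    label-aligned subdomain, so 'llnwd.net' catches 'netflix-990.vo.llnwd.net'
    but not the unrelated 'evil-llnwd.net'."""
    q = queried_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


if __name__ == "__main__":
    domains = parse_domain_list(SAMPLE_DOMAIN_FILE)
    # Assumed set name; write these lines into a file under /etc/dnsmasq.d/ or the
    # equivalent dnsmasq config location and point the ipset-based policy at the set.
    for line in dnsmasq_ipset_lines(domains, "vpr_vpn"):
        print(line)
    for name in ("netflix-990.vo.llnwd.net", "art-s.nflximg.net", "evil-llnwd.net"):
        print(name, "->", "matched" if dnsmasq_matches(domains, name) else "not matched")
```

Because the set is populated from DNS answers seen by dnsmasq, clients must use the router as their resolver for this to work; a device with its own hard-coded DNS servers will never populate the set and will not be routed by a domain-based policy.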