OpenWrt Forum Archive

Topic: VPN Bypass (split tunneling) Service + Web UI

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This thread is no longer monitored. Please ask any questions at https://forum.lede-project.org/t/vpn-by … i-ui/1106.


This was created out of necessity -- my internet traffic is routed thru VPN tunnel (my router is VPN client) and I needed split tunnelling to route some traffic outside of the VPN tunnel.

Started with connections to a local Plex Media Server, then I wanted to access some domains and IP ranges outside of the VPN tunnel, and then I wanted some local network IPs/ranges to access the internet outside of the VPN tunnel. All of that is supported in the service.

For more details/information, check out the README.

If you're using trunk/master/snapshot images, these packages are in the official repo. Otherwise, you can install them from my own repo.

NOTES:
1. Domains have to be defined in dhcp config, not in the vpnbypass config.
2. More discussion on this is happening on LEDE forum, please check (and maybe post) there: https://forum.lede-project.org/t/vpn-by … i-ui/1106.

(Last edited by stangri on 10 May 2017, 05:15)

When I use opkg install "github URL, can't paste URLs"

I get the following

Collected errors:
* wfopen: "github URL " No such file or directory.
* pkg_init_from_file: Failed to extract control file from "github URL "

If I download them and ssh them onto my router I get

check_data_file_clashes: Package ip-full wants to install file /usr/sbin/ip
    But that file is already provided by package  * ip
* opkg_install_cmd: Cannot install package vpnbypass.

I think you also missed out config_get domains 'config' 'domain'

The domains are not being looped.

marwan wrote:

When I use opkg install "github URL, can't paste URLs"
I get the following
Collected errors:
* wfopen: "github URL " No such file or directory.
* pkg_init_from_file: Failed to extract control file from "github URL "

I don't think opkg supports installing from URL.

marwan wrote:

If I download them and ssh them onto my router I get
check_data_file_clashes: Package ip-full wants to install file /usr/sbin/ip
    But that file is already provided by package  * ip
* opkg_install_cmd: Cannot install package vpnbypass.

Requirements are listed on github and ip-full is one of them. Try:

opkg update; opkg remove ip; opkg install ip-full;

Please post if it works for you on OpenWrt, I've compiled the package using LEDE SDK, not sure if it would install on OpenWrt properly.


marwan wrote:

I think you also missed out config_get domains 'config' 'domain'

The domains are not being looped.

Did you read the original post?

stangri wrote:

NOTES:
2. At least for now, domains have to be defined in dhcp config, not in the vpnbypass config.

Sorry, I did read the original post and forgot that. On the original post (where I asked for help) I have added a script I use for domains; sorry, I got engrossed in the script and forgot the post after reading it.

Was going to have a stab at writing firewall rules but this package sounds like I can bypass that, thanks for writing and sharing it.

Installing on Chaos Calmer with the packages you've kindly provided works fine...

opkg remove dnsmasq ip; opkg install ip-full ipset iptables dnsmasq-full
cd /tmp
wget https://github.com/stangri/Files/raw/master/vpnbypass_1.0.0-5_all.ipk
wget https://github.com/stangri/Files/raw/master/luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
opkg install vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk
rm vpnbypass_1.0.0-5_all.ipk luci-app-vpnbypass_git-17.027.48745-f546166-1_all.ipk

Process starts on install and Luci interface is available after logging out and back in.

Not had a chance to test it yet though but will report back when I have.

(Last edited by slack---line on 28 Jan 2017, 17:36)

The 1.0.0-5 is slightly ahead of what's available in OpenWrt/LEDE feed, I've introduced a "reverse local subnet" option -- it's for testing by people who only want a single IP/subnet to go thru VPN and *everything else* outside of VPN tunnel.

(Last edited by stangri on 28 Jan 2017, 18:24)

Up early so have had an opportunity to test this as no one else is using the network.

Added my phone's IP address on my local network to "Local IP Subnets to Bypass" and, to check whether its traffic was routed through the VPN (which I'd started) or bypassed it as it should, pointed the phone's browser to https://www.whatismyip.com/.

Unfortunately I get the IP address of my VPN exit node on the phone (and all other devices), so it looks like my traffic isn't bypassed with the current (simple) configuration of...

# cat /etc/config/vpnbypass 

config vpnbypass 'config'
    option enabled '1'
    list localsubnet '192.168.1.32'

The IP address is definitely that assigned to my phone, triple checked ;-)

I might try the Domain bypass approach as that is what I ultimately wish to do: route traffic for Netflix/iPlayer/4OD outside the VPN so I can use the services (which are geo-restricted). I don't see anything in the system logs; would anything show up there? Where would 'ip', which based on my reading of the init script is doing all the work setting things up, log things (if at all)?


One thought, that might be causing problems after reading the init script is that I'm currently configuring OpenVPN outside of UCI using a custom /etc/openvpn/MyVPN.ovpn file that UCI is pointed at...

config openvpn 'SlickVPN'
    option config '/etc/openvpn/MyVPN.ovpn'
    option log '/var/log/openvpn.log'
    option enabled '1'

Would this prevent vpnbypass from obtaining key parameters?  Reading the init script I think these lines are obtaining configuration settings from UCI...

    config_get lports   'config' 'localport'
    config_get rports   'config' 'remoteport'
    config_get routes   'config' 'remotesubnet'
    config_get ranges   'config' 'localsubnet'
    config_get domains 'config' 'domain'

...which suggests I'll have to translate my /etc/openvpn/MyVPN.ovpn to be defined in UCI within /etc/config/openvpn .

(Last edited by slack---line on 2 Feb 2017, 07:47)

I definitely need to do a better readme and I'll get to it soon, but subnet != IP.

For a single IP you can use IP/32 (192.168.1.101/32). For the range, use online netmask calculators (or this: https://kthx.at/subnetmask/) but with /30 you get 4 IPs in the range, with /29 you'll get 8 and so on.

So, please try list localsubnet '192.168.1.32/32'

No, nothing should come up in the logs, if you wish to check vpnbypass rules took, you can run iptables-save | grep "vpnbypass" and you should see the iptables rules corresponding to the vpnbypass settings.

However you run openvpn (from uci, from a conf linked from uci or from an ovpn file) should not affect vpnbypass. The code you quoted has to do with the vpnbypass settings (which you set thru the Services/VPN Bypass), not the openvpn settings.

Good luck!

(Last edited by stangri on 2 Feb 2017, 13:58)

There's no reason I couldn't check if the user just put an IP into configs instead of subnet and add the missing "/32"! I'll get it implemented in 1.0.0-7 build.

I don't think that was the reason for the issue, the reload on uci changes was not properly implemented. Try the 1.0.0-7 build.

(Last edited by stangri on 2 Feb 2017, 14:26)
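As an added example (not code from the vpnbypass package or its init script), a POSIX shell sketch of the normalization described in the two posts above: a bare address such as 192.168.1.32 becomes 192.168.1.32/32, an existing prefix is validated, and the /30 -> 4, /29 -> 8 address count is computed. The function names and the sample list are constructed for illustration.

```shell
# Added example, not code from the vpnbypass package: normalize a
# 'list localsubnet' entry before it is handed to ip/iptables, so a
# bare address such as 192.168.1.32 becomes 192.168.1.32/32.

# Succeed only if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    local old_ifs="$IFS" octet
    case "$1" in *[!0-9.]*) return 1 ;; esac   # digits and dots only
    IFS=.
    set -- $1                                  # split into octets
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print $1 in CIDR form: append /32 to a bare address, keep a valid
# /0-/32 prefix, fail on anything else (hostnames, bad octets, /33).
normalize_subnet() {
    local addr="${1%%/*}" prefix=32
    case "$1" in */*) prefix="${1#*/}" ;; esac
    is_ipv4 "$addr" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    printf '%s/%s\n' "$addr" "$prefix"
}

# Addresses covered by a /N prefix: /32 -> 1, /30 -> 4, /29 -> 8.
prefix_size() {
    echo $((1 << (32 - $1)))
}

# Walk a space-separated list, which is what config_get returns for a
# UCI 'list' option, and report what would be passed on or skipped.
normalize_list() {
    local entry cidr
    for entry in $1; do
        if cidr=$(normalize_subnet "$entry"); then
            echo "ok   $cidr ($(prefix_size "${cidr#*/}") addresses)"
        else
            echo "skip $entry: not an IPv4 address or subnet" >&2
        fi
    done
}

# Constructed sample input, including the phone address from the thread.
normalize_list "192.168.1.32 192.168.1.0/24 10.0.0.0/8 192.168.1.999 plex.local"
```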

Thanks for the advice and update, will try out the 1.0.0-7 build, see how I go and feedback.

Cheers.

stangri wrote:

This was created out of necessity -- my internet traffic is routed thru VPN tunnel (my router is VPN client) and I needed split tunnelling to route some traffic outside of the VPN tunnel.

Started with connections to a local Plex Media Server, then I wanted to access some domains and IP ranges outside of the VPN tunnel, and then I wanted some local network IPs/ranges to access the internet outside of the VPN tunnel. All of that is supported in the service.

Whoohoo, now in official OpenWrt/LEDE feed!
vpnbypass: https://github.com/openwrt/packages/tre … pass/files
luci-app-vpnbypass: https://github.com/openwrt/luci/tree/ma … -vpnbypass

Until the packages are automatically built for repo, you can grab them here: https://github.com/stangri/Files

NOTES:
1. At least for now, domains have to be defined in dhcp config, not in the vpnbypass config.
2. Any feedback on functionality or the code or any suggestions are always welcome.
3. More discussion on this is happening on LEDE forum, please check (and maybe post) there: https://forum.lede-project.org/t/vpn-by … i-ui/1106.

I am trying to do something similar, but I only want to forward DSCP 16 to tun0.
I looked at your script and it confirmed the method I should use, but I'm still a little wary of making this change myself.
Actually first, I would like to implement only pushing one host (by source IP) to the tun0. 

I guess there are two parts: some kind of mark, and a separate routing table.
I'm afraid my understanding of this is very hazy.
I actually have this working on a pi to split tunnel certain traffic based on user, but I am sort of apprehensive there's so much more going on on openwrt that I'm confused about how to make sure I am not stepping on other needed configurations. 

Would you mind giving me some pointers to do this manually?

thanks

This only allows routing traffic thru WAN instead of the OpenVPN tunnel (hence the name). If you want more control over what traffic goes to which tunnel/gateway, there's openvpn-policy-routing (and its luci app).

Hi there and sorry for the noobish question:
When I try to install vpnbypass on the current davidc LEDE build for the WRT1900ACS I get the following error:

Installing vpnbypass (1.3.0-1) to root...
Collected errors:
 * check_conflicts_for: The following packages conflict with vpnbypass:
 * check_conflicts_for:     dnsmasq * 
 * opkg_install_cmd: Cannot install package vpnbypass.

Do you know why these two would conflict?

And as a further question: Could I also bypass VPN traffic for a single IP/MAC address using a firewall traffic rule?

@kkowrt there used to be a dependency on dnsmasq-full, which does conflict with dnsmasq; I removed it a while ago. The current version is 1.3.0-5, please install that one (from my repo).

stangri wrote:

@kkowrt there used to be a dependency on dnsmasq-full, which does conflict with dnsmasq; I removed it a while ago. The current version is 1.3.0-5, please install that one (from my repo).

Thank you for the help. Now that I've looked at your repo, I'm inclined to go for openvpn-policy-routing instead. It looks very neat and I imagine it has superseded vpnbypass.

kkowrt wrote:
stangri wrote:

@kkowrt there used to be a dependency on dnsmasq-full, which does conflict with dnsmasq; I removed it a while ago. The current version is 1.3.0-5, please install that one (from my repo).

Thank you for the help. Now that I've looked at your repo, I'm inclined to go for openvpn-policy-routing instead. It looks very neat and I imagine it has superseded vpnbypass.

Yes, OPR does supersede VPN Bypass, but I figured there's a base of users for which vpnbypass might be a simpler solution.

Also a correction for an earlier statement -- while dnsmasq-full is not a dependency per se as it is not required for people who don't want domain-based policies, it's highly recommended if you do want to utilize domain-based policies. OPR README has more information.

(Last edited by stangri on 5 Apr 2017, 02:14)

stangri wrote:
kkowrt wrote:
stangri wrote:

@kkowrt there used to be a dependency on dnsmasq-full, which does conflict with dnsmasq; I removed it a while ago. The current version is 1.3.0-5, please install that one (from my repo).

Thank you for the help. Now that I've looked at your repo, I'm inclined to go for openvpn-policy-routing instead. It looks very neat and I imagine it has superseded vpnbypass.

Yes, OPR does supersede VPN Bypass, but I figured there's a base of users for which vpnbypass might be a simpler solution.

Also a correction for an earlier statement -- while dnsmasq-full is not a dependency per se as it is not required for people who don't want domain-based policies, it's highly recommended if you do want to utilize domain-based policies. OPR README has more information.

Thank you for your support. Indeed I installed policy-routing with just dnsmasq & then ran into a problem when I tried a domain rule (dnsmasq started crashing). However, I could fix this by removing the rule from the dnsmasq config.

Now I'm wondering: should I expect any troubles when upgrading from dnsmasq to dnsmasq-full? I would really like to use policy-routing in all its beauty.

I am also wondering how the DNS server is managed. Right now I've got a script which is run after a successful OpenVPN connect to put the VPN DNS server into resolv.conf.auto. (Because it is not done automatically by the OpenVPN client.)
If I were now to try multiple vpn tunnels (or just a rule for lan->wan, bypassing the vpn altogether) using policy routing I don't understand how these different dns servers would be managed using the resolv.conf.auto. Would you be able to shed some light into this?

Please excuse me if I'm hijacking your thread, I am still pretty new to OpenWRT/LEDE and I am trying to get my head wrapped around a few things. Thank you for your helpful answers!

EDIT: Just saw you've a different thread on here for policy-routing, will post there from now on. Or since I am using LEDE should I go over there?

(Last edited by kkowrt on 5 Apr 2017, 15:58)

If you have questions relevant to OPR, then please post in the OPR thread. You might get help from other users there as well. With a few very notable exceptions a lot of devs/gurus have migrated to LEDE forum as well.

PS. If you only have a handful of domain names and/or are not using dnsmasq for name resolution, OPR has built-in support for domain name-based policies.

Alright, thank you. I've moved to the lede policy routing thread now.

The discussion might have continued from here.