AR-750S, firmware 3.105 OpenVPN split tunneling (policy routing) setup

Hi All,
My goal is to maintain on the router a VPN tunnel to my VPN Provider (PIA). I only need this tunnel for certain sites; the rest of the traffic should bypass the tunnel.
I tried to use for this purpose the built-in VPN Policies feature, but unfortunately it is not usable for me. With the following settings:
Enable VPN Policy = On
Policy = Domain/IP
Rules = Only allow the following use VPN
Use VPN for = “some-vpnsite”
and the OpenVPN configuration file from my VPN provider, the VPN tunnel is successfully established. The traffic to “some-vpnsite” is indeed routed via the tunnel and the rest of the traffic bypasses the tunnel, but everything works extremely slowly. Whenever I try speedtest.net, the download test starts but never completes: I get a socket error.
Turning off VPN brings things back to normal speed. I have never been able to get the VPN Policies feature to work with normal speed: the same behavior exists in firmware 3.104 as well.

After I gave up on VPN Policies, I tried to configure selective VPN routing by means of the OpenVPN client configuration file. I do the following:

  1. Add “pull-filter ignore redirect-gateway” to the client configuration file. This prevents the openvpn client from adding the redirection rules to the routing table
  2. Add “route hostname default default”. This instructs the OpenVPN client to add a route to “hostname” via the established tunnel. The OpenVPN client should manage the hostname resolution and the adding/removing of rules on tunnel up/down on its own.

Unfortunately this approach still does not work because of the following:

  1. although the OpenVPN client does not add any redirecting rules, those rules seem to be added by the /etc/vpn.user script, which is run upon tunnel creation (see the ovpn_main() function)
  2. even if I comment out the rule adding in the vpn.user script, I only have access to the “vpnsite” routed via the tunnel. Access to all other sites remains blocked (presumably by firewall rules adjusted on tunnel creation). An attempt to traceroute to a “non-vpn” site gives the following:

Tracing route to google.com
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms [ar750s-router]
2 [ar750s-router] reports: Destination protocol unreachable.

Things get back to normal if I turn VPN off.

So my question is: is it possible to completely switch off the built-in VPN Policies and configure the router so that

  • it won’t add any redirect rules apart from those that are managed by openvpn client
  • the firewall won’t drop packets targeted to sites, for which VPN tunnel should not be used?

Or alternatively I would be glad to use the built-in VPN Policies feature if only its performance is fixed. (Though I doubt it is possible unless the implementation approach is completely changed)

Thank you in advance for any insights about these problems.
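The routing-table symptom described in the post above (redirect rules appearing even though the OpenVPN client was told to ignore redirect-gateway) can be checked mechanically. The following is an added example, not code from the thread or from GL.iNet: it inspects `ip route` output for the two def1 halves (0.0.0.0/1 and 128.0.0.0/1) or a default route on the tunnel interface, and confirms that only host routes go via the tunnel. The interface name tun0, the addresses and the two sample tables are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether a routing table dump
# reflects a split-tunnel setup: no full-tunnel redirect routes on the tunnel
# interface, and at least one host route (what `route hostname default default`
# adds) via the tunnel. Assumes the tunnel interface is tun0 (override via TUN_IF).
TUN_IF="${TUN_IF:-tun0}"

# Constructed sample of `ip route` output: correct split-tunnel state.
SPLIT_OK='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.5 via 10.8.0.1 dev tun0'

# Constructed sample where redirect-gateway def1 routes were added by some script.
SPLIT_BROKEN='default via 192.0.2.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.5 via 10.8.0.1 dev tun0'

# redirect_routes TABLE_TEXT: print every route that would pull all traffic
# into the tunnel (the def1 halves or a default route on the tunnel interface).
redirect_routes() {
    printf '%s\n' "$1" | awk -v tun="$TUN_IF" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" || $1 == "default") {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) print
        }'
}

# tunnel_host_routes TABLE_TEXT: print destinations of host routes (no prefix
# length, not "default") that go out via the tunnel interface.
tunnel_host_routes() {
    printf '%s\n' "$1" | awk -v tun="$TUN_IF" '
        $1 !~ /\// && $1 != "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == tun) print $1
        }'
}

# split_tunnel_ok TABLE_TEXT: succeeds only when no redirect route is present
# and at least one host route is carried by the tunnel.
split_tunnel_ok() {
    [ -z "$(redirect_routes "$1")" ] && [ -n "$(tunnel_host_routes "$1")" ]
}

# On the router itself the check would be run as: split_tunnel_ok "$(ip route)"
```

Run it on the router with `split_tunnel_ok "$(ip route)"` after the tunnel comes up; if `redirect_routes` prints anything, some hook outside the OpenVPN client (such as the vpn.user script mentioned above) has installed full-tunnel routes despite the pull-filter.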

vpn policy has bugs in 3.105.

Try

/etc/init.d/shortcut-fe stop
/etc/init.d/shortcut-fe disable 

Turn vpn on again.

Thanks a lot, alzhao!

This has worked for me. Disabling the shortcut-fe service makes policy routing work as I would expect it, and the Internet speed is back to normal: the speedtest runs flawlessly.

The only minor problem that still exists with this setup is that when VPN is Off but VPN Policies are On, dnsmasq internally still tries to resolve the domains mentioned in VPN Policies via the DNS servers from the VPN provider, so name resolution for these hosts might not work until I turn the VPN tunnel on. I see this in the log:

daemon.info dnsmasq[14892]: using nameserver vpn-dns-ip#53 for domain “vpn-policy-routing-domain”
daemon.info dnsmasq[14892]: using nameserver 127.0.0.1#53535

Currently, if I turn VPN off, I also have to turn off VPN policies because of this behavior.
I would expect these domains to be resolved according to router DNS settings if VPN tunnel is off.

Another question is what I have to sacrifice if the shortcut-fe service is disabled? Does it automatically mean that some (useful) functionality is also turned off?

Does this bug exist in the GL-MV1000W’s 3.105’s firmware?
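The dnsmasq symptom quoted above (policy domains pinned to the provider's nameserver while the tunnel is down) is easy to spot in the log. The following is an added example, not code from the thread or from GL.iNet: it parses dnsmasq "using nameserver ... for domain ..." lines and lists the domains that will fail to resolve while the tunnel is down. The log lines, the VPN DNS address 10.8.0.1 and the domain names are constructed assumptions; the tunnel state is passed in as a parameter so the functions run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Detects domains that dnsmasq has pinned
# to a nameserver that is only reachable through the VPN tunnel, which will not
# resolve while the tunnel is down. Log format follows the lines quoted in the
# thread; addresses and domains below are constructed, not real router output.

SAMPLE_LOG='daemon.info dnsmasq[14892]: using nameserver 10.8.0.1#53 for domain example-vpn-site.test
daemon.info dnsmasq[14892]: using nameserver 10.8.0.1#53 for domain other-vpn-site.test
daemon.info dnsmasq[14892]: using nameserver 127.0.0.1#53535'

# vpn_pinned_domains LOG_TEXT VPN_DNS: print each domain whose queries dnsmasq
# sends to VPN_DNS (port suffix after "#" is stripped before comparing).
vpn_pinned_domains() {
    printf '%s\n' "$1" | awk -v ns="$2" '
        /using nameserver/ && /for domain/ {
            server = ""; domain = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "nameserver") { split($(i+1), parts, "#"); server = parts[1] }
                if ($i == "domain") domain = $(i+1)
            }
            if (server == ns) print domain
        }'
}

# unresolvable_domains LOG_TEXT VPN_DNS TUNNEL_STATE: when TUNNEL_STATE is
# "down", print the pinned domains (they cannot be resolved); print nothing
# when the tunnel is up. On the router the state can be derived with
#   ip link show tun0 >/dev/null 2>&1 && state=up || state=down
unresolvable_domains() {
    [ "$3" = "down" ] || return 0
    vpn_pinned_domains "$1" "$2"
}
```

On the router, feed it the live log, e.g. `unresolvable_domains "$(logread | grep dnsmasq)" <vpn-dns-ip> down`; any domain it prints is one that the VPN Policies setup has tied to the provider's resolver and that will stay unresolvable until the tunnel is up or the policy is switched off.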

shortcut-fe improves the NAT speed during heavy use.

I see… So I guess the expected behavior is to have shortcut-fe enabled and working for those connections where it is possible, even if the “VPN Policy” feature is turned on.
Is there a corresponding bug report I could follow?

Should I also submit a bug report regarding DNS resolution for VPN Policy-affected sites when the VPN tunnel is off?

When vpn policy is on, the shortcut-fe should be turned off.

A separate thread is better.