Bypass OpenVPN only with certain IPs?

Hello,

I have an AR150 with the latest GL-inet firmware (2.263) and have OpenVPN enabled through the GL-inet GUI. I need to allow a certain IP on the LAN to bypass the VPN and use the WAN directly. What is the simplest way to allow a single IP to bypass the VPN using the official GL firmware, either through the GUI or ssh?

note: It would be great if something like “VPN Bypass” was available ( https://github.com/stangri/openwrt-packages/tree/vpnbypass/net/vpnbypass/files ), though I haven’t had any success getting that working with the GL-inet firmware…

If you have a fixed IP, you can use iptables rules.

Generally openvpn uses the tun0 interface. You can check the file /usr/bin/setvpnfirewall and add iptables rules after the firewall is changed, or do this in /etc/init.d/startvpn.


Thank you very much for your reply. I was able to achieve something similar by downloading the latest generic LEDE for the ar150 (https://downloads.lede-project.org/releases) and installing openvpn per various online tutorials (e.g. https://nordvpn.com/tutorials/openwrt/openvpn/ ), then installing “VPN Bypass” ( https://github.com/stangri/openwrt-packages/tree/vpnbypass/net/vpnbypass/files ), which adds a GUI to LuCI for setting IP ranges, ports, and domains to bypass the VPN.

It is all working great but I miss the elegant gl-inet front-end. Thus, I would like to request that gl-inet consider adding a feature like “VPN Bypass” to the official GL firmware support of openvpn. I could not get “VPN Bypass” to work with the GL firmware, but I think it would be an addition very highly valued by your users, so a good idea to integrate into your official releases.


I second that thought. I use PIA/OpenVPN but I need to bypass that for at least two IP addresses when I work from home. Right now, I have to turn off PIA when I have to connect to my work VPN. I have been looking all over for a solution to that but my coding skills are not developed to the point where I can just roll a few lines of code out to modify firewall rules or routing tables to allow a few IP addresses to go to my actual ISP, or to use another VPN server. I have been looking for days trying to find out even what files might need to be modified, let alone now writing a few lines of code that will work reliably. I have already bricked one router to the point where I am now waiting for a serial interface in the hope of resurrecting it. I will continue to investigate this, and I will eventually find an answer, but I think this would be a good feature for future versions of firmware.


Okay. There is a lot to do in openvpn. Will consider adding these features.

Yes, an option to have a simple list of clients to bypass the active VPN would be great in the default GL firmware.

My previous router (TP-Link AC9) worked with the Policy Based Routing available on DD-WRT, but that router tended to operate intermittently with the beta versions of DD-WRT that were available. Hence, I was rebooting it almost daily to keep it up and running.

The policy based routing was pretty straightforward. It required a few lines of code that were easily modified to add IPs that bypassed OpenVPN. The default for this approach was that unlisted IPs used the OpenVPN tunnel:

ip route add default dev tun1 table 200
ip rule add from 192.168.8.135 table 200
ip…
ip…
ip route flush cache

I could list IPs like that or use CIDR notation to include subnets. I could add a comment delimiter “#” to any line that I wanted to use OpenVPN.

I tried loading DD-WRT (the buffalo router version recommended for the GL-MT300N V1) onto the GL-MT300N V2 but I couldn’t get access to the router despite setting my local IP to 192.168.1.2. So I reverted back to GL version 2.64 firmware. Is there a DD-WRT version that should work on the V2 router?

I have been looking for a similar “Policy Based Routing” solution but nothing has even given me a hint of working. What I have most recently tried is a compilation from a couple of websites:

https://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing

What I have done is add a couple of lines at the end of an individual *.ovpn file:

script-security 2
up /etc/openvpn/up.sh

Supposedly, that calls for up.sh to run when the OpenVPN server connection is established.

I made a file called up.sh that contained just the following script:

ip route add default dev tun1 table 200
ip rule add from 192.168.8.135 table 200
ip route flush cache

I added the up.sh file to the /etc/openvpn directory and ran “chmod 755 up.sh” to make it executable. I then rebooted the router and selected the modified *.ovpn file to connect with a server. 192.168.8.135 is the IP I am testing this configuration with. It should have bypassed the VPN if I got it right, but it still goes through the OpenVPN tunnel.

I am hoping that someone else may have clear eyes to tell me where I have gone off the rails. Perhaps this is the totally wrong path to go down. Or maybe I have just made a simple syntax error. I hope somebody can add something here.

MT300N-V2 may not have a valid ddwrt firmware.

If you want to use ip or iptables commands, you can modify /etc/init.d/startvpn, where you will see that it restarts the firewall.

This works perfectly as far as selectively routing IPs.

ip rule add from 192.168.8.135/32 table 200
ip rule add to 69.196.175.157 table 200
ip route add default via 192.168.217.1 dev eth0.2 table 200
ip route flush cache

This is loaded at the end of the startup script located at the bottom of the page at Advanced Settings, System, Startup. It is loaded just above the “exit 0” statement.

This script assumes the VPN tunnel to be the default, so it specifies which IPs are routed directly to the local ISP. It can be modified to cover any individual IP or range of IPs.

192.168.8.135/32 is the IP address assigned to my PC by the GL-MT300N-V2 so I made it static for this exercise. Static IP addressing is a necessity to keep this working over time.

The second line is a route to my ISP’s email server. My VPN provider (PIA) blocks port 25 and my ISP doesn’t use ports 465 or 587 on their SMTP server so my only other option is to turn off PIA to send email. I intend to modify this asap with a more selective routing command that will only pass port 25. I haven’t got that working yet, but this at least allows me to communicate with the SMTP server while I am working on the script.

I tested line one by manually switching my PC’s private IP address while verifying my public IP directly from Private Internet Access.

I tested the second line by sending test emails from another PC connected to the wireless LAN of the GL-MT300N-V2.

You can modify and repeat the first and second lines as many times as you want in order to cover all the IPs you need.

eth0.2 is the WAN port on the GL-MT300N-V2.

192.168.217.1 is the LAN IP address of the router that is directly connected to the WAN port of the GL-MT300N-V2.

After these scripts were added, I did a leak test at:

https://www.privateinternetaccess.com/forum/discussion/2114/ipv6-leak-dns-leak-e-mail-ip-leak

There was one detected leak that was unrelated to this script. I had to disable IPv6 settings at Advanced Settings, Network, Interfaces, WAN6. I disabled “Request IPv6-address” and “Request IPv6-prefix of length”. That eliminated the detected IPv6 DNS leak.

I will update this when I get the selective port routing completed.

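As an added example (not the poster’s script and not GL.iNet firmware code), here are the four startup lines above generalised into a list-driven /bin/sh script in the spirit of the DD-WRT approach described earlier: each entry is “from <LAN IP/CIDR>” or “to <remote IP/CIDR>”, a leading “#” keeps that host on the VPN, and the ip(8) commands are printed for review before anything is run. The WAN device, gateway and table number are the post’s values; the variable and function names and the commented-out 192.168.8.140 entry are constructed.

```shell
#!/bin/sh
# Added example: build policy-routing commands for clients that bypass the tunnel.
# Assumed defaults (from the post above): WAN device eth0.2, upstream gateway
# 192.168.217.1, routing table 200. Override via environment if yours differ.
WAN_DEV="${WAN_DEV:-eth0.2}"
WAN_GW="${WAN_GW:-192.168.217.1}"
TABLE="${TABLE:-200}"

# Constructed sample list. "from" = LAN client that must reach the ISP directly,
# "to" = remote host that must be reached outside the VPN. "#" comments a line out.
BYPASS_LIST='# clients that must reach the ISP directly
from 192.168.8.135/32
# ISP mail relay
to 69.196.175.157
# from 192.168.8.140   <- commented out: this (constructed) host stays on the VPN
'

# Print the commands instead of running them so the list can be reviewed first.
gen_bypass_rules() {
    printf '%s\n' "$BYPASS_LIST" | while IFS= read -r line; do
        line="${line%%#*}"            # drop "#" comments
        set -- $line                  # split into direction and address
        [ $# -eq 2 ] || continue      # skip blank / malformed lines
        case "$1" in
            from|to) ;;
            *) echo "skipping unknown direction: $1" >&2; continue ;;
        esac
        # crude IPv4/CIDR sanity check before the value reaches ip(8)
        case "$2" in
            *[!0-9./]*|"") echo "skipping bad address: $2" >&2; continue ;;
        esac
        printf 'ip rule add %s %s table %s\n' "$1" "$2" "$TABLE"
    done
    # everything matched above leaves via the WAN gateway, not tun0
    printf 'ip route add default via %s dev %s table %s\n' "$WAN_GW" "$WAN_DEV" "$TABLE"
    printf 'ip route flush cache\n'
}

# Apply the generated commands (run as root on the router, e.g. from the
# startup script just above "exit 0", as the post describes).
apply_bypass_rules() { gen_bypass_rules | sh; }
```

Run `gen_bypass_rules` first and check the printed commands against `ip rule show` after applying; the rules are static, so the bypassed clients need fixed LAN addresses as the post notes.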

Or you can just delete the WAN6 interface under Network > Interfaces.

This worked pretty well for me, using the latest “test” 2.27 on an ar750 (also using PIA for VPN). I’m using a WISP WAN connection, and using the generic “wlan-sta” as the default route device worked fine. The only extra step for me is that I had to NOT check the “No Internet if VPN is not connected.”, which I normally check – otherwise, it blocked Internet for the system(s) specified via ip rules, which in retrospect, makes sense.

Seemed to also work fairly seamlessly adding/removing ip rules on-the-fly, without having to restart anything.

Thanks!

If you don’t need the Web UI, both vpnbypass and vpn-policy-routing should work on stock GL-Inet firmware.

UPDATE: new URL for vpnbypass
https://github.com/openwrt/packages/tree/master/net/vpnbypass/files

this feature should be in GL.inet user interface or GL.inet repo

If you don’t need the Web UI, both vpnbypass and vpn-policy-routing should work on stock GL-Inet firmware.

Does not work on current firmware (2.27) if “Force VPN” is enabled in OpenVPN menu. This is why vpnbypass GUI should be integrated with GL.inet web interface, to eliminate the possibility of invisible routing conflicts.

I 2nd rk47’s request to have the vpnbypass function within the GL.inet web interface. As a matter of fact, there are lots of simple basic functions within the advanced settings interface that should be in the GL.inet web interface as well, like static IP assignment, LAN IP address setting, AP isolation and others. I just don’t have the confidence in myself to set things correctly in the advanced section, let alone running scripts.

With the current limited GL.inet web interface, the high power B1300 is way overkill if most average users don’t become geeks and venture into the advanced settings interface. The B1300 with its quad core CPU can outperform most, if not all, high-priced dual core CPU routers. GL.inet needs to uncage this beast!!

Trying hard to develop the UI, especially for VPN and firewall etc.

Thanks for your suggestions.