Exception to VPN domain policy

I am trying to route requests to XXX.com to my WireGuard VPN EXCEPT for a subset of YYY.XXX.com.

I notice that there are multiple ipsets, including a “via_vpn” and “bypass_vpn”, but it seems the gl-vpn-policy script will allow only “via” or “bypass”.

Is there any way I can request VPN routing for XXX.com AND bypass it for a more tightly defined YYY.XXX.com?

Either by playing with the gl-inet script, or adding a script to run after the gl-inet VPN policy script runs? I worked my way through the script, but can’t quite figure out exactly how it works, or just what files it creates for dnsmasq. I would love to add some “bypass” files/entries to the current “via” entries and restart dnsmasq.

Does anyone have any ideas, documentation or suggestions?

I looked at the OpenWrt VPN policy modules outside the gl-inet version, but when I tried them 6 months ago I couldn’t quite get them to work.

Any help is greatly appreciated.

Thanks!

This feature is not currently supported.
If you change the script yourself, depending on the order of the rules, you can try changing the reload_firewall function in the script.