How to Configure a “Not Use VPN” Policy on Firmware v4.9

How to Configure a "Not Use VPN" Policy on Firmware v4.9

Introduction

In firmware v4.8, the VPN Policy page allowed users to create rules with the routing method set to Not Use VPN. This was useful when you wanted most traffic to go through a VPN tunnel while allowing specific devices, domains, interfaces, or IP ranges to access the Internet directly through the WAN connection.

Starting from firmware v4.9, the VPN subsystem has been redesigned. The previous Not Use VPN mode conflicts with the VPN design logic introduced in v4.9. As a result, this mode was removed from the GUI.

This guide introduces several practical methods to achieve similar behavior on firmware v4.9.


Note: If you already have existing Not Use VPN policies configured on firmware v4.8, they will be preserved after upgrading to firmware v4.9 (when keeping your configuration during the upgrade process). No additional reconfiguration is required.


Method 1 (Recommended): Change the Route Policy to novpn via SSH

This is the recommended method for configuring a Not Use VPN policy on firmware v4.9.

Step 1: Create Your VPN Dashboard Rules

First, create all required VPN Dashboard tunnels and policies in Admin Panel → VPN → VPN Dashboard.

For the tunnel that should behave as Not Use VPN, temporarily select any available VPN profile.

Example scenario:

  • Tunnel 1: One device on the Main LAN network should bypass VPN.

  • Tunnel 2: All remaining devices on the Main LAN network should use VPN.

  • Guest and IoT networks should continue using the WAN connection normally.

Step 2: Connect to the Router via SSH

Follow the guide below to log in to the router using SSH:

Step 3: Modify the Tunnel Route Policy

Run the following commands to change the tunnel with Priority 1 into a Not Use VPN policy:

uci set route_policy.@rule[0].via_type='novpn'
uci commit route_policy

/etc/init.d/vpn-client restart

If your target tunnel uses a different priority, adjust the rule index accordingly:

@rule[0] = Priority 1
@rule[1] = Priority 2
@rule[2] = Priority 3
@rule[3] = Priority 4
@rule[4] = Priority 5

Step 4: Verify the Configuration

Return to the VPN Dashboard and confirm that the tunnel now displays Not Use VPN as its routing method.

Step 5: Test the Result

Verify that:


Method 2: Use a Non-Functional WireGuard Profile as a WAN Fallback

How this works:
This method takes advantage of the fallback behavior that occurs when a WireGuard client cannot establish a connection while:

  • Kill Switch is disabled, and
  • All Other Traffic Policy is set to Allow Non-VPN Traffic.

In this situation, matched traffic will automatically fall back to the WAN connection.

Important Notes

  • This method is only recommended for users who are not comfortable using SSH.

  • Since the WireGuard profile is intentionally invalid, the system log will continuously contain WireGuard connection error messages.


Step 1: Create an Invalid WireGuard Profile

You may create your own invalid WireGuard configuration or use the example below:

[Interface]
Address = 10.255.0.2/24
PrivateKey = sEl23GPd5tIb354D4fPew0Nat/i5a0szYsAH7MbF4Ek=
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = 127.0.0.2:65535
PersistentKeepalive = 25
PublicKey = FcJBtXXGyrBaGUEAIfrruo/HJRPZf2X/DgOefStxWGo=

You may also download and import the attached profile directly:

novpn.conf (256 Bytes)


Step 2: Import the WireGuard Profile

Import the configuration as a WireGuard Client profile by following the guide below:


Step 3: Assign the Profile to the Desired Tunnel

In the VPN Dashboard:

  1. Select the imported invalid WireGuard profile for the tunnel that should behave as Not Use VPN.

  2. Enable the tunnel.

Important: Do not configure any fallback VPN profiles within this tunnel group. Otherwise, the traffic may switch to another VPN profile instead of falling back to WAN.


Step 4: Disable Kill Switch

Open the tunnel settings and disable Kill Switch.

This is required to allow traffic to continue using WAN when the VPN connection fails.


Step 5: Allow Non-VPN Traffic

Navigate to the global VPN settings and ensure:

All Other Traffic Policy = Allow Non-VPN Traffic

When the invalid WireGuard profile fails to connect, matched traffic will automatically use the WAN connection.


Verification

After configuration:

  • Devices assigned to the special tunnel should access the Internet through the WAN connection.

  • Devices assigned to other VPN tunnels should continue using their respective VPN connections.

  • VPN Dashboard status may show the invalid WireGuard profile as Connecting, which is expected behavior for this workaround.

4 Likes

We definitely need this to be added back.

Sometimes you need to avoid VPN for specific domains PLUS for specific devices.

For example, my own setup: Everything will be sent to VPN - excluding my projector (because Amazon Prime Video does not like VPN) and the domain for "Deutsche Post DHL" because they don't like VPN but I want to use the app on my iPhone.

3 Likes

Let's gather some feedback on this request and discuss it further with the product team.

3 Likes

Would having a poll vs a few posts not be a better way to get feedback?

I'm also against this change, and agree with everything @admon posted.

Edit:

Also on my own setup I heavily rely on this feature, since the identity verification on services in GB, alot of CDN threat vpn as their enemy even if you don't reside in GB.

It happens to banks having maintenance pages up (when in fact it is a block), to game services blocking access, some iot brands refuse to function because tuya/aqara block vpn as part of their region system, and indeed quite alot of DRM/streaming services are blocking vpns, you really want this function.

1 Like

On my Flint 3, I have two VPN tunnels - one for NordVPN and another to a VPS server where I run Wireguard. My VPN breakout in both cases is the US. The two tunnels are configured identically in all aspects, with kill-switch enabled

I use PBR in: ALL traffic goes through VPN except some destination domains/IPs which I prefer to be routed via WAN.
This works, but:

  1. There are sites I visit and much as they are accessed via VPN, then present to me data as if they know my country. This bothers me a lot. I wanted to ask where the information is leaking from.
  2. With the same setting, I have also been wondering at what point the 2nd tunnel will ever get used. Is there some way for failover between the tunnels?
  3. Using the Invalid WireGuard Profile as an example, if you create a valid tunnel with it, you cannot edit that tunnel config in v4.9. Why do we have the Edit option then?
1 Like

This is a really poor decision to get rid of this feature. Something that was very straight forward and easy to achieve now requires a lot more work. I don’t understand why this feature was removed. I want to be able to exclude a set of IP addresses that go through the VPN tunnel that I use to be able to type in and it just worked. Now it is not very clear how I can achieve the same outcome, even after reading this post.

Also, why remove something that was already offered and working in the GUI and require the user to dive into SSH to achieve the same thing as before?

Very very poor decision to remove this. Please add this feature back!

3 Likes

“Not Use VPN” was something I found useful on Flint 2 which configuring various VPNs but needing to rule out a couple of devices.

Now on Flint 3 and miss it

I agree this is not a great change. I used the not use VPN a lot and this is just extra steps to have to it via ssh. Reaching out internally to get more clarity on this

2 Likes

I agree. This needs to be done. I have certain situations where not having a VPN makes my life much easier.

1 Like

Yeah, anytime SSH has to be used, it's a fail. It's way too complicated for non-networking people. GL.iNet needs to think more like Apple.

1 Like

Agreed. I have brought it up internally with the devs and they are looking into it.

1 Like

I’m NOT a fan of this latest change, nor of the (for me) overly complicated workaround methods listed above to simply restore having my router give an easy option to assign NO VPN by wifi band or device.

What I’d prefer is an EASY way to assign different VPN profiles to different wifi connections, so I can pick what kind of connection I’ll get (VPN for city 1, VPN for city 2, or NO VPN at all) based on different suitably named wifi connections, which can easily be chosen at the device level.

I kind of cobbled together this kind of approach on my newly installed Flint 2 router as follows:
–set my main VPN tunnel and preferred city on my main router wifi connection, with the connection type set to only the wired LAN and primary wifi connections (NOT to all devices).

–set my secondary VPN tunnel and 2nd VPN city location, and assigned that to only route thru the Guest wifi connection (which can be separately selected 5G and or 2.4G wifi bands)

–and then lastly, set the city where I’m physically located as a VPN connection only for the IOT wifi connection, and assigned a VPN connection for that city to the IOT wifi band.

An easier way would simply be to add a new category under the “Select Client Source” field of “exclude ALL devices”, and then assign that routing to either the Guest or IOT wifi bands as desired to achieve the NO VPN effect on those bands.

I am working on it!

3 Likes

I agree. while I dont mind using ssh. this change was not great from a user perspective and the devs are already looking into a way to get this functionality back without breaking the new features and without funky workarounds.

3 Likes