OpenVPN and excluding IP/MAC address from VPN routing

I just received my GL-AR300M and I’m getting acquainted with OpenWRT. I’m fairly familiar with DD-WRT and was able to do this with it. I have OpenVPN setup to use PIA in the GL interface and I have the box checked to disable all internet traffic if the VPN goes down. I’m going to use this as a travel router and I’d like to be able to exclude an IP address or MAC address from this rule and have it’s traffic go out the normal WAN connection (bypass VPN). The bypass would be for a chromecast so that I can use Hulu and Netflix. Has anyone done this or know how this can be done in OpenWRT? I’ve looked around in the LuCI interface and in the UCI interface to see if there was a way but I’m not finding anything.

Thanks for any help.

This can be done, maybe easier to do using IP. I am asking someone to help.

Add a policy routing by:

ip rule add from lookup 2

ip route add table 2 default via dev eth0 is your local ip to exlude. is your wan gateway.


Did everything you mentioned and changed the options. Getting RTNETLINK answers: File Exists for a response. I changed it to something like this:
ip rule add from lookup 2
ip route add table 2 default via dev wlan-sta

EDIT: Was able to get the command to work by doing ip route replace instead of add. Only issue is that streaming from the chromecast still goes through the VPN.

Oh, I forget Mwan3 is interfering wtih with this policy routing. try to change to:
ip rule add from lookup 20 pref 2
ip route add table 20 default via dev eth0
20 is a custom routing table number, if it’s 2 causing conflict with mwan’s.

you can see rules by:
ip rule
ip route show table 20

I hate to be a pest. Still not working for whatever reason. The chromecast comes back and states that it is connected to the wifi network but cannot connect to the internet.

ip route via dev tun0
default via dev wlan-sta proto static src metric 20 via dev tun0 dev tun0 proto kernel scope link src via dev wlan-sta via dev tun0 dev br-lan proto kernel scope link src dev wlan-sta proto static scope link metric 20 dev wlan-sta proto static scope link src metric 20

ip route show table 20

default via dev wlan-sta

ip rule

0: from all lookup 128
1: from all lookup local
2: from lookup 20
1002: from all iif wlan-sta lookup main
2002: from all fwmark 0x200/0xff00 lookup 2
2253: from all fwmark 0xfd00/0xff00 blackhole
2254: from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default

goto openvpn Settings, turn off force VPN.
Force VPN means only traffic of TUN inferface is allowed, so ethernet WAN interface traffic is blocked. This do sometimes brings puzzles.

You brillant guy almost made it by add:
iptables -I FORWARD -i br-lan -o wlan-sta -s <src_ip> -j ACCEPT
but some script may flush your manully added iptables rule.

@hansome could we just customise /vpnfirewall and keep force VPN?

Thinking it may be problematic (insecure) to disable force VPN?

In current design, force vpn means the traffic to Internet only go through tun0 inferface even when you lost openvpn connetion. But as long as the default route via tun0 (which has metric 0) exists, you Internet traffic go through tun0 by default except traffic to wlan-sta subnet. In my test result, the tun0 and conresponding route do NOT disappear when I cut openvpn. So the worst case is openvpn process aborted, that’s when the tun0 goes down and Force VPN take effect.

As you pointed it, Force vpn option is buggy to some extend. We are considering to make some tweak.
So you are secure as long as openvpn process running.

Hi All,

Looking to do this now myself I have one device I don’t want traffic to go over VPN, could someone tell me where you enter these settings?

Thank you.

Would it also be possible to just have one device/ip use the VPN all all other traffic routed as normal?

Yes. It is possible. Need to use iptables.

@hansome can give you some command.

First disable forcevpn at web UI, then SSH to device and run:

IP address not go vpn:
iptables -I PREROUTING -t mangle -i br-lan -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5

Only IP address go vpn:
iptables -I PREROUTING -t mangle -i br-lan ! -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5

Where does the router store this info (ie. what directory/file)?


Thats exactly what I need, but the commands dont work on my router. I have installed the 2.264 firmware. I get a message that it couldnt fount a file or directory when I enter these commands…
I will get the error when I hit the done command

Can you post the error message?

I entered those commands in ssh in router and got these error messages

grep: ]: No such file or directory
-ash: missing ]

I am trying to exclude my laptop from vpn.

EDIT: I am using a GL-AR 750 will this affect the commands?

Pls check then double quota. It is changed by html.


I have a GL iNet MiFi on the latest firmware and I need to route a single IP through OpenVPN to get VoIP to work over my mobile broadband ISP’s network. I’ve assigned the phone a static lease and it is connected through the ethernet LAN port on the MiFi. Would this code still work on this device?

There is no longer an option to disable force VPN in the GL iNet GUI. Does this still need to be done and how do I do it?

Can I just add the code to the end of the startup script through the Luci GUI, so I could just hash it out whenever I need all traffic to go over the VPN? Do I just need to remove the quotation marks around echo $rule | grep tun0 as previously mentioned?

I’ve tried using vpn-policy-routing and vpn-bypass but neither worked. It’d be nice to have a GUI option to do this if possible.

Try testing firmware V3, as I believe that has policy routing.

In V3, “force VPN” is (rather clumsily) enforced automatically (ie. once you have clicked “connect”).