OpenVPN and excluding IP/MAC address from VPN routing

madj42 · May 6, 2017, 9:33am

I just received my GL-AR300M and I’m getting acquainted with OpenWRT. I’m fairly familiar with DD-WRT and was able to do this with it. I have OpenVPN setup to use PIA in the GL interface and I have the box checked to disable all internet traffic if the VPN goes down. I’m going to use this as a travel router and I’d like to be able to exclude an IP address or MAC address from this rule and have it’s traffic go out the normal WAN connection (bypass VPN). The bypass would be for a chromecast so that I can use Hulu and Netflix. Has anyone done this or know how this can be done in OpenWRT? I’ve looked around in the LuCI interface and in the UCI interface to see if there was a way but I’m not finding anything.

Thanks for any help.

alzhao · May 6, 2017, 9:37am

This can be done, maybe easier to do using IP. I am asking someone to help.

hansome · May 6, 2017, 10:57am

Add a policy routing by:

ip rule add from 192.168.8.172 lookup 2

ip route add table 2 default via 192.168.199.1 dev eth0

192.168.8.172 is your local ip to exlude.

192.168.199.1 is your wan gateway.

madj42 · May 6, 2017, 11:57am

Did everything you mentioned and changed the options. Getting RTNETLINK answers: File Exists for a response. I changed it to something like this:
ip rule add from 192.168.8.172 lookup 2
ip route add table 2 default via 192.168.11.1 dev wlan-sta

EDIT: Was able to get the command to work by doing ip route replace instead of add. Only issue is that streaming from the chromecast still goes through the VPN.

hansome · May 6, 2017, 3:25pm

Oh, I forget Mwan3 is interfering wtih with this policy routing. try to change to:
ip rule add from 192.168.8.172 lookup 20 pref 2
ip route add table 20 default via 192.168.199.1 dev eth0
20 is a custom routing table number, if it’s 2 causing conflict with mwan’s.

you can see rules by:
ip rule
ip route show table 20

madj42 · May 6, 2017, 11:37pm

I hate to be a pest. Still not working for whatever reason. The chromecast comes back and states that it is connected to the wifi network but cannot connect to the internet.

ip route

0.0.0.0/1 via 10.63.10.5 dev tun0
default via 192.168.42.1 dev wlan-sta proto static src 192.168.42.138 metric 20
10.63.10.1 via 10.63.10.5 dev tun0
10.63.10.5 dev tun0 proto kernel scope link src 10.63.10.6
104.207.136.111 via 192.168.42.1 dev wlan-sta
128.0.0.0/1 via 10.63.10.5 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.42.0/24 dev wlan-sta proto static scope link metric 20
192.168.42.1 dev wlan-sta proto static scope link src 192.168.42.138 metric 20

ip route show table 20

default via 192.168.42.1 dev wlan-sta

ip rule

0: from all lookup 128
1: from all lookup local
2: from 192.168.8.200 lookup 20
1002: from all iif wlan-sta lookup main
2002: from all fwmark 0x200/0xff00 lookup 2
2253: from all fwmark 0xfd00/0xff00 blackhole
2254: from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default

hansome · May 8, 2017, 11:44am

goto http://192.168.8.1. openvpn Settings, turn off force VPN.
Force VPN means only traffic of TUN inferface is allowed, so ethernet WAN interface traffic is blocked. This do sometimes brings puzzles.

You brillant guy almost made it by add:
iptables -I FORWARD -i br-lan -o wlan-sta -s <src_ip> -j ACCEPT
but some script may flush your manully added iptables rule.

zimo · May 8, 2017, 7:13pm

@hansome could we just customise /vpnfirewall and keep force VPN?

Thinking it may be problematic (insecure) to disable force VPN?

hansome · May 8, 2017, 11:24pm

In current design, force vpn means the traffic to Internet only go through tun0 inferface even when you lost openvpn connetion. But as long as the default route via tun0 (which has metric 0) exists, you Internet traffic go through tun0 by default except traffic to wlan-sta subnet. In my test result, the tun0 and conresponding route do NOT disappear when I cut openvpn. So the worst case is openvpn process aborted, that’s when the tun0 goes down and Force VPN take effect.

As you pointed it, Force vpn option is buggy to some extend. We are considering to make some tweak.
So you are secure as long as openvpn process running.

kennypowers · May 28, 2017, 3:40am

Hi All,

Looking to do this now myself I have one device I don’t want traffic to go over VPN, could someone tell me where you enter these settings?

Thank you.

kennypowers · May 28, 2017, 5:51pm

Would it also be possible to just have one device/ip use the VPN all all other traffic routed as normal?

alzhao · May 29, 2017, 9:58am

Yes. It is possible. Need to use iptables.

@hansome can give you some command.

hansome · May 29, 2017, 8:21pm

First disable forcevpn at web UI, then SSH to device and run:

IP address not go vpn:
iptables -I PREROUTING -t mangle -i br-lan -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

Only IP address go vpn:
iptables -I PREROUTING -t mangle -i br-lan ! -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
ip route | while read -r rule;do
if [ -z “echo $rule | grep tun0” ]; then
ip route add $rule table 5
fi
done

glitch · May 29, 2017, 9:47pm

Where does the router store this info (ie. what directory/file)?

taoiseach · March 24, 2018, 8:28pm

Hello,

Thats exactly what I need, but the commands dont work on my router. I have installed the 2.264 firmware. I get a message that it couldnt fount a file or directory when I enter these commands…
I will get the error when I hit the done command

alzhao · March 25, 2018, 4:49am

Can you post the error message?

tomei · June 3, 2018, 10:01am

I entered those commands in ssh in router and got these error messages

grep: ]: No such file or directory
-ash: missing ]

I am trying to exclude my laptop from vpn.

EDIT: I am using a GL-AR 750 will this affect the commands?

alzhao · June 4, 2018, 4:55am

Pls check then double quota. It is changed by html.

Fenestra · March 13, 2019, 6:17am

Hi,

I have a GL iNet MiFi on the latest firmware and I need to route a single IP through OpenVPN to get VoIP to work over my mobile broadband ISP’s network. I’ve assigned the phone a static lease and it is connected through the ethernet LAN port on the MiFi. Would this code still work on this device?

There is no longer an option to disable force VPN in the GL iNet GUI. Does this still need to be done and how do I do it?

Can I just add the code to the end of the startup script through the Luci GUI, so I could just hash it out whenever I need all traffic to go over the VPN? Do I just need to remove the quotation marks around echo $rule | grep tun0 as previously mentioned?

I’ve tried using vpn-policy-routing and vpn-bypass but neither worked. It’d be nice to have a GUI option to do this if possible.

glitch · March 13, 2019, 8:15am

Try testing firmware V3, as I believe that has policy routing.

In V3, “force VPN” is (rather clumsily) enforced automatically (ie. once you have clicked “connect”).