I just received my GL-AR300M and I’m getting acquainted with OpenWRT. I’m fairly familiar with DD-WRT and was able to do this with it. I have OpenVPN set up to use PIA in the GL interface and I have the box checked to disable all internet traffic if the VPN goes down. I’m going to use this as a travel router and I’d like to be able to exclude an IP address or MAC address from this rule and have its traffic go out the normal WAN connection (bypass VPN). The bypass would be for a Chromecast so that I can use Hulu and Netflix. Has anyone done this or know how this can be done in OpenWRT? I’ve looked around in the LuCI interface and in the UCI interface to see if there was a way but I’m not finding anything.
Did everything you mentioned and changed the options. Getting RTNETLINK answers: File Exists for a response. I changed it to something like this:
ip rule add from 192.168.8.172 lookup 2
ip route add table 2 default via 192.168.11.1 dev wlan-sta
EDIT: Was able to get the command to work by doing ip route replace instead of add. Only issue is that streaming from the chromecast still goes through the VPN.
Oh, I forgot Mwan3 is interfering with this policy routing. Try changing to:
ip rule add from 192.168.8.172 lookup 20 pref 2
ip route add table 20 default via 192.168.199.1 dev eth0
20 is a custom routing table number, in case 2 was conflicting with mwan’s.
You can see the rules with:
ip rule
ip route show table 20
I hate to be a pest. Still not working for whatever reason. The chromecast comes back and states that it is connected to the wifi network but cannot connect to the internet.
ip route
0.0.0.0/1 via 10.63.10.5 dev tun0
default via 192.168.42.1 dev wlan-sta proto static src 192.168.42.138 metric 20
10.63.10.1 via 10.63.10.5 dev tun0
10.63.10.5 dev tun0 proto kernel scope link src 10.63.10.6
104.207.136.111 via 192.168.42.1 dev wlan-sta
128.0.0.0/1 via 10.63.10.5 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.42.0/24 dev wlan-sta proto static scope link metric 20
192.168.42.1 dev wlan-sta proto static scope link src 192.168.42.138 metric 20
ip route show table 20
default via 192.168.42.1 dev wlan-sta
ip rule
0: from all lookup 128
1: from all lookup local
2: from 192.168.8.200 lookup 20
1002: from all iif wlan-sta lookup main
2002: from all fwmark 0x200/0xff00 lookup 2
2253: from all fwmark 0xfd00/0xff00 blackhole
2254: from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default
Go to http://192.168.8.1, OpenVPN settings, and turn off Force VPN.
Force VPN means only traffic on the TUN interface is allowed, so Ethernet WAN interface traffic is blocked. This does sometimes bring puzzles.
You brilliant guy almost made it by adding:
iptables -I FORWARD -i br-lan -o wlan-sta -s <src_ip> -j ACCEPT
but some script may flush your manually added iptables rule.
In the current design, Force VPN means the traffic to the Internet only goes through the tun0 interface even when you lose the OpenVPN connection. But as long as the default route via tun0 (which has metric 0) exists, your Internet traffic goes through tun0 by default except traffic to the wlan-sta subnet. In my test result, the tun0 and corresponding route do NOT disappear when I cut OpenVPN. So the worst case is the openvpn process aborting; that’s when tun0 goes down and Force VPN takes effect.
As you pointed out, the Force VPN option is buggy to some extent. We are considering making some tweaks.
So you are secure as long as the openvpn process is running.
First disable Force VPN in the web UI, then SSH to the device and run:
IP address that does not go through the VPN:
iptables -I PREROUTING -t mangle -i br-lan -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
# copy every route of the main table that does not use tun0 into table 5
ip route | while read -r rule; do
if [ -z "$(echo $rule | grep tun0)" ]; then
ip route add $rule table 5
fi
done
Only this IP address goes through the VPN:
iptables -I PREROUTING -t mangle -i br-lan ! -s <ipaddr> -j MARK --set-mark 5
ip rule add fwmark 5 lookup 5 pref 2005
# copy every route of the main table that does not use tun0 into table 5
ip route | while read -r rule; do
if [ -z "$(echo $rule | grep tun0)" ]; then
ip route add $rule table 5
fi
done
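As an added example (not code from the thread or from GL.iNet), here is a POSIX shell version of the same policy routing that checks each route's text for tun0 rather than a literal string, so table 5 actually gets populated. It assumes 192.168.8.200 as the host to exclude and embeds the route list posted earlier as constructed sample input:

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the "skip the VPN" policy routing
# for one LAN host. The thread's loop tested [ -z "echo $rule | grep tun0" ], a literal
# string that is never empty, so no route was ever copied into table 5; here the
# tun0 check is done on the route text itself.

HOST_IP="${HOST_IP:-192.168.8.200}"   # assumed: address of the device to exclude
TABLE=5; MARK=5; PREF=2005            # values used in the thread

# Constructed sample of `ip route` output, copied from the routes posted above.
SAMPLE_ROUTES='0.0.0.0/1 via 10.63.10.5 dev tun0
default via 192.168.42.1 dev wlan-sta proto static src 192.168.42.138 metric 20
10.63.10.1 via 10.63.10.5 dev tun0
10.63.10.5 dev tun0 proto kernel scope link src 10.63.10.6
104.207.136.111 via 192.168.42.1 dev wlan-sta
128.0.0.0/1 via 10.63.10.5 dev tun0
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.42.0/24 dev wlan-sta proto static scope link metric 20
192.168.42.1 dev wlan-sta proto static scope link src 192.168.42.138 metric 20'

# Read routes on stdin and print only those that do not go through tun0.
non_vpn_routes() {
    while IFS= read -r rule; do
        case "$rule" in
            *" dev tun0"*) ;;                 # VPN route: keep it out of table 5
            "") ;;                            # blank line
            *) printf '%s\n' "$rule" ;;
        esac
    done
}

# Print the commands that install the policy; review them, then pipe into sh to apply.
# mode "bypass": only HOST_IP avoids the VPN.  mode "only": only HOST_IP uses the VPN.
bypass_commands() {
    case "${1:-bypass}" in
        bypass) match="-s $HOST_IP" ;;
        only)   match="! -s $HOST_IP" ;;
        *)      echo "usage: bypass_commands [bypass|only]" >&2; return 1 ;;
    esac
    printf 'iptables -t mangle -I PREROUTING -i br-lan %s -j MARK --set-mark %s\n' "$match" "$MARK"
    printf 'ip rule add fwmark %s lookup %s pref %s\n' "$MARK" "$TABLE" "$PREF"
    # "replace" rather than "add": rerunning must not fail with "File exists"
    non_vpn_routes | while IFS= read -r rule; do
        printf 'ip route replace %s table %s\n' "$rule" "$TABLE"
    done
}
```

On the router, `ip route | bypass_commands` prints the commands for review and `ip route | bypass_commands | sh` applies them; the `ip rule add` line is not idempotent, so delete the old rule before running it a second time.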
That’s exactly what I need, but the commands don’t work on my router. I have installed the 2.264 firmware. I get a message that it couldn’t find a file or directory when I enter these commands…
I will get the error when I hit the done command
I have a GL iNet MiFi on the latest firmware and I need to route a single IP through OpenVPN to get VoIP to work over my mobile broadband ISP’s network. I’ve assigned the phone a static lease and it is connected through the ethernet LAN port on the MiFi. Would this code still work on this device?
There is no longer an option to disable force VPN in the GL iNet GUI. Does this still need to be done and how do I do it?
Can I just add the code to the end of the startup script through the LuCI GUI, so I could just hash it out whenever I need all traffic to go over the VPN? Do I just need to remove the quotation marks around echo $rule | grep tun0 as previously mentioned?
I’ve tried using vpn-policy-routing and vpn-bypass but neither worked. It’d be nice to have a GUI option to do this if possible.