VPN policy quick guide and feedback

I tried IP based rule works.

Maybe @luochongjun can help on this matter. Before there is setting for guest network but the UI is too complicated already. But this is definitely doable.

One more thing about IP based rule.

You need to flush your DNS or just wait for some time to let it work. This is the behaviour I observed. Because of DNS cache it seems not working so you changed your settings again. So just be a little patient and you should find that it works.

based domain policies need flush DNS cache (use ipconfig /flushdns command on windos ).
For some sites, you need to set a set of policies, not a single policy, because the sites you visit are likely to get data from other sites.
The VPN policies not apply in guest network.

IP-based policy worked for some sites and didn’t work for whatismyip.com! Please give it a try.

Also I wish I could exclude all domains with my country suffix from vpn.

for me no working

hulu.com & netflix no possible to use, they see i use a vpn and lock me if vpn policy it’s active
just if i use vpn full without policy working but i loose contry film in netflix



Is there a plan to increase the available syntax for domain names? Currently dashes eg, gl-net.com are not allowed. This obviously limits the amount of domains that can be put behind a vpn profile.



Hello, I have just installed the very recent openwrt-mv1000-emmc-3.104.img (mostly for Adguard Home) but I bought this router to be able to use Wireguard as a client with policy routing. And it works well once you realize that MAC address works only for source and IP only for destination.

I have a small problem because I have 2 routers (double NAT).
Here’s a simplified view of my network.


Almost all my network clients are in LAN2 and only one does not go into the VPN. But I have a phone blocker device that is in LAN1 and I cannot access it because requests to are sent to the VPN. If I want to access it, I can remote control (RDP) the computer that is not routed through the VPN but it’s not convenient as it’s not my main computer.

Is there a way to disable routing through the VPN for a private address subnet ? Even without the GUI.
In the GUI, I cannot solve this using source MAC address.

alzhao wrote that “We tried to make mixed policy and it will make the logic hard to understand” but it doesn’t have to be complicated to solve this problem on a single screen. Just look how its solved in asuswrt merlin


You can make an exclusion for in vpn policies used in destination ip mode.


I wonder for the IP-Based policy how many rules can I add into the list?

I have an Asus router it only allows 40-44 rules due to the limitation at the nvram storage level.

…can I add 400-500 rules into the list?

Thank you.

No, I cannot because I am in source MAC address mode. This is the only way to have VPN for all but one LAN computer.

I have 500 based ip rules…

1 Like

Then you have to make a static route in the router to force traffic directed to via wan and not via wg0

It’s easier said than done. In Networks, Static Route, there is no wg0 interface.
Although it can be seen under Status, Routes.

Active IPv4-Routes
Network Target IPv4-Gateway Metric Table
wan 0 1
wan 10 51
wg0 - 0 51
wan 0 51
wan - 10 51
lan - 0 51
wan 10 52
wan 0 52
wan - 10 52
lan - 0 52
wg0 - 0 main
wan 10 main
wg0 - 0 main
wg0 - 0 main
wan 0 main
wan - 10 main
lan - 0 main`

I have played with CISCO and Mikrotik routers before but I cannot understand why it appears so complicated here.

Could you be more specific ?

You can try by ssh:
ip route add ‘ipofyourclient’/32 dev wan

After several attempts and several weeks later, I finally won this fight. And this is doable using the GUI. It’s under Advanced, Network, Firewall, Traffic Rules. I added a rule above the last one “glservice” that looks like this :

From IP range in lan
To IP range in wan
Accept forward

That way, even though all my traffic is sent to the VPN, the traffic from the second LAN to the first avoids the VPN. I am in a double NAT configuration because I don’t own the first router / NAT but still needs to acces it from the second LAN behind the Brume.

please add port in vpn policies


Please help me with this.

My problem is that my GL Box has a permanant VPN with my Wireguard private server, and when the VPN is working, whether I activate the option 'Use VPN for all process on the router’ or Not, the DDNS of GLDDNS is always updated with the IP address of the VPN server (of the VPN) and not the real one.

Would you please help me ? I tried to put the WAN IP as an exeption but didn’t work either.

Many thanks,

Pls let me know which model you are using.

Sure, it’s GL-iNet GL-MT300N-V2(Mango),

OS version : 3.203

DDNS needs some time to update.

When you turn on/off vpn policy, pls wait a while so that the ddns is updated. I am having a problem in my test environment and didn’t finish testing. But I think the above is the reason.