You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

5.6 KiB

VPN Bypass

A simple procd-based vpnbypass service for OpenWrt/LEDE Project. This is useful if your router accesses Internet through a VPN client/tunnel, but you want specific traffic (ports, IP ranges, domains or local IP ranges) to be routed outside of this tunnel.

Features

  • Define local ports so traffic to them is routed outside of the VPN tunnel (by default it routes Plex Media Server traffic (port 32400) outside of the VPN tunnel).
  • Define IPs/subnets in local networks so their traffic is routed outside the VPN tunnel (by default it routes traffic from 192.168.1.81-192.168.1.87 outside the VPN tunnel).
  • Define remote IP ranges that are accessed outside the VPN tunnel (by default, LogmeIn Hamachi traffic (25.0.0.0/8) is routed outside the VPN tunnel).
  • Creates list of domain names which should be accessed outside the VPN tunnel (useful for Netflix, Hulu, etc).
  • Does not reside in RAM -- creates iptables rules which are automatically updated on WAN up/down events.
  • A companion package (luci-app-vpnbypass) is provided so all features may be configured from the Web UI.
  • Proudly made in Canada, using locally-sourced electrons.

Screenshot (luci-app-vpnbypass)

screenshot

Requirements

This service requires the following packages to be installed on your router: ipset and iptables. Additionally, if you want to use the Domain Bypass feature, you need to install dnsmasq-full (dnsmasq-full requires you uninstall dnsmasq first).

To fully satisfy the requirements for both IP/Port VPN Bypass and Domain Bypass features connect via ssh to your router and run the following commands:

opkg update; opkg remove dnsmasq; opkg install ipset iptables dnsmasq-full

To satisfy the requirements for just IP/Port VPN Bypass connect to your router via ssh and run the following commands:

opkg update; opkg install ipset iptables

Unmet dependencies

If you are running a development (trunk/snapshot) build of OpenWrt/LEDE Project on your router and your build is outdated (meaning that packages of the same revision/commit hash are no longer available and when you try to satisfy the requirements you get errors), please flash either current LEDE release image or current development/snapshot image.

How to install

Please ensure that the requirements are satisfied and install vpnbypass and luci-app-vpnbypass from the Web UI or connect to your router via ssh and run the following commands:

opkg update
opkg install vpnbypass luci-app-vpnbypass

If these packages are not found in the official feed/repo for your version of OpenWrt/LEDE Project, you will need to add a custom repo to your router first.

Default Settings

The default configuration ships with the service disabled, use the Web UI to enable/start the service or run uci set vpnbypass.config.enabled=1; uci commit vpnbypass;. It routes Plex Media Server traffic (port 32400) and LogmeIn Hamachi traffic (25.0.0.0/8) outside of the VPN tunnel. Internet traffic from local IPs 192.168.1.81-192.168.1.87 is also routed outside the VPN tunnel. You can safely delete these example rules if they do not apply to you.

Documentation / Discussion

Please head to OpenWrt Forum for discussions of this service.

Bypass Domains Format/Syntax

Domain lists should be in the following format/syntax: /domain1.com/domain2.com/vpnbypass. Please do not forget the leading / and trailing /vpnbypass. There is no validation if you enter something incorrectly -- it simply will not work. Please see Notes/Known Issues if you wish to edit this setting manually, without using the Web UI.

What's New

1.3.0:

  • No longer depends on hardcoded WAN interface name (wan) works with other interface names (like wwan).
  • Table ID, IPSET name and FW_MARK as well as FW_MASK can be defined in config file.
  • Uses iptables, not ip rules for handling local IPs/ranges.
  • More reliable creation/destruction of VPNBYPASS iptables chain.
  • Updated Web UI enables, starts and stops the service.

Notes/Known Issues

  1. Domains to be accessed outside of VPN tunnel are handled by dnsmasq and thus are not defined in /etc/config/vpnpass, but rather in /etc/config/dhcp. To add/delete/edit domains you can use VPN Bypass Web UI or you can edit /etc/config/dhcp manually or run the following commands:
uci add_list dhcp.@dnsmasq[-1].ipset='/github.com/plex.tv/google.com/vpnbypass'
uci add_list dhcp.@dnsmasq[-1].ipset='/hulu.com/netflix.com/nhl.com/vpnbypass'
uci commit dhcp
/etc/init.d/dnsmasq restart

This feature requires dnsmasq-full to work. See the Requirements section for more details.