Allowing certain domains to bypass VPN

nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

Posted: Wed May 29, 2019 23:46    Post subject: Allowing certain domains to bypass VPN
I have a VPN set up in my dd-wrt router so all network traffic in that router is going through the VPN. Some websites (e.g., some of the banks) don't allow visiting their site through VPN.

Is there any way to allow a select number of domains to bypass the VPN?

Thanks
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1249
Location: Indiana

Posted: Thu May 30, 2019 0:13
There are a couple methods outlined in this excellent post from @egc.

Simple script for Policy Based OpenVPN Routing [WORKING]

_________________
SUPPORTED DEVICES -- DON'T USE ROUTER DATABASE!
--IMPORTANT UPGRADE INFORMATION--STUBBY install guide
Qualcomm-Atheros:
R7800 x2 kongat & BS WDS AP & Sta-- R7500V2 BS std WDS STA-- WZR-HP-AG300H BS std WDS STA
WNDR3700v4 BS std WDS STA-- Nanostation M2 AirOS-- LocoM2 AirOS
Broadcom:
R6200v2 41491std using R6250.chk WLAN Repeater Archer C9 v1 OEM WAP

DDWRT Policy Based Routing Guide by egc
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu May 30, 2019 0:23
You can simply define static routes in the OpenVPN client for those domains.

Code:
route amazon.com 255.255.255.255 net_gateway
route cnn.com 255.255.255.255 net_gateway

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

Posted: Thu May 30, 2019 14:51
eibgrad wrote:
You can simply define static routes in the OpenVPN client for those domains.

Code:
route amazon.com 255.255.255.255 net_gateway
route cnn.com 255.255.255.255 net_gateway



Thanks. I put the following code in the "Additional Config" section in the VPN tab. Clicked Save and then Apply Setting but when I go to the bank's website it's still not loading.

Quote:
route somebank.com 255.255.255.255 net_gateway
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu May 30, 2019 15:13
Well, not loading is a different issue than which route is used, WAN vs. VPN.

Do you perhaps have a kill switch that's blocking the WAN?

nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

Posted: Thu May 30, 2019 15:17
eibgrad wrote:
Well, not loading is a different issue than which route is used, WAN vs. VPN.

Do you perhaps have a kill switch that's blocking the WAN?


To my knowledge I don't have a kill switch. All the other sites are loading. Just this bank and a few other sites don't load through VPN. Once I disable VPN, they do load. I was hoping the above command would route the traffic to those domains outside of the VPN.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu May 30, 2019 15:23
The only thing those route directives in Additional Config do is create static routes that point to the WAN as the gateway to those domains. Once the OpenVPN client is active, you should be able to see those routes in the routing table. Go to a shell (telnet/ssh) and issue the following command.

Code:
route


If you do an nslookup w/ those same domain names, you'll see one or more public IPs reported, which should show up in the routing table, and w/ a gateway IP that points to the WAN.

So it's just a matter of which network interface gets used, VPN or WAN. But it's not obvious to me why whichever choice you make, the website should refuse to load. Something else must be going on there, like are you also using PBR (policy based routing) in the GUI?

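The check described in the post above (compare the addresses nslookup reports against the routing table and confirm each has a route via the WAN gateway), written out as an added example that is not part of the original thread. The function name check_bypass, the sample routing table, the interface names and all addresses are constructed assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks that every address a
# bypassed domain resolves to has a host route via the WAN gateway.

# Constructed `route -n` output with the VPN up. All addresses are made up
# (documentation and private ranges); tun1/vlan2/br0 are assumed names.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 vlan2
198.51.100.10   192.0.2.1       255.255.255.255 UGH   0      0        0 vlan2
203.0.113.5     192.0.2.1       255.255.255.255 UGH   0      0        0 vlan2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# check_bypass ROUTES WAN_GW IP...
# Prints "IP wan" when ROUTES holds a 255.255.255.255 route to IP via
# WAN_GW, otherwise "IP not-bypassed". Returns 0 only if all IPs are covered.
check_bypass() {
    routes=$1
    wan_gw=$2
    shift 2
    rc=0
    for ip in "$@"; do
        if printf '%s\n' "$routes" | awk -v ip="$ip" -v gw="$wan_gw" '
            $1 == ip && $2 == gw && $3 == "255.255.255.255" { found = 1 }
            END { exit !found }'
        then
            echo "$ip wan"
        else
            echo "$ip not-bypassed"
            rc=1
        fi
    done
    return "$rc"
}

# Demo: the third address stands for one that nslookup reported but for
# which no static route exists, so it still follows the VPN default route.
check_bypass "$SAMPLE_ROUTES" 192.0.2.1 \
    198.51.100.10 203.0.113.5 198.51.100.77 ||
    echo "at least one address is still routed through the VPN"
```

On the router, pass "$(route -n)" as the first argument, then the WAN gateway IP, then the addresses nslookup returned for the domain.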
nima2019
DD-WRT Novice


Joined: 13 Apr 2019
Posts: 16

Posted: Thu May 30, 2019 15:34
I'm not using any 'policy based routing'. Does it matter whether I put the line of code on top of the 'Additional Config' section or bottom? The VPN required me to put the following code in there already

Quote:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log

#Delete `#` in the line below if your router does not have credentials fields and you followed the 3.1 step:
#auth-user-pass /tmp/openvpncl/user.conf
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Thu May 30, 2019 15:50
Doesn't matter.

Although frankly, you shouldn't need any of those other directives. Either the router is already using them, or they're irrelevant, or in the worst case, because adding directives which the router is already using acts as an override, you can sometimes break things.

What I tell users is to resist the temptation to add things to Additional Config and just see if the VPN works without it. If it does, then anything the VPN provider is suggesting be added is little more than a tweak. And in some cases, an irrelevant tweak (e.g., remote-random is meaningless unless you're specifying multiple remote directives).
