How to Selectively Route OpenVPN Traffic Using PassWall2 on OpenWRT

If you run OpenVPN directly on your OpenWRT router, it usually hijacks your entire internet connection. But what if you only want specific apps, websites, or devices to use the VPN? By combining OpenVPN with PassWall2 and Sing-Box, you can convert your VPN connection into a flexible proxy node.

Why do this? (Use Cases)

  • Smart Routing: Route only specific traffic (like foreign streaming sites or blocked services) through the VPN, while keeping your local traffic on your fast, regular ISP connection.
  • Local SOCKS Proxy: Expose the OpenVPN connection as a SOCKS proxy that anyone on your local Wi-Fi network can manually connect to.
  • Multi-VPN Setup: Run multiple VPN locations at the same time (e.g., US on tun0, UK on tun1) and assign different devices to different countries.

Step 1: Install & Configure OpenVPN

First, we need to set up OpenVPN so that it connects but doesn't take over your entire network.

  • Install luci-app-openvpn and openvpn-openssl on your router.
  • Add your OpenVPN profile (if you are using a provider like ProtonVPN, follow their setup guide, but skip any steps regarding firewall rules).
  • To prevent the VPN from pulling the default gateway, add these two lines to your OpenVPN configuration text:
      route-nopull
      pull-filter ignore "redirect-gateway"

Step 2: Create a Network Interface

Next, we need to give OpenWRT a way to talk to this specific VPN tunnel.

  • Go to Network > Interfaces in LuCI and click Add New Interface.
  • Name it something recognizable (like openvpn).
  • Set the Protocol to Unmanaged and select tun0 as the device.
  • Save, apply, and start your OpenVPN client. Note that the interface may not appear in the list before you connect to OpenVPN.

Step 3: Link to PassWall2 via Sing-Box

Now, we will turn that tunnel interface into a standard proxy node inside PassWall2.

  • Make sure you have PassWall2 and sing-box installed on your OpenWRT router.
  • Open PassWall2, add a new node, and select sing-box as the type.
  • Choose custom interface for the connection type, and input tun0.

Step 4: Route Your Traffic

You're all set! This OpenVPN connection is now a regular proxy node inside PassWall2. You can now use PassWall2's rules to selectively route your network traffic through it, or configure PassWall2 to expose it as a SOCKS proxy for your local network.

Tip: If you want to add more VPN locations, just repeat the steps using tun1, tun2, etc., and create a separate PassWall node for each!
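
To confirm that Step 1 actually kept the tunnel from taking over the router, the following added example (not part of the original post) checks a profile for the two directives and scans a routing table for catch-all routes that leave through a tunN device. The function names, sample route tables and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm an OpenVPN client
# profile stays split-tunnel, as Step 1 intends.

# check_ovpn_config FILE: returns 0 only if both Step 1 directives are
# present and the profile itself does not request redirect-gateway.
check_ovpn_config() {
    cfg=$1; rc=0
    grep -Eq '^[[:space:]]*route-nopull([[:space:]]|$)' "$cfg" ||
        { echo "missing: route-nopull"; rc=1; }
    grep -Eq '^[[:space:]]*pull-filter[[:space:]]+ignore[[:space:]]+"?redirect-gateway' "$cfg" ||
        { echo "missing: pull-filter ignore \"redirect-gateway\""; rc=1; }
    if grep -Eq '^[[:space:]]*redirect-gateway' "$cfg"; then
        echo "profile sets redirect-gateway locally"; rc=1
    fi
    return $rc
}

# tunnel_catchall_routes: reads `ip -4 route show` output on stdin and
# prints any catch-all route (default, or the 0.0.0.0/1 + 128.0.0.0/1
# pair that redirect-gateway def1 installs) that leaves via a tunN device.
tunnel_catchall_routes() {
    awk '$1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
        for (i = 2; i < NF; i++)
            if ($i == "dev" && $(i + 1) ~ /^tun[0-9]+$/) { print; break }
    }'
}

# Constructed sample data: route table of a router where the tunnel
# has taken over (what Step 1 is meant to prevent).
SAMPLE_HIJACKED='default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.20
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.20'

# Constructed sample data: the same router with the Step 1 lines applied.
SAMPLE_SPLIT='default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.20
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.20'

# Demo on the constructed hijacked table: prints the two /1 routes.
printf '%s\n' "$SAMPLE_HIJACKED" | tunnel_catchall_routes
```

On the router, pass your own profile path to check_ovpn_config and pipe the output of ip -4 route show into tunnel_catchall_routes after the client connects; empty output means no catch-all route points at a tunnel.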
