qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Is it possible to bypass VPN for some IPs or IP ranges? #1204

Closed Dominik-1980 closed 1 year ago

Dominik-1980 commented 1 year ago

I was using a Raspberry Pi as a second router with OpenWRT as VPN router. In OpenWRT it is possible to bypass IPs which shouldn't use the VPN. Is this possible in gluetun, too? If it is, gluetun could fully replace this Raspberry Pi.

bnhf commented 1 year ago

@Dominik-1980

Gluetun is fantastic for routing traffic from other containers via a VPN. For what you're talking about though, having a 2nd gateway on your LAN that's connected via a VPN, and having an IP bypass list for that second gateway -- OpenWRT is the way to go.

If you really want to get rid of the Raspberry Pi, and you have a 24/7 server running on your network, you could likely run OpenWRT in a VM (with a bridged network interface) in the same fashion as the RPi.

Dominik-1980 commented 1 year ago

Hey, thanks for the answer.

The problem is that the OpenVPN speed (I have to use OpenVPN. Wireguard on the router is not supported by VyprVPN) on the Raspberry Pi is 25MBit/s download. On my Core i5-6600 home server with gluetun I'm getting the full speed of 100MBit/s download from my ISP, even with OpenVPN.

So I think I'll stick to gluetun and get the full speed... OpenWRT in a VM is producing too much overhead on CPU usage I think. I would like to use these resources for other VMs (Windows 10 etc...).

Or I could buy a cheap router without wifi, but with enough power for full OpenVPN speed, but I couldn't find one yet. Mikrotik is very good and cheap, but they don't really support OpenVPN very well in RouterOS.

Any suggestions which router could work?

bnhf commented 1 year ago

@Dominik-1980

Gluetun is great as far as OpenVPN performance is concerned -- and will be the answer for anything you can containerize. But it sounds like you have VPN needs that can't be handled using Docker, and for those your 2nd gateway approach makes sense.

However, I think you'll find that the Raspberry Pi (particularly the RPi 4B), is quite a bit more powerful than any cheap router. You didn't mention which RPi model you have, but I think you're going to want either a 3B+ or 4B to get the performance you're looking for if you stick with a Raspberry Pi.

Other options would include repurposing an older x86 computer and running OpenWRT directly on it, or getting a high-end Asus router secondhand and running AsusWRT-Merlin on it.

bnhf commented 1 year ago

@Dominik-1980

I thought of another option that might work for you, using the hardware you already have. The idea would be to enable Shadowsocks on your gluetun container, and then set up your OpenWRT Raspberry Pi to use this Shadowsocks proxy.

https://github.com/qdm12/gluetun/wiki/Shadowsocks-options

I tested something similar on my LAN via a gluetun container (with Shadowsocks enabled) running on an RPi 4B (Raspberry Pi OS 64bit). In my case, to test, I used the Shadowsocks Windows client on a laptop. Speedtest.net results showed the endpoint of my gluetun VPN, and performance was good at about 150Mbps on the download.

YMMV of course, but it's not difficult to configure, and since you have the pieces already it might be an interesting setup to try.

https://forum.openwrt.org/t/guide-shadowsocks-setup-on-openwrt-for-beginners/77026

qdm12 commented 1 year ago

Side note, you can use WIREGUARD_ALLOWED_IPS

see https://github.com/qdm12/gluetun-wiki/blob/main/setup/options/wireguard.md#files
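
Added example, not part of the thread and not gluetun's own code: WireGuard only sends destinations covered by the peer's allowed IPs into the tunnel, so a bypass list is expressed as the complement of the bypassed ranges. The sketch below computes that complement; the bypass ranges are constructed, and it assumes `WIREGUARD_ALLOWED_IPS` takes a comma-separated CIDR list and that the connection uses WireGuard, not OpenVPN.

```python
import ipaddress


def allowed_ips_excluding(bypass, full="0.0.0.0/0"):
    """Return the CIDR blocks covering `full` minus every network in `bypass`."""
    remaining = [ipaddress.ip_network(full)]
    for raw in bypass:
        excluded = ipaddress.ip_network(raw, strict=False)
        kept = []
        for net in remaining:
            if net.version != excluded.version or not net.overlaps(excluded):
                kept.append(net)  # untouched by this bypass range
            elif net.subnet_of(excluded):
                continue  # block lies entirely inside the bypass range
            else:
                # bypass range sits strictly inside this block: split around it
                kept.extend(net.address_exclude(excluded))
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def to_env_value(networks):
    """Join networks as a comma-separated list (assumed env value format)."""
    return ",".join(str(n) for n in networks)


def is_tunnelled(address, networks):
    """Check whether a destination would be routed into the tunnel."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks)


if __name__ == "__main__":
    # Constructed bypass list: a LAN range and one extra /24.
    bypass = ["10.0.0.0/8", "192.168.1.0/24"]
    nets = allowed_ips_excluding(bypass)
    print("WIREGUARD_ALLOWED_IPS=" + to_env_value(nets))
    for dst in ("192.168.1.10", "10.20.30.40", "8.8.8.8"):
        print(dst, "-> tunnel" if is_tunnelled(dst, nets) else "-> bypass")
```

Verify the result with `is_tunnelled` before deploying it: a bypassed range leaves the container outside the VPN, so any firewall or kill-switch rules still decide whether that traffic is permitted at all.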