stangri / repo.openwrt.melmac.net

OpenWrt/LEDE Project Packages Repository

Prominently identify key feature differences between `vpn-policy-routing` and `vpnbypass` in documentation where newcomers are likely to land and benefit from guidance #13

Closed posita closed 1 year ago

posita commented 3 years ago

It's how much overlap there is between vpn-policy-routing and vpnbypass. At first blush, they seem to solve similar problems, but it's not clear which use cases would be better served by which packages.

Is vpn-policy-routing for identifying small slices of traffic for use with a VPN, where not routing through the VPN is the default (i.e., opt-in to the VPN), whereas vpnbypass is for identifying small slices of traffic to bypass a VPN, where routing traffic through the VPN is the default (i.e., opt-out of the VPN)?

Perhaps this can be documented in each of the respective READMEs?

Something like:

> vpn-policy-routing is good when you're [insert use cases here]. If you're looking for something to do [other use cases here], check out vpnbypass instead.

And vice versa for vpnbypass.

posita commented 3 years ago

Oh, shoot. You may have already done this (at least in one spot). I just now found this:

> This service supersedes the VPN Bypass available on GitHub/jsDelivr service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.

But that was only present here (as far as I can tell).

Consider prominently featuring that sentiment in the first post here. Consider also surfacing vpn-policy-routing as a better alternative in the documentation here and in the first post here, and in the summaries here, since those are all part of your active documentation surfaces.

posita commented 3 years ago

If you can confirm my understanding of the packages and their utility, I can submit a PR adjusting your documentation here, if you like.

stangri commented 3 years ago

> Consider also surfacing vpn-policy-routing as a better alternative

It's very subjective which one is better.

Descriptions (one paragraph for each service at the very top of the READMEs for each package) clearly describe which package does what. I do not want to overload the general repo README with the additional information.

posita commented 3 years ago

Hmmm…so maybe the paragraph about vpn-policy-routing "superseding" needs to be retracted?

> Descriptions (one paragraph for each service at the very top of the READMEs for each package) clearly describe which package does what.

FWIW, the differences between the two packages are definitely not clear to me, which was partially the motivation behind filing this. Unless you already know the differences, the descriptions sound remarkably similar.

> vpn-policy-routing & luci-app-vpn-policy-routing
>
> This service can be used to enable policy-based routing for L2TP, Openconnect, OpenVPN and Wireguard tunnels and WAN/WAN6 interfaces. Supports policies based on domain names, IP addresses and/or ports. Compatible with legacy (IPv4) and modern (IPv6) protocols. Please see the README at GitHub/jsDelivr and OpenWrt Forum Thread for further information.

The way I read this is that vpn-policy-routing can be used to set policies based on domain names, IP addresses and/or ports that determine which path (VPN vs non-VPN) packets take.

> vpnbypass & luci-app-vpnbypass
>
> This service can be used to enable simple OpenVPN split tunneling. Supports accessing domains, IP ranges outside of your OpenVPN tunnel. Also supports dedicating local ports/IP ranges for direct internet access (outside of your OpenVPN tunnel). Please see the README at GitHub/jsDelivr and OpenWrt Forum Thread for further information.

The way I read this is that vpnbypass can be used to set policies based on domain names and IP ranges that determine which path (VPN vs non-VPN) packets take.

Besides one offering the ability to route via port (which I think is inaccurate, since I believe vpnbypass allows that, too), it's not clear what the differences are via these descriptions.

Even after reading the detailed docs, I'm still fuzzy on what the differences are with respect to use cases. Maybe the mechanisms each use to achieve their behaviors are different, but I struggle to find good guidance to help referee a decision about which to pick if I want some traffic to be extra-VPN. It's not even clear whether they're mutually exclusive. Can a user install both? What would happen? Would nothing work?

For example, which one would I use if I want default packets to be routed through the VPN with some very specific exceptions? What if I wanted packets routed through the VPN to fail if the VPN was down, but extra-VPN packets to still be routed (regardless of the status of the VPN)? I can't make those calls right now without experimenting with both to answer my own questions, which is a huge time investment.

All I'm suggesting is to provide more detail to guide the newcomer to help referee the decision of which to deploy without undue experimentation on their part.

stangri commented 3 years ago

Would this change be better in your opinion to highlight specifics of the packages: https://github.com/stangri/docs.openwrt.melmac.net/commit/551e9f1a043e6e8e9f20d7579af0cc121aa79bcb ?

> Hmmm…so maybe the paragraph about vpn-policy-routing "superseding" needs to be retracted?

Features-wise, vpn-policy-routing still supersedes vpnbypass, but I can't say the former is better. The car supersedes the bicycle features-wise, but it isn't always better. For a lot of people vpnbypass would be a better choice.

> All I'm suggesting is to provide more detail to guide the newcomer to help referee the decision of which to deploy without undue experimentation on their part.

I'm not sure if it's possible to provide all the detail within the repo README, that's why I link the individual packages README. There are just too many concepts which will need to be described to separate the two.

Based on this conversation, I think I'll eventually create a small comparison table between vpnbypass and vpn-policy-routing within the latter's README and link it from the repo README. I'll update this issue when the READMEs address it.

posita commented 3 years ago

https://github.com/stangri/docs.openwrt.melmac.net/commit/551e9f1a043e6e8e9f20d7579af0cc121aa79bcb definitely adds a lot of clarity, so 👍 to that. Thanks!

A table would be great (if you ever get around to it).

Thanks for your consideration!

stangri commented 1 year ago

Thanks again for pointing out deficiencies with the docs and submitting suggestions. I wasn't sure whether vpn-policy-routing and vpnbypass would outlive the creation of pbr or not, and it turns out there are too many changes brought up with fw4/nft and the new dnsmasq for me to be able to maintain all 3 packages. Now that vpn-policy-routing and vpnbypass have been obsoleted, I don't want to update their docs anymore, so I'm closing this.