Don’t VPN Everything! - Split Tunnel Your Traffic - Policy Based Routing / OpenWrt Wireguard OpenVPN

  • Published: 24 Jul 2024
  • Support Me
    Get a 5% off Ekster Products
    shop.ekster.com/devodyssey or discount code "DEV" at checkout!
    (PAID Link)
    Follow me on Twitter and Facebook
    / dev_odyssey
    / dev0dyssey
    Description
    VPN all the things, is what VPN providers tell you. That is, they sell VPN services under the impression that you are not secure without one. This scare tactic works all too often, but truth be told, a VPN is not necessary for every connection and often gets in the way. That makes using a VPN inconvenient: you end up shutting it off and turning it back on depending on how you are using the internet. With VPN split tunneling you avoid this by selecting which traffic goes through the VPN and which does not. You can take this a step further if the VPN runs on your router, where you can split tunnel for every device on your network. And if you use multiple VPNs, you can split tunnel between them and your WAN connection on the router. You can accomplish all of this, and more, with OpenWrt and the Policy Based Routing package. Watch the video for examples of how to write your own routing policies and stop toggling that VPN connection on and off.
    Links
    Policy Based Routing (PBR) Documentation
    docs.openwrt.melmac.net/pbr
    How to setup OpenVPN on OpenWrt - Mullvad
    mullvad.net/en/help/openwrt-r...
    Wireguard PBR Settings on OpenWrt
    thematrix.dev/wireguard-vpn-p...
    OpenWrt OpenVPN Resources
    openwrt.org/docs/guide-user/s...
    openwrt.org/docs/guide-user/s...
    Linux Networking
    www.howtogeek.com/177621/the-...
    iptables / nftables tables and chains
    linux-training.be/networking/c...
    Chapters
    00:00 Intro
    00:25 About Split Tunneling
    01:13 About Policy Based Routing
    01:30 Split Tunnel / PBR Goals
    02:03 Hardware / Software
    03:34 Split Tunnel / PBR Demo
    04:34 PBR App Overview
    09:56 Creating Custom Policies
    14:46 Testing Custom Policies
    16:24 Outro
    Attributions
    Music by LiQWYD
    www.soundcloud.com/LiQWYD
    Free download: bit.ly/glow-free-download
    Pipeline icons created by Good Ware - Flaticon
    Tags
    #vpn #homenetwork #router #openwrt #raspberrypi #cm4 #wireguard #wg #openvpn #splittunneling
  • Science

Comments • 95

  • @DevOdyssey  1 year ago +9

    Want to learn about other VPN technologies like OpenVPN or IPSec?

    • @KCKingcollin  1 year ago +2

      Yes, OpenVPN would be great, as it's the only one that works for my VPN providers currently. I have a basic setup and am hoping this tutorial will help me set it up right, but having a dedicated video for it would be a great help.

    • @DevOdyssey  1 year ago

      @@KCKingcollin Awesome! I first worked with OpenVPN as a VPN solution, before I got into WireGuard, so I do have some familiarity with it, let alone, I set up an OpenVPN client with guidance from my VPN provider.
      In regards to using OpenVPN with this video, it's effectively the same as for WireGuard. Meaning, once you have your VPN tunnel set up (and a VPN interface), regardless of the VPN backend, this process should work. Are you having issues setting up a VPN client, or doing split tunneling / policy based routing (PBR)?
      Since using a different VPN backend doesn't change split tunneling, I'm unsure if I would make another video there, other than setting up an OpenVPN client / server. Regardless, I'm happy to offer my 2 cents for your situation.

    • @KCKingcollin  1 year ago +1

      @@DevOdyssey I managed to fumble my way through it, but your video definitely helped massively. Thanks a bunch!

    • @DevOdyssey  1 year ago

      @@KCKingcollin I can attest that basically every video I make comes from me stumbling through different interesting IT topics until I get something working, and that's when it all comes together in my head.

  • @gasparem16  3 months ago

    splendid video bro. Thanks a lot! Keep up the good work!

    • @DevOdyssey  3 months ago

      Thanks for watching! I truly appreciate the compliment. I have plenty more great content I'd like to get to, and one video just about ready, actually regarding the setup of an OpenVPN client on OpenWrt, just as I used in this video. It might be useful for you if you plan to follow this video.

  • @alexs5588  1 year ago +1

    Great video, always super informative. Would you consider making a video specifically covering “Custom User File” for individual websites?

    • @DevOdyssey  1 year ago

      Thanks for watching Alex! Appreciate the compliment.
      Possibly, as it depends on how deep I can go into that topic, let alone how well I can learn it. I have a very high level knowledge of what it does, and I can actually understand the scripts used to populate those nfsets / ipsets. However, this really is only useful for services that have multiple domains that content is procured from (i.e. Content Delivery Networks, or CDNs), where your originating IP is of concern for those providers. If it's not a concern, then there isn't a need to do this. There are likely other use cases that I'm not seeing on the surface, but that is generally how I understand it. So for any other streaming service, this would be good to create those sets for.
      It's based on public information, so you'd have to find and procure those domains into a set, by using a script, or any other means. The below example from Reddit seems pretty good, though I can't confirm how well it works. Your ability to create these files effectively will come down to your ability to script out pulling the necessary IPs you want to route through your interface of choice. Just to note, this will automatically create the policies for you and they will not show up in the GUI. For example, the default scripts there mean that Netflix will be routed through your WAN, regardless of whether your default gateway is a VPN interface.
      www.reddit.com/r/openwrt/comments/zl4v9d/policybasedrouting_pbr_how_to_use_custom_user
      Let me know if you have any other questions.

  • @vakarami  1 year ago

    Thanks for all the great content!

    • @DevOdyssey  1 year ago

      You're welcome! I really appreciate the compliment. 😊

  • @user-fc9ic5cm8d  17 days ago +1

    Thanks a lot! Maybe you have a video about configuring resolver set support? Dnsmasq nft set. I can't understand how to configure it.

    • @DevOdyssey  17 days ago

      You're welcome @user-fc9ic5cm8d!
      I don't have a video on that unfortunately, but you should be able to follow the docs for pbr and set this up.
      docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport
      There is a screenshot in there that shows you an option to change your resolver set. After making sure you have dnsmasq-full package installed, I don't think there is anything else you'd need to do. You can add custom user files on top of that if you want, but again not required. You can find more information on that in the link above.

  • @Kevin_Reems  1 year ago

    Wonderfully explained! Thank you!

    • @DevOdyssey  1 year ago

      Thanks for watching Kevin!
      You’re welcome! Glad you understood it 😊.
      I hope it helps you achieve any policy based routing goals you have!

  • @kennethbrown445  2 months ago +1

    Awesome! I was thinking I had to set up VLANs to accomplish this. Very glad it's so much simpler than I initially thought, but if I did want to set this up with VLANs, is there anything else I'd need to be aware of? I basically would like to have a VLAN for guests that gets split-tunneled into my VPN instead of my ISP. I imagine I could just set up the guest VLAN, and then set a routing policy that specifies the VLAN's subnet?

    • @DevOdyssey  2 months ago

      Thanks for watching @kennethbrown445!
      Nope, no VLANs necessary for split tunneling. It's great when you figure out a deployment is easier than expected haha.
      Now if you want to set it up with VLANs, really there is nothing else you'd need to be aware of. Just if you want to really target a VLAN, specify its subnet as the source of your policy, just as you noted. So in your policy that you tunnel over your VPN connection, specify your guest VLAN subnet as the source, and the interface as your VPN interface, and that should tunnel all guest traffic over the VPN.

  • @wanttotree  14 days ago +1

    Hey, thanks for your reply on the other video. Now I got to this video and got PBR working via IP address. Now I'm curious if I can tunnel only YouTube, for example?

    • @DevOdyssey  13 days ago +1

      You're welcome, happy to see you watching another video!
      You should be able to simply set youtube.com as your destination and it should work. Now I'm not sure if this covers everything that YouTube uses on the back end as a part of its services, but this is effectively where you'd start.
      In addition, if you needed to route YouTube subdomains, I did talk about that as well on a high level at 9:02.
      Basically, you can create a script that would pre-populate all dnsmasq nfsets (so long as you set that as your resolver), and pull down IPs for domains and subdomains, and any policies you write would inherently include the subdomains (so long as you have a domain set in your policy).
      You can find more information here on that, which I actually referred to recently in another comment.
      docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport
      For now start with adding youtube.com in your policy and see if it works as expected.

  • @eddybledoeg  1 year ago +1

    Nice tutorial! Thanks.
    I've been using PBR for a while now; it gets the job done to split my Android TV traffic between non-WireGuard and WireGuard. Some real world limitations I encountered: can't use domain based streaming services filtering (have to discover all ASNs used by the service in order to set up a user based filter). Can't use MAC address source, 'cause my TV's is randomized. Can't specify in PBR a source interface (wlan, eth). My working but coarse config splits at source by setting up static IP for WiFi, and DHCP for wired.

    • @DevOdyssey  1 year ago

      Thanks for watching Eddy!
      I'm happy you shared your experience with me, as I haven't been using it as long as you have. Glad it gets the job done, though I'm interested in the limitations you've encountered. They do make sense to me. The domain based streaming seems difficult to me, though not impossible. You just need a really good source of knowledge to pull down the ASNs and domains to create the custom ipset / nfset. MAC address randomization is becoming more common now, so that's basically less of an option, unless they offer the ability to shut that off. Source interface is not an option, and it doesn't make too much sense that it would be either. Source IP address usually makes sense for setting up a policy, since you can set your device IPs to be static in multiple ways. Eventually, I'd like to try this on my IoT network.
      Either way I like how you are achieving this set up in a real life scenario, and sharing it with us all.

  • @user-wt6wx5rp2d  1 year ago +1

    I have just installed the latest version of OpenWrt and am playing around with PBR. And I see my website is being referenced. Thanks 🤣

    • @DevOdyssey  1 year ago +1

      Thanks for watching ロジャー!
      That's awesome! I'd love to see people use PBR more, as it's not that complicated and has a lot to offer for many home network users' use cases.
      Glad I could reference it haha! Which link is your website?

  • @emmanuelessien8174  1 month ago

    I have an OpenWrt router on which I have installed OpenVPN, and it is connecting and working very well, but I do have a problem.
    All my devices connected to my LAN port and wireless are showing one VPN IP address,
    which is not good. I want each device that is connected to my router LAN and VLAN to have a different VPN IP address. I hope you understand what I want to achieve.

    • @DevOdyssey  1 month ago

      Hi @emmanuelessien8184, thanks for watching. I replied to your comment on my OpenVPN video, but I'll repeat the relevant part here. If you want each LAN device to have a different VPN public IP, then you'll need to pay for enough access to cover all your devices and set up separate tunnels for each of them to use. You should follow this video and create separate tunnels for each LAN device and policy route each of those LAN devices to a different VPN interface.

  • @zhyphirus548  1 year ago

    Hello,
    Great tutorial, you helped me configure my WireGuard setup to split tunnel my devices, but I have a problem: did you happen to stumble across your DNS leaking? The only way of using PBR is by setting 'wan' as the default gateway (or at least making it work without the VPN interface), but as soon as I set my VPN DNS on my DHCP and DNS settings and LAN interface, my internet connection stops for anything not connected to the VPN. I've opened a forum post on OpenWrt but so far no success. (I'm using AdGuard Home, but I don't think this should impact how the VPN DNS works.)

    • @DevOdyssey  1 year ago +1

      Thanks for watching Zhyphirus!
      Great question, and that's correct, the WAN needs to be the default gateway for this setup to work with WireGuard as a split tunneled interface.
      As for DNS leaking, I didn't experience that, but more so I didn't actually test or check to see if it was. What you are saying does sound correct: setting the VPN DNS on the LAN interface should get it to use that DNS server, and therefore prevent leaking. I'm not sure why internet access stops working when you do that. Have you tried setting the VPN DNS IP on the WAN interface? That might be what you need to do to stop DNS leaking.
      Using AdGuard Home shouldn't interfere, based on my understanding.
      If that doesn't work you might need to set up a PBR rule for DNS traffic to go through the WAN interface, but you shouldn't need to do that based on my understanding, nor should you have to with the WireGuard interface, though you can try it out and see if it works.

  • @ckwcfm  9 months ago +1

    Great video man. I am trying to do something like this. Too bad I cannot get it to work with multiple WANs.

    • @DevOdyssey  8 months ago

      Thanks @ckwcfm! I appreciate you watching. It's unfortunate you are not able to get it working with multiple WANs. Are you referring to a WAN and a VPN, or actually two different WAN connections from two different ISPs? Functionally, it should be the same as a WAN and VPN interface split tunneling. Just trying to get some clarity on what you mean.

    • @ckwcfm  8 months ago

      @@DevOdyssey Ya. I managed to make it work now. Thank you very much. Very nice video.

    • @DevOdyssey  8 months ago

      @@ckwcfm Awesome! Glad to hear that. You're welcome and thanks again for watching.

  • @WildPyro341  3 months ago

    Hi, thanks for the great video! I have a question maybe you could answer. I am using OpenVPN with PBR and no matter how many IPs or MAC addresses I add to the list, nothing is being routed through the ruleset. Am I doing something wrong? Should I be putting anything in the "remote address" field if I want it to route all traffic? Any help would be greatly appreciated! (The service is on and the rules are all enabled)

    • @DevOdyssey  3 months ago +1

      Glad you liked it @WildPyro341! Thanks for watching. That seems strange; you should only have to add a MAC or IP in the rule to get it to route through your interface of choice. Does it work when you add a destination in the remote address field? Just curious to see, because if it does, then we at least know the rules are working. If you want to route all traffic, there shouldn't be anything additional in the remote address field, though I guess you could try adding 0.0.0.0/0 and see if that does anything. Without knowing the other options you have in your rule, it'll be hard to troubleshoot.
      Assuming you were leaving it all the same as shown in the video, then it should work. Anyway give this a try and if it works, we at least know the routing / ruleset is working.

    • @WildPyro341  3 months ago

      @@DevOdyssey I figured this out myself! I guess installing OpenVPN/PBR on my router didn't automatically set up a "tun0" interface and I had to do this myself. Once I did this, PBR automatically selected that as the default gateway and started routing traffic as normal. Thanks for the suggestions and the response!

    • @DevOdyssey  3 months ago

      @@WildPyro341 Great to hear you were able to figure it out.
      That is correct, installing PBR does not install OpenVPN. I skipped that part as that was not outside of what I wanted to cover. Definitely have to install OpenVPN on your own and set that up as a prerequisite to this video, or any other interface (VPN or not) for that matter. I actually made an OpenVPN client configuration video that will be going out very shortly.
      Nonetheless, happy you got it figured out and it all fell into place.

  • @sidneyking11  10 months ago

    I can connect to my home network with WireGuard but cannot access the internet while connected. How do I configure WireGuard to let me go out its gateway while I am on the VPN?

    • @DevOdyssey  10 months ago

      Thanks for watching @sidneyking11!
      First, could you verify if you have the PBR package installed as shown in this video? If you do, then you'd simply add a PBR rule for your WireGuard interface to route all VPN traffic through that interface. You would do this starting at 10:27 in the video above, where the local addresses would be your local WireGuard network and the interface at the bottom would be WireGuard.
      This would allow you to only route all VPN traffic through the VPN interface, and not all network traffic on the router. Otherwise, to do this without PBR, you'd have to route all your router traffic through the VPN, and specify the allowed IPs to be 0.0.0.0.
      So with PBR, you can customize what traffic you want to go through the VPN. Or if you want, you could write your own routes in the routing table, but PBR rules are probably easiest.

  • @saotekwong3276  22 days ago +1

    Hey. Thank you. But is there a way to use wildcard domain to include all subdomains of a domain?

    • @DevOdyssey  18 days ago

      Thanks for watching @saotekwong3276!
      Referring to the link below, you should be able to route all subdomains of a domain in your policy. However, you don't explicitly wildcard it. Instead you write the domain as you normally would, say google.com, and then when you set your resolver set to dnsmasq.ipset or dnsmasq.nftset, whichever is supported on your system, it will route subdomains through your existing policy.
      Refer to the comment below from the creator of PBR for more information. My answer is simply what he provided, and not something I have personally experienced.
      forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/779

    • @saotekwong3276  3 days ago

      @@DevOdyssey Thank you very much. I tried dnsmasq.nftset, but it is not working. I have no idea why

    • @saotekwong3276  15 hours ago

      @@DevOdyssey Thanks for your information. However, I have tried, but it does not work.

    • @DevOdyssey  8 hours ago

      @@saotekwong3276 So can you elaborate on it? What's not working about it and how is it not working? How have you tested it to prove it's not working? Have you ensured that you have dnsmasq set up on your router?
      If you have further trouble here, it would probably be worth getting onto the OpenWrt forums to ask for assistance, where you can share screenshots of what you've done and your observations of your tests, and the community should help you get it working, including the creator of the pbr package.
      forum.openwrt.org/
      forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639?page=38

  • @syedhussain904  10 months ago

    Really informative, and it has cleared a lot of my misconceptions.
    Brother, I want to ask how you configured OpenVPN and WireGuard both at the same time. I also tried, but my OpenVPN interface is not working; it was showing "NETWORK DEVICE NOT PRESENT".
    Can you please let me know why my OpenVPN is not working?

    • @DevOdyssey  10 months ago

      Thanks for watching Syed!
      I appreciate the compliment. As for configuring both at the same time, I didn't have any particular problem doing that; I just followed the general process for WireGuard, and for OpenVPN I followed my VPN provider's (Mullvad) instructions, which I have in the description. I have also linked it below:
      mullvad.net/en/help/openwrt-routers-and-mullvad-vpn/
      I am honestly not sure why you are seeing that issue; it's hard to tell without knowing any of your configuration, but I hope the instructions above help. What is the VPN provider you are using? They likely will have instructions on setting it up, even with a generic OpenVPN client, that should be helpful when setting it up with OpenWrt. So if you haven't done that, I'd start there.

    • @syedhussain904  10 months ago

      @@DevOdyssey Can I use WireGuard and OpenVPN profiles from the same provider (such as ExpressVPN)?

    • @DevOdyssey  10 months ago

      @@syedhussain904 My provider Mullvad lets me use WireGuard and OpenVPN profiles at the same time, and in theory I have access to 5 VPN profiles, two simultaneously for sure, but likely I can use all five at the same time.
      I haven't used ExpressVPN before, but they might let you do it. It looks like they let you use 5 devices at once from my research, so given that, you should be able to do the same, since each config would be considered another device, even if you run those configs on the same device.

  • @vakarami  1 year ago

    Plus, how can we configure a WiFi network to be routed through WG only? For instance, there are two WiFis with different SSIDs; how can we route one to WAN and the other to WG?

    • @DevOdyssey  1 year ago

      As for the WiFi network, what you'd do is simply create a new network interface that you will dedicate to WiFi. Then you'd assign that network interface to the wireless (WiFi) radio device, that you'd configure as normal. Then, when creating policies, you'd use that network as the "Local Addresses / devices", and set the interface as your WG interface, and leave Remote Addresses blank, so that all traffic goes through that interface.
      For the other SSID (for WAN), you'd configure this normally as well. Then for your network interface, you'd do this normally as well, as noted above, except you'd use a different WiFi radio device for this network interface.
      Then, if following along with this video, and if your default gateway is WAN, you wouldn't have to write any policies, as all that traffic from the WiFi network would automatically be routed to the WAN interface.

    • @HeinserTorres  1 year ago

      @@DevOdyssey Hello, I am interested in doing this. However, when I install WireGuard and set the WireGuard interface, all devices that connect to LAN/WAN/WiFi are connected to the WireGuard tunnel, so all the connected devices connect to the WireGuard VPN, and not like you said in the comment that the WAN should connect to the ISP provider address. When installing WireGuard and creating the interface, in the firewall option I chose to put wan/wan/and wireguard together. With your recommendations, shall I separate those interfaces? Or shall I need to create a WAN interface in the firewall section, so in this case they can be separated? Like the user above, I want to have one WiFi with the normal ISP IP address and another one using the WireGuard VPN. Not sure if policy based routing is strictly necessary?

    • @DevOdyssey  1 year ago

      Hi Heinser.
      I'm not sure I completely understand, but I'll do my best.
      So first off, when you create the WireGuard interface, not everything is connected to it by default. I guess it comes down to terminology here, but what you're likely describing is that all your traffic is being routed over the tunnel to that WireGuard peer. In this scenario you want to avoid that. The policies you create will do the routing for you. Refer to the link in my video description that talks about a WireGuard setup with WAN for policy based routing, where the default route is over the WAN.
      I'm not sure what you mean when you say you chose to put "the wan and wireguard interfaces" together. I assume those are the two interfaces you are using for policy based routing. You should already have a WAN interface in your firewall section, especially if you are connecting to a WireGuard instance over the internet.
      What you want to do, based on your last statement, is to create two networks, one for each wireless interface. Then add those networks to the wireless interfaces. Then in your policy based routing, simply use one of the wireless networks, and create the policy for all traffic from that network to go over the WireGuard interface, and that should do it. So then you'll have two different WiFi networks, one over a VPN and one using your WAN interface from your ISP.

    • @ktj94  7 months ago +1

      ​@@DevOdyssey Hi, Orest. Great tutorial. I'm trying to implement the same thing (Wi-Fi routed through WG) on OpenWrt 23.05.0.
      I want to ask one thing, while creating a new interface, what 'Device' should I choose? wg0 adapter or something else? TIA.

    • @DevOdyssey  7 months ago

      Thanks for watching @ktj94!
      So this depends. First, do not choose the wg0 device for creating a new interface. That device is dedicated to your WireGuard overlay network, and the only way to add clients to that overlay network is by installing WireGuard on them and connecting them to each other (i.e. setting up peer configurations).
      If you are setting up a separate local network, say like an IoT network, you can simply create a VLAN, and then choose that VLAN device for that interface. You can follow the video below for more information on how to create a VLAN interface:
      ruclips.net/video/d3aYMqt-b_c/видео.html
      This video shows you how to create a DSA VLAN or what I refer to as a Regular VLAN config (802.1Q). With DSA VLANs the port tagging is easier with OpenWrt interface, especially if your router has multiple ports.

  • @realps2739  7 months ago

    Thanks man!

    • @DevOdyssey  6 months ago

      You're welcome @realps2739! Thanks for watching!

  • @diyer1190  1 month ago

    PBR can't run, even if I press Enable or Start.
    Service Status
    Stopped (version: 1.1.1-7). Please help.

    • @DevOdyssey  1 month ago

      @diyer1190 Thanks for watching! Sorry to hear you're having trouble. What version of OpenWrt are you running, and have you looked at the logs to see if there are any errors? That'll get you started to see what the issue may be. Refer to the PBR documentation in the video description for additional guidance.

    • @diyer1190  1 month ago

      @@DevOdyssey Yes, since I upgraded to the latest version 23.05.3 it works now. Thanks for your videos! Keep going.

    • @DevOdyssey  1 month ago +1

      @@diyer1190 Great to hear it's working, appreciate the follow up.
      Thanks for the support, it really does help.

  • @gkrug6043  1 year ago

    I cannot change "Service Gateways" from WG to WAN. The resource you provided mentions running a command line but I get an error in Terminal.

    • @DevOdyssey  1 year ago +1

      Thanks for watching G Krug!
      So, to change your service gateway, or default gateway, from WG to WAN, you'll need to follow the section "A Word About Default Routing" where it talks about WireGuard. In particular, you'll need to put that setting in the network file under the WireGuard interface. If this is what you were referring to, it's not a command, but rather a config item.
      Or, the easiest way to do this is to go into your WireGuard interface settings, then edit the WireGuard peer, and make sure the checkbox that says "Route Allowed IPs" is unchecked.
      Then, your default gateway will be your WAN and not WG.

    • @gkrug6043  1 year ago

      @@DevOdyssey Thanks for the reply. I was able to get the default gateway to change from WG to WAN. However, this completely bypassed the WG routing altogether while the WG interface is running. I am trying to accomplish what I previously did with VPN-bypass on OpenWrt. I seem to be stuck at the proper "Policies" for split tunneling a Smart TV. I only need to exclude one device from the WG traffic.

    • @DevOdyssey  1 year ago +1

      @@gkrug6043 Glad to hear it worked! What you are experiencing, though, is expected. Since WAN becomes the default gateway, everything is routed through WAN, unless you specify what should be routed through another interface, such as WG. It's effectively the opposite of VPN-bypass. To get the same desired effect, you'll need to create a policy that routes everything through the WG interface, and in that policy, specifically exclude your Smart TV.
      Just to note, and an oversight on my end, using WireGuard as the default gateway does work, however with the following caveat that I didn't spell out.
      "If the Wireguard tunnel on your router is used as default routing (for the whole internet), sadly no pbr rule will allow it to intercept and properly route the UDP traffic of Wireguard server, please either use the OpenVPN server and configure it to use TCP protocol or use the Scenario 2 below."
      This is under the condition, assuming that you use the Wireguard instance on your router, as a server. Put simply, this is saying if you use Wireguard on your router to connect to your home network, then you cannot route UDP traffic from the Wireguard server. Meaning, if you connect back to your router using Wireguard, Policy Based routing will not work in that scenario. Otherwise, only using Wireguard as a client should work. They say to use OpenVPN server running TCP to connect back to your home router, if you use Wireguard as a client and as your default route.
      Anyway, not being sure what scenario you're in, you can do the following.
      Not using Wireguard as a server:
      Set Wireguard interface back as your default route, create a policy to route the Smart TV through the WAN.
      Using Wireguard as a server:
      WAN interface is your default route, create a rule to route the Smart TV through WAN. Create a second rule (below the first rule) to route your whole subnet, through Wireguard interface.
      Doing that, you should see the desired effect, as the rules are processed in order from top to bottom.
      Hope this clears things up for you!

    • @gkrug6043
      @gkrug6043 a year ago +1

      @@DevOdyssey It seems like I had been overthinking and overcomplicating this process. I kept the service gateway as 'WG' under pbr. Under "policies" I now have a simple policy to exclude the single IP (device) from the WG and utilize the wan as the gateway. I think the issue was which settings to utilize/fill in "Policy Based Routing - Configuration". Thank you again!

    • @DevOdyssey
      @DevOdyssey  a year ago +1

      @@gkrug6043 Usually with networking like this, it's very easy to overcomplicate. The setup you've described sounds simple, and therefore best for your use case as it stands. For those Policy Based Routing Configuration settings, what I shared in the video should apply. Getting the chain right can be confusing, as I initially used Output until my testing showed it didn't work the way I expected. There's certainly plenty more detail to go into for Policy Based Routing, but this video should cover the setup most people would want to implement.
      You're welcome! Glad it helped you out.

  • @liammiller9015
    @liammiller9015 11 months ago

    How would I use PBR to bridge eth2 and my WG VPN connection so anything plugged into that port is connected over the VPN? I'm attempting to plug my smart tv into eth2 for streaming content from abroad.

    • @DevOdyssey
      @DevOdyssey  11 months ago +1

      Hi Liam!
      I wouldn't use the term bridging to avoid confusion, as that means something else. But I will say I love the idea, and I've actually considered similar solutions as well, except using edge routers with Wireguard connections in places that I don't have a nice router / home network setup like at my home. What you seem to be looking for is tunneling the network on your eth2 port through the Wireguard Tunnel.
      This should be quite simple, and the video should help you follow along.
      Roughly, first you'd have to create a new network, let's call it the IoT network, and assign it to the eth2 port. Once you have created that network, all you will need to do is at 10:20 in the video, for the "Local Addresses / devices" input box, put in the network your smart TV is on, such as 192.168.1.0/24 (assuming that's your IoT network range). That will then route any traffic originating from that network through the Wireguard tunnel, achieving your goal. If you want just the Smart TV to go over the Wireguard tunnel, you can simply assign your smart TV a static IP, and place that static IP in that aforementioned input box, instead of that whole network range. Then that way, if you need other IoT devices to go over the local WAN port, they would still do that.

    • @liammiller9015
      @liammiller9015 11 months ago

      @@DevOdyssey thank you! I’m looking forward to setting this up when I get home. I must ask - is there a benefit to using PBR rather than simply bridging the VPN to the Ethernet port?

    • @DevOdyssey
      @DevOdyssey  11 months ago +1

      @@liammiller9015 You're welcome! Sure, so good question. So when you bridge interfaces, you are taking multiple "physical" ports, and putting them on the same network. So if you bridge a VPN interface and a physical interface, you'd imagine they'd be on the same network, just as it seems like you are thinking. However, this simply won't work.
      At least for Wireguard, in order to be on that network, each interface needs a public / private keypair, which Wireguard then uses to perform cryptokey routing in order to get traffic moving to the right Wireguard interface. Since the eth2 interface is not a Wireguard interface (with no public / private keypair), it simply won't connect. Let alone, there is also no DHCP and it wouldn't get assigned an IP address, as Wireguard does not use DHCP and these IPs are statically assigned per interface. Wireguard is considered an overlay network, meaning it must exist on top of another "physical" network setup, similar to your typical VPN network.
      For OpenVPN, I can't speak to how that would work, but I imagine it would be the same. While it doesn't have cryptokey routing, and it's possible to use DHCP with OpenVPN, it does have its own authentication mechanism for getting on the VPN network. Nonetheless it's also a virtual overlay interface, like Wireguard, and has its limitations. I'm not saying it won't work with OpenVPN, but I haven't tried it, and from my understanding of networking concepts, it shouldn't work.
      Regardless, mess around and give it a shot. Whatever the outcome, you are sure to learn something.

    • @liammiller9015
      @liammiller9015 11 months ago

      @@DevOdyssey Thank you so much! I think the confusion came from another video by PrimeTechGuides3050 where he created an OpenVPN TAP bridge between two routers. The client uses a bridged port to obtain an IP address from the server. This is something I definitely want to test myself once I can deploy a better router at the server location. Would be interested if you can create your own take on his guide if you find the time.
      Your explanation explained the Wireguard setup I'm trying to achieve for this. Excited to get it running!

    • @DevOdyssey
      @DevOdyssey  11 months ago

      @@liammiller9015 You're welcome! Thanks for sharing more information. I was able to find the video you were referring to here.
      ruclips.net/video/ZS3vXA0s2qU/видео.html
      After watching that, and doing a bit of googling, I realized I should have expanded a bit more, and left some key information out that would clarify things. The reason why he's able to create an OpenVPN TAP bridge is because OpenVPN supports being a Layer 2 protocol. Because of that, it can act on the data link layer, and therefore bridging would work, since that happens on Layer 2, or again, the data link layer. Normally, most usage of OpenVPN is on the Layer 3 level, which is where bridging wouldn't work, and was what I was thinking of earlier.
      openvpn.net/vpn-server-resources/some-basic-networking-concepts-simplified/#osi-layer-2-bridging-and-layer-3-routing
      I'd still encourage you to test it out. Even watching that video, I realize that I actually have a use case for it, and might even try to set it up some time in the future and see how it would work for my network. I'd like to get to it, I just can't guarantee when I would.
      If you have a need for Layer 2 traffic to go over the VPN, then you'll need to use OpenVPN.
      Wireguard, on the other hand, only works on Layer 3, and has no way of working on Layer 2. Therefore, you cannot do any bridging of a Wireguard interface, and a physical interface / NIC.
      www.wireguard.com/papers/wireguard.pdf
      Great to hear my Wireguard setup is what you're looking for. I'll be happy to hear once you get it working as well!

  • @zandatsu07
    @zandatsu07 9 months ago +1

    Hello, instead of website can i use my wlan1 to route my openvpn? how can i do that?

    • @DevOdyssey
      @DevOdyssey  9 months ago

      Thanks for watching ZANDATSU!
      Yep, you certainly can do that. If you create a separate network for your wlan1 interface, you can route that over the OpenVPN interface. For example, at 10:53 in the video, you would specify the network you created for the wlan1 interface, and then at the bottom, choose your outbound interface, which would be OpenVPN. Then all wlan1 traffic would go over OpenVPN.
      Unfortunately, you can't just route the wlan1 interface itself over the OpenVPN interface, as that would be at layer 2, while PBR functions at layer 3. That's why it's important to have a specific network for your wlan1 interface, and not share that network with the LAN interface or any other local interface for that matter.

  • @vakarami
    @vakarami a year ago

    I need to set up the PBR based on target IP geo location. How can I do that?

    • @DevOdyssey
      @DevOdyssey  a year ago

      Thanks for watching Vahid!
      So you'd follow the steps as noted at 09:56, when creating custom policies. In that, you'd put the target IPs in the Remote addresses / domains section. Given that public IPs are generally assigned in a geo-located manner, this should effectively achieve what you are looking for.

  • @user-yb1bp4qb9c
    @user-yb1bp4qb9c 7 months ago

    Hi, is there a video on how to set the wan interface as default over vpn in pbr?

    • @DevOdyssey
      @DevOdyssey  7 months ago

      Hi and thanks for watching @user-yb1bp4qb9c!
      While I don't have a specific video on how to do that, you can refer to the instructions here on default routing:
      docs.openwrt.melmac.net/pbr/#AWordAboutDefaultRouting
      Basically, if you don’t make your VPN tunnels the default gateways, then your WAN will remain the default gateway. If you ever have made your VPNs the default gateway, you simply “turn that off” and the default gateway will then revert to being the WAN.

  • @LuminousSpace
    @LuminousSpace a year ago +1

    Weird... I cannot find luci-app-pbr

    • @DevOdyssey
      @DevOdyssey  a year ago

      Thanks for watching Tiashe. That's strange, did you update your package list first? That would be the biggest reason why you would find luci-app-pbr. Otherwise, I can only think of it being hardware limitations, but I currently don't know of any for luci-app-pbr, so I can't fully speak to this.
      Or it might be the version of OpenWrt you are running, is it pure OpenWrt and is it the same version as I used in the video (22.03)? If not, the pbr might not work for your version of OpenWrt. Lots of variables here that could be the cause of your issue.

  • @DanialAMD
    @DanialAMD 3 months ago

    awesome

    • @DevOdyssey
      @DevOdyssey  3 months ago

      Thanks for the feedback, I appreciate hearing it 😊

    • @DanialAMD
      @DanialAMD 3 months ago

      @@DevOdyssey you have solved one of my biggest network problems from many years ago 😹❤️

    • @DevOdyssey
      @DevOdyssey  3 months ago

      @@DanialAMD Happy to hear that! I bet it is a problem for many people who use VPNs on their router, as they have no easy way to select and choose what devices, or what destinations, go over the VPN. This is a great solution that makes it very easy to implement, and I was glad to have found it and gotten it to work. Definitely something I'll keep in my back pocket for future deployments of OpenWrt.

  • @antonvolynkin1196
    @antonvolynkin1196 7 months ago

    But how to register a large number of IPs? A list of IPs

    • @DevOdyssey
      @DevOdyssey  7 months ago

      Thanks for watching @antonvolynkin1196!
      If you want to register more than one IP per PBR rule, I believe you can simply copy and paste a comma separated list of IPs into the Remote addresses / domains section at 11:55 in the video, and it should work.
      I'd recommend referring to the documentation for more information on setting up PBR rules:
      docs.openwrt.melmac.net/pbr/

    • @antonvolynkin1196
      @antonvolynkin1196 7 months ago +1

      Thanks for the answer @DevOdyssey ! Addresses can even be added separated by a space. You're right. But what if there are a lot of them? Let's say 1000 or more. As I understand from the documentation, you can write a script. Like for Netflix domains or Amazon domains. But unfortunately I'm not good at scripts. Can you recommend a ready-made solution?

    • @DevOdyssey
      @DevOdyssey  7 months ago

      You're welcome @@antonvolynkin1196 !
      So it looks like you want to create a custom user file. While I haven't made any of my own, I'd refer to the example Netflix and Amazon ones that come with the app.
      This link should show you where they are on your file system. Make a copy of one of the files, and then play around with it to learn how it works:
      docs.openwrt.melmac.net/pbr/#custom-user-files
      I'd also refer to this link to get a better understanding of the syntax:
      docs.openwrt.melmac.net/pbr/#ProcessingCustomUserFiles
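
The two scenarios above (the "WAN is the default route, Smart TV rule first, whole subnet through WireGuard second" ordering from the earlier reply, and the "bulk list of destination IPs" question here) can both be expressed as ordered `uci` policy sections instead of typing them into LuCI. The script below is an added example written for this thread; it is not code from the video, from DevOdyssey, or from the pbr project. It prints a `uci batch` script rather than running `uci` itself, so you can review it before applying it on the router. The option names (`name`, `interface`, `src_addr`, `dest_addr`, `enabled`) follow the `/etc/config/pbr` format documented at docs.openwrt.melmac.net/pbr; the interface names `wan` and `wg`, the Smart TV address `192.168.1.50`, the LAN subnet and the address file are assumptions, and the addresses in the sample file are constructed values. It goes slightly beyond the thread by validating each IPv4 address or CIDR, skipping comments, and dropping duplicates, so a bad line in a 1000-entry list does not silently break the policy.

```shell
#!/bin/sh
# Added example (not from the video or the pbr project): emit ordered pbr
# policies as a `uci batch` script. Interface names, addresses and the
# address file are assumptions; option names follow /etc/config/pbr.

# is_ipv4 ADDR: accept a dotted quad with an optional /prefix (0-32).
is_ipv4() {
  ip="${1%%/*}"
  case "$1" in
    */*)
      pfx="${1#*/}"
      case "$pfx" in ''|*[!0-9]*) return 1;; esac
      [ "$pfx" -le 32 ] || return 1
      ;;
  esac
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# join_addrs FILE: one address per line; skip blanks and '#' comments,
# warn on and drop invalid entries, drop duplicates, print the remainder
# space-separated (pbr accepts a space-separated dest_addr list).
join_addrs() {
  out=""
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    if ! is_ipv4 "$line"; then
      printf 'skipping invalid address: %s\n' "$line" >&2
      continue
    fi
    case " $out " in *" $line "*) continue;; esac
    out="${out:+$out }$line"
  done < "$1"
  printf '%s\n' "$out"
}

# pbr_policy NAME INTERFACE OPTION VALUE: append one policy section.
# pbr evaluates policies top to bottom, so call this in the order you
# want them matched.
pbr_policy() {
  printf 'add pbr policy\n'
  printf "set pbr.@policy[-1].name='%s'\n" "$1"
  printf "set pbr.@policy[-1].interface='%s'\n" "$2"
  printf "set pbr.@policy[-1].%s='%s'\n" "$3" "$4"
  printf "set pbr.@policy[-1].enabled='1'\n"
}

# build_batch SMART_TV_IP LAN_SUBNET [ADDR_FILE]: the "WireGuard as server"
# scenario. WAN stays the default route; policy 1 keeps the Smart TV on WAN,
# policy 2 sends the rest of the LAN through the assumed 'wg' interface, and
# an optional policy 3 sends a bulk destination list through 'wg'.
build_batch() {
  pbr_policy 'Smart TV via WAN' 'wan' 'src_addr' "$1"
  pbr_policy 'LAN via WireGuard' 'wg' 'src_addr' "$2"
  if [ -n "$3" ] && [ -r "$3" ]; then
    list=$(join_addrs "$3")
    if [ -n "$list" ]; then
      pbr_policy 'Bulk destinations via WireGuard' 'wg' 'dest_addr' "$list"
    fi
  fi
  printf 'commit pbr\n'
}

# Constructed sample address file (not real data): a comment, a CIDR,
# a duplicate host and an invalid entry that must be skipped.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# streaming ranges (constructed sample values)
198.51.100.0/24
203.0.113.7
203.0.113.7
300.1.1.1
EOF
# On the router: build_batch ... | uci batch && /etc/init.d/pbr restart
build_batch 192.168.1.50 192.168.1.0/24 "$demo_file"
rm -f "$demo_file"
```

Because `uci batch` appends new sections after any existing ones, run this against a clean policy list (or delete the old sections first) if the Smart TV exception must stay above the subnet rule; otherwise an earlier, broader policy would match first.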

  • @HeinserTorres
    @HeinserTorres a year ago

    Great video, keep it up! New sub 5840

    • @DevOdyssey
      @DevOdyssey  a year ago

      Thanks for watching Heinser! Appreciate the sub!

  • @daytontrever2557
    @daytontrever2557 a year ago

    'Promo sm'

    • @DevOdyssey
      @DevOdyssey  a year ago

      Thanks for watching Dayton!
      I'm not promoting any specific product or service in this video, but rather a concept, and I do stand by my words. VPN services overinflate their value and tout that you need a VPN all the time to protect you from every single activity on the internet, when in actuality, traditional VPNs do very little to actually protect you. They work more from a privacy aspect than from a "cyber criminal" protection aspect. Not all internet traffic is equal, and not all traffic needs a VPN; let alone, VPNs are used for way more applications than just privacy in corporate environments. In those environments, they often do not need to VPN all traffic, and some can just go directly to the internet.
      All that being said, split tunneling and policy based routing are very critical concepts used in networking today, that can be used in many personal deployments for similar benefits, as noted in the video.