I have searched the forums, but since networking isn't my area of expertise, I don't know if this has been explicitly answered, so I'm hoping this isn't a duplicate.

I currently have a TL-WR841N router which is configured with a WAN Dynamic IP address provided by my VPN provider. Currently, the IP I have configured in my router is one that allows streaming from Netflix. However, this prevents Amazon Prime Video from working.

Previously, I contacted TP-Link and asked if there was a way to allow certain devices to bypass the VPN and instead use my real IP address for the sake of accessing streaming content. Specifically, I wanted to tell the router that all my devices except gaming consoles should connect through the VPN. I was told this isn't possible. So I did a bit of research, and a friend had mentioned something about static routing, which my router is quite capable of doing.

From what I understand, static routing would allow destination IP addresses to bypass the VPN, and if that's the case, it'd work in my situation, as I just want to be able to access all streaming media while my VPN is activated. Is static routing what I need? Amazon publishes a list of their IP ranges, but there's over 1000 of them. If static routing is indeed the answer, do I need to add a case for all the published IPs? Or is there a better way to achieve what I need?

2
  • Do the gaming consoles support the route command?
    – harrymc
    Commented Dec 3, 2018 at 21:59
  • Not that I'm aware of. Don't think PS4 has routing anyway.
    – Josh
    Commented Dec 3, 2018 at 22:02

3 Answers

2
+100

The TL-WR841 is just a Linux computer with a UI that's provided by TP-Link.

If you use a VPN on it, it will have two network interfaces (one for the VPN, one for your ISP's WAN). Linux has routing rules that can decide which interface to use according to the destination IP address (what you call "static routing"). Linux also has something called policy routing where you can route based on the source address.

So if you configure your router to assign all of your devices always the same IP address via DHCP (sometimes called "static DHCP"), you can use the IP address to identify the device, and route accordingly.

Now the question is how to set this up. If TP-Link says you can't route by device, they probably don't have a UI for policy routing. If you do have a UI for "static routes", you can of course route by destination.

An alternative is to re-flash your router with a different firmware, e.g. OpenWRT. You have to be a bit careful: the TL-WR841N is based on very different hardware depending on the version, and for some types (mostly older hardware) it works, for some it doesn't.

Once you have full access to the device, you can configure everything you want, including policy routing by source address. You'll need to be comfortable with the Linux commandline to do this, though.

There are other firmware variants like DD-WRT (based on OpenWRT, same hardware restrictions) with a more user-friendly UI. Here is the DD-WRT wiki page for policy routing. If I understand it correctly, it does have some UI support, but you still may need scripting for the VPN (but I haven't done it on DD-WRT, so my interpretation may be wrong).

It's possible to re-flash your router to the original TP-Link firmware (download, or save it before flashing the first time), so you can experiment.

Edit

For static routing: I don't know what the TP-Link UI looks like, but in general, you need a collection of destination IP addresses, e.g. all IP addresses related to Amazon Prime Video (multiple servers can be involved in that, and they may load balance using multiple IP addresses). These may be single addresses, in which case you need a netmask of /32 (i.e. 255.255.255.255). Or they may be complete IP ranges, e.g. the Amazon public IP range, in which case you can group them together with a different netmask.

The gateway (next hop) will be the gateway for the connection over which you want to route, either WAN or the VPN. Looking up the interfaces should give you the gateway. The gateway may change both for the WAN and VPN when the connection is set up, so it may be difficult to assign this statically.

3
  • Doesn't flashing firmware wear out the flashing capability of a device? Wouldn't getting a 2nd router for the purpose be the superior choice?
    – user951788
    Commented Dec 3, 2018 at 7:40
  • 2
    It's true you can only flash a finite number of times, but that number is high enough that a dozen firmware replacements or more won't matter. But of course you can also get a cheap 2nd router and try it on that - and if you are doing that anyway, make sure you get a brand and model that's supported.
    – dirkt
    Commented Dec 3, 2018 at 7:46
  • The problem I'm having is that it does allow for Static Routing. I'm just not sure how to set that up properly (e.g. what's the destination IP, what's the subnet mask, and gateways?). I should learn more about networking, obviously, but I'm also a quick learner and pick things up easily once I have it explained. I may wind up doing OpenWRT (I've done it before on a Linksys router), though, and hope nothing messes up that way.
    – Josh
    Commented Dec 3, 2018 at 23:06
1

The following article has a detailed procedure for achieving your aim using the standard firmware:
How to put your PS3 or PS4 into a DMZ.

I summarize it below:

  • Give the console a static IP address in Settings > Network Settings. This address should be in the range of your local network, perhaps like 192.168.0.X, but make sure that it is not within the DHCP range of addresses.

  • Log on to your router as administrator, and search for an option called DMZ. As the IP address for your DMZ, put in the IP address you gave your console earlier.

  • On the console, again in Network Settings, select Internet Connection Test.
    If successful, your NAT Type may read '2'.

This should connect your console directly to the Internet, in effect bypassing the VPN. Its success also depends on how your router handles having both a VPN and a DMZ specified at the same time.

For more details, see the above article.

0

This is an unordered set of answers:

The problem I'm having is that it does allow for Static Routing. I'm just not sure how to set that up properly (e.g. what's the destination IP, what's the subnet mask, and gateways?).

Within a route, the destination IP + mask (or IP/prefixlength) defines what you want to reach, a specific address or a range. The gateway defines how you'll reach it, i.e. the "next hop" to pass the packet to.

Your router will have a page somewhere showing all active routes (static and dynamic). Among them you'll see a route for 0.0.0.0/0 (mask 0.0.0.0), also known as a "default" route because it matches any address. That's the route your router normally uses for Internet access, and its gateway/nexthop will be some router address belonging to your ISP.

Starting a VPN connection will add more routes – when the VPN is meant for Internet access, it will add a second 0.0.0.0/0 route, but this time with a VPN server's address as the gateway (or no address at all, just an interface name).

If the same packet matches multiple routes, the route with longest prefix (or most '1' bits in the netmask) will have the highest priority. (For example, a mask=255.255.255.0 route will take priority over a mask=0.0.0.0 route.) If there are multiple routes with identical destination+mask, priority is set using the "metric" parameter.

So while the VPN is active, you have two 'default' routes for 0.0.0.0/0, but the VPN route has higher priority (lower metric), so that all Internet access will go through the VPN. To override it for a specific destination, you'd add a new route with that destination, copying the gateway parameters from your ISP's main default route.

Specifically, I wanted to tell the router that all my devices except gaming consoles should connect through the VPN. I was told this isn't possible.

It's indeed impossible with regular IPv4 routing.

(Although on Linux it would be possible with regular IPv6 routing, as IPv6 routes can also match on source, not just destination. Unfortunately that's not implemented for IPv4, and in any case you won't find it in TP-Link's configuration screens anyway.)

However, it's possible with the "policy routing" feature that was mentioned by @dirkt. Policy routing inserts an additional step before regular routing – it lets you create several independent routing tables and define rules when to use which table.

For example, you could define that packets from your gaming console will use table 1 (with regular ISP's default route in it), and packets from other devices will use table 2 (with the VPN's default route in it).

Amazon publishes a list of their IP ranges, but there's over 1000 of them. If static routing is indeed the answer, do I need to add a case for all the published IPs?

With standard routing, yes, you would need to list all destinations.

Policy routing changes the situation, as it lets the device make routing decisions based on other parameters, such as source address, or the protocol/port in use.
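The source-based policy routing described by dirkt and in this answer, as an added example for a Linux-based router such as OpenWrt (not code from the answers above and not something the stock TP-Link UI exposes). It assumes constructed values: the console at 192.168.0.50 via a static DHCP lease, WAN interface eth0 with ISP gateway 203.0.113.1, LAN bridge br-lan, and a spare routing table 100; it also shows the destination-based "static route" alternative for comparison.

```shell
#!/bin/sh
# Added example, not from the answers above: source-based policy routing on a
# Linux router (e.g. OpenWrt), so one device bypasses the VPN while the main
# table keeps the VPN's 0.0.0.0/0 route for everyone else. Constructed values:
# console 192.168.0.50 (static DHCP lease), WAN eth0 via 203.0.113.1, LAN
# bridge br-lan, spare routing table 100. Commands are printed unless APPLY=1.

CONSOLE_IP="${CONSOLE_IP:-192.168.0.50}"
WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-203.0.113.1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
TABLE_ID="${TABLE_ID:-100}"     # bypass table; must be unused by the VPN client
RULE_PRIO="${RULE_PRIO:-1000}"  # lower number = checked before the "main" rule (32766)

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Table TABLE_ID gets its own default route via the ISP gateway. The LAN route
# must be copied in too: without it the default route here would also match
# LAN destinations and send the console's LAN traffic out of the WAN port.
setup_bypass_table() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_ID"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE_ID"
}

# The policy rule: packets whose source is the console are looked up in
# TABLE_ID first; everything else falls through to the main table (VPN).
add_console_rule() {
    run ip rule add from "$CONSOLE_IP" lookup "$TABLE_ID" priority "$RULE_PRIO"
}

# Destination-based alternative, equivalent to a "static route" in the TP-Link
# UI: one /32 (or an aggregate prefix) per streaming address, via the ISP
# gateway in the main table. This is the variant that needs one entry per
# published range.
add_destination_route() {
    run ip route replace "$1" via "$WAN_GW" dev "$WAN_IF"
}

setup_bypass_table
add_console_rule
add_destination_route 198.51.100.7/32   # constructed example destination
```

The router's NAT still has to masquerade the console's traffic on eth0 (OpenWrt's default wan zone does), and the VPN client's own route changes are left untouched because they live in the main table.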
