Exclude 1 Device from WireGuard VPN

Is there a quick way to exclude 1 IP address from the WireGuard VPN connection?

One source address or one destination address?

For excluding source addresses you need policy routing, but for excluding destination addresses regular routing is enough (or exclude it from Allowed IPs).

I want to exclude 1 PC from accessing the VPN; I guess that makes it a source address (Netflix reasons).

That is correct. You could exclude the Netflix destination addresses from using the tunnel, but that would be quite a challenge (been there, tried that). It is way easier to just enforce that only one device does not use the tunnel.

So how do I enforce that 1 device does not use the tunnel?

I presume your default route is the tunnel? It's worth reading the source routing sections of this here, as whilst it is possible to do this in the network config file I personally have found it can be sometimes non-intuitive if you don't understand the concepts:


What you'd be looking to do is something like this, in network:

config route 'wan_route'
        option interface 'wan'
        option target ''
        option netmask ''
        option table 'nonwireguard'

config rule
        option in 'lan'
        option mark '0x64'
        option priority '100'
        option lookup 'nonwireguard'

So that sets up a routing table with a single rule that routes everything to the 'wan' interface - you want to replace that with the name of your real physical outgoing interface.

The next statement adds a rule that routes traffic marked in a certain way to that table. I then would have something like this in firewall.user:

iptables -t mangle -A PREROUTING -s <dev-ip> -i br-lan -j MARK --set-xmark 100

There is possibly a way of putting this into network also, but I'm not familiar enough with the syntax there.

No need to mark in firewall and match the firewall-mark later in the rule. Just match the source IP.
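Putting the two replies together, an added example (not config from any of the posters) of a complete /etc/config/network fragment that bypasses the tunnel for one device by matching its source IP directly in the rule, with no firewall mark needed. The device address 192.168.1.50, the table number 100 and the gateway 203.0.113.1 are assumed placeholders; replace them with your own LAN client, a free table number and your real WAN gateway.

```uci
# Policy route for one excluded device (added example, assumed values).
# A numeric table avoids having to register a name in /etc/iproute2/rt_tables.
config route 'wan_route'
        option interface 'wan'          # your real physical upstream interface
        option target '0.0.0.0/0'       # default route inside the side table
        option gateway '203.0.113.1'    # assumed WAN gateway; omit on point-to-point links such as PPPoE
        option table '100'

# Packets from this one LAN host consult table 100 before the main table,
# so they take the plain WAN route instead of the WireGuard default route.
config rule 'bypass_wg'
        option in 'lan'
        option src '192.168.1.50/32'    # assumed address of the excluded PC
        option lookup '100'
        option priority '100'
```

After `/etc/init.d/network reload`, check that the rule and table were installed with `ip rule show` (expect a line like `100: from 192.168.1.50 iif br-lan lookup 100`) and `ip route show table 100` (expect `default via 203.0.113.1 dev ...`). Give the excluded host a static DHCP lease so its address, and therefore the exemption, cannot drift to another device; everything else on the LAN keeps using the tunnel as before.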