How to make exceptions for devices where WireGuard is standard?

I am using WireGuard on my router, which is enabled in the firewall as well (LAN>wireguard adapter).
How do I now make exceptions for certain devices, so that all other traffic is still routed through the VPN tunnel?


You can make specific routes for your different hosts (on OpenWrt), or use policy based routing. PBR is often preferred because it allows for lots of additional control (including by protocol and destination address, among other things).


Hmmm... using LuCI all the time and not having much knowledge, I am getting confused.
Right now I am forcing all traffic to flow through WireGuard by having a WireGuard interface with auto-start, and the firewall has LAN>wireguard, making it impossible for traffic to "leak" outside of the bubble.
How do I easily make exceptions so that my smart home hub and possibly my television can access the web without WireGuard?

Like I suggested earlier, take a look at policy based routing

There is a LuCI (web interface) app for this so that you don't have to work on the command line.

You can also do the inverse, if it takes fewer rules to implement (this depends on the number of networks you created/exceptions you desire):

Thanks, I installed it and am looking over it, but as is typical with OpenWrt, there are so many options that I get lost. Something can probably easily break or not work when not properly configured. Are there no tutorials on how to make an exception for a single device (maybe I need to make its address static first?) so that its incoming and outgoing traffic goes to WAN, and keep everything else, unless excepted, going to the WireGuard interface?

Would this be enough? In the interface I can choose between the WireGuard interface and the WAN interface. Would I have to make the IP of the device static? The IP is the local device that I want as the exception. Or would this rule then clash with the current firewall rules of LAN>WireGuard interface?

I tried adding a MAC address or a static IP of the devices, but it's not working. The devices go offline and I think it's because of the firewall. But how would I then need to set the PBR rules or the firewall to route everything through the WireGuard interface, with these two devices as the exception?

Here are the standard gateways, which show the WireGuard interface is the standard one, as it should be.


You need to make sure this is unchecked in your WG peer configuration in WireGuard:

Then I think PBR detects your default gateway wrongly; it has to be WAN, I believe.

Either the route checkbox solves this with the default gateway once you restart the WireGuard interface again and then PBR, or, if that doesn't work, you need to increase the metric values per interface. This can be found under the interface edit > Advanced tab; this will prioritize the interfaces as gateway.

The route checkbox has to be off, since PBR takes care of the routing.

Then you only have to add the rule for your device in PBR like the image you have shown, with prerouting to WAN.

And after this you add another rule: prerouting over the surfshark interface.

Progress... thanks for your reply :blush:
I disabled "Route Allowed IPs" in the peer settings of the WireGuard interface and added the extra rule of prerouting over the surfshark interface. Internet is now working (it was not if I didn't add the rule), but the devices I want to have as exceptions still have no internet. If I disable them in PBR, they regain internet. The default gateway changed to WAN though.

Here is what I have now:

For your client a static lease is indeed advisable.
Although you will usually get the same IP address, you cannot be sure.

If I understand you correctly, you want to route all traffic through the tunnel except one client.
If so, consider keeping Route Allowed IPs enabled; provided your allowed IPs are, then everything should be routed via the tunnel.
Then you only have to route the traffic from that single client via the WAN, just like you did with PBR. Only I would use:

Important: when you are done, reboot; that should start everything.

I hope this helps

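As an added illustration of the last two suggestions (a static lease for the client, Route Allowed IPs kept on, and a single PBR policy that sends only that client out via WAN), here is what the same setup looks like in the UCI config files behind LuCI. This is example configuration written for this thread, not the thread's own or the pbr project's; the interface name `surfshark`, the client address 192.168.1.50 and its MAC, the tunnel address 10.64.0.2 and the peer endpoint are placeholders, and the keys are left out. It also adds the firewall piece the exception needs: with only LAN>wireguard forwarding in place, packets that PBR steers to wan are dropped at the zone boundary, which matches the "devices go offline" symptom described earlier. The alternative approach from further up (Route Allowed IPs off) would instead need a second, broader policy sending the whole LAN subnet to `surfshark`.

```uci
# Added example config (not from the thread or the pbr project).
# Placeholders: interface 'surfshark', client 192.168.1.50 / AA:BB:CC:DD:EE:FF,
# tunnel address 10.64.0.2/32, endpoint vpn.example.net:51820, all keys.

# --- /etc/config/dhcp (excerpt): static lease, so the PBR policy keeps
# matching after the client renews its lease.
config host
        option name 'smarthub'
        option mac 'AA:BB:CC:DD:EE:FF'
        option ip '192.168.1.50'

# --- /etc/config/network (excerpt): WireGuard interface with
# "Route Allowed IPs" on, so everything not caught by a PBR policy
# takes the tunnel.
config interface 'surfshark'
        option proto 'wireguard'
        option private_key 'REPLACE_WITH_PRIVATE_KEY'
        list addresses '10.64.0.2/32'

config wireguard_surfshark
        option description 'VPN provider peer (placeholder)'
        option public_key 'REPLACE_WITH_PEER_PUBLIC_KEY'
        option endpoint_host 'vpn.example.net'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

# --- /etc/config/firewall (excerpt): keep LAN>tunnel forwarding as the
# general rule, and allow only the excepted host to forward to the wan
# zone. A blanket lan->wan forwarding would also work, but would remove
# the firewall as a fence for every other client.
config forwarding
        option src 'lan'
        option dest 'surfshark'      # assumes the tunnel sits in its own zone 'surfshark'

config rule
        option name 'Allow smarthub to WAN'
        option src 'lan'
        option src_ip '192.168.1.50'
        option dest 'wan'
        option proto 'all'
        option target 'ACCEPT'

# --- /etc/config/pbr (excerpt): one policy, matched on the source address,
# that sends the excepted host's traffic out via wan.
config policy
        option name 'smarthub via WAN'
        option src_addr '192.168.1.50'
        option interface 'wan'
        option enabled '1'
```

To check the result from the router after a reboot: `ip rule` should show a PBR rule selecting the wan table for marked packets, and `ip route` should still show the 0.0.0.0/0 route via `surfshark` as the route everything else takes. From the excepted client, the public address seen by an external site should be the ISP's; from any other client it should be the VPN provider's.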

What's the difference between and ?
I don't quite understand the difference between your suggestion of keeping Route Allowed IPs enabled or disabling it. Either way, the devices I added to PBR are offline when I enable them there, no matter which way.

/32 means "one host".
/24 means "one subnet, of 256 addresses". may be of interest.


I just tried switching to instead of , and the WireGuard interface stopped sending and receiving packets, so internet was down. Or does this only work together with enabling "Route Allowed IPs" in the WireGuard peer settings?

I tried swapping the MAC addresses for the static IPs of the devices, and changing the order in the field, but still no connection once enabled.

EDIT: Are my firewall settings OK? See earlier post. While forcing all traffic to go to surfshark (the WireGuard interface), I tried changing it from LAN>WAN and then I lose my internet :sweat:

I just noticed I have a DNS leak with the current settings (disabling Route Allowed IPs and letting PBR take care of routing). At first view I see my IP from my VPN, but doing a scan, it finds my ISP's hostname.

I went back to the normal settings like @xize suggested, and the leak is gone. The two exceptions still won't connect to the web though, when enabled.

I think, but I'm not sure, since I allow this leaking behaviour myself because I use NextDNS.

If you go into your WireGuard interface and then go to Advanced, there should be a checkbox to use custom DNS; can you check if that fixes the leak?

And about having no internet: can you try pinging an external IP like

The custom DNS option is already enabled, two DNS addresses that were never removed. Use default gateway is checked, though.

Ah, I think you need to raise the DNS weight in the WireGuard interface in the Advanced tab.
After testing this extensively myself because mine kept leaking, I figured out it's not only the DNS weight you have to put in.

But you also need one PBR rule after the VPN rule:

The is my PC network; for you it should be . The reason why it was still leaking for me was because it fell back to WAN for some reason, and it only worked if I disabled the DNS ability in WAN... which is not what you want.

I also played a bit more with metrics to see if it affected the DNS priority, but it did not for me.

Nope, I'm wrong, I'm still leaking with an extended test.

Yup, I found the solution now :smiley:

DNS weight only works if you disable the "Use DNS servers advertised by peer" option under Advanced in WAN; you will see two textboxes, you can leave these empty. You would assume WAN will then not get DNS, but for some reason it still gets a DNS.

Well, I tried to put in all your settings again and rebooted, and had no internet. I tried playing around a bit, for example removing the external and port 53, then save and restart; that did not work, still no internet whatsoever. Re-enabled Route Allowed IPs in the peer settings, removed the "2" I added in DNS weight on the WireGuard interface and disabled the rules in PBR completely, restarted, no internet. Enabled "DNS servers advertised by peer" in the WAN settings again and then internet came back.

That PBR rule to can be removed.

I've been checking more things: [Solved] PBR and Wireguard -- DNS Leak - #6 by trendy
When I read this and tried adding option 6, it should work as long as you don't hijack DNS via a port forward rule.

So what I did was add this in my DHCP options:

That DNS is from Mullvad, which is a local IP, but I believe if you replace that with the one from Surfshark it should work.

Please note that when you make a change, PBR activates a killswitch which can sometimes be a little slow; best is to consult the logs in LuCI to see if it's really done.
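The DNS-leak fix worked out over the last few posts (WAN no longer importing the ISP's resolvers, and DHCP option 6 handing the provider's resolver straight to the LAN clients) in UCI form, as an added example that is not the thread's own or the pbr project's config. The provider's tunnel-side resolver 10.64.0.1, the WAN device name and the DHCP pool values are placeholders.

```uci
# Added example config (not from the thread or the pbr project).
# Placeholders: resolver 10.64.0.1, WAN device eth0, DHCP pool values.

# --- /etc/config/network (excerpt): stop WAN from importing the ISP
# resolvers. 'peerdns 0' is the UCI form of unticking "Use DNS servers
# advertised by peer"; with no 'list dns' lines either, WAN contributes
# no resolver to the router's own resolv.conf.
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'

# --- /etc/config/dhcp (excerpt): DHCP option 6 (DNS server) gives the
# LAN clients the provider's resolver directly. Their lookups then go to
# a tunnel-internal address, i.e. into the WireGuard tunnel, instead of
# through the router's dnsmasq, which is what closed the leak above.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.64.0.1'
```

Two checks and one caveat. On the router, `cat /tmp/resolv.conf.d/resolv.conf.auto` (older builds: `/tmp/resolv.conf.auto`) lists the resolvers netifd collected per interface; after the change the ISP's should be gone. On a client, `nslookup example.com` prints which server answered; it should be 10.64.0.1 (or your provider's equivalent). The caveat concerns the excepted client: it receives the same option 6, but its traffic is policy-routed out via WAN, where a tunnel-internal resolver address is unreachable, so it would have no working DNS. Give that host a public resolver of its own instead (a per-host dnsmasq tag with its own option 6, or a static DNS setting on the device), or add a PBR policy that exempts its DNS traffic from the WAN policy.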

This is the LAN interface, right? So I should add a single DNS from the WireGuard server (Surfshark) to the DHCP options in the LAN interface?
Then increase DNS weight to two in the WireGuard interface, disable "Route Allowed IPs" in the WireGuard peer settings, add a record to PBR for >prerouting> WAN, and finally disable advertising DNS servers by peer in the WAN interface? Missing anything? :sweat_smile: