Isolated network not routed through wireguard

Hello, I'm trying to set up a network on my router that will not use WireGuard (because I know that Telegram, for example, will leak your stuff if used with a VPN).

I would like to make a new network that doesn't go through WireGuard... where can I start with that? I can't seem to understand what this post is talking about -- where do these inputs go?

Or is there a way for me to set up my computer to be able to turn off WireGuard for a bit for specific devices? Or for specific programs?

You can start by setting up a new network, if you haven't already. The guest wifi network wiki is probably the best method to get you started, with minor modifications easily made if you want to have it connect to ethernet and/or change the firewall rules to allow routing between the two networks.

Then, you'll add Policy Based Routing and create the policies for each network (i.e. one which routes through the VPN, the other routing through the standard wan).

OK, I have my "guest" wifi set up, and it appears I can connect to the internet just fine on it.

And I've got the PBR app downloaded.
Still looking around trying to figure out how to do that though - the guide you linked is very short on my end - https://openwrt.org/docs/guide-user/network/routing/pbr

But I'm having some trouble understanding.
My guess of what I need to do:

ROUTE 1: regular 2.5g and 5g routes that are routed through the VPN
ROUTE 2: a 2.5g that is routed outside of the VPN

Local OpenVPN Server + OpenVPN Client (Scenario 1)

If the OpenVPN client on your router is used as default routing (for the whole Internet), make sure your settings are as follows (three dots on the line imply other options can be listed in the section as well).

Relevant part of /etc/config/pbr:

config pbr 'config'
	list ignored_interface 'vpnserver'
	...

config policy
	option name 'OpenVPN Server'
	option interface 'wan'
	option proto 'tcp'
	option src_port '1194'
	option chain 'output'

The network/firewall/openvpn settings are below.

Relevant part of /etc/config/network (DO NOT modify default OpenWrt network settings for either wan or lan):

config interface 'vpnclient'
	option proto 'none'
	option device 'ovpnc0'

config interface 'vpnserver'
	option proto 'none'
	option device 'ovpns0'
	option auto '1'

Relevant part of /etc/config/firewall:

config zone
	option name 'lan'
	list network 'lan'
	list network 'vpnserver'
	...

config zone
	option name 'wan'
	list network 'wan'
	list network 'vpnclient'
	...

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'tcp'
	option dest_port '1194'

Relevant part of /etc/config/openvpn:

config openvpn 'vpnclient'
	option client '1'
	option dev_type 'tun'
	option dev 'ovpnc0'
	option proto 'udp'
	option remote 'some.domain.com 1197' # DO NOT USE PORT 1194 for VPN Client
	...

config openvpn 'vpnserver'
	option port '1194'
	option proto 'tcp'
	option server '192.168.200.0 255.255.255.0'

OK, I found this in this doc - is this what I need? (Basically, am I reading this correctly if I want to set up one network not to go through the VPN?)

All right, I tried doing this:

(this is the guide link: https://docs.openwrt.melmac.ca/pbr/1.2.0/#IgnoreTarget)

through the LuCI PBR app
this is what the settings look like:

added a new policy, added the IPv4 address of the guest network
moved it to the top of the list as recommended

Checked the Mullvad site to see if it was still using Mullvad - it was still routing through WireGuard.
(Checked the other router (ISP's main router) and that is not connected to Mullvad (as expected).)

So whenever any device tries to connect to the router (despite my attempt to do this with PBR) it's getting a Mullvad connection.

Can anyone help spot the mistake? Or give me a guide that has instructions... I would really appreciate it!

Still looking for ideas! I followed the guide and it doesn't seem to be working for me.


If you choose ignore as target then it really is ignored, meaning PBR does not do anything with it and your local address 192.168.51.1/24 will just follow the default route.


ah, I see

that's what the guide said to do....

what do I use instead?


Hi, where is step one for this?
I don't see any instructions on this page.

What, um, steps can I follow to use this guide? I don't see any instructions here.
I'm disabled, and I have trouble understanding these things.

No, it is not.

If you open up LuCI > Policy Routing

it is really staring you in the face where you should look.

See the README for details.


Hopefully this is on topic enough.

Here's the LuCI settings I see right off the bat.

Maybe I should fiddle with these and turn some of these presets on? Could really use some instructions....

Here’s a sample client configuration file with split tunneling set up:

[Interface]
PrivateKey = 
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 
Endpoint = :51820
AllowedIPs = 0.0.0.0/0, ::/0  # Route all traffic through VPN

# Split tunneling: Exclude certain traffic from the VPN
PostUp = ip rule add from 192.168.1.100/32 table main
PostDown = ip rule delete from 192.168.1.100/32 table main

In this configuration, the AllowedIPs is set to 0.0.0.0/0, ::/0, meaning all traffic will be routed through the VPN by default. However, the PostUp and PostDown directives add a rule to exclude traffic from IP address 192.168.1.100 from going through the VPN. This is how you achieve split tunneling—by routing specific traffic outside the VPN.

Is this closer? I still don't know what to do or how to do this :slight_smile:
Still need some help or pointers.

Is this AI?
Where can I go to set up my WireGuard interface to only work on one or two networks?
I am having difficulty figuring out what is AI slop and what is real.

As well as having difficulty understanding the "readme" details - because I'm not finding any instructions on this specific thing that I would like to do.
Really struggling! Still disabled, would appreciate direct instructions because the WireGuard guide by egc by default just routes everything through WireGuard.

I think it might be something about "allowed IPs" but I would appreciate help understanding the formatting of what allowed IPs are

because I don't understand.

That is the official WireGuard site; however, configuration on OpenWrt is different as it is integrated into OpenWrt's UCI configuration files.
Read @egc's guide, it is very good.

The concept of allowed_ips is often confusing to newcomers. Allowed_ips are the inside-the-tunnel source IPs that you expect to see from the other end of the tunnel. On a point-to-point tunnel you could allow all IPs (/0 network) from either side, but then you would want to control routing separately rather than use route_allowed_ips. On a point-to-multipoint setup, the "hub" or "server" (WireGuard interface with multiple peers) uses allowed_ips to direct packets back to the particular tunnel that leads to those sources. It is then important that allowed_ips be non-overlapping.


OK, looking through egc's guide it looks like there's this:

But do I input this into the PBR menu with the policies, or does it go into the rules area?

Like I would be telling my guest network that it can skip WireGuard and go straight to the WAN / internet without the VPN.

That is in the Firewall section (about the killswitch); it even states that that rule is in:
/etc/config/firewall

If you do not know the difference between firewall and routing then I suggest you go back to the basics and first learn the basics before you can do more complex things.

This actually is a difficult concept to grasp for a noob. Many years ago :old_man: I had to practice on a machine without a firewall to really understand this.


I can understand, thankfully, that this is part of the firewall, but what I am a bit confused about is how to input that correctly into the LuCI interface, because the firewall options don't really seem to have the exact same / or similar enough options for me to figure out how to input it properly - I attempted to input it through the LuCI settings but it doesn't seem to have worked.

And for firewall specifically I can't seem to find a way to export the config as .txt or some other format - as there's not a firewall text portion (that I can find).

Yes, I am a noob, I don't know what I'm doing - please help.

It is about routing so you need Policy Based Routing, either with the PBR app or manually.

The PBR app docs: https://docs.openwrt.melmac.ca/pbr/1.2.1/ should get you going, it even has a link to an instructional video

This has taken quite a while for you. I don't use PBR, only the manual method, so I hope this doesn't confuse the situation.

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '<gateway_IP>'
        option table '2'

config rule
        option src '192.168.51.0/24'
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '2'

(BTW, your PBR config says a single IP of 192.168.51.1 instead of 0, which specifies the whole network.)

Additionally, it may be easier to leave WAN as normal and make exception(s) for the other networks. Why?

So you don't have to specify the WAN gateway (which could change on a DHCPv4-based WAN interface).

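To make the priority/lookup mechanics of that manual config concrete, here is an added Python model (not from this thread, not OpenWrt code) that parses a constructed UCI fragment of the same shape and reports which routing table a packet from a given source would hit; the gateway address in it is a placeholder, and host_only_variant reproduces the single-address slip mentioned above.

```python
import ipaddress

# Constructed UCI fragment modelled on the manual example above; the gateway
# is a documentation placeholder, not a real WAN address.
UCI_FRAGMENT = """
config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '203.0.113.1'
        option table '2'

config rule
        option src '192.168.51.0/24'
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '2'
"""

def parse_uci(text):
    """Turn 'config <type>' sections with 'option k v' lines into dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append({"_type": line.split()[1]})
        elif line.startswith("option ") and sections:
            _, key, value = line.split(None, 2)
            sections[-1][key] = value.strip("'\"")
    return sections

def lookup_table(sections, src_ip, dst_ip="1.1.1.1"):
    """Table the kernel consults for one packet: rules are tried in ascending
    priority, first src/dest match wins, no match falls through to 'main'
    (which on this router holds the WireGuard default route)."""
    rules = sorted((s for s in sections if s["_type"] == "rule"),
                   key=lambda s: int(s.get("priority", 32766)))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        src_net = ipaddress.ip_network(rule.get("src", "0.0.0.0/0"), strict=False)
        dst_net = ipaddress.ip_network(rule.get("dest", "0.0.0.0/0"), strict=False)
        if src in src_net and dst in dst_net:
            return rule["lookup"]
    return "main"

def host_only_variant():
    """Same fragment with src set to the router's own 192.168.51.1 (the slip
    noted in the thread): only that one host matches, guest clients do not."""
    return parse_uci(UCI_FRAGMENT.replace("192.168.51.0/24", "192.168.51.1"))
```

A guest client such as 192.168.51.23 lands in table 2 (the plain WAN route) with the /24 rule, but falls back to main, and therefore to the tunnel, with the single-host variant.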