Necessary components for a split wireguard tunnel

Apologies for a noob question, I've been searching but don't think I've made much progress.

Local net:
Remote net:
VPN net:

Wireguard peers:

  • local router /
  • remote host

I want to divert internet traffic to some domains over wireguard to emerge from the remote net. To test that it's working, the result of curl should describe the remote city rather than my local city.

I'll focus on,

Steps taken:

  • Ensure connectivity from local net to remote net: ssh
  • Ensure frequent handshakes between router and remote peer
  • add to the AllowedIPs section of router's config for wireguard peer:
config wireguard_vpn 'm83'
	option public_key '<my_public_key>'
	list allowed_ips ','
  • add a route in router's /etc/config/network to direct from local lan zone to peer
config route                  
        option interface 'lan'
        option target ''
        option gateway ''
  • add vpn interface to lan zone (automatic from wireguard package)
config zone
        option name 'lan'
        list network 'lan'
        list network ''
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

Still, I can't curl and get the desired result either from the local net or when logged into the router itself. What am I missing?


i think it is not correct, because route is NOT on LAN interface,it is on 'm83' if i get it right ?

and second, you don't need static route
in wireguard config, you need to add

        option route_allowed_ips '1'

this will route 34.117.x.x to proper interface

1 Like

A better mousetrap.

Routing application traffic based on IP address, when you don't control and can't guarantee the reliability of that IP address, is not the most efficient approach. What happens if moves to a different IP address? Many high-volume websites sit behind services such as Cloudflare, with multiple IP addresses available for use.

A better approach would be to use a proxy server, and configure your browser (or http_proxy / https_proxy environment variables) to send certain traffic to the proxy.

This thread describes another forum member's efforts to do just that: Usung 'smart routing' for browsers in LAN and on mobile - #3 by iplaywithtoys

I, too, happened to do the same thing last week. I wanted to send some traffic (determined by pattern-matching on the .TLD) out of an exit node in another location. So I did the same as that other forum member. And you can, too.

The idea is to route requests from 'lan' to the 'm83' device, where it will emerge to the Internet.

I tried removing the route and adding the wireguard option but no luck yet.

Thanks for this, it looks like quite a robust solution, thank you!

In actuality, I plan to target a few IP blocks managed by corporate entities, not, so I'm willing to believe that while individual IPs will be dynamic they will generally stick to the fixed ranges.

Besides not wanting to bite off too much at once, my other reluctance to start with this approach is my openwrt router is an embedded tp-link device so containers or other infra in the network stack is a bridge too far for right now.

I'll read through more in detail to see what elements I can use.


from ssh, try
ip r
lets see where this route points

With my route in place:

config route                  
        option interface 'lan'
        option target ''
        option gateway ''

root@OpenWrt:~# ip route
default via dev eth0.2  src <myPublicIP> dev eth0.2 scope link  src <myPublicIP> dev br-lan scope link  src dev br-device_br scope link  src dev br-media_br scope link  src dev br-danger_br scope link  src dev vpn scope link  src 

The route doesn't show up even after a reboot, perhaps it's invalid?

as you see, is on dev VPN
so above line, interface lan, is NOT correct
please change it as i wrote above

Apologies, now it is

config route                  
        option interface 'vpn'
        option target ''
        option gateway ''

root@OpenWrt:~# ip route 
default via dev eth0.2  src <mypublicip> via dev vpn dev eth0.2 scope link  src <mypublicip> dev br-lan scope link  src dev br-device_br scope link  src dev br-media_br scope link  src dev br-danger_br scope link  src dev vpn scope link  src 

so, finally, it is there

is your question answered/solved ?

Sadly no, it doesn't seem to be emerging on the other side.

root@OpenWrt:~# traceroute
traceroute to (, 30 hops max, 38 byte packets
 1 (  35.135 ms  38.632 ms  37.638 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *

traceroute is an imperfect diagnostic tool and relies on many elements, some of which may be outside of your control. Seeing * * * can be perfectly normal depending on how devices on the other side of the VPN are configured.

A better test would be to see if the intended traffic for actually makes it through on the port(s) you want. As you (presumably) don't control, one possible approach you could take is to run tcpdump on the remote VPN endpoint, listening for the traffic you want to verify.

well, your side, your router is now correctly configured
intended route is here, and it is traveling toward gateway

now, question is, other side ?
how is it configured?

maybe you could enable masquerading on VPN zone, so your package will travel with address

I think unrelated to anything I've been doing here, my remote node m83 had some segfaults in its system log and now seems not to be coming back up. I'll resume this thread once I regain access to my remote node.

Back up faster than I thought.

I captured some traffic on m83 with tcpdump

:~$ sudo tcpdump -i wg0 -w m83.pcap

and brought the pcap file to my local machine to explore with Wireshark.

m83's routing table looks like

m83:~$ ip r                 
default via dev eno1 dev docker0 proto kernel scope link src dev wg0 scope link dev wg0 scope link dev eno1 proto kernel scope link src 

and I found a packet initiated from a curl operation on my local host:

It looks like perhaps my masquerade is misconfigured if the source is the remote net's gateway.

It might be, if the displayed source was your remote net's gateway. But it isn't.

The source of that packet is, not

That source IP address tells me that the curl attempt originated from a PC in your local network, with the IP address, and your VPN successfully sent it across to the other network.

Well that's an interesting, if embarrassing, coincidence - spot on.

It looks like the originating host did, in fact, get 1.143 from its local DHCP.

I'm pretty sketchy with my linux networking - is this then a question of creating a new routing rule on m83?

Possibly. You sniffed incoming traffic on the wg0 interface; it wouldn't hurt to also sniff the desired exit interface to see if there are corresponding outbound packets leaving that interface. The results may indicate what, if anything, might need to be adjusted.

It appears that m83 is not the main router at its site, it is a device on a LAN. This means that symmetric routes, if used, have to be configured in that site's main router: via via

The other option is to masquerade out of m83 so that Internet usage appears to originate from, then the main router (presumably does not need another route to return it properly.

1 Like