Port forwarding through vendor VPN without all traffic in VPN

Hello,

I'm trying to access a port on my router through a VPN provider via WireGuard. I have everything set up and working if I let all my traffic go through the VPN, which is not desirable. So when I disable "Route Allowed IPs" (0.0.0.0/0) on the WireGuard peer, to not route all of my traffic through the VPN, I can't access the port. But the WireGuard handshake between my router and the VPN provider is still working.

So if someone can point me in the right direction I would be grateful.
Thanks

It sounds like you want to be able to access your router remotely, when you're not at home, using a commercial VPN provider. Is that about right? Does this diagram illustrate what you're trying to achieve?

[image: diagram]

If so, is there a particular reason why you couldn't host the VPN directly? Something like this?

[image: diagram]


Yes, the first diagram illustrates what I'm trying to achieve.
The reason is that I want to try to hide my router's public IP address when I'm connecting from public Wi-Fi.

There's no significant benefit in doing so. I can guarantee that the bad guys are already scanning your router's public IP address anyway, regardless of whether or not you're using public Wi-Fi.

As evidence, my own firewall's logs are chock-full of random scans and probes which are obviously precursors to further activity if the crooks succeed in getting past my firewall.

They're not targeting you (or me) specifically; they're looking for any vulnerabilities they can find, regardless of whose device it is. As long as your router's configuration is secure (and as long as there are no vulnerabilities in your router's software) then you should be fine.

However, it's an interesting academic exercise, to achieve what you want, so let's continue.

I reckon you could probably achieve your result by amending the AllowedIPs directive on your laptop/phone/whatever to contain only your router's WireGuard interface IP address and/or internal IP address. Give it a go.


A point about terminology: WireGuard calls it "allowed". In fact, it's "forced".

If AllowedIPs is 0.0.0.0/0, then all traffic is forced through the VPN.

If AllowedIPs is, for example, 192.168.1.0/24, then only traffic for 192.168.1.0/24 is forced through the VPN.

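The "allowed means forced" behaviour described in the two replies above (narrowing AllowedIPs to just the router's WireGuard and internal addresses, and the 0.0.0.0/0 versus 192.168.1.0/24 contrast) is WireGuard's cryptokey routing: the client looks up every outgoing destination against the union of all peers' AllowedIPs and, on a match, sends the packet into the tunnel to that peer. The following script is an added example, not code from the thread or from WireGuard itself: it parses the [Peer] sections of a wg-quick style config and reports, for a destination address, whether the packet would enter the tunnel and under which prefix. The two configs are constructed for illustration (placeholder keys, a made-up endpoint, and the 10.5.0.0/24 tunnel range are assumptions, not values from the thread).

```python
import ipaddress

# Constructed sample configs (placeholders, not real keys or endpoints).
# Case 1: the "Route Allowed IPs" / full-tunnel setting the original poster
# started with.
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.5.0.2/32

[Peer]
PublicKey = <placeholder-provider-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

# Case 2: the split-tunnel suggestion from the thread: only the provider's
# tunnel-side address and the home LAN are routed through the tunnel.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.5.0.2/32

[Peer]
PublicKey = <placeholder-provider-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.5.0.1/32, 192.168.1.0/24   # tunnel peer address + home LAN
"""


def parse_allowed_ips(conf):
    """Return a list of {"PublicKey": ..., "AllowedIPs": [networks]} dicts,
    one per [Peer] section.  Several AllowedIPs lines in one section
    accumulate, and comma-separated lists are split, as wg-quick does."""
    peers = []
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append({"PublicKey": None, "AllowedIPs": []})
            continue
        if section != "peer" or "=" not in line:
            continue
        key, _, value = line.partition("=")      # base64 keys may end in '='
        key, value = key.strip(), value.strip()
        if key == "PublicKey":
            peers[-1]["PublicKey"] = value
        elif key == "AllowedIPs":
            peers[-1]["AllowedIPs"].extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip()
            )
    return peers


def routed_via_tunnel(peers, destination):
    """Longest-prefix match of `destination` over all peers' AllowedIPs.
    Returns (peer public key, matching network), or None when the packet
    would stay on the normal routing table and leave via the ISP uplink."""
    dst = ipaddress.ip_address(destination)
    best = None
    for peer in peers:
        for net in peer["AllowedIPs"]:
            if dst.version == net.version and dst in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (peer["PublicKey"], net)
    return best


def explain(conf, destinations):
    """Human-readable summary for a list of destinations."""
    peers = parse_allowed_ips(conf)
    lines = []
    for d in destinations:
        hit = routed_via_tunnel(peers, d)
        if hit is None:
            lines.append(f"{d:<15} -> plain Internet (no AllowedIPs match)")
        else:
            lines.append(f"{d:<15} -> tunnel via {hit[1]} (peer {hit[0]})")
    return "\n".join(lines)


if __name__ == "__main__":
    probes = ["8.8.8.8", "192.168.1.1", "10.5.0.1"]
    print("AllowedIPs = 0.0.0.0/0 (everything forced into the tunnel):")
    print(explain(FULL_TUNNEL_CONF, probes))
    print("\nAllowedIPs = 10.5.0.1/32, 192.168.1.0/24 (split tunnel):")
    print(explain(SPLIT_TUNNEL_CONF, probes))
```

Note what the check does and does not model: it decides which packets the client pushes into the tunnel, which is exactly the part AllowedIPs controls. Whether a commercial provider then forwards an inbound connection on a public port back down the tunnel to the client is a separate provider-side feature (the "port-forwarding feature" mentioned later in the thread), so a correct AllowedIPs alone cannot guarantee the original poster's inbound access will work.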

Hi

Which is "nonsense" for me, no offense.
If you install WireGuard on your phone/laptop and connect to your router from any public Wi-Fi, you will still be protected by WireGuard.

OpenWrt's default firewall is to drop all incoming connections on WAN,
and your WG tunnel will protect your internal communication.

So, not much benefit from complicating things.

I'm gonna put my money where my mouth is.

I've got a cheap NordVPN subscription, which supports WireGuard. Let's see if I can achieve the OP's desired result. I can speculate all I want about what might or should work, but there's no substitute for hard evidence.

Back in a bit...


Congratulations. You beat me. I wasn't able to tunnel my own private traffic between two separate devices which were both using the same NordVPN WireGuard (or "NordLynx") endpoint.

I'm not sure if it's straight-up not possible, perhaps due to how NordVPN implements WireGuard and the associated configurations, or if it's down to a gap in my knowledge (or an error in my working). Maybe it's possible with other WireGuard providers, maybe not.

However, hosting my own WireGuard endpoint for my devices to connect to while out and about is trivially easy to accomplish. And, as noted above, hiding my public IP address offers no benefit anyway, so this is my preferred approach and is the one I'd recommend.

I would suggest you reconsider your "hide my routers public IP address" requirement.

Every single device with a public IP address is being actively probed by the bad guys, and yours is no exception. You don't stand out from the crowd in that regard.

If you are being targeted specifically for some reason, then you have other problems you need to fix first before worrying about any VPN stuff.


Thanks for the effort.

I already have WireGuard set up for LAN access but was trying to do it through a VPN provider.

But you are probably right that it's too much hassle for little to no benefit.


I have this setup. I use TorGuard, but I have to use the port-forwarding feature. NordVPN didn't work for me.

Alternatively and inversely, I do use the app luci-app-pbr so that I can set up a guest Wi-Fi without any VPN connection, and I have a laptop joined to that Wi-Fi that I can access remotely; I use it to maintain or modify any VPN connections at that remote location. The ISP will also bottleneck my personal WireGuard connection when I don't use a VPN, so using a WireGuard VPN to remotely connect to my network for transfers is faster for me.