I would like to use WireGuard only for selected domains and have all other traffic go through the normal WAN interface. This is backwards to all those who want VPN on except for Netflix.
Since my exceptions are domain-based, I need to use an ipset with dnsmasq… I’ve tried the vpn-policy-routing package, but it does not work out-of-the box with GL-iNet’s setup.
I’ve tried modifying the /etc/init.d/wireguard script, but when I don’t disable lan2wan forwarding, after removing the default routes feeding wg0 (0.0.0.0/1 and 188.8.131.52/1) I can get traffic to go out through the WAN. But in testing, when I manually add a route for an IP address to the wg0 interface, it always goes out the WAN.
This is not an unusual use case where I would want to route only corporate traffic, identifiable by the company’s domain names, through the VPN and send everything else out the WAN port.
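As an added example (not from the original post, and not GL-iNet's or OpenWrt's own scripts), this is the dnsmasq ipset plus fwmark policy-routing setup the question describes: only addresses resolved for the listed domains are marked and sent through wg0 via a separate routing table, so the WAN default route keeps everything else. The set name `wgdom`, table 100, mark 0x100 and the sample domains are assumptions; `DRY=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post or from GL-iNet/OpenWrt: route only
# dnsmasq-resolved IPs of selected domains through wg0, everything else via WAN.
# Assumed names: ipset "wgdom", routing table 100, fwmark 0x100, interface wg0.
# DRY=echo prints the commands instead of executing them (useful for review).
DRY="${DRY:-}"
WG_IF=wg0
SET=wgdom
TABLE=100
MARK=0x100
DOMAINS="${DOMAINS:-example.com,corp.example}"   # constructed sample domains

# dnsmasq line: every A record answered for these domains is added to the set
dnsmasq_conf() {
    printf 'ipset=/%s/%s\n' "$(echo "$DOMAINS" | tr ',' '/')" "$SET"
}

# Mark packets whose destination is in the set, then route marked traffic
# through a dedicated table whose only default route points at wg0.
apply_rules() {
    $DRY ipset create "$SET" hash:ip -exist
    $DRY iptables -t mangle -A PREROUTING -m set --match-set "$SET" dst -j MARK --set-mark "$MARK"
    $DRY iptables -t mangle -A OUTPUT -m set --match-set "$SET" dst -j MARK --set-mark "$MARK"
    # LAN clients need to be NATed to the tunnel address before entering wg0
    $DRY iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE
    $DRY ip rule add fwmark "$MARK" lookup "$TABLE"
    $DRY ip route add default dev "$WG_IF" table "$TABLE"
    # The two /1 routes that push all traffic into the tunnel must not remain
    # in the main table; deleting a route that is absent is not an error here.
    $DRY ip route del 0.0.0.0/1 dev "$WG_IF" 2>/dev/null || true
    $DRY ip route del 128.0.0.0/1 dev "$WG_IF" 2>/dev/null || true
}

# Run as "sh split-wg.sh apply" to print the dnsmasq line and install the rules
if [ "${1:-}" = "apply" ]; then
    dnsmasq_conf
    apply_rules
fi
```

The dnsmasq line goes into a dnsmasq config fragment (e.g. under /etc/dnsmasq.d/ if your build reads it); the firewall must also permit forwarding from the LAN zone to the zone that contains wg0, or marked packets are dropped before they reach the tunnel.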