What I want to achieve:
A Fritzbox 7350 shall be my main router/modem (establishes a connection to my ISP and runs a DHCP server).
A GL-MT6000 (Flint 2) shall establish a WireGuard tunnel to a VPN server (PrivadoVPN).
Only the devices connected to MT6000 shall use the VPN tunnel. No VPN tunnel for the devices connected to the Fritzbox.
All devices - whether connected to the Fritzbox or the MT6000 - shall be able to "see" each other (in the same subnet).
My current setup/configuration:
Fritzbox
GL-MT6000:
- Connected via LAN1 port (configured as a LAN port, not as WAN port) to the Fritzbox
- Network mode: Router
- Fixed IP address: 192.168.178.100
- Netmask: 255.255.255.0
- DHCP disabled
- VPN mode: Global Mode
Wireguard config file that I imported:
[Interface]
PrivateKey = xxx
Address = 100.64.86.46/32
DNS = 198.18.0.1,198.18.0.2
[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = 91.148.237.4:51820
I added the following route in file /etc/config/network:
config route 'fritzbox'
option interface 'lan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway '192.168.178.1'
My current situation/problem:
All devices (connected to Fritzbox or MT-6000) can access the internet.
MT-6000 can establish a VPN connection to PrivadoVPN server.
All devices can see each other.
Problem: Traffic from devices connected to MT-6000 does not go through VPN tunnel.
Any hint as to what I missed is appreciated.
Thanks
Hi,
There doesn’t seem to be a good way to achieve your goal with the current topology and configuration.
The Fritzbox is acting as the DHCP server, while DHCP on the MT6000 has been disabled. As a result, all LAN clients receive 192.168.178.1 as their gateway address.
Therefore, even devices that are directly connected to the MT6000’s LAN will still send their Internet traffic to the Fritzbox, and the MT6000 will follow this setup by forwarding the traffic directly to the Fritzbox at Layer 2 (bypassing the VPN tunnel).
Hi,
Is there a way to achieve my goals with another configuration/topology using those two devices? Or isn't it possible at all?
Thanks
We recommend the following two possible solutions, depending on how much flexibility and separation you need between VPN and non-VPN devices.
Solution 1: Assign the VPN Gateway Per Device (Simple Setup)
Overview
Devices that should use the VPN are manually configured to route traffic through the Flint 2. Other devices continue to use the Fritzbox normally.
Steps
- Identify the devices that need to use the VPN.
- For those devices, manually set the default gateway to the Flint 2's IP address: 192.168.178.100
- OR: configure the Fritzbox DHCP server to automatically assign this gateway to selected devices.
Behavior
- Devices using the Flint 2 as their gateway will route traffic through the VPN.
- Other devices will continue to use the Fritzbox directly.
Pros
- No changes to the existing network topology.
- All LAN devices remain in the same subnet.
- Devices can communicate with each other at Layer 2.
Limitations
- VPN usage is not automatic based on where a device is connected.
- Devices will not automatically bypass or use the VPN when switching between Fritzbox and Flint 2 connections.
- Gateway settings must be managed per device.
Solution 2: Separate Subnets for VPN and Non-VPN Devices (More Flexible)
Overview
The Flint 2 acts as a downstream router behind the Fritzbox, creating a separate LAN for VPN devices while still allowing access between both networks.
Network Topology
- Fritzbox LAN: 192.168.178.0/24
- Flint 2 WAN: 192.168.178.100
- Flint 2 LAN: 192.168.180.0/24
Steps
- Connect the WAN port of the Flint 2 to a LAN port of the Fritzbox.
- Configure the Flint 2 to use a different LAN subnet, for example:
  - WAN IP: 192.168.178.100
  - LAN subnet: 192.168.180.0/24
- On the Flint 2, follow this guide to allow LAN devices to access the WAN while the VPN client is enabled: Allow access to WAN when VPN client is enabled - GL.iNet Router Docs
- On the Fritzbox, add a static route:
- On the Flint 2, enable WAN → LAN forwarding in LuCI → Network → Firewall.
Resulting Behavior
- Devices connected to the Fritzbox: access the Internet directly (no VPN).
- Devices connected to the Flint 2: access the Internet through the VPN.
- Devices on both networks: can communicate with each other.
Pros
- Clear separation between VPN and non-VPN devices.
- VPN usage is automatic based on which router a device connects to.
- Almost all functional goals are achieved.
Limitations
- Communication between devices occurs at Layer 3, not Layer 2.
- Layer 2–dependent services (multicast/broadcast) will not work, including:
- Requires changes to the current configuration and routing setup.
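A small simulation of the Layer 3 lookups behind Solution 2, added here as an illustration and not part of the thread or of GL.iNet's own tooling. It shows why the Fritzbox needs a static route for the Flint 2 LAN, and why Flint 2 clients reach the Internet via the tunnel but the Fritzbox LAN directly; the route values 192.168.180.0/24 via 192.168.178.100 are my assumption from the topology above, since the post does not spell them out.

```python
import ipaddress


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop label)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if ip in net]
        # The most specific (longest) prefix wins, as in the kernel FIB.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def fritzbox_table(with_static_route):
    rt = RoutingTable()
    rt.add("192.168.178.0/24", "connected: LAN")
    rt.add("0.0.0.0/0", "ISP uplink")
    if with_static_route:
        # Assumed static route: Flint 2 LAN subnet via the Flint 2 WAN IP.
        rt.add("192.168.180.0/24", "via 192.168.178.100 (Flint 2)")
    return rt


def flint2_table():
    rt = RoutingTable()
    rt.add("192.168.180.0/24", "connected: br-lan")
    rt.add("192.168.178.0/24", "connected: wan")   # Fritzbox LAN, no VPN
    rt.add("0.0.0.0/0", "wg0 (VPN tunnel)")         # everything else via VPN
    return rt


if __name__ == "__main__":
    # Constructed sample hosts: one behind the Fritzbox, one behind the Flint 2.
    for flag in (False, True):
        print("Fritzbox static route:", flag,
              "-> 192.168.180.50 reached via", fritzbox_table(flag).lookup("192.168.180.50"))
    f2 = flint2_table()
    print("Flint 2 client -> 8.8.8.8:", f2.lookup("8.8.8.8"))
    print("Flint 2 client -> 192.168.178.20:", f2.lookup("192.168.178.20"))
```

Without the static route the Fritzbox sends return traffic for the Flint 2 LAN to the ISP, so cross-network access fails even though the Flint 2 itself can reach both sides.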
Solution 2 sounds very good to me. I'll try that and keep you informed.
Thanks