Traffic not routed through VPN tunnel

Routers VPN, DNS, Leaks
1

What I want to achieve:

A Fritzbox 7350 shall be my main router/modem (establishes a connection to my ISP and runs a DHCP server).

A GL-MT6000 (Flint 2) shall establish a WireGuard tunnel to a VPN server (PrivadoVPN).

Only the devices connected to MT6000 shall use the VPN tunnel. No VPN tunnel for the devices connected to the Fritzbox.

All devices - whether connected to the Fritzbox or the MT6000 - shall be able to "see" each other (in the same subnet).

My current setup/configuration:

Fritzbox

  • establishes the connection to my ISP

  • DHCP server running

  • IP address: 192.168.178.1

GL-MT6000:

  • Connected via LAN1 port (configured as a LAN port, not as WAN port) to the Fritzbox

  • Network mode: Router

  • Fix IP address: 192.168.178.100

  • Netmask: 255.255.255.0

  • DHCP disabled

  • VPN mode: Global Mode

Wireguard config file that I imported:

[Interface]

PrivateKey = xxx

Address = 100.64.86.46/32

DNS = 198.18.0.1,198.18.0.2

[Peer]

PublicKey = xxx

AllowedIPs = 0.0.0.0/0

Endpoint = 91.148.237.4:51820

I added the following route in file /etc/config/network:

config route 'fritzbox'

        option interface 'lan'

        option target '0.0.0.0'

        option netmask '0.0.0.0'

        option gateway '192.168.178.1'

My current situation/problem:

All devices (connected to Fritzbox or MT-6000) can access the internet.

MT-6000 can establish a VPN connection to PrivadoVPN server.

All devices can see each other.

Problem: Traffic from devices connected to MT-6000 does not go through VPN tunnel.

Any hint to what I missed is appreciated?

Thanks

Network_LAN_Setting
Network_LAN_Setting1552×1236 42.8 KB

Network_DNS_Setting
Network_DNS_Setting1552×886 39.4 KB

VPN_Dashboard
VPN_Dashboard1552×844 31.3 KB

4

Hi,

There doesn’t seem to be a good way to achieve your goal with the current topology and configuration.

The Fritzbox is acting as the DHCP server, while DHCP on the MT6000 has been disabled. As a result, all LAN clients receive 192.168.178.1 as their gateway address.

Therefore, even devices that are directly connected to the MT6000’s LAN will still send their Internet traffic to the Fritzbox, and the MT6000 will follow this setup by forwarding the traffic directly to the Fritzbox at Layer 2 (bypassing the VPN tunnel).

5

Hi,

is there a way to achieve my goals with another configuration/topology using those two devices? Or isn’t it possible at all?

Thanks

7

We recommend the following two possible solutions, depending on how much flexibility and separation you need between VPN and non-VPN devices.

Solution 1: Assign the VPN Gateway Per Device (Simple Setup)

Overview

Devices that should use the VPN are manually configured to route traffic through the Flint 2. Other devices continue to use the Fritzbox normally.

Steps

  1. Identify the devices that need to use the VPN.
  2. For those devices, manually set the default gateway to the Flint 2’s IP address:
    192.168.178.100
    OR
  3. Configure the Fritzbox DHCP server to automatically assign this gateway to selected devices.

Behavior

  • Devices using the Flint 2 as their gateway will route traffic through the VPN.
  • Other devices will continue to use the Fritzbox directly.

Pros

  • No changes to the existing network topology.
  • All LAN devices remain in the same subnet.
  • Devices can communicate with each other at Layer 2.

Limitations

  • VPN usage is not automatic based on where a device is connected.
  • Devices will not automatically bypass or use the VPN when switching between Fritzbox and Flint 2 connections.
  • Gateway settings must be managed per device.

Solution 2: Separate Subnets for VPN and Non-VPN Devices (More Flexible)

Overview

The Flint 2 acts as a downstream router behind the Fritzbox, creating a separate LAN for VPN devices while still allowing access between both networks.

Network Topology

  • Fritzbox LAN: 192.168.178.0/24
  • Flint 2 WAN: 192.168.178.100
  • Flint 2 LAN: 192.168.180.0/24

Steps

  1. Connect the WAN port of the Flint 2 to a LAN port of the Fritzbox.
  2. Configure the Flint 2 to use a different LAN subnet, for example:
    • WAN IP: 192.168.178.100
    • LAN subnet: 192.168.180.0/24
  3. On the Flint 2, follow this guide to allow LAN devices to access the WAN while the VPN client is enabled:
    Allow access to WAN when VPN client is enabled - GL.iNet Router Docs 4
  4. On the Fritzbox, add a static route:
  5. On the Flint 2, enable WAN → LAN forwarding in LuCI → Network → Firewall.
    image
    image1192×871 54.3 KB

    image
    image943×756 49.4 KB

Resulting Behavior

  • Devices connected to the Fritzbox:
    • Access the Internet directly (no VPN).
  • Devices connected to the Flint 2:
    • Access the Internet through the VPN.
  • Devices on both networks:
    • Can communicate with each other.

Pros

  • Clear separation between VPN and non-VPN devices.
  • VPN usage is automatic based on which router a device connects to.
  • Almost all functional goals are achieved.

Limitations

  • Communication between devices occurs at Layer 3, not Layer 2.
  • Layer 2–dependent services (multicast/broadcast) will not work, including:
    • mDNS
    • Sonos
    • Chromecast
  • Requires to change current configuration and routing setup.
1 Like
8

Solution 2 sounds very good to me. I'll try that and keep you informed.

Thanks

9

Hello again,

the setup works fine so far. The network topology I chose is the following:

  • Fritzbox LAN: 192.168.178.0/24
  • Flint 2 WAN: 192.168.178.100
  • Flint 2 LAN: 192.168.8.0/24

In the meantime, I enabled the 2.4 GHz Guest Wifi. Clients connected to the guest network get an IP address of the subnet 192.168.9.0/24. Those “guest” clients:

  • cannot ping clients connected to the Flint 2 LAN (expected)
  • can control clients connected to the Flint 2 LAN (not expected), example given below*
  • can ping clients connected to the Fritzbox LAN (not expected)
  • can connect to the web interface of the Fritzbox (not expected)

However, I expected that - connected to the guest network - none of the above things would work. What do I need to change the current behavior to the expected one?

*Example: Smartphone connected to the guest network can control smart lights via a Philips Hue bridge connected to the Flint 2 LAN.

Another thing that I want to reach is, that the devices connected to the guest Wifi should not use the VPN tunnel. To accomplish this, I added a VPN tunnel in the VPN Dashboard with the following settings:

  • From: "Specified Connection Types" => "Guest"
  • To: "All targets"
  • Via: "Not Use VPN"

However, clients still get an IP from the VPN server. Any hint how to configure this correctly is appreciated.

Thanks

10

Hello,

any feedback from anyone on how to configure the guest network correctly?

Thanks

11

Sorry for the late reply—we’ve just returned from the Chinese New Year holiday.

Since ping from Guest to LAN is not working, we believe the isolation is functioning as expected. Please check whether your IoT devices have other ways to be controlled remotely (e.g., via cloud services), rather than relying solely on the local network.

Because the Fritzbox’s LAN is treated as the WAN zone from the Flint 2’s perspective, traffic from Guest or LAN to the Fritzbox LAN is not blocked by default, as this is required for internet access.

You can add the following rule under Luci → Network → Firewall → Traffic Rules to do that:

image
image927×525 26.1 KB

Please chek whether the Guest VPN Police rule is placed at the top (highest priority) to prevent other rules from matching first and causing Guest traffic to be routed through the VPN.

image
image1325×770 47.7 KB

12

Great, thanks. That helped.

Happy New Chinese Year!

1 Like