WireGuard Split Tunneling with Anonymous VPN

Sorry to revive, but first I’d like to say thanks for this writeup! Worked like a charm.

My question is regarding DNS leak: when using dnsleaktest.com, my ISP and true public IP appear in the result. Is WireGuard able to hide the public IP? I’m using it on a Pi-hole with Unbound as the DNS resolver. Both internal and external machines show the ISP and true public IP of my home setup.



Yep, since we’re just forwarding the traffic out from your network.

It sounds like you want a combination of WireGuard and an anonymous VPN. Since you set up WireGuard on an RPi in the first place, I assume what you’re after is the ability to access your home network remotely, but then all outbound traffic you want to tunnel through an anonymous VPN. Do I have that right?

If so, it should be possible. I’ll see if I can make some iptables recommendations if you’d like to be the guinea pig. Just let me know.


Thanks for the reply! You got it - exactly what I’m interested in doing. I wasn’t sure if WireGuard was capable of that or not, but I’m willing to mess around with your suggestions if you’d like to experiment! My image is backed up already so feel free to suggest away :)

I’ve been thinking about this and I see two main ways of approaching it (and possibly a third more complicated setup):

  1. Handle the routing on the client itself with your regular VPN turned on and WireGuard with the AllowedIPs directive set to your local (home) network subnet. That is, instead of AllowedIPs=, you’d have AllowedIPs=

  2. Handle the routing/forwarding of outbound traffic on the WireGuard server (RPi) itself. We might even be able to just get away with masquerading on whatever device your anonymizing VPN app creates.

I think option 2 is preferable, so let’s start there. Here are the next steps I’d recommend:

  • Install/set up your VPN on your Raspberry Pi WireGuard server and make sure it’s running/working on the RPi.
  • Make sure WireGuard is still running.
  • If you’re feeling adventurous, try pointing the masquerade at your VPN interface/device. That is, replace the -o eth0 with -o <VPN device here> in your server config. Note that you’ll probably have to bring the wg tunnel down, make the changes, and then bring it back up. (See How To Set Up a WireGuard VPN Server on Ubuntu Linux - #22 by TorqueWrench for further information.)

Note that the above steps, without further modification, will just hide your IP with your VPN IP and won’t allow you to access your home network, but I want to keep it relatively simple before we proceed from there. If that isn’t working, please send along the output of ifconfig.
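The masquerade change from option 2, as an added example that is not part of the original posts: it rewrites the egress device in a server config's PostUp/PostDown hooks and checks that both hooks end up on the same device. The device names (wg0, eth0, tun0), the sample config and the function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Assumed device names: wg0 (WireGuard), eth0 (current
# egress), tun0 (device created by the anonymizing VPN client).

# Constructed sample of a wg-quick server config (PrivateKey and peers omitted).
SAMPLE_CONF='[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE'

# Copy the config from stdin to stdout, changing "-o OLD" to "-o NEW" on
# PostUp/PostDown lines only. Returns 2 if a name is not a plain device name.
retarget_masquerade() {
  local old=$1 new=$2
  [ -n "$old" ] && [ -n "$new" ] || return 2
  case "$old$new" in *[!A-Za-z0-9_.-]*) return 2 ;; esac
  old=${old//./\\.}   # a dot in the name must not act as a regex wildcard
  sed -E "/^[[:space:]]*Post(Up|Down)[[:space:]]*=/ s/(-o[[:space:]]+)${old}([[:space:];]|\$)/\1${new}\2/g"
}

# Print "<hook> <device>" for each MASQUERADE rule in the config on stdin.
masquerade_ifaces() {
  awk '/^[ \t]*Post(Up|Down)[ \t]*=/ {
    eq = index($0, "="); hook = substr($0, 1, eq - 1); gsub(/[ \t]/, "", hook)
    n = split(substr($0, eq + 1), cmds, ";")
    for (i = 1; i <= n; i++) {
      if (cmds[i] !~ /MASQUERADE/) continue
      m = split(cmds[i], w, " ")
      for (j = 1; j < m; j++) if (w[j] == "-o") print hook, w[j + 1]
    }
  }'
}

# Succeed only if PostUp and PostDown each masquerade via WANT and nothing
# else. A PostDown left on the old device never deletes the rule PostUp adds.
masquerade_only_via() {
  local want=$1
  [ "$(masquerade_ifaces | sort -u)" = "$(printf 'PostDown %s\nPostUp %s' "$want" "$want")" ]
}

# Demo on the sample: rewrite, then verify both hooks agree.
printf '%s\n' "$SAMPLE_CONF" | retarget_masquerade eth0 tun0 | masquerade_only_via tun0 &&
  echo "both hooks masquerade via tun0"
```

Bring the tunnel down before replacing the real config, as the post advises, so the old PostDown removes the old eth0 rule before the hooks change.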