I’ve been thinking about this and I see two main ways of approaching it (and possibly a third more complicated setup):
1. Handle the routing on the client itself with your regular VPN turned on and WireGuard with the `AllowedIPs` directive set to your local (home) network subnet. That is, instead of `AllowedIPs=0.0.0.0/0`, you’d have
2. Handle the routing/forwarding of outbound traffic on the WireGuard server (RPi) itself. We might even be able to just get away with masquerading on whatever device your anonymizing VPN app creates.
I think option 2 is preferable, so let’s start there. Here are the next steps I’d recommend:
- Install/set up your VPN on your Raspberry Pi WireGuard server and make sure it’s running/working on the RPi.
- Make sure WireGuard is still running.
- If you’re feeling adventurous, try pointing the masquerade at your VPN interface/device. That is, replace the `-o eth0` with `-o <VPN device here>` in your server config. Note that you’ll probably have to bring the wg tunnel down, make the changes, and then bring it back up. (See How To Set Up a WireGuard VPN Server on Ubuntu Linux - #22 by TorqueWrench for further information.)
Note that the above steps, without further modification, will just hide your IP with your VPN IP and won’t allow you to access your home network, but I want to keep it relatively simple before we proceed from there. If that isn’t working, please send along the output of
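
The `-o eth0` to `-o <VPN device here>` swap from the last step, as an added example that is not part of the original post or the linked tutorial. It assumes the server config uses the common wg-quick `PostUp`/`PostDown` iptables pattern and that the VPN device is called `tun0`; the sample config is constructed and the function names are hypothetical.

```shell
# Constructed sample of a wg-quick server config; the key is a placeholder.
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Accept only plain interface names: PostUp/PostDown are run as root by
# wg-quick, so a value such as "tun0; id" must never reach the config.
valid_iface() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# retarget_masquerade OLD NEW: config on stdin, edited config on stdout.
# Only "-o OLD" inside a POSTROUTING ... MASQUERADE rule on a PostUp/PostDown
# line is changed; FORWARD rules and every other line pass through untouched.
retarget_masquerade() {
  valid_iface "$1" && valid_iface "$2" || { echo "bad interface name" >&2; return 2; }
  sed -E "/^[[:space:]]*Post(Up|Down)[[:space:]]*=/ s/(POSTROUTING[^;]*)-o[[:space:]]+$1([[:space:]][^;]*MASQUERADE)/\1-o $2\2/g"
}

# List the egress interfaces the masquerade rules currently point at.
masquerade_ifaces() {
  grep -E '^[[:space:]]*Post(Up|Down)[[:space:]]*=' |
    grep -oE 'POSTROUTING[^;]*-o[[:space:]]+[A-Za-z0-9_-]+[^;]*MASQUERADE' |
    sed -E 's/.*-o[[:space:]]+([A-Za-z0-9_-]+).*/\1/' | sort -u
}

# tun0 is an assumed name for the VPN device; check yours with `ip link`.
sample_conf | retarget_masquerade eth0 tun0 | masquerade_ifaces
```

Running `masquerade_ifaces` on the real config before and after the edit confirms that both `PostUp` and `PostDown` point at the same device, so the rule added when the tunnel comes up is the one removed when it goes down.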