(SOLVED) Forwarding single host WAN traffic via VPN

Hi everybody,

I have for some time been trying to migrate away from pfSense, and my last milestone is to forward one host on the same subnet, but not all hosts on that subnet, via the VPN, so that the one host only uses the VPN as its default route but can still respond to queries from VMs on the same subnet.

So far I have only been able to get correct routing when I static-route a destination (for instance with next-hop being interface wg4, and can only access and nothing else), but this solution is not really good for me.

Here is more detailed info:
pfSense currently runs with xx.xxx.xx.23/26 for WAN and for LAN
VyOS runs with xx.xxx.xx.24/26 and for LAN, as part of the migration in small steps
The subnet with my VMs is:
The host whose WAN traffic I want forwarded only via the VPN is:
The VPN I want to use resides on interface wg4

My setup from pfSense:
I created a FW rule that blocks from using the regular WAN interface to go online.
Then I created a FW rule that allows to access the Internet via the OpenVPN interface, which is the VPN I'm using.
Then there is a NAT rule that allows to be NATed to whatever IP the VPN server has.

Any help or tips would be greatly appreciated

You want to look at policy routing.
Here's the example I use to route all traffic from my laptop with IP address of out via vtun3 (OpenVPN interface).

Note: You must ensure you do not have "source-validating strict" set, otherwise this won't work!

First, the policy statement that says "All traffic from" must use routing table 10 for routing decisions.

tim@ferrari# show policy
     rule 10 {
         source {
         set {
             table 10

Next, set up routing table 10. This basically defines a new routing table, and you can see I've set a static default route so that all traffic is routed out vtun3. You'd change yours to be wg4.

tim@ferrari# show protocols static
 table 10 {
     interface-route {
         next-hop-interface vtun3 {

Finally the policy route must be applied to the interface the traffic is coming in on. eth1 is the default route for This is where you apply the policy statement.

[edit interfaces ethernet eth1]
tim@ferrari# show
 description "XXX Network"
 duplex auto
 firewall {
     in {
         name LAN-IN
 mtu 9000
 policy {

With this active, all traffic from goes via vtun3 (except traffic to other devices on the LAN, which of course uses ARP/direct host-to-host), but all other LAN clients use the standard routing table. You can of course do trickier things: you can have only certain destination routes go into table 10, or ports, etc. It's very flexible.

1 Like
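As an added example (not from any post in this thread), here is the same source-based policy routing expressed as the iproute2 and nft commands a Linux router such as VyOS ends up installing, including the "source-validating strict" check and the NAT rule the original poster had on pfSense. Host 192.168.1.50, LAN interface eth1, VPN interface wg4, table 10 and the 1.1.1.1 test destination are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing for one LAN host,
# written as the iproute2/nft commands a Linux router ends up installing.
# Constructed values: VPN-only host 192.168.1.50, LAN interface eth1, VPN interface wg4,
# routing table 10. DRY_RUN=1 (default) prints the plan; DRY_RUN=0 applies it (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Equivalent of the answer's "source-validating strict" warning: on Linux that is
# rp_filter=1 on the LAN interface. 0 (off) and 2 (loose) are compatible with the policy.
rp_filter_compatible() {
    [ "$1" != "1" ]
}

# A table whose default route points at the VPN interface, plus a rule sending packets that
# arrive on the LAN from the one host into that table; every other LAN host keeps using main.
pbr_setup() {
    host="$1"; lan_if="$2"; vpn_if="$3"; table="$4"
    run ip route replace default dev "$vpn_if" table "$table"
    # Counterpart of the pfSense rule blocking the host from the regular WAN: if the VPN
    # interface goes down its route disappears and lookups would otherwise fall through to main.
    run ip route replace unreachable default table "$table" metric 1000
    run ip rule add from "$host/32" iif "$lan_if" lookup "$table" priority 100
    # Counterpart of the pfSense outbound NAT rule: masquerade the host behind the VPN address.
    run nft add table ip pbr_nat
    run nft add chain ip pbr_nat post '{ type nat hook postrouting priority 100; }'
    run nft add rule ip pbr_nat post ip saddr "$host" oifname "$vpn_if" masquerade
}

# Ask the kernel which route a packet from the host to the Internet would take; the answer
# should name the VPN interface, while the same query for another LAN address should not.
pbr_verify() {
    run ip route get 1.1.1.1 from "$1" iif "$2"
}

# Stand-alone run: warn on strict rp_filter, then print the plan for the constructed values.
rp_val="$(sysctl -n net.ipv4.conf.eth1.rp_filter 2>/dev/null || echo 0)"
rp_filter_compatible "$rp_val" || echo "warning: eth1 rp_filter=1 (strict); policy routing will not work" >&2
pbr_setup 192.168.1.50 eth1 wg4 10
pbr_verify 192.168.1.50 eth1
```

Run with DRY_RUN=0 on the router to apply the commands; run the verify query once more with a different LAN source address to confirm that only the chosen host is steered into table 10.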

This was exactly the solution I was looking for!

Thank you so much for the examples and explaining all of it!

It is working so well :smiley:

Switching from OpenVPN to WireGuard for this service increased speed from 10-12 MB/s to 90-100 MB/s.
