I’m trying to set up my VPN and I’m a bit confused here.
I have a commercial VPN subscription that I’m using on my phone and laptop. Now I’ve set up WireGuard on my OpenWRT router to access my home network remotely. I can connect to it from my phone but from what I see there’s no way to have both commercial VPN and my local network WG active at the same time (both are using WG so I’m trying to create WG config with two peers but I don’t think it’s possible).
So what do people actually do? From what I see I have 3 options:
- Don’t use commercial VPN on my phone, only use WG to access my network
- Switch between VPNs manually whenever I want to access my network
- Set up commercial VPN on my router, move all my network’s traffic through this VPN and move all traffic from my phone through my home network.
Am I missing something? What’s the typical approach here? I thought that what I’m trying to do is basic scenario but it looks like it’s not that simple if at all possible.
I created a work profile on my Android phone with the Insular app from F-Droid (but there are alternatives from Google Play too), connected Tailscale to my home server there, and put all the necessary apps there too. The basic profile has the commercial VPN with split tunneling per app.
But I checked the threads and there are better alternatives.
Netmaker looks really nice. Has the lowest requirement, self-hosted and open-source. I will give it a shot but if the setup is too complicated I will just go with separate profile and wireguard.
If you use an app like RethinkDNS, it will allow you to run multiple, simultaneous VPN connections and then choose how you want to route your traffic.
I have the same situation as you. I run two VPN connections. One to home and one to a VPS. I route all traffic to 10/8 to the home VPN, certain apps to my VPS VPN and then the rest of the traffic via the local connection.
RethinkDNS also does local DNS filtering and allows you to specify which DNS service to use. I run my own DoT service that backs off to the PiHole at home.
Ah, so I bet what they’re doing is looking like a single VPN from the Android OS level, setting a default route into that, and then doing routing in userspace.
Can it connect to the VPNs simultaneously though? I don’t have it, but from what I see it can have configurations from multiple vpns but only one can be up at a time.
Yep. I have two at the same time.
I have not used such a configuration, but I believe that it’s fine to have multiple WireGuard VPNs concurrently up, at least from a Linux client standpoint. I have no idea whether your phone’s client permits that — it could well be that it can’t do it.
Your routing table would have the default route go to a host on one of them (and your Internet-bound traffic would go there), but you should be able to have it be either. Or neither — I’ve set up a WireGuard configuration with a Linux client where the default route wasn’t over the WireGuard VPN, and only traffic destined for the LAN at the other end of the WireGuard VPN traversed the WireGuard VPN.
From Linux’s standpoint, a WireGuard VPN is just like another NIC on the host. You say “all traffic destined for this address range heads out this NIC”. Just that the NIC happens to be virtual and to be software that tunnels the traffic.
EDIT:
It sounds like this is an Android OS-level limitation:
https://android.stackexchange.com/questions/261526/are-there-technical-limitation-to-multiple-vpns
In the Android VPN development documentation you can find a clear statement regarding the possibility to have multiple VPNs active at the same time:
There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created.
That same page does mention that you can have apps running in different profiles using different VPNs at the same time. That might be an acceptable workaround for you.
The Android limitation is exactly what I found - only one VPN at a time. I checked the work profile trick and it does work, I can have two VPNs running. This is not ideal as apps from one profile still won’t use the commercial VPN but maybe I can live with that. I will do some more testing. Thanks for the tip.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| PiHole | Network-wide ad-blocker (DNS sinkhole) |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
4 acronyms in this thread; the most compressed thread commented on today has 11 acronyms.
[Thread #225 for this comm, first seen 9th Apr 2026, 08:00]
I use Tailscale with an exit node container that forwards all traffic to the commercial VPN via a wireguard config. This “hopping” solution serves me well enough, and works for Android too.
If you want to simultaneously have two VPN interfaces, you may wanna consult this and this guide. The principle should apply with non-Tailscale wireguards too I think
So you’re using tailscale android app as the only VPN and all traffic from your phone goes through your local network, yes?
Your tailscale exit node is deployed on some server in your network, right? (I’ve set up my WG server on my router) Does your router just port forward all tailscale traffic to it?
Yes, the app is the only “Android VPN”. The exit node is deployed on another network, but there should be no problem deploying it locally.
My phone would be attempting to make direct WireGuard connections to my other Tailscale nodes (be it the server, the exit node, or any other device), so it’ll prefer local connections. When it can’t (e.g. in a different and restrictive network), it will relay this traffic through DERP servers. Tailscale automates these processes very well, so no port forwarding is needed.
Note that to establish these encrypted direct tunnels, Tailscale clients have to talk to a control server to fetch required metadata. I selfhost this piece via Headscale along with the DERP servers. The stack would be quite complicated for those who already had a wireguard tunnel, but I found myself liking it because Tailscale has other cool features too.
Alternatively, I guess you could also do “split-route” by defining different peers in your Android WireGuard app, and use different `AllowedIPs` for them.
That’s exactly what I’ve been trying but it doesn’t work. Only one peer is able to do a handshake. It looks like it should work but I actually haven’t seen anyone recommending this or saying they managed to set it up. Everyone just ends up routing everything through private VPN. I will read some more about tailscale but I think it’s an overkill for me. I will probably just use different VPNs in separate android profiles.
If you’re using Mullvad as your VPN Tailscale supports it right out of the box. You could use Tailscale only and use Mullvad’s VPN as an exit node. This is probably the easiest and most out-of-the-box ready solution.
I’m using two different setups:
Phone with wireguard app:
- VPN client installed on my router
- WireGuard server Running on Router
- Phone connects to the router’s wireguard server and from there my phone is routed through the VPN client for web traffic (but I’m not using OpenWRT so you have to check if this is possible for you)
Laptop with wireguard app and VPN installed as browser extension:
- WireGuard app is configured to only route traffic to my local subnets through the wireguard VPN.
- Web browser is encrypted through the VPN extension.
Really depends on what you need. For me this setup fits my bill.
But there’s also tailscale (which you can also selfhost: headscale)
Additionally you could also set up your own independent wireguard server to get more granular control for routing and firewalling. But you would need a device that’s running 24/7 (same for headscale). A raspberry pi would probably be enough for that.
Looks like most people are doing some version of option 3, routing everything through home network. I hoped there’s a simpler way but maybe I just have to go in this direction.
One question, the VPN client on your router routes everything from your network or just the phone?
I am running tailscale to access my homelab and my exit node and I use wireguard protonVPN connection for that exit node. It involved messing with nftables, check this for more info. In theory, you could do the same with two wireguard connections. One connection in and one as an exit. Maybe easier solution would be having these on separate machines/vms. Having the exit vpn on the openWRT as default for all connections and then the connection in on a separate container or vm, and it would exit through the router. I am not sure but I think the wireguard then naturally exits through the router (gateway).





