I have everything working, but I’m unsure if I implemented it the “right” way.
What I want: selectively route traffic from my home router through other computers.
My setup: Home router (Mikrotik) is double NAT (ISP router is shared, I can’t modify its settings, dynamic IP, no port forwarding…). I have a VPS with a static IP. Home router has a WireGuard link to VPS; I have Raspberry Pis at families’ houses, connected to VPS via WireGuard, through which I want to route traffic. So: WireGuard forms a star topology, with the VPS (not the router!) at the center.
As I understand, each gateway must be directly accessible (1 hop away), so I did not have luck using my router to set a route through a WireGuard Raspberry Pi—both my router and the Pi are peers to the VPS (and can communicate fine with each other), but they are not direct peers to each other. A traceroute is home router → VPS → Pi. AFAIK given that they both have dynamic IPs (and I can’t set up port forwarding), I cannot make them direct peers (?).
What I did: I ended up using tunnels to create another star topology network on top of the WireGuard network, but this time with the router at the center. I did this with GRE tunnels—I wanted something with minimal overhead, and because this is entirely on top of the WireGuard network, I wasn’t worried about any encryption at all (should I be?). Other tunnels (and even WG over WG?) would presumably work, too. Once the tunnels are up, there are some routes that need to be manually entered on the Pi.
It is pretty neat now that it works—I have a separate SSID which routes all traffic through one of the Pis.
My question: This all seems rather complicated; did I do this the “right” way, or are there better ways of handling this?
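An added example (not from the post): a small check for the "should I be worried about encryption?" question, plus the Pi-side commands for the GRE-over-WireGuard leg. GRE itself is plaintext, so it is only protected if both GRE endpoints are WireGuard tunnel addresses covered by a peer's AllowedIPs; otherwise the kernel routes the GRE packets out the default route in the clear. All addresses, interface names and the wg-quick config below are constructed assumptions, not the poster's values.

```python
import ipaddress

# Constructed wg-quick config for the Pi's uplink to the VPS hub (placeholder keys).
PI_WG0 = """
[Interface]
Address = 10.99.0.3/24
PrivateKey = <PI_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = vps.example.net:51820
AllowedIPs = 10.99.0.0/24
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Return (interface address, list of AllowedIPs networks) from a wg-quick config."""
    addr, allowed, section = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if section == "interface" and key.lower() == "address":
            addr = ipaddress.ip_interface(val)
        elif section == "peer" and key.lower() == "allowedips":
            allowed += [ipaddress.ip_network(n.strip()) for n in val.split(",")]
    return addr, allowed

def gre_stays_inside_wg(cfg, local, remote):
    """True only if the GRE local address is this host's WireGuard address and the
    remote is covered by a peer's AllowedIPs, i.e. GRE can only leave via wg0."""
    addr, allowed = parse_wg(cfg)
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return addr is not None and local == addr.ip and any(remote in n for n in allowed)

def pi_gre_commands(local, remote, gre_cidr, router_gre_ip, home_subnet, wan_if="eth0", wg_mtu=1420):
    """Linux commands for the Pi side: GRE tunnel to the home router and the
    return route for the home subnet routed through this Pi (the manual routes)."""
    gre_mtu = wg_mtu - 24  # outer IPv4 header (20) + GRE header (4) inside the WG MTU
    return [
        f"ip tunnel add gre-home mode gre local {local} remote {remote} ttl 64",
        f"ip link set dev gre-home mtu {gre_mtu} up",
        f"ip addr add {gre_cidr} dev gre-home",
        f"ip route add {home_subnet} via {router_gre_ip} dev gre-home",
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {home_subnet} -o {wan_if} -j MASQUERADE",
    ]
```

The router side mirrors this (GRE local = its own wg address, remote = the Pi's wg address) and the VPS only needs to forward between the two wg peers; the same check applies to the router's GRE endpoints.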