I have everything working, but I’m unsure if I implemented it the “right” way.

What I want: selectively route traffic from my home router through other computers.

My setup: Home router (Mikrotik) is behind double NAT (ISP router is shared, I can’t modify its settings, dynamic IP, no port forwarding…). I have a VPS with a static IP. The home router has a WireGuard link to the VPS; I have Raspberry Pis at families’ houses, connected to the VPS via WireGuard, through which I want to route traffic. So: WireGuard forms a star topology, with the VPS (not the router!) at the center.

As I understand it, each gateway must be directly accessible (1 hop away), so I did not have any luck using my router to set a route through a WireGuard Raspberry Pi—both my router and the Pi are peers of the VPS (and can communicate fine with each other), but they are not direct peers of each other. A traceroute is home router → VPS → Pi. AFAIK, given that they both have dynamic IPs, I cannot make them direct peers (?).

What I did: I ended up using tunnels to create another star topology network on top of the WireGuard network, but this time with the router at the center. I did this with GRE tunnels—I wanted something with minimal overhead, and because this is entirely on top of the WireGuard network, I wasn’t worried about any encryption at all (should I be?). Other tunnels (and even WG over WG?) would presumably work, too.

It is pretty neat now that it works—I have a separate SSID which routes all traffic through one of the pis.

My question: This all seems rather complicated; did I do this the “right” way, or are there better ways of handling this?
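For readers following the setup above, here is an added example of what the home-router side looks like on a Mikrotik running RouterOS v7: the WireGuard spoke to the VPS, a GRE tunnel to one Pi carried inside that WireGuard link, and policy routing that sends one SSID's clients into the tunnel. This is not the poster's configuration and does not answer whether it is the "right" way; every interface name, key placeholder, and address (10.0.0.0/24 for the WireGuard network, 10.1.1.0/30 for the GRE link, 192.168.50.0/24 behind a bridge called bridge-guest, 203.0.113.10 as the VPS) is assumed. On the encryption question: the GRE payload is protected on the wire because it only ever travels inside WireGuard, but GRE itself has no peer authentication, so the example also restricts which WireGuard address may deliver GRE to the router.

```routeros
# Added example (not the poster's config): home Mikrotik side, RouterOS v7.
# All names, keys and addresses below are assumptions:
#   wg-vps        WireGuard interface to the VPS hub; WG net 10.0.0.0/24,
#                 VPS = 10.0.0.1, router = 10.0.0.2, pi-1 = 10.0.0.3
#   gre-pi1       GRE tunnel to pi-1 carried inside WireGuard, 10.1.1.0/30
#   bridge-guest  bridge behind the separate SSID, clients in 192.168.50.0/24
#   203.0.113.10  the VPS's static public address

# 1. Spoke side of the WireGuard star. allowed-address covers the whole WG
#    subnet so packets to/from the Pi's WG address (10.0.0.3) are accepted
#    from, and routed to, the VPS peer; the VPS forwards them to the Pi.
/interface wireguard add name=wg-vps listen-port=13231 \
    private-key="<router-private-key>"
/interface wireguard peers add interface=wg-vps \
    public-key="<vps-public-key>" endpoint-address=203.0.113.10 \
    endpoint-port=51820 allowed-address=10.0.0.0/24 persistent-keepalive=25s
/ip address add address=10.0.0.2/24 interface=wg-vps

# 2. GRE tunnel to the Pi, using the WG addresses as tunnel endpoints.
#    MTU assumes the default WireGuard MTU of 1420 minus 24 bytes of outer
#    IPv4 + GRE header; adjust if your WG MTU differs.
/interface gre add name=gre-pi1 local-address=10.0.0.2 \
    remote-address=10.0.0.3 mtu=1396 clamp-tcp-mss=yes
/ip address add address=10.1.1.1/30 interface=gre-pi1

# 3. Only accept GRE (IP protocol 47) arriving over the WG link from the
#    expected Pi. GRE carries no authentication of its own, so without this
#    any host able to reach 10.0.0.2 inside the WG network could inject
#    packets into the tunnel. Place both rules above the final drop rule
#    in chain=input.
/ip firewall filter add chain=input in-interface=wg-vps protocol=gre \
    src-address=10.0.0.3 action=accept comment="GRE from pi-1 only"
/ip firewall filter add chain=input in-interface=wg-vps protocol=gre \
    action=drop comment="drop any other GRE over WG"

# 4. Policy routing: traffic from the guest SSID gets a routing mark whose
#    table's default route points into the GRE tunnel. Destinations local to
#    the router (DHCP, DNS) are excluded so the SSID still gets addresses.
/routing table add name=via-pi1 fib
/ip route add dst-address=0.0.0.0/0 gateway=10.1.1.2 routing-table=via-pi1 \
    comment="guest SSID default route via pi-1"
/ip firewall mangle add chain=prerouting in-interface=bridge-guest \
    dst-address-type=!local action=mark-routing new-routing-mark=via-pi1 \
    passthrough=no

# 5. Source-NAT guest traffic to the tunnel address, so the Pi only needs a
#    masquerade rule toward its own uplink and no route back to 192.168.50.0/24.
/ip firewall nat add chain=srcnat out-interface=gre-pi1 action=masquerade
```

The Pi side is the mirror image: a GRE interface with local 10.0.0.3, remote 10.0.0.2 and address 10.1.1.2/30, IP forwarding enabled, and masquerade on its LAN uplink. For the spokes to reach each other through the VPS at all (the "communicate fine with each other" part), the hub's WireGuard config needs each peer's AllowedIPs set to that peer's own WG address and IP forwarding turned on; otherwise the hub has nowhere to send 10.0.0.3-bound packets. If the router's forward chain ends in a drop rule, also add an accept for in-interface=bridge-guest out-interface=gre-pi1.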