u/CommercialEarly1111

I got tired of traditional VPNs being blocked everywhere because of datacenter IP detection, so I built a WireGuard-based setup that can selectively route only specific devices through residential exits.

Architecture is roughly:

Device
→ WireGuard
→ VPN node
→ DNS
→ residential proxy exit
→ Internet

The interesting part was getting transparent proxying working correctly with:
- iptables TPROXY
- policy routing
- routing rules
- per-device residential routing
- avoiding UDP/QUIC bypass issues

One thing I wanted was:
- normal devices use direct routing
- only selected devices use residential IPs
- all controlled dynamically without restarting WireGuard peers

I ended up exposing a small management API that updates routing rules dynamically based on WireGuard client IPs.

Still refining it, but it’s been surprisingly stable once the TPROXY and policy routing pieces were correct.

Still refining everything but it’s been fun. I built this for personal use, but if you want to give it a go let me know.

u/CommercialEarly1111 — 14 days ago
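A concrete rule set for the per-device TPROXY and policy-routing pieces described in the post, written here as an added example rather than OP's code. It assumes (none of this is stated in the post) a WireGuard interface `wg0`, a TCP-only transparent proxy bound to `127.0.0.1:12345` with `IP_TRANSPARENT`, and a free fwmark `0x1` and routing table `100`; the generator functions only emit commands, so a management API can validate the client IP and pipe the output into a root shell.

```shell
#!/bin/sh
# Added example, not the OP's code. Emits the iptables TPROXY and policy-routing
# commands that steer one WireGuard client through a local transparent proxy.
# Assumptions (not stated in the post): WireGuard interface wg0, a TCP-only proxy
# bound to 127.0.0.1:12345 with IP_TRANSPARENT, fwmark 0x1 and routing table 100.
WG_IF="${WG_IF:-wg0}"
TPROXY_PORT="${TPROXY_PORT:-12345}"
MARK="0x1"
TABLE="100"
CHAIN="WG_RESIDENTIAL"

# One-time setup: marked packets are routed to lo as local traffic so the
# TPROXY socket receives them; unselected clients fall through to normal forwarding.
tproxy_base_rules() {
  cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip route add local 0.0.0.0/0 dev lo table $TABLE
iptables -t mangle -N $CHAIN
iptables -t mangle -A PREROUTING -i $WG_IF -j $CHAIN
EOF
}

# Per-device rules keyed on the WireGuard client IP. ACTION is A (add) or D
# (delete), so a management API can toggle a device without touching WG peers.
# TCP is diverted to the proxy; UDP/443 is rejected so browsers fall back from
# QUIC to TCP, and remaining UDP is dropped rather than leaking via direct routing.
# DNS to the VPN node itself is INPUT traffic and is not affected by these rules.
client_rules() {
  action="$1" client="$2"
  case "$action" in A|D) ;; *) echo "action must be A or D" >&2; return 1 ;; esac
  # Accept only digits and dots: the IP comes from an API caller and is
  # interpolated into a command line, so anything else is refused outright.
  case "$client" in ""|*[!0-9.]*|*..*) echo "bad client ip: $client" >&2; return 1 ;; esac
  cat <<EOF
iptables -t mangle -$action $CHAIN -s $client -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $TPROXY_PORT --tproxy-mark $MARK/$MARK
iptables -$action FORWARD -i $WG_IF -s $client -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
iptables -$action FORWARD -i $WG_IF -s $client -p udp -j DROP
EOF
}

# Usage: pipe into a root shell, e.g. `client_rules A 10.0.0.7 | sh`.
if [ -n "${1:-}" ]; then client_rules "$1" "${2:-}"; fi
```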