Omada Controller WireGuard Split Tunneling Issue (Messaging Apps via VPN, Normal Internet via ISP)
Problem Description:
I’m using TP-Link Omada Controller v5.15.24.19 with an ER7206 VPN Router.
I have a WireGuard server running on CasaOS in Germany. My goal is to route messaging applications (e.g., Imo Messenger, WhatsApp, etc.) through the VPN tunnel, while normal internet browsing and other traffic should go directly through the ISP.
What I Tried:
- If I set AllowedIPs = 0.0.0.0/0 in the WireGuard Peer config → all traffic is forced through the VPN, and messaging apps like Imo work fine.
- If I set only specific subnets (e.g., 83.229.96.0/22, 5.150.156.0/22) in AllowedIPs → messaging apps do not work reliably.
- DNS lookups show that messaging apps (like Imo) often use CDN providers (Fastly, AWS, etc.). If I add those CDN ranges to AllowedIPs, then many unrelated websites also go through VPN.
- I also tried Policy Routing based on ports (UDP 3478–3481, TCP 5222–5230). But:
  - If Peer AllowedIPs is not 0.0.0.0/0, the tunnel does not capture all required connections.
  - If AllowedIPs is 0.0.0.0/0, then all traffic goes via VPN (not what I want).
Key Issue:
- Omada does not currently support DNS/domain-based routing or application-aware routing.
- Messaging apps use many IP ranges and CDNs, so it is not possible to reliably route only them over VPN using static subnets.
- As a result, either all traffic goes through VPN, or the messaging apps fail to connect.
My Requirement:
- Messaging applications (Imo, WhatsApp, etc.) → must always use VPN tunnel.
- General internet browsing, video streaming, etc. → should stay on the ISP (no VPN).
My Questions:
- Is there any supported method in Omada to achieve this type of app-specific (messaging only) split tunneling?
- Is domain-based or Layer-7 policy routing planned for Omada in future updates?
- If not currently possible, is there a recommended workaround for this scenario?
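
Added example (not part of the original post, and not Omada or WireGuard code): a small model of why the three configurations above behave as described, using the post's subnets and port ranges. It assumes AllowedIPs entries are also installed as routes (as wg-quick does) and relies on WireGuard discarding outbound packets whose destination matches no peer's AllowedIPs; the function names and sample flows are constructed for illustration.

```python
"""Model of where a flow ends up for a given AllowedIPs and port policy."""
from ipaddress import ip_address, ip_network

# Port-based policy routes quoted in the post.
POLICY_PORTS = {"udp": range(3478, 3482), "tcp": range(5222, 5231)}


def egress(allowed_ips, dst, proto, port, policy_routing=True):
    """Return 'vpn', 'isp' or 'dropped' for one outbound flow.

    Assumption: AllowedIPs entries are also installed as routes, as
    wg-quick does and as the post observes for 0.0.0.0/0 on the router.
    """
    nets = [ip_network(n) for n in allowed_ips]
    if any(ip_address(dst) in n for n in nets):
        return "vpn"  # routed by AllowedIPs and accepted for the peer
    if policy_routing and port in POLICY_PORTS.get(proto, ()):
        # Steered into the tunnel interface by port, but WireGuard finds
        # no peer whose AllowedIPs cover the destination and discards it.
        return "dropped"
    return "isp"


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for CDN-hosted and unrelated hosts.
FLOWS = [
    ("83.229.97.5", "tcp", 443),    # inside a listed subnet
    ("203.0.113.10", "tcp", 443),   # CDN-hosted messaging endpoint
    ("203.0.113.20", "udp", 3478),  # CDN-hosted, port in the policy range
    ("198.51.100.7", "tcp", 443),   # unrelated website
]


def compare():
    """Evaluate every sample flow under both AllowedIPs settings."""
    split = ["83.229.96.0/22", "5.150.156.0/22"]
    full = ["0.0.0.0/0"]
    return [(f, egress(split, *f), egress(full, *f)) for f in FLOWS]


if __name__ == "__main__":
    for flow, split_result, full_result in compare():
        print(flow, "subnets:", split_result, "| 0.0.0.0/0:", full_result)
```

With the two subnets only, the CDN-hosted flows either leave via the ISP or are discarded at the tunnel, which matches the unreliable behaviour reported; with 0.0.0.0/0 every flow, including the unrelated website, goes through the VPN.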