I know… but it is the most simple and there aren’t any big risks in this case
And I think you’re confused about what OP is attempting to do?
They are trying to connect their LAN to a VPN, not connect to Pihole using a VPN.
If the Google Wifi is in bridge mode then the mesh doesn't work, which is a problem.
I don’t think that is the case (that it is split tunnel by default) at all. (And apologies for the delay in reply; I was away from tech this weekend.)
I manage the split tunnel by setting the allowed networks to 10.0.6.0/24 (my WG VPN network) and 192.168.6.0/24 (my internal network). This allows my DNS requests which are being directed to 192.168.6.10 to route. But anything that isn’t on one of those networks goes out the ‘front door’ if you will (5G, wifi where I am).
By default the allowed networks is set to 0.0.0.0/24 which would route all traffic back to your home network.
You may need to add a line to the config file that says DNS=(IP of the DNS server on WG network). I can’t recall if it adds that by default, it’s been a bit since I set this up.
A super easy test would be to hit https://whatismyipaddress.com and make sure that you are getting an IP that isn’t your home network’s external IP.
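The post above controls split tunnelling through the peer's allowed networks and relies on a DNS line pointing into the home network. As an added illustration (not the poster's own code or config), here is a small Python check that parses a WireGuard client config, reports whether it is full- or split-tunnel, and verifies that every configured DNS server actually falls inside an AllowedIPs range, since a DNS server outside those ranges is resolved outside the tunnel. The embedded config is constructed for this example: the 10.0.6.0/24 and 192.168.6.0/24 networks and the 192.168.6.10 resolver mirror the addresses in the thread, while the key values, the endpoint hostname and the port are placeholders.

```python
"""Audit a WireGuard client config: full tunnel or split tunnel, and is DNS
routed through the tunnel? Constructed example, not from the original thread."""
import ipaddress

# Constructed client config. Key material and endpoint are placeholders;
# the networks and resolver address follow the thread's own example.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.6.2/32
DNS = 192.168.6.10

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:66766
AllowedIPs = 10.0.6.0/24, 192.168.6.0/24
PersistentKeepalive = 25
"""

# Same config with a default route for v4 and v6: everything goes home.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.0.6.0/24, 192.168.6.0/24", "AllowedIPs = 0.0.0.0/0, ::/0"
)


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) with lower-cased keys.

    A hand parser is used because configparser rejects repeated [Peer]
    sections, which WireGuard allows.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # WireGuard comments start with '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return interface, peers


def allowed_networks(peers):
    """Collect every AllowedIPs entry across all peers as ip_network objects."""
    nets = []
    for peer in peers:
        for cidr in peer.get("allowedips", "").split(","):
            cidr = cidr.strip()
            if cidr:
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def is_full_tunnel(nets):
    """A default route (0.0.0.0/0 or ::/0) in AllowedIPs means full tunnel."""
    return any(net.prefixlen == 0 for net in nets)


def dns_routed_via_tunnel(interface, nets):
    """True only if every DNS server in [Interface] lies inside some AllowedIPs range."""
    servers = [s.strip() for s in interface.get("dns", "").split(",") if s.strip()]
    if not servers:
        return False
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            return False  # search domain rather than an IP; routing can't be checked
        if not any(addr.version == net.version and addr in net for net in nets):
            return False
    return True


def audit(text):
    """Summarise tunnel mode and DNS routing for one config text."""
    interface, peers = parse_wg_conf(text)
    nets = allowed_networks(peers)
    return {
        "full_tunnel": is_full_tunnel(nets),
        "dns_via_tunnel": dns_routed_via_tunnel(interface, nets),
        "allowed": [str(n) for n in nets],
    }


if __name__ == "__main__":
    for label, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(label, audit(conf))
```

Running it prints the split config as not full-tunnel with DNS routed through the tunnel, and the full config as full-tunnel. Dropping 192.168.6.0/24 from AllowedIPs while keeping DNS = 192.168.6.10 is the misconfiguration the check is meant to catch: the resolver is then reached outside the tunnel.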
WireGuard is easy too and much more secure.
Thank you and no worries.
I’ve spent the whole weekend fighting with it and my current assumption is that my ISP-provided modem is breaking things.
It can’t be put into modem/bridge mode; it insists on being a crappy router, so I have 2 in a row.
Next step is testing all of this on my office network to see if it works there.
Not available in Mikrotik stable yet
Don’t forget you’ll need some sort of route rule on your router. Say for example you have WireGuard running on port 66766. You’ll need a route in your router that says take all traffic for 66766 on (external IP) and route it to (WG internal IP). Make sense? Without that it just dies at the door because the router doesn’t know what to do with that traffic.
I don’t have my router in bridge mode at all. I have it doing DHCP, etc. I just route the WG traffic to the Pi and I have the DNS set in DHCP to hand out the Pi’s IP.
Yup, I’ve tried all combinations of NAT but it didn’t help.
Just to be clear, this would be a port forward, which depending on your router may be on a different config page than the NAT settings.
Yes,
Router has it under NAT, modem under firewall