← Back to Docs

Per-Device VPN Routing

How It Works

TLSOps routes traffic by source IP address. Each device on your LAN (and each device connected via the built-in WireGuard server) can have its own default outbound: Direct (unmodified path to the internet), a specific VPN tunnel, or a tunnel group. Domain-level rules can further override the device default for individual domains.

Prerequisites

  • At least one VPN tunnel added under VPN Tunnels (required only if routing through a tunnel)
  • Your router must hand out TLSOps as the default gateway for client devices — DNS-only mode does not apply routing policy to actual traffic

Assigning a Routing Policy to a Device

  1. Go to the Devices tab — devices appear here automatically after they use TLSOps as their DNS server or gateway
  2. Click the device card to open its settings
  3. Under Default Outbound, select: Direct, a specific VPN tunnel, or a tunnel group
  4. Click Save — the change takes effect within seconds, no restart required

Per-Device Default Route Limit

Each plan limits how many devices can have a non-default outbound assignment. The Free plan allows one per-device assignment. Devices beyond that limit use the global default (Direct) unless an assignment is freed up.

Domain-Level Overrides

A device's default outbound can be overridden for specific domains using domain routes or app presets. For example: a device set to route all traffic via Mullvad can still send netflix.com direct for better streaming performance.

Remote Devices via WireGuard

Devices connected through the built-in WireGuard server appear in the device list alongside LAN devices and follow the same routing policy. This means your phone or laptop away from home gets the same VPN and filtering rules you have set up at home — automatically.