diff --git a/apps/rego-tunnel/shared/host-routing.sh b/apps/rego-tunnel/shared/host-routing.sh
index 7450eda..1a28bb5 100644
--- a/apps/rego-tunnel/shared/host-routing.sh
+++ b/apps/rego-tunnel/shared/host-routing.sh
@@ -11,6 +11,8 @@ ACTION="${1:-start}"
 CONTAINER_IP="172.31.0.10"
 BRIDGE_NAME="br-rego-vpn"
 TARGET_IP="${TARGET_IP:-10.35.33.230}"
+LAN_SUBNET="192.168.0.0/23"
+LAN_INTERFACES="eth0 eth1 wlan0"
 LOG_FILE="/var/log/rego-routing.log"
 
 log() {
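Review bot: `LAN_SUBNET` and `LAN_INTERFACES` are hard-coded while the neighbouring `TARGET_IP` is environment-overridable, so a host with a different LAN range or interface naming cannot use this script without editing it; write them the same way, `LAN_SUBNET="${LAN_SUBNET:-192.168.0.0/23}"` and `LAN_INTERFACES="${LAN_INTERFACES:-eth0 eth1 wlan0}"`. Since these values become the source-address scope of the NAT rule and the list of interfaces that get a DOCKER-USER ACCEPT, a one-line comment above them stating that intent (e.g. `# Only hosts in LAN_SUBNET arriving on LAN_INTERFACES are forwarded/NATed to TARGET_IP`) would help the next maintainer keep the two consistent. The static list also replaces what appears to have been runtime detection via get_lan_interface, which is outside this hunk; if that function still exists it is now unused and could be dropped.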
@@ -50,38 +52,44 @@ apply_routes() {
     ip route replace "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
     log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME"
 
-    # Allow forwarding in DOCKER-USER chain (if LAN interface detected)
-    if [[ -n "$lan_if" ]]; then
-        # Allow traffic from LAN to container for TARGET_IP
-        iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
-            iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
+    # Allow forwarding in DOCKER-USER chain for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
+        # Check if interface exists
+        if ip link show "$lan_if" &>/dev/null; then
+            # Allow traffic from LAN to container for TARGET_IP
+            iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
 
-        # Allow return traffic
-        iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
-            iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            # Allow return traffic
+            iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-        log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
-    else
-        log "WARN: Could not detect LAN interface, skipping DOCKER-USER rules"
-    fi
+            log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
+        fi
+    done
+
+    # Masquerade traffic from LAN subnet to VPN bridge (so return traffic routes correctly)
+    iptables -t nat -C POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE 2>/dev/null || \
+        iptables -t nat -A POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE
+    log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
 
     log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)"
 }
 
 remove_all() {
-    local lan_if
-    lan_if="$(get_lan_interface)"
-
     log "Removing all routing rules..."
 
     # Remove route
     ip route del "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
 
-    # Remove iptables rules
-    if [[ -n "$lan_if" ]]; then
+    # Remove iptables rules for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
         iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
         iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
-    fi
+    done
+
+    # Remove masquerade rule
+    iptables -t nat -D POSTROUTING -o "$BRIDGE_NAME" -s "$LAN_SUBNET" -j MASQUERADE 2>/dev/null || true
 
     log "All routing rules removed"
 }
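Review bot: The new POSTROUTING rule is matched only on `-o "$BRIDGE_NAME" -s "$LAN_SUBNET"`, so it masquerades every LAN-sourced flow that leaves through the bridge, not just the single `$TARGET_IP/32` route this script installs, and the DOCKER-USER ACCEPT a few lines above is the mirror image — scoped to `-d "$TARGET_IP"` but accepting any source address on the listed interfaces (now including `wlan0`). Tightening both to the same tuple keeps the NAT and forwarding scope equal to the intended route: `-o "$BRIDGE_NAME" -s "$LAN_SUBNET" -d "$TARGET_IP" -j MASQUERADE` in the `-C`, `-A` and `-D` invocations, and `-s "$LAN_SUBNET"` added to the forward ACCEPT's `-C`/`-I` pair and to its `-D` in remove_all. Separately, `for lan_if in $LAN_INTERFACES` relies on deliberate word-splitting; a `# shellcheck disable=SC2086 — space-separated list by design` comment, or an array, documents that, and if apply_routes (which starts above this hunk) still declares `local lan_if` via get_lan_interface that assignment is now dead.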