Possible to serve both VPN and non-VPN traffic on same port?

Hi all, very likely a dumb question here, but let’s go :)

Is it possible to set up a networking component (like a load balancer) which is capable of serving both regular non-Tailscale traffic as well as Tailscale traffic on the same port? Like a “VPN-aware” edge. An example use case is serving api.company.com/public to API consumers, and api.company.com/private only to Tailscale users.

As far as I understand, WireGuard is configured to listen on a port, and nothing else can use that port. That alone probably bars this setup from being feasible, or am I missing something? Does anyone do this? I think it would be really neat to have this kind of VPN-aware networking component.