diff --git a/app.py b/app.py
index d9338e5..5e5f188 100644
--- a/app.py
+++ b/app.py
@@ -327,6 +327,27 @@ def wg_update_state():
 error=None, has_config=has_conf)
+_AP_SUBNET = '10.42.0.0/24' # NetworkManager Hotspot-Standard
+
+
+def _wg_add_hotspot_routes():
+ """Hotspot-Subnet vom WireGuard-Tunnel ausschließen (höhere Priorität als wg-quick-Regeln)."""
+ subprocess.run(['ip', 'rule', 'add', 'from', _AP_SUBNET,
+ 'table', 'main', 'priority', '100'], capture_output=True)
+ subprocess.run(['ip', 'rule', 'add', 'to', _AP_SUBNET,
+ 'table', 'main', 'priority', '101'], capture_output=True)
+ log.info('Hotspot-Routing-Regeln gesetzt (Prio 100/101)')
+
+
+def _wg_remove_hotspot_routes():
+ """Hotspot-Routing-Regeln wieder entfernen."""
+ subprocess.run(['ip', 'rule', 'del', 'from', _AP_SUBNET,
+ 'table', 'main', 'priority', '100'], capture_output=True)
+ subprocess.run(['ip', 'rule', 'del', 'to', _AP_SUBNET,
+ 'table', 'main', 'priority', '101'], capture_output=True)
+ log.info('Hotspot-Routing-Regeln entfernt')
+
+
 def wg_connect():
 if not WG_CONF.exists():
 with wg_lock:
@@ -336,6 +357,7 @@ def wg_connect():
 capture_output=True, text=True, timeout=30)
 if r.returncode == 0:
 time.sleep(1)
+ _wg_add_hotspot_routes()
 wg_update_state()
 log.info('WireGuard verbunden')
 return True
@@ -352,6 +374,7 @@ def wg_connect():
 def wg_disconnect():
+ _wg_remove_hotspot_routes()
 r = subprocess.run(['wg-quick', 'down', WG_IFACE],
 capture_output=True, text=True, timeout=15)
 with wg_lock:
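Review bot: Both helpers added in the first hunk discard the result of every `ip rule` call and then log success unconditionally, so a failed add or del (missing privileges, rule already present or already gone) is still reported as "gesetzt" or "entfernt". The routing exception can then differ from what the log claims without anyone noticing. Check `returncode`, log `stderr` on failure, and emit the info line only when both commands succeeded; the sketch below routes both helpers through one wrapper. These calls also carry no `timeout`, unlike the `wg-quick` calls visible in the later hunks.

```python
def _ip_rule(action, selector, priority):
    """Run one `ip rule` command for the hotspot subnet; return True on success."""
    r = subprocess.run(['ip', 'rule', action, selector, _AP_SUBNET,
                        'table', 'main', 'priority', priority],
                       capture_output=True, text=True)
    if r.returncode != 0:
        log.warning('ip rule %s %s %s fehlgeschlagen: %s',
                    action, selector, _AP_SUBNET, r.stderr.strip())
    return r.returncode == 0


def _wg_add_hotspot_routes():
    # ... unchanged: docstring ...
    results = [_ip_rule('add', 'from', '100'), _ip_rule('add', 'to', '101')]
    if all(results):
        log.info('Hotspot-Routing-Regeln gesetzt (Prio 100/101)')

# ... _wg_remove_hotspot_routes: same pattern with 'del' and its own log line ...
```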
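Review bot: Once the call added in the second hunk runs, the `from 10.42.0.0/24 ... table main priority 100` rule is evaluated ahead of the wg-quick rules, so every packet sourced from the hotspot subnet is resolved in `main`, not only traffic addressed to the subnet itself. If the WireGuard config routes a default via the tunnel (not visible here), hotspot clients would then reach the internet outside the VPN. If that is intended, state it at the call site, e.g. `# hotspot clients deliberately bypass the tunnel`; if only local reachability of the hotspot subnet was wanted, the `from` rule looks broader than needed. wg_connect's body starts and ends outside the hunk.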
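Review bot: In the third hunk `_wg_remove_hotspot_routes()` runs before `wg-quick down` and regardless of its result, whereas the connect path adds the rules only after a successful `wg-quick up`. If the down call fails or hits its 15 s timeout, the tunnel may stay up with the hotspot exceptions already removed. Consider moving the call behind the success check on `r` (presumably further down; wg_disconnect continues outside the hunk), or document the order with a comment such as `# remove exceptions first; harmless if the tunnel stays up` if it is deliberate.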