How to Set Up Split Tunneling with WireGuard

WireGuard split tunneling allows you to route only specific traffic through the VPN while the rest uses your regular internet connection. This is achieved by carefully configuring the AllowedIPs parameter rather than relying on traditional VPN split tunneling toggles.

This setup is useful when you want to:

  • Access internal or geo-restricted resources via VPN
  • Maintain low latency for local traffic (gaming, streaming, LAN)
  • Avoid routing all traffic through the VPN tunnel

Prerequisites

  • A working WireGuard server
  • A configured client profile
  • Basic understanding of IP routing

How Split Tunneling Works in WireGuard

Unlike traditional VPN clients, WireGuard does not use a toggle for split tunneling. Instead, it relies entirely on the AllowedIPs directive.

  • Full tunnel: 0.0.0.0/0, ::/0 → routes all traffic through VPN
  • Split tunnel: specify only certain subnets → routes only those through VPN

This makes WireGuard both faster and more predictable, but requires manual configuration.

Step 1: Install WireGuard Client

Linux:

sudo apt update
sudo apt install wireguard

Windows:

Download from the official WireGuard website.

Step 2: Basic Client Configuration

Example client configuration:

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0

This configuration sends all traffic through the VPN (full tunnel).

Step 3: Enable Split Tunneling (Recommended Method)

To enable split tunneling, modify AllowedIPs so only specific traffic is routed via the VPN.

Example: Route only VPN subnet

AllowedIPs = 10.0.0.0/24

Result:

  • Only traffic to 10.0.0.0/24 goes through VPN
  • All other traffic uses your normal internet connection

Example: Route specific country/service IPs

AllowedIPs = 203.0.113.0/24

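This is useful for accessing geo-restricted services without tunneling everything. 203.0.113.0/24 is a documentation placeholder range; replace it with the prefixes the service actually uses.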

Step 4: Advanced Split Tunneling (Policy-Based Routing)

If you want more control (e.g., route specific apps or source IPs), you can use policy routing.

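[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.2/32
# Stop wg-quick from adding its own routes for AllowedIPs
Table = off

PostUp = ip rule add from 192.168.1.100 table 51820
PostUp = ip route add default dev wg0 table 51820
PostDown = ip rule delete from 192.168.1.100 table 51820
PostDown = ip route delete default dev wg0 table 51820

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
# Must cover every destination the policy route sends into the tunnel
AllowedIPs = 0.0.0.0/0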

This setup routes traffic only from a specific local IP through the VPN.

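Note: This method is Linux-specific and requires proper routing table management. PostUp and PostDown are wg-quick hooks that run shell commands as root, so read any profile from a source you do not control before bringing it up.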

Step 5: Verify Configuration

ip route
ip rule
ip route show table 51820

You should see:

  • Custom routing table entries
  • Rules matching your split tunneling setup

Step 6: Testing

Test routing behavior:

curl ifconfig.me
traceroute 8.8.8.8

Expected results:

  • Traffic included in AllowedIPs → VPN IP
  • Other traffic → ISP IP

Common Mistakes

  • Using 0.0.0.0/0 and expecting split tunneling → this is full tunnel
  • Incorrect routing tables in PostUp
  • Forgetting to restart interface: wg-quick down wg0 && wg-quick up wg0
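
As an added example (not part of the original guide), this Python script reads the AllowedIPs of a wg-quick profile and reports whether it is really a split tunnel, covering both the Step 3 rule and the 0.0.0.0/0 mistake listed above. The profile text, function names and test destinations are constructed for illustration, and the check models AllowedIPs only: on a real host a more specific route in the main table still wins.

```python
import ipaddress

# Constructed sample profile (keys and endpoint are placeholders, as in the guide).
SAMPLE_CONF = """\
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 10.0.0.0/24, 203.0.113.0/24
"""

def allowed_ips(conf_text):
    """Collect every AllowedIPs prefix from the [Peer] sections of a profile."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "peer" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def full_tunnel_families(nets):
    """Return the IP versions (4, 6) whose whole address space is covered."""
    covered = set()
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        # Collapsing catches equivalents of /0 such as 0.0.0.0/1 + 128.0.0.0/1.
        if any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(same)):
            covered.add(version)
    return covered

def path_for(dest, nets):
    """'vpn' if the destination is inside an AllowedIPs prefix, else 'direct'."""
    addr = ipaddress.ip_address(dest)
    hit = any(addr.version == n.version and addr in n for n in nets)
    return "vpn" if hit else "direct"

if __name__ == "__main__":
    nets = allowed_ips(SAMPLE_CONF)
    print("full tunnel for IPv:", sorted(full_tunnel_families(nets)) or "none")
    for dest in ("10.0.0.1", "203.0.113.7", "8.8.8.8", "2001:db8::1"):
        print(dest, "->", path_for(dest, nets))
```
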

Summary

WireGuard split tunneling is controlled entirely through AllowedIPs. For most users, the simplest and most efficient approach is:

  • Use specific subnets instead of full tunnel
  • Avoid unnecessary policy routing unless needed

This keeps your setup fast, secure, and easy to maintain.

1 thought on “How to Set Up Split Tunneling with WireGuard”

  1. editor1

    I tried this in both Windows and Linux Mint, and the WireGuard GUI programs both reported that the PostUp/Down stuff was invalid syntax 🙁
    Any clue what I'm doing wrong? Thanks for the guide anyhow!
