How to Set Up Split Tunneling with WireGuard

Split tunneling allows users to route some of their internet traffic through a VPN while letting the rest go through their regular internet connection. This feature is particularly useful when you want to access both private resources via a VPN and public resources without the overhead of tunneling all your traffic. WireGuard, a modern VPN protocol, is lightweight, fast, and easy to configure. In this guide, we will dive into setting up split tunneling with WireGuard.

Prerequisites

  • A server with WireGuard installed and configured (can be your own server or a VPN provider that supports WireGuard).
  • WireGuard client installed on your local machine.
  • Basic understanding of networking and routing.

Step 1: Install WireGuard on Your Local Machine

If you haven’t already installed WireGuard, the first step is to install the client software on your machine. WireGuard is available for Linux, macOS, Windows, iOS, and Android. Below are installation instructions for Linux and Windows:

For Linux:

sudo apt update
sudo apt install wireguard

For Windows:

Download the latest WireGuard installer from the official WireGuard website and follow the installation steps.

Step 2: Configure Your WireGuard VPN Server

A WireGuard "server" is just a peer with a fixed, reachable endpoint; it needs a configuration before any client can connect. Here is a basic wg-quick configuration for it (/etc/wireguard/wg0.conf on Linux):

[Interface]
# the server's private key
PrivateKey = 
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# the client's public key
PublicKey = 
AllowedIPs = 10.0.0.2/32

This makes the server listen on UDP port 51820 (open that port in the server's firewall) with the tunnel address 10.0.0.1/24. WireGuard does not hand out addresses: the client sets its own address (10.0.0.2 here), and the server-side AllowedIPs = 10.0.0.2/32 is what authorises that peer to send packets with source 10.0.0.2 and nothing else (WireGuard's cryptokey routing). If clients are meant to reach anything beyond the server itself, the server additionally needs IP forwarding enabled and, for internet access, NAT on its outbound interface; that setup is outside the scope of this guide.

Step 3: Setting Up Split Tunneling on the Client

Once your WireGuard server is running, configure the client. On the client side, AllowedIPs does two jobs: it is the cryptokey-routing filter (packets arriving from the peer with any other source address are dropped) and, under wg-quick and the GUI clients, it is the list of destination prefixes for which routes to the tunnel are installed. Split tunneling is therefore configured by listing in AllowedIPs only the destinations that should go through the VPN; every other destination keeps using the normal default route, on every platform and without any scripting.

Here is a sample client configuration that tunnels only the VPN subnet and one private network behind the server (192.168.50.0/24 stands in for whatever that network is):

[Interface]
# client private key
PrivateKey = 
Address = 10.0.0.2/32

[Peer]
# server public key
PublicKey = 
# server host or IP goes before the colon
Endpoint = :51820
AllowedIPs = 10.0.0.0/24, 192.168.50.0/24  # only these destinations use the VPN

With this AllowedIPs, traffic to 10.0.0.0/24 and 192.168.50.0/24 enters the tunnel and everything else, web browsing included, leaves through your regular connection. The DNS = 1.1.1.1 line found in full-tunnel examples is omitted on purpose: wg-quick would make it the system-wide resolver, which a split tunnel usually does not want. Set DNS to a resolver inside the VPN only if you need to resolve private names, and be aware that every query on the machine then goes to that resolver. If you instead want everything through the VPN except a few destinations, see Step 4.

Step 4: Modify Routing Tables for Split Tunneling

The opposite arrangement, a full tunnel (AllowedIPs = 0.0.0.0/0, ::/0) with a few destinations carved out, needs routing-policy rules, because wg-quick does not implement a full tunnel by replacing the default route. It puts the tunnel's default route in a separate routing table (numbered after the interface's fwmark, 51820 by default), adds the rule "not fwmark 51820 lookup 51820" so that everything except WireGuard's own encrypted packets consults that table, and adds "lookup main suppress_prefixlength 0" ahead of it so that any route in the main table more specific than a default route still wins. Two consequences matter for split tunneling: directly connected networks such as your own LAN already bypass the tunnel, because the main table holds a connected /24 route for them; and any bypass rule you add must match on the destination (to), not the source (from), because locally generated packets have no source address yet when the routing decision is made, so a "from 192.168.1.100" rule never matches them.

PostUp and PostDown run commands after the interface is brought up and down. They belong in the [Interface] section, not under [Peer], and they are a feature of the Linux wg-quick script only; the Windows and macOS GUI clients reject them as invalid. To send everything through the VPN except traffic to 192.168.1.0/24 (here a network reached through a gateway on your side, such as a second office subnet, not your directly attached LAN), the client configuration becomes:

[Interface]
# client private key
PrivateKey = 
Address = 10.0.0.2/32
DNS = 1.1.1.1
# Split tunneling: exclude a destination from the full tunnel (Linux wg-quick only)
PostUp = ip rule add to 192.168.1.0/24 lookup main priority 100
PostDown = ip rule del to 192.168.1.0/24 lookup main priority 100

[Peer]
# server public key
PublicKey = 
# server host or IP goes before the colon
Endpoint = :51820
AllowedIPs = 0.0.0.0/0, ::/0  # Route all traffic through VPN

The bypass rule has priority 100, so it is consulted before the rules wg-quick installs (32764 and 32765 in the usual setup), and packets to 192.168.1.0/24 are routed from the main table, that is, through your regular connection. Giving the rule an explicit priority also makes the PostDown deletion unambiguous. For IPv6 destinations the same rule is needed with ip -6 rule. On Windows, where PostUp is unavailable, achieve the same effect by enumerating the prefixes you do want tunneled in AllowedIPs; the Windows client's "Exclude private IPs" checkbox does exactly that rewrite for the RFC 1918 ranges.

Step 5: Verify Split Tunneling Configuration

After configuring the client, verify that the split actually does what you intend. Note that ip route show prints only the main table: the per-prefix routes that a restricted AllowedIPs list installs do appear there (one route per prefix, dev wg0), but a full tunnel's default route lives in wg-quick's separate table, so list every table together with the policy rules:

ip route show table all
ip rule show

For a restricted AllowedIPs you should see one route per listed prefix via wg0 and an untouched default route via your normal interface; for a full tunnel you should see the default route in table 51820, the not-fwmark and suppress_prefixlength rules, and any bypass rule you added at a lower priority number. The definitive check for a single destination is ip route get, which resolves rules and tables exactly as the kernel will for a real packet.
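As an added example that is not part of the original guide, the following POSIX shell script ties Steps 3 and 5 together: it predicts, from a client's AllowedIPs string as written in the config, which IPv4 destinations WireGuard will send through the tunnel, and, where iproute2 is available, compares that with the kernel's actual decision from ip route get. The interface name wg0, the AllowedIPs value and the three test destinations are assumptions for the demonstration, and the ip route get output lines shown in the comments are constructed samples.

```sh
#!/bin/sh
# Added example, not code from the original guide.
# Predicts which IPv4 destinations a WireGuard client's AllowedIPs will route
# through the tunnel, then (if iproute2 is present) asks the kernel what it
# really does with "ip route get", which honours the policy rules wg-quick adds.
# Assumptions: tunnel interface wg0; the AllowedIPs and destinations below are
# illustrative values, not taken from the page.

WG_IF=${WG_IF:-wg0}

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IPv4 address $1 lies inside prefix $2 (a.b.c.d/len or a bare address).
cidr_match() {
    case $2 in
        */*) _net=${2%/*}; _bits=${2#*/} ;;
        *)   _net=$2;      _bits=32 ;;
    esac
    [ "$_bits" -eq 0 ] && return 0
    _mask=$(( (4294967295 << (32 - $_bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "$_net") & $_mask )) ]
}

# Prints "tunnel" if $1 matches any prefix in the AllowedIPs string $2
# (comma-separated, as written in the config; IPv6 prefixes are skipped), else "direct".
predict_path() {
    for _cidr in $(printf '%s' "$2" | tr ',' ' '); do
        case $_cidr in *:*) continue ;; esac
        if cidr_match "$1" "$_cidr"; then echo tunnel; return 0; fi
    done
    echo direct
}

# Extracts the egress interface from one line of "ip route get" output, e.g. (constructed):
#   10.0.0.1 dev wg0 table 51820 src 10.0.0.2 uid 1000
#   1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.100 uid 1000
egress_dev() {
    _prev=
    for _tok in $1; do
        if [ "$_prev" = dev ]; then echo "$_tok"; return 0; fi
        _prev=$_tok
    done
    return 1
}

# Asks the kernel for its routing decision on $1 and classifies it as tunnel/direct.
actual_path() {
    _dev=$(egress_dev "$(ip route get "$1" 2>/dev/null | head -n 1)") || return 1
    if [ "$_dev" = "$WG_IF" ]; then echo tunnel; else echo direct; fi
}

# Split-tunnel AllowedIPs in the style of Step 3 (illustrative values).
ALLOWED="10.0.0.0/24, 192.168.50.0/24"

for _dst in 10.0.0.1 192.168.50.7 1.1.1.1; do
    printf '%-14s predicted=%-7s' "$_dst" "$(predict_path "$_dst" "$ALLOWED")"
    if command -v ip >/dev/null 2>&1; then
        printf ' kernel=%s\n' "$(actual_path "$_dst" || echo unknown)"
    else
        printf '\n'
    fi
done
```

Run it on the client after wg-quick up wg0; a destination whose predicted and kernel columns disagree points at a missing route or a policy rule that is not doing what you expect. For the full-tunnel variant from Step 4, set ALLOWED to "0.0.0.0/0, ::/0": every prediction is then "tunnel", and the kernel column shows which destinations your bypass rule actually pulls out.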

Step 6: Testing and Troubleshooting

If something does not work, test the path with ping or traceroute to one destination that should be inside the tunnel and one that should be outside, and check the handshake state with wg show: a missing or stale "latest handshake" means packets are not reaching the peer at all, which is a key, endpoint or firewall problem rather than a split-tunneling one. Errors from bringing the interface up, including failing PostUp commands, are recorded in the journal of the wg-quick unit:

sudo journalctl -u wg-quick@wg0

If the interface comes up but the split is wrong, confirm that PostUp and PostDown are in the [Interface] section (the Windows and macOS GUI clients do not support them at all; use AllowedIPs there), that bypass rules match on to rather than from, and that a local firewall (nftables or iptables) is not dropping traffic on wg0.


1 Comment

  1. editor1 trix

    I tried this on both Windows and Linux Mint, and the WireGuard GUI programs both reported that the PostUp/PostDown stuff was invalid syntax 🙁
    Any clue what I'm doing wrong? Thanks for the guide anyhow!
