Split Tunnel
This guide will describe the steps required to enable split tunneling with WireGuard using Firezone so only traffic to defined IP ranges will be routed through the VPN server.
Step 1 - Configure Allowed IPs
The Allowed IPs field found on the /settings/default page determines the IP ranges for which the client will route network traffic. Modifications to this field will apply only to new WireGuard tunnel configurations generated by Firezone.
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Some examples of values in this field are:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the 3.5.140.1 - 3.5.143.254 range will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
Note: When deciding where to route a packet, Firezone chooses the egress interface corresponding to the most specific route first.
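The following added example (not Firezone or WireGuard code) audits a client configuration: it parses AllowedIPs, reports whether the tunnel is full or split, and applies a simplified longest-prefix model to show which interface a destination would leave through. The sample configuration, the interface names wg0 and eth0, and the local route table are constructed assumptions; the parser expects a single [Peer] section.

```python
import configparser
import ipaddress

# Constructed client config; key values and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 10.3.2.2/32

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
AllowedIPs = 192.0.2.3/32, 3.5.140.0/22
Endpoint = vpn.example.com:51820
"""

# Constructed non-VPN routes on the client: (CIDR, interface).
LOCAL_ROUTES = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")]


def allowed_networks(conf_text):
    """Parse AllowedIPs from the single [Peer] section of a client config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser["Peer"]["AllowedIPs"]
    return [ipaddress.ip_network(p.strip()) for p in raw.split(",") if p.strip()]


def is_full_tunnel(networks):
    """True if any entry is a default route (0.0.0.0/0 or ::/0)."""
    return any(net.prefixlen == 0 for net in networks)


def egress(dest, tunnel_nets, local_routes=LOCAL_ROUTES, tunnel_if="wg0"):
    """Pick the interface whose route matches dest with the longest prefix."""
    addr = ipaddress.ip_address(dest)
    routes = [(net, tunnel_if) for net in tunnel_nets]
    routes += [(ipaddress.ip_network(cidr), dev) for cidr, dev in local_routes]
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == addr.version and addr in net]
    # max() keeps the first of equal prefixes, so the tunnel wins a tie in this model.
    return max(hits, key=lambda h: h[0])[1] if hits else None


if __name__ == "__main__":
    nets = allowed_networks(SAMPLE_CONF)
    print("full tunnel:", is_full_tunnel(nets))
    for dest in ("192.0.2.3", "3.5.141.7", "3.5.144.1", "192.168.1.10"):
        print(dest, "->", egress(dest, nets))
```

Running the same check against a configuration that still carries 0.0.0.0/0, ::/0 is a quick way to spot devices that were not regenerated after the Allowed IPs field was changed.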
Step 2 - Regenerate WireGuard configurations
To update existing user devices with the new split tunnel configuration, users will need to regenerate the configuration files and add them to their native WireGuard client.
See add device for instructions.