Skip to main content

Split Tunnel VPN

This guide will describe the steps required to enable split tunneling with WireGuard using Firezone so only traffic to defined IP ranges will be routed through the VPN server.

Step 1 - Configure Allowed IPs

The Allowed IPs field found on the /settings/default page determines the IP ranges for which the client will route network traffic. Modifications to this field will apply only to new WireGuard tunnel configurations generated by Firezone.

set split tunneling defaults

The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.

Some examples of values in this field are:

  • 0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
  • 192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
  • 3.5.140.0/22 - only traffic to IPs in the 3.5.140.1 - 3.5.143.254 range will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
note

When deciding where to route a packet, Firezone chooses the egress interface corresponding to the most specific route first.

Step 2 - Regenerate WireGuard configurations

To update existing user devices with the new split tunnel configuration, users will need to regenerate the configuration files and add them to their native WireGuard client.

See add device for instructions.