This guide will describe the steps required to enable split tunneling with WireGuard using Firezone so only traffic to defined IP ranges will be routed through the VPN server.
Step 1 - Configure Allowed IPs
Allowed IPs field found on the
/settings/default page determines the IP
ranges for which the client will route network traffic. Modifications to this
field will apply only to new WireGuard tunnel configurations generated by Firezone.
The default value is
0.0.0.0/0, ::/0, which routes all network traffic
from the client to the VPN server.
Some examples of values in this field are:
0.0.0.0/0, ::/0- all network traffic will be routed to the VPN server.
192.0.2.3/32- only traffic to a single IP address will be routed to the VPN server.
188.8.131.52/22- only traffic to IPs in the
184.108.40.206 - 220.127.116.11range will be routed to the VPN server. In this example, the CIDR range for the
ap-northeast-2AWS region was used.
When deciding where to route a packet, Firezone chooses the egress interface corresponding to the most specific route first.
Step 2 - Regenerate WireGuard configurations
To update existing user devices with the new split tunnel configuration, users will need to regenerate the configuration files and add them to their native WireGuard client.
See add device for instructions.