How to configure Split Tunnelling
WireGuard Split Tunnelling
To start, head over to the configs section of your dashboard and download the configs you'd like to use. Next, you'll want to grab the IP address (or addresses) that you'd like to route through the VPN server. For the sake of clarity, let's pretend:
- Our external IP address for this guide is 123.123.123.123
- We have an internal service running on the VPN server with an IP address of 192.168.1.123
- The config that we've downloaded is this:
[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Including Subnets
If we only want to route traffic towards our internal service through the tunnel (reminder: the internal IP for the service is 192.168.1.123, as outlined above), we would update our config to look something like this:
[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 192.168.1.123/32
PersistentKeepalive = 25
This means WireGuard would only route traffic destined for 192.168.1.123 through the tunnel to the VPN server; everything else leaves your system via its normal route.
Excluding Subnets
This is a little more complicated. With the same example as above, let's pretend you want to route all traffic through the tunnel except traffic to your public IP address. This can be helpful when connecting to a VPN from inside an SSH or RDP session, so that the session is not disconnected when the tunnel comes up. If you have access to a UNIX-based system, we've created a helpful script you can download via curl:
curl -LsS https://shockvpn.com/api/scripts/exclude_subnets.sh -o exclude_subnets.sh
Be sure that your script is executable (chmod +x exclude_subnets.sh) and run the script with the -s (sort the subnets by prefix for clarity) and -w (give us a response in the format needed for our WireGuard config) flags. In our case that would look like this:
./exclude_subnets.sh 123.123.123.123 -s -w
This should return something similar to this:
AllowedIPs = 128.0.0.0/1, 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/4, 112.0.0.0/5, 124.0.0.0/6, 120.0.0.0/7, 122.0.0.0/8, 123.128.0.0/9, 123.0.0.0/10, 123.64.0.0/11, 123.96.0.0/12, 123.112.0.0/13, 123.124.0.0/14, 123.120.0.0/15, 123.122.0.0/16, 123.123.128.0/17, 123.123.0.0/18, 123.123.64.0/19, 123.123.96.0/20, 123.123.112.0/21, 123.123.124.0/22, 123.123.120.0/23, 123.123.122.0/24, 123.123.123.128/25, 123.123.123.0/26, 123.123.123.64/27, 123.123.123.96/28, 123.123.123.112/29, 123.123.123.124/30, 123.123.123.120/31, 123.123.123.122/32
If you don't have access to a UNIX-based system, you can use our API route at https://shockvpn.com/api/scripts/exclude_subnets. To use the API route, you must pass in a query parameter ip along with the IP address (or multiple IP addresses separated by commas). For this example, we would have https://shockvpn.com/api/scripts/exclude_subnets?ip=123.123.123.123 which would return the same output as above (the script output).
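As an added illustration (this is not ShockVPN's exclude_subnets.sh, nor the code behind the API route), here is a small Python reimplementation of what the exclusion step computes, built on the standard library's ipaddress module. The function names are my own, and it goes slightly beyond the guide by accepting several excluded blocks and by checking the result before you paste it into a config:

```python
import ipaddress


def exclude_subnets(excluded, base="0.0.0.0/0"):
    """Return the CIDR networks that together cover `base` minus every address
    or network in `excluded`, ordered by prefix length (like the -s flag) and
    then by network address."""
    remaining = [ipaddress.ip_network(base)]
    for item in excluded:
        ex = ipaddress.ip_network(item, strict=False)  # "1.2.3.4" -> 1.2.3.4/32
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Carve the excluded block out: the stdlib repeatedly halves
                # `net` and keeps the half that does not contain `ex`.
                kept.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # lies wholly inside the excluded block, so drop it
            else:
                kept.append(net)
        remaining = kept
    return sorted(remaining, key=lambda n: (n.prefixlen, int(n.network_address)))


def allowed_ips_line(excluded, base="0.0.0.0/0"):
    """Format the result as the AllowedIPs line used in the WireGuard config
    (the -w output format)."""
    return "AllowedIPs = " + ", ".join(str(n) for n in exclude_subnets(excluded, base))


def verify_cover(nets, excluded, base="0.0.0.0/0"):
    """Sanity-check a list before pasting it into a config: the networks must be
    pairwise disjoint, must not overlap any excluded block, and must add up to
    exactly `base` minus the excluded addresses. Assumes the excluded blocks do
    not overlap one another."""
    ordered = sorted(nets, key=lambda n: int(n.network_address))
    for a, b in zip(ordered, ordered[1:]):
        if int(a.broadcast_address) >= int(b.network_address):
            return False  # overlapping or duplicated entries
    ex_nets = [ipaddress.ip_network(e, strict=False) for e in excluded]
    if any(ex.overlaps(n) for ex in ex_nets for n in nets):
        return False  # an excluded address would still be routed into the tunnel
    expected = ipaddress.ip_network(base).num_addresses - sum(e.num_addresses for e in ex_nets)
    return sum(n.num_addresses for n in nets) == expected


if __name__ == "__main__":
    ip = "123.123.123.123"  # the guide's example external address
    nets = exclude_subnets([ip])
    print(allowed_ips_line([ip]))
    print("covers everything except", ip, ":", verify_cover(nets, [ip]))
```

Running it with the guide's example address reproduces the 32-entry AllowedIPs line shown above. One thing worth noticing about that line: it contains only IPv4 prefixes, so the ::/0 entry from the original config is gone and IPv6 traffic will no longer enter the tunnel. If your host has IPv6 connectivity and you want it tunnelled as well, call exclude_subnets with base="::/0" (and whatever IPv6 addresses you need to exclude) and append those entries to the same AllowedIPs line.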
Then, take the output from above and update the AllowedIPs line of your config, which should end up looking something like this:
[Interface]
Address = 10.0.0.2
PrivateKey = GFK+w7ZNKso27lNF0Q04CuVcIrOONXFMgrrCOB5j5Wo=
[Peer]
PublicKey = z0vcAafN0cEFXu+7nFcvtRvWmszxQzxwn8uTjxziWhk=
PresharedKey = KNnIaX4EgJEfRrCRXL0CaSD+5afZhCEfTzTWKMAMBgU=
Endpoint = tx2.shockvpn.com:51820
AllowedIPs = 128.0.0.0/1, 0.0.0.0/2, 64.0.0.0/3, 96.0.0.0/4, 112.0.0.0/5, 124.0.0.0/6, 120.0.0.0/7, 122.0.0.0/8, 123.128.0.0/9, 123.0.0.0/10, 123.64.0.0/11, 123.96.0.0/12, 123.112.0.0/13, 123.124.0.0/14, 123.120.0.0/15, 123.122.0.0/16, 123.123.128.0/17, 123.123.0.0/18, 123.123.64.0/19, 123.123.96.0/20, 123.123.112.0/21, 123.123.124.0/22, 123.123.120.0/23, 123.123.122.0/24, 123.123.123.128/25, 123.123.123.0/26, 123.123.123.64/27, 123.123.123.96/28, 123.123.123.112/29, 123.123.123.124/30, 123.123.123.120/31, 123.123.123.122/32
PersistentKeepalive = 25
At this point, you should be ready to go! All that is left to do is to bring up the interface (on Linux) or press the "Activate" button (on Windows and Mac) from inside the WireGuard client.